Simple Take Over of Windows Server 2008


I found this little vulnerability while running a Nessus scan and wanted to see what I could do with it. As you can see in the screenshot, it is a Critical vulnerability called MS09-050.

[Screenshot 6]

So I started Metasploit by changing to its directory as root: cd /opt/metasploit/apps/pro/msf3

[Screenshot 1]

Then type search ms09-050 at the prompt, as shown in the screenshot.

[Screenshot 2]

In the screenshot above, where the arrow is pointing, the exploit's rank is listed as “good”. Cool, right?

Now type “use” as shown, followed by the exploit name copied and pasted from the search results.

[Screenshot 3]

Then you will want to see the options available, so type “show options”.

[Screenshot 4]

Set the IP of the host you want to exploit, as shown above.

Now you want to see what payloads are available. There is a long list of payloads. From what I hear, the best one is windows/meterpreter/reverse_tcp.

[Screenshot 5]

Type that in as shown below, then “show options” to see which options you may have to set. As you see here, we can set a listening host (LHOST). Set your IP and soon the fun begins.

[Screenshot 6]

Now just type “exploit”, then “help” or “?” to see a list of all the fun things you can do on this system.

[Screenshot 7]

[Screenshot 8]

As you can see below, my two favorite commands are “getsystem” and “hashdump”.

getsystem escalates your session to SYSTEM privileges, taking full control of the system.

hashdump dumps the password hashes, so you can see who the users of the system are as well as get at their passwords.

[Screenshot 9]

Got SYSTEM.

[Screenshot 10]

Dumped the hashes (note the users).

[Screenshot 11]

idletime is a fun command that shows how long the system has been idle,

and screenshot is fun for seeing what is going on on the user's desktop.

Notice where the screenshot has been saved. I will show you how to view it.

[Screenshot 12]

In the top left of your Kali Linux desktop you see Applications and Places.

Click on Places, then File System.

[Screenshot 14]

Then follow the path: click the usr folder,

[Screenshot 15]

then the share folder,

[Screenshot 16]

then the metasploit-framework folder.

[Screenshot 17]

Then look for the file name that the system gave the screenshot.

[Screenshot 18]

And Bada Boom Bada Bing, here is the desktop of this unsuspecting user. (Actually, it was my own little server that I had running for the purpose of this demonstration.)

[Screenshot 19]

This stuff is tons of fun to learn, and it is even better to know how to defend against an attack like this one, which can wipe out an entire network.
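As an added example of the defensive side (this is not code from the post), here is a small Python detector for the traffic pattern this walkthrough produces: MS09-050 is an SMBv2 flaw, so the exploit arrives on TCP 445, and the reverse_tcp payload then makes the server itself connect back to the attacker's listening host (LHOST). The flow records, the server subnet and the allowed-port list are all constructed assumptions for the example.

```python
# Added example (not from the post): flag the reverse_tcp callback pattern, where a
# server opens an outbound connection to a peer that had just hit it on SMB/445.
# Flow records are constructed for this example; format is
# "<iso-ts> <src-ip> <src-port> <dst-ip> <dst-port>", src being the initiator.
from collections import namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SERVER_SUBNET = ip_network("10.0.1.0/24")             # assumption: the server VLAN
ALLOWED_DST_PORTS = {53, 80, 88, 123, 389, 443, 445}  # assumption: ports servers may call out on

SAMPLE_FLOWS = """\
2014-03-01T10:00:01 10.0.1.20 49152 10.0.1.5 53
2014-03-01T10:00:05 10.0.9.7 51000 10.0.1.20 445
2014-03-01T10:00:09 10.0.1.20 49154 10.0.9.7 4444
2014-03-01T10:00:12 10.0.2.30 49155 10.0.9.7 4444
2014-03-01T10:30:00 10.0.1.21 49200 203.0.113.5 8080
"""

Flow = namedtuple("Flow", "ts src sport dst dport")

def parse_flows(text):
    """Parse whitespace-separated flow records; blank lines are ignored."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, sport, dst, dport = line.split()
            flows.append(Flow(datetime.fromisoformat(ts), ip_address(src),
                              int(sport), ip_address(dst), int(dport)))
    return flows

def find_callbacks(flows, window=timedelta(minutes=5)):
    """Return (flow, severity) for server-initiated flows to non-allowlisted ports.

    Severity is "high" when the destination had connected to that server on 445
    within `window` beforehand (exploit in over SMB, callback out), else "medium".
    """
    alerts = []
    for f in flows:
        if f.src not in SERVER_SUBNET or f.dport in ALLOWED_DST_PORTS:
            continue                      # workstation traffic or normal server egress
        smb_first = any(g.src == f.dst and g.dst == f.src and g.dport == 445
                        and timedelta(0) <= f.ts - g.ts <= window for g in flows)
        alerts.append((f, "high" if smb_first else "medium"))
    return alerts

if __name__ == "__main__":
    for f, sev in find_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"{sev:6} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

On the sample data the 10.0.1.20 -> 10.0.9.7:4444 flow is rated high because 10.0.9.7 had connected to that server on 445 four seconds earlier; the flow from 10.0.2.30 is ignored because it is not a server.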
