
76

Chapter 6

Compromising a Windows XP Virtual Machine

Before we dive into the specifics of Meterpreter, we first need to compromise 
a system and get a Meterpreter shell.

Scanning for Ports with Nmap

We begin by identifying the services and ports running on the target by conducting a port scan with nmap to find a port to exploit, as shown here:

msf > nmap -sT -A -P0 192.168.33.130
[*] exec: nmap -sT -A -P0 192.168.33.130

. . . SNIP . . .

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.2180
80/tcp   open  http         Microsoft IIS webserver 5.1
|_html-title: Directory Listing Denied
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server 2005 9.00.1399; RTM
6646/tcp open  unknown
MAC Address: 00:0C:29:EA:26:7C (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003

. . . SNIP . . .

Nmap done: 1 IP address (1 host up) scanned in 37.58 seconds

msf >

After conducting our port scan, we see that some interesting ports are accessible, including MS SQL, a potential attack vector. But perhaps the most interesting thing that nmap tells us is that this machine is running Windows XP Service Pack 2, which is now at end of life; this means that some published vulnerabilities will not have been fixed or patched by the installation of SP3.

Also of note, we see the standard FTP and SMTP ports, which might be available to be leveraged for an attack. And we see that port 80 is open, which means we have a potential web application to attack.
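The triage the text just walked through by hand (which open services deserve a closer look, and whether the OS guess points at an unsupported release) can be applied to the scan output mechanically. The following script is an added example, not code from the book or from Metasploit; it parses the normal-format nmap lines shown above, and the NOTABLE table and the SP2-or-older rule are this example's own assumptions about what to flag.

```python
import re

# Scan output from the msfconsole nmap run shown above (trimmed to the lines the parser uses).
NMAP_OUTPUT = """\
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.2180
80/tcp   open  http         Microsoft IIS webserver 5.1
|_html-title: Directory Listing Denied
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server 2005 9.00.1399; RTM
6646/tcp open  unknown
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
"""

# One nmap port line: "<port>/<proto>  <state>  <service>  [<version>]".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")

# Services the chapter singles out for review (assumed table, keyed by nmap service name).
NOTABLE = {
    "ms-sql-s": "database listener reachable from the network",
    "ftp": "clear-text file transfer service exposed",
    "smtp": "mail service exposed",
    "http": "web application surface",
}

def parse_ports(text):
    """Return (port, proto, state, service, version) for each port line; script lines are skipped."""
    found = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            found.append((int(port), proto, state, service, (version or "").strip()))
    return found

def os_is_end_of_life(text):
    """True when the OS guess names Windows XP at SP2 or older, a release no longer receiving fixes."""
    m = re.search(r"^OS details:\s*(.*)$", text, re.M)
    return bool(m and re.search(r"Windows XP(?: Professional)? SP[012]\b", m.group(1)))

def triage(text):
    """Map each open, notable port (and the key 'os' for an end-of-life guess) to the reason it matters."""
    findings = {}
    for port, proto, state, service, version in parse_ports(text):
        if state == "open" and service in NOTABLE:
            findings[port] = f"{service} {version}".strip() + ": " + NOTABLE[service]
    if os_is_end_of_life(text):
        findings["os"] = "end-of-life Windows XP SP2: published vulnerabilities likely unpatched"
    return findings

if __name__ == "__main__":
    for key, reason in triage(NMAP_OUTPUT).items():
        print(key, "-", reason)
```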

Attacking MS SQL

In this example, we’ll attack port 1433, MS SQL, because this is often an 
entry point of weakness that can lead to a complete compromise and full 
administrative-level control over the target.