Page 102

Chapter 6

Compromising a Windows XP Virtual Machine

Before we dive into the specifics of Meterpreter, we first need to compromise
a system and get a Meterpreter shell.

Scanning for Ports with Nmap

We begin by identifying the services and ports running on the target by con-
ducting a port scan with

nmap

to find a port to exploit, as shown here:

msf >

nmap -sT -A -P0 192.168.33.130

[*] exec: nmap -sT -A -P0 192.168.33.130

. . . SNIP. . .

PORT STATE SERVICE VERSION
21/tcp open

ftp Microsoft ftpd

25/tcp open

smtp Microsoft ESMTP 6.0.2600.2180

80/tcp open

http Microsoft IIS webserver 5.1

|_html-title: Directory Listing Denied
135/tcp  open  msrpc     Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc     Microsoft Windows RPC
1433/tcp open

ms-sql-s Microsoft SQL Server 2005 9.00.1399; RTM

6646/tcp open unknown
MAC Address: 00:0C:29:EA:26:7C (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003

. . . SNIP . . .

Nmap done: 1 IP address (1 host up) scanned in 37.58 seconds

msf >

After conducting our port scan at , we see that some interesting ports

are accessible, including MS SQL at , a potential attack vector. But perhaps
the most interesting thing that

nmap

tells us is that this machine is running

Windows XP Service Pack 2 at , which is now at the end of life, which means
some published vulnerabilities will not have been fixed or patched by the
installation of SP3.

Also of note, we see the standard FTP and SMTP ports, which might

be available to be leveraged for an attack. And we see that port 80 is open,
which means we have a potential web application to attack.

Attacking MS SQL

In this example, we’ll attack port 1433, MS SQL, because this is often an
entry point of weakness that can lead to a complete compromise and full
administrative-level control over the target.