Chapter 6
Compromising a Windows XP Virtual Machine
Before we dive into the specifics of Meterpreter, we first need to compromise
a system and get a Meterpreter shell.
Scanning for Ports with Nmap
We begin by identifying the services and ports running on the target by conducting a port scan with nmap to find a port to exploit, as shown here:
msf > nmap -sT -A -P0 192.168.33.130
[*] exec: nmap -sT -A -P0 192.168.33.130
. . . SNIP . . .
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.2180
80/tcp   open  http         Microsoft IIS webserver 5.1
|_html-title: Directory Listing Denied
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server 2005 9.00.1399; RTM
6646/tcp open  unknown
MAC Address: 00:0C:29:EA:26:7C (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
. . . SNIP . . .
Nmap done: 1 IP address (1 host up) scanned in 37.58 seconds
msf >
After conducting our port scan, we see that some interesting ports are accessible, including MS SQL on port 1433, a potential attack vector. But perhaps the most interesting thing that nmap tells us is that this machine is running Windows XP Service Pack 2, which has now reached end of life; that means some published vulnerabilities will not have been fixed or patched, as they would have been by installing SP3.
Also of note, we see the standard FTP and SMTP ports, which might be available to be leveraged for an attack. And we see that port 80 is open, which means we have a potential web application to attack.
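The triage the book does by eye here (read the port table, spot the exposed database listener, notice the end-of-life OS) is exactly what a defender automates when reviewing scan results of their own hosts. The following is an added example, not code from the book: a small parser for nmap's normal-output port table that extracts each open port's service and version string, picks up the OS details line, and flags the services a reviewer would want to look at first. The sample text is constructed from the scan output shown above, and the RISKY_SERVICES rules are assumptions chosen for this example rather than any standard list.

```python
"""Parse nmap normal output into port records and triage them (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input, taken from the scan output shown above (SNIPs removed).
SAMPLE_SCAN = """\
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.2180
80/tcp   open  http         Microsoft IIS webserver 5.1
|_html-title: Directory Listing Denied
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server 2005 9.00.1399; RTM
6646/tcp open  unknown
MAC Address: 00:0C:29:EA:26:7C (VMware)
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
"""

# One port-table row: "<port>/<proto> <state> <service> [<version text>]".
# Script output lines ("|_...") and the header row deliberately do not match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty string when nmap printed no version


def parse_nmap_ports(text):
    """Return a PortRecord for every port-table row in the scan text."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, NSE script output, MAC/OS lines, etc.
        port, proto, state, service, version = m.groups()
        records.append(PortRecord(int(port), proto, state, service, (version or "").strip()))
    return records


def parse_os_details(text):
    """Return the text after 'OS details:' or None if nmap printed none."""
    for line in text.splitlines():
        if line.startswith("OS details:"):
            return line.split(":", 1)[1].strip()
    return None


# Assumed review rules for this example: service name -> why a defender cares.
RISKY_SERVICES = {
    "ms-sql-s": "database listener reachable; restrict to application hosts, enforce strong SQL authentication",
    "ftp": "cleartext credentials; move to SFTP/FTPS or disable",
    "smtp": "verify relay restrictions and patch level of the mail server",
    "microsoft-ds": "SMB reachable; filter at the perimeter and keep patched",
}


def triage(text):
    """Return (port, label, note) findings for open risky services and an EOL OS."""
    findings = []
    for rec in parse_nmap_ports(text):
        if rec.state == "open" and rec.service in RISKY_SERVICES:
            findings.append((rec.port, rec.service, RISKY_SERVICES[rec.service]))
    os_details = parse_os_details(text)
    if os_details and "Windows XP" in os_details and "SP2" in os_details:
        # Port 0 is used here only as a placeholder for a host-level finding.
        findings.append((0, "os", "Windows XP SP2 is end of life; fixes shipped in SP3 and later are missing"))
    return findings


if __name__ == "__main__":
    for port, label, note in triage(SAMPLE_SCAN):
        print(f"{port:>5} {label:<13} {note}")
```

Run stand-alone, the script lists the four flagged services (21, 25, 445, 1433) followed by the host-level OS finding; feeding it a real `nmap -sV -O` normal-output file of your own hosts works the same way, since only the port-table rows and the OS details line are consumed.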
Attacking MS SQL
In this example, we’ll attack port 1433, MS SQL, because this is often an
entry point of weakness that can lead to a complete compromise and full
administrative-level control over the target.