background image

62

Chapter 5

Notice that when the payload is selected at   and the options are dis-

played at  , we are presented with some additional options in the payload 
section at  , such as 

LHOST

 and 

LPORT

. In this example, you could configure 

the payload to connect back to the attacker machine on a specific IP address 
and port number, called a 

reverse payload

. In reverse payloads, the connection 

is actually triggered by the target machine and it connects to the attacker. 
You might use this technique to circumvent a firewall or NAT installation. 

We’ll configure this exploit with both the 

LHOST

 and 

RHOST

 options. 

LHOST

our attacking machine, will connect back from the target machine (

RHOST

) on 

the default TCP port (4444). 

msf> show targets

Modules often list vulnerable potential targets. For example, because the vul-
nerability targeted by MS08-067 relies on hard-coded memory addresses, the 
exploit is specific to operating systems with specific patch levels, language 
version, and security implementations (as explained in detail in Chapters 14 
and 15). Using the 

show targets

 command at the 

msf MS08-067

 prompt displays 

a list of 60 exploit targets (with only a portion shown in the following exam-
ple). The success of the exploit will depend on the version of Windows you 
are targeting. Sometimes automatic detection will not work and could even 
trigger the wrong exploit, which will usually lead to a service crash.

msf exploit(ms08_067_netapi) > 

show targets

Exploit targets:

   Id  Name
   --  ----

    0   Automatic Targeting

   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (NX)
   4   Windows XP SP3 English (NX)
   5   Windows 2003 SP0 Universal
   6   Windows 2003 SP1 English (NO NX)
   7   Windows 2003 SP1 English (NX)
   8   Windows 2003 SP2 English (NO NX)
   9   Windows 2003 SP2 English (NX)

In this example, you can see that the exploit lists Automatic Targeting   

as one option. Often, an exploit module will attempt to target the operating 
system automatically based on its version and select an exploit based on the 
system’s fingerprint. However, it’s often best to try to identify the appropriate 
exploit yourself to avoid triggering the wrong exploit or a potentially destruc-
tive one.

NOTE

This particular exploit is temperamental, and it has a tough time determining the oper-
ating system. If you use this exploit, be sure to set the target as the specific operating system 
you use in testing on your VM (Windows XP SP2).