ms03_026_dcom help please

This topic contains 21 replies, has 6 voices, and was last updated by  Triban 7 years, 5 months ago.

  • #7602
     cyber.spirit 
    Participant

    Hi guys, I started working in my new lab to learn Metasploit completely, so I used the ms03_026_dcom exploit to attack a Windows XP machine, but I can't get access. Does anybody know why? Here are the complete details:

    ms03_026 vulnerability
    =================================================
    Lab setup:

    Attacker Machine: BackTrack 5 R2 Gnome
          IP Address: 192.168.137.67
    Victim's Machine: Windows XP SP3
          IP Address: 192.168.137.165
    =================================================
    Victim's port scan output:

    PORT     STATE SERVICE
    21/tcp   open  ftp
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    3389/tcp open  ms-term-serv
    =================================================
    Metasploit Framework 4.2

    Exploit= windows/dcerpc/ms03_026_dcom
    Payload= windows/meterpreter/bind_tcp

    Module options (exploit/windows/dcerpc/ms03_026_dcom):

      Name   Current Setting  Required  Description
      ----   ---------------  --------  -----------
      RHOST  192.168.137.165  yes       The target address
      RPORT  135              yes       The target port

    Payload options (windows/meterpreter/bind_tcp):

      Name      Current Setting  Required  Description
      ----      ---------------  --------  -----------
      EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
      LPORT     4444             yes       The listen port
      RHOST     192.168.137.165  no        The target address

    Exploit target:

      Id  Name
      --  ----
      0   Windows NT SP3-6a/2000/XP/2003 Universal
    =================================================
    Exploitation Process output

    [*] Started bind handler
    [*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal…
    [*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.137.165[135] …
    [*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.137.165[135] …
    [*] Sending exploit …
    [*] Exploit completed, but no session was created.
    =================================================

    Thanks

  • #47478
     24772433 
    Participant

    The RHOST IP should be the victim machine's IP, i.e. x.x.x.67. RHOST is remote host, not local.

    Steve.

  • #47479
     ZeroOne 
    Participant

    @24772433 wrote:

    The RHOST IP should be the victim machine's IP, i.e. x.x.x.67. RHOST is remote host, not local.

    Steve.

    Not if he is running a test on a LAN, which it seems he is.

  • #47480
     cyber.spirit 
    Participant

    @zeroone wrote:

    @24772433 wrote:

    The RHOST IP should be the victim machine's IP, i.e. x.x.x.67. RHOST is remote host, not local.

    Steve.

    Not if he is running a test on a LAN, which it seems he is.

    SOOO sorry guys, I typed the IP addresses in the wrong places, so here is the correct info:

    Attacker Machine: BackTrack 5 R2 Gnome
         IP Address: 192.168.137.67
    Victim's Machine: Windows XP SP3
         IP Address: 192.168.137.165

    I modified the first post too, so you can check that as well.

    I really don't know what my problem is; everything seems to be OK. Help me please.

  • #47481
     unicityd 
    Participant

    Your victim machine is running XP Service Pack 3, which is not vulnerable. This is an old bug; you'll need an unpatched Windows machine to test it.

  • #47482
     cyber.spirit 
    Participant

    OK unicityd, so which SP of Windows XP do you think is vulnerable?
    And which msf exploit is compatible with Windows XP SP3?

  • #47483
     24772433 
    Participant

    As mentioned, it's an old exploit and has since been patched. You could try seeing if KB823980 is installed separately in Add/Remove Programs and uninstall it. This will work.

  • #47484
     Gromic 
    Participant

    Hi cyber.spirit

    I guess you are going through Vivek's videos on Metasploit, right?!

    As far as I know the RPC DCOM exploit has been patched in SP1 or 2; not 100% sure at the moment.

    However, the exploit will definitely work with an unpatched Win XP, so no SPs (I tested that). Also make sure to disable any (Windows) firewall.

  • #47485
     cyber.spirit 
    Participant

    Yes Gromic,
    your guess is absolutely right. So first, if it was patched in SP1/2, then why do we see Windows 2003 in the exploit target range?
    Then I want to ask you something: what is your opinion about this video series?

  • #47486
     ZeroOne 
    Participant

    Who on earth will be using XP with no SPs and with a disabled firewall lol. Even if the exploit worked, what's the point of getting access to a host through that exploit without knowing what is really happening at the back end and how these exploits exactly work?

  • #47487
     cyber.spirit 
    Participant

    Nobody! I know it's so easy to hack, but I want an msf exploit like dcom which can execute code remotely, to hack Windows XP SP3.

  • #47488
     unicityd 
    Participant

    Subscribe to the Bugtraq and Full-Disclosure mailing lists. They are used for reporting and discussing new vulnerabilities. Unfortunately, any tool/exploit you see announced there won't work for long on any system that is kept up to date.

    If you want to have something reliable that is going to work on a fully patched system, then you either need to write your own exploits and keep them secret or find someone willing to share their zero-days with you (not likely unless you’re paying).

    There's nothing wrong with playing with a completely unpatched system to test out a tool like Metasploit to learn how it works, but you don't need to learn the exploits themselves. Exploits have a short shelf life. MS03-026 is from 2003 (hence MS03); it's ancient.

    If you want to target Windows XP SP3 systems, your best bet is to use exploits targeting applications like Acrobat or Flash.  Those are less likely to be up to date.  Of course, you’ll have to find some way to get the user to run the exploit.

    You should probably look for some of the other getting started threads on this site and follow the suggestions for reading/learning/experimenting.  You need to build up a skill set rather than looking for a magic bullet.  Occasionally a magic bullet does come along, but they don’t last. 

  • #47489
     Gromic 
    Participant

    +1 to what unicityd wrote.

    @zeroone I agree with you on that. But as unicityd wrote, the point is not to have a working exploit with which you can hack a gazillion machines, but to learn how Metasploit as a tool functions. And here I think for learning purposes it's totally fine to follow along with an "old" exploit just to see what options there are, how to use them, and so on. So, see it as a "walk before you can run" thing ;o).

    One thought on "who on earth will be using XP with no SPs", though. Think about all the people who run a stolen/hacked copy of XP (or Vista or Win7) on their machines with update services disabled in panic of not getting caught. I heard this can be quite common in Third World countries. I don't know any statistics to show this though; it was just a thought, so please don't hold me to it ;o).

    But you are probably right, in times of Vista and Win7 an unpatched copy of XP might be rare (at least I have no personal experience of that).

    @ cyber.spirit
    I think the patch was originally released after SP1 (or 2) and then later added to the SPs; that's why we still see Win 2003 in the target range in Metasploit (was that your question?!?). Not sure about this though.

    I really like the videos on securitytube. I am quite a fan of the “visual learning approach”….since I can better remember things when someone has shown me how to do it.

    Anyways, have fun with the video series!

  • #47490
     Triban 
    Participant

    By no way am I a Metasploit expert. But as with all pen testing, just because a scan says something might be vulnerable doesn't make it so. Metasploit does have the ability to do a quick check, but it will be basing it on a few factors: open ports, responses received and version of software will contain some of the clues to the system being exploitable. But the information could be wrong, or you may not be getting the full story. Part of your learning should be to read up on the vulnerability reports for the systems. You can subscribe to Microsoft's security bulletins as well as keep your eyes on Bugtraq like unicityd recommended. If you run an nmap scan against the target and it comes back saying it is Win XP SP3, then look through your lists to see what it might be vulnerable to. Remember, extended support ends soon, so security patches will become limited soon.

    I am sure you are now wondering about developing your own exploits. Well, if you have some decent assembly knowledge, that will be your language of choice to reverse engineer the kernel libraries in Windows. There are some courses that cover this as well as some books out there. You will need to get comfortable with assembly to make decent exploits and find 0-days. And assembly is a frigid cow of a language 😀 definitely not as warm and fuzzy as Python or Ruby 😀 But it can unlock a wealth of information from systems if you can navigate the dump. Another tool that will be helpful is the Windows SDK; with some fun virtual serial ports you can connect to a system and run the debugger against it to see all the goings-on, and even send commands to it to see what breaks or how it behaves.

    As for ZeroOne, you would be surprised how many legit copies of XP are still running around without the latest patches and service packs. And as I said before, Microsoft will be ending support:
    http://windows.microsoft.com/en-us/windows/help/end-support
    Granted, those with XP SP3 are good until 2014. But that gives big organizations and enterprises enough time to roll out Windows 7 in a non-holy-shit-we-gotta-move manner. It is also sad to know that there are still Windows 2000 and NT4 servers out there in production.

    On final note, any new testers out there should be looking toward Windows 7, 8 and Server 2008.  If you are in school, by the time you get out, those will be the primary systems out there.  Always keep your mind on what will be out there when you graduate.

    Ok, probably more than you needed.  But hopefully you find it helpful.

  • #47491
     cyber.spirit 
    Participant

    OK, thank you both. Yeah, I agree too; in Third World countries you can find many unpatched OSes. And 3xban, I never say a machine is vulnerable until I get access to it, even if the port scanner says it's vulnerable. But some of the exploits in msf are not designed for old machines, for example:

    windows/browser/webdav_dll_hijacker

    With this exploit you can get access to W2K8 R2 (if the admin is a fool lol).

  • #47492
     cyber.spirit 
    Participant

    OK 3xban, if you're a Metasploit expert, you can help me find my answers.
    As you said, I downloaded Metasploitable. First, does this Linux-based OS have a GUI mode or not? Second, which vulnerabilities does it have, i.e. which exploits can I run against it?

    thank you so much

  • #47493
     Triban 
    Participant

    @3xban wrote:

    By no way am I a Metasploit expert.

    As I said, by no way am I an expert. There is no GUI for Metasploit, at least not built into the application itself. If you want a bit of an easier way to use the Metasploit Framework, you can use Armitage, which I believe is in the current BT build. That is a GUI front end of sorts to Metasploit. But you will still need to know if the system you are attacking is vulnerable to the attacks. And you will need to know how to configure the payloads accordingly.

  • #47494
     cyber.spirit 
    Participant

    @3xban wrote:

    @3xban wrote:

    By no way am I a Metasploit expert.

    As I said, by no way am I an expert. There is no GUI for Metasploit, at least not built into the application itself. If you want a bit of an easier way to use the Metasploit Framework, you can use Armitage, which I believe is in the current BT build. That is a GUI front end of sorts to Metasploit. But you will still need to know if the system you are attacking is vulnerable to the attacks. And you will need to know how to configure the payloads accordingly.

    Dear 3xban, I didn't say Metasploit, I said Metasploitable, the Linux-based OS which is created to test Metasploit exploits.

    So what do you think? Does Metasploitable have a GUI mode?
    And which exploits can I use to attack it?

    Thank you

  • #47495
     ZeroOne 
    Participant

    @cyber.spirit wrote:

    @3xban wrote:

    @3xban wrote:

    By no way am I a Metasploit expert.

    As I said, by no way am I an expert. There is no GUI for Metasploit, at least not built into the application itself. If you want a bit of an easier way to use the Metasploit Framework, you can use Armitage, which I believe is in the current BT build. That is a GUI front end of sorts to Metasploit. But you will still need to know if the system you are attacking is vulnerable to the attacks. And you will need to know how to configure the payloads accordingly.

    Dear 3xban, I didn't say Metasploit, I said Metasploitable, the Linux-based OS which is created to test Metasploit exploits.

    So what do you think? Does Metasploitable have a GUI mode?
    And which exploits can I use to attack it?

    Thank you

    cyber.. 3xban said: "by no way am I an expert", and that means he is NOT a Metasploit expert. As for "Metasploitable Linux based", I never heard of that.
    As for 3xban, there is a GUI for Metasploit; just open a terminal and type: msfgui

  • #47496
     Triban 
    Participant

    Metasploitable is a Linux VM which has vulnerabilities and is designed to be exploited with Metasploit. What those vulnerabilities are? Well, that is the point of the exercise. I am sure with some googling you can find the exact exploits it is subject to, but that will defeat the purpose of the VM. Most of these exercises designed for pen testing labs are closed systems, and the point is to gain access to them.

  • #47497
     cyber.spirit 
    Participant

    Thank you, but do you think they are efficient?

  • #47498
     Triban 
    Participant

    For testing purposes, yes. It is designed to get you used to using Metasploit as well as other tools. The best way to find out for sure, though, is to try them out. These types of VMs and LiveCDs are usually free. You just need a system to run them on. But also, none of these environments will make you an expert. That comes with experience and know-how. Again, Metasploit is merely a tool in your bag of tricks. The things it can do are not really new; they have been around. Metasploit just provides a much easier way to do it. If you truly want to learn, you will look at how to accomplish these types of attacks and exploits without the use of the framework.

    Like building a website using something like Dreamweaver but never actually working in the code and then calling yourself a Web Developer.
