Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

rebrov
Full Member
Posts: 130
Joined: Mon May 11, 2009 4:00 pm

Post Tue May 18, 2010 8:55 pm

Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

Well, first of all, my first question is:

Can't I exploit Windows XP SP3 on port 445? I tried many reverse payloads with no use :S

So is there any way to exploit port 445 on XP SP3?

Second, while trying to exploit it via Metasploit I couldn't, and Metasploit got a bug and then disappeared. I took a screenshot quickly before it disappeared; here it is:

[screenshot of the Metasploit error, not preserved]


any idea ?
Ketchup
Hero Member
Posts: 1021
Joined: Fri Jul 04, 2008 7:44 pm
Location: Philadelphia, PA

Post Tue May 18, 2010 10:35 pm

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

Are you sure your target is MS08-067 vulnerable?  Any chance it was patched?
~~~~~~~~~~~~~~
Ketchup
rebrov

Post Wed May 19, 2010 3:59 am

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

Ketchup wrote: Are you sure your target is MS08-067 vulnerable? Any chance it was patched?


Well, it's SP3, so I think it's not vulnerable, since the MS08_067 exploit does not work on an SP3 patched system.

That's why I'm asking whether there is any way to exploit port 445 on an XP SP3 system.

And what do you think about this bug?

BTW, this bug also happened when I successfully exploited a vulnerable MS08_067 system: after the exploit completed and the session had been opened, it disappeared :S Don't know why this happens only in Metasploit 3.3.3.

Any idea?
Ketchup

Post Wed May 19, 2010 7:20 am

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

I do believe that SP3 is vulnerable by default.

http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Yes, you can exploit port 445 on an XP SP3 machine. But why are you just randomly sending exploits against this machine? Why not identify the vulnerability first? Coincidentally, I find that MS08-067 is one of the most common false positives.
~~~~~~~~~~~~~~
Ketchup
rebrov

Post Wed May 19, 2010 3:25 pm

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

Ketchup wrote: I do believe that SP3 is vulnerable by default.

http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Yes, you can exploit port 445 on an XP SP3 machine. But why are you just randomly sending exploits against this machine? Why not identify the vulnerability first? Coincidentally, I find that MS08-067 is one of the most common false positives.


Not shown: 997 filtered ports
PORT     STATE SERVICE      VERSION
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
5101/tcp open  admdog?


That's what I got from Nmap.

What do you think?
hayabusa
Hero Member
Posts: 1661
Joined: Mon Jan 29, 2007 2:59 pm

Post Wed May 19, 2010 3:40 pm

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

@rebrov -

Glad to see you're still hanging around, and learning!

That list shows open ports, and generically defined services.  Your next steps should be connecting to those ports, and banner grabbing / researching, to see what service versions, etc, are reported as running on those ports, then follow up with searches for vulnerabilities existing on those versions and services.

For instance, you might find that some other service is actually using that port, and it's not really Microsoft ds on there, at all.  Conversely, you could be hitting a honeypot (if this were a real-life pentest,) where that port isn't really even running the exploitable service, but responds to queries as if it was.  You need to adequately try to determine what's running, not just gather a basic list of responding ports, and start attacking.  ;)

These are very tried and true principles for pentesting, and you need to do some digging on them, rather than just throwing a list of nmap reported open ports to the list.  We're here to help, and to answer educated questions, not to lead you through every step.  (No offense intended, just recommending you spend more time on this than simply a base nmap scan, followed by, "why doesn't an exploit work on 445?")

I understand that you're running a tool, like Metasploit, to perform these tests, but sometimes you need to have a clearer understanding of the target system and its services before just throwing Metasploit and other tools at it, in the hopes that generically defined exploits will 'just work' as you'd like / expect them to.

Good luck, and as you continue, let us know what more you find.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH
rebrov

Post Wed May 19, 2010 3:45 pm

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

hayabusa wrote: @rebrov -

Glad to see you're still hanging around, and learning!

That list shows open ports, and generically defined services. Your next steps should be connecting to those ports, and banner grabbing / researching, to see what service versions, etc, are reported as running on those ports, then follow up with searches for vulnerabilities existing on those versions and services.

For instance, you might find that some other service is actually using that port, and it's not really Microsoft ds on there, at all. Conversely, you could be hitting a honeypot (if this were a real-life pentest,) where that port isn't really even running the exploitable service, but responds to queries as if it was. You need to adequately try to determine what's running, not just gather a basic list of responding ports, and start attacking. ;)

These are very tried and true principles for pentesting, and you need to do some digging on them, rather than just throwing a list of nmap reported open ports to the list. We're here to help, and to answer educated questions, not to lead you through every step. (No offense intended, just recommending you spend more time on this than simply a base nmap scan, followed by, "why doesn't an exploit work on 445?")

I understand that you're running a tool, like Metasploit, to perform these tests, but sometimes you need to have a clearer understanding of the target system and its services before just throwing Metasploit and other tools at it, in the hopes that generically defined exploits will 'just work' as you'd like / expect them to.

Good luck, and as you continue, let us know what more you find.


Thanks for the info. I will try telnet or netcat for banner grabbing :)
hayabusa

Post Wed May 19, 2010 4:20 pm

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

Sounds good.  Keep us posted.
~ hayabusa ~
rebrov

Post Thu May 20, 2010 4:02 pm

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

hayabusa wrote: Sounds good. Keep us posted.


I couldn't banner grab the service running on port 445 on the machine :S

Tried telnet with no use.
Tried netcat with no info.

What do you think?
Ketchup

Post Thu May 20, 2010 4:35 pm

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

NetBIOS is a binary protocol. You can run the following nmap command to check for a few vulnerabilities. There are also any number of scanners that will identify NetBIOS vulnerabilities.

  Code:
nmap -sV -PN <IP Address> -p 445,137,139 --script=smb-check-vulns.nse
~~~~~~~~~~~~~~
Ketchup
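The reason telnet and netcat came back empty is the one Ketchup gives: SMB on 445 is a binary, client-speaks-first protocol, so nothing arrives until the client sends a Negotiate Protocol request. The probe below is an added example written for this thread, not code from any of the posts, from Metasploit or from Nmap. It sends the same SMB1 negotiate request the Nmap smb-* scripts start with and decodes the reply, which tells you (a) whether what is listening really is SMB and (b) which dialect and security mode the server offers. The PID and MID values are arbitrary, and sample_xp_response() is a constructed reply for offline testing, not a capture from a real XP box. One caveat for anyone reading this later: smb-check-vulns.nse was removed in the Nmap 7.x series and split into the smb-vuln-* scripts (smb-vuln-ms08-067.nse covers the check discussed here).

```python
# Added example for this thread (not code from the posts or from Nmap): an
# SMB1 Negotiate Protocol probe for TCP/445. SMB is binary and the client
# speaks first, which is why telnet/netcat show no banner. PID/MID arbitrary.
import socket
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72

# Dialects offered, oldest first; the server replies with the index of the
# highest one it supports (XP/2003 pick "NT LM 0.12").
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0",
            b"Windows for Workgroups 3.1a", b"LM1.2X002", b"LANMAN2.1",
            b"NT LM 0.12"]

# 32-byte SMB1 header: magic, command, NT status, flags, flags2, PID high,
# signature, reserved, TID, PID, UID, MID (little-endian throughout).
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
# Negotiate reply parameters for NT LM 0.12 (17 words): dialect index, security
# mode, max mpx, max VCs, max buffer, max raw, session key, caps, time, tz, challenge len.
NEG_RESP_WORDS = struct.Struct("<HBHHIIIIQhB")


def build_negotiate_request(pid=0x1234, mid=1):
    """NetBIOS session message carrying an SMB_COM_NEGOTIATE request."""
    # flags 0x18: canonical paths, case-insensitive; flags2 0x4801: NT status
    # codes, extended security, long names.
    header = SMB_HEADER.pack(SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0x4801,
                             0, b"\x00" * 8, 0, 0, pid, 0, mid)
    data = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    smb = header + struct.pack("<BH", 0, len(data)) + data  # WordCount, ByteCount
    # NetBIOS session service header: type 0x00 + 24-bit big-endian length.
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate_response(msg):
    """Decode the server's negotiate reply; ValueError if it is not SMB."""
    if len(msg) < 4 or msg[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(smb) < SMB_HEADER.size + 3:
        raise ValueError("reply too short for an SMB negotiate response")
    magic, cmd, status, *_ = SMB_HEADER.unpack_from(smb)
    if magic != SMB_MAGIC:
        raise ValueError("no SMB magic; something else answers on this port")
    if cmd != SMB_COM_NEGOTIATE or status != 0:
        raise ValueError("cmd 0x%02x, status 0x%08x: not a clean negotiate "
                         "reply" % (cmd, status))
    word_count = smb[SMB_HEADER.size]
    idx = struct.unpack_from("<H", smb, SMB_HEADER.size + 1)[0]
    if idx >= len(DIALECTS):
        raise ValueError("server accepted none of the offered dialects")
    if word_count != 17:  # pre-NT dialect: other layout, report index only
        return {"dialect": DIALECTS[idx].decode(), "extended_security": False}
    if len(smb) < SMB_HEADER.size + 1 + NEG_RESP_WORDS.size:
        raise ValueError("truncated NT LM 0.12 negotiate reply")
    (_, secmode, _mpx, _vcs, maxbuf, _raw, _key, caps, _time, _tz,
     chal_len) = NEG_RESP_WORDS.unpack_from(smb, SMB_HEADER.size + 1)
    return {
        "dialect": DIALECTS[idx].decode(),
        "user_level_security": bool(secmode & 0x01),
        "signing_enabled": bool(secmode & 0x04),
        "signing_required": bool(secmode & 0x08),
        "extended_security": bool(caps & 0x80000000),
        "max_buffer": maxbuf,
        "challenge_length": chal_len,
    }


def looks_like_smb(msg):
    """True if the bytes decode as an SMB negotiate reply, else False."""
    try:
        parse_negotiate_response(msg)
        return True
    except ValueError:
        return False


def probe(host, port=445, timeout=3.0):
    """Send the request to a live host and decode whatever answers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        with s.makefile("rb") as f:
            head = f.read(4)
            if len(head) < 4:
                raise ValueError("peer closed without answering (reset?)")
            msg = head + f.read(int.from_bytes(head[1:4], "big"))
    return parse_negotiate_response(msg)


def sample_xp_response():
    """Constructed reply shaped like an XP-era server's (not a capture)."""
    header = SMB_HEADER.pack(SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC801,
                             0, b"\x00" * 8, 0, 0, 0x1234, 0, 1)
    words = NEG_RESP_WORDS.pack(5, 0x03, 50, 1, 16644, 65536, 0,
                                0x8000F3FD, 0, -120, 0)
    smb = header + bytes([17]) + words + struct.pack("<H", 0)  # ByteCount 0
    return struct.pack(">I", len(smb)) + smb
```

Save it as smbprobe.py and run it against a lab host with `python3 -c 'import smbprobe; print(smbprobe.probe("10.0.0.3"))'`. A port that nmap reports as filtered shows up here as a connect timeout rather than a decoded reply; a port where something other than SMB is listening fails at the magic check instead of silently looking like a Windows box, which is the honeypot / wrong-service case hayabusa warns about above.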
hayabusa

Post Thu May 20, 2010 7:25 pm

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

Pay close attention to what Ketchup told you. When I mentioned banner grabbing, I wasn't specifically doing so for 445. It was a generalization; that is something you should be doing to any list you get from your initial scans, before trying to just jump in and exploit.

But Ketchup's advice is very valid for your port 445 scenario.
~ hayabusa ~
rebrov

Post Fri May 21, 2010 8:23 am

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

hayabusa wrote: Pay close attention to what Ketchup told you. When I mentioned banner grabbing, I wasn't specifically doing so for 445. It was a generalization; that is something you should be doing to any list you get from your initial scans, before trying to just jump in and exploit.

But Ketchup's advice is very valid for your port 445 scenario.


Yes, I know, Hayabusa, but the reason I did it for port 445 only is that I know port 139 NetBIOS is not possible to exploit on a Windows XP SP3 patched system.

I tried many times with no success :S

It's on SP1 only, I think.
rebrov

Post Fri May 21, 2010 8:31 am

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

Ketchup wrote: NetBIOS is a binary protocol. You can run the following nmap command to check for a few vulnerabilities. There are also any number of scanners that will identify NetBIOS vulnerabilities.

  Code:
nmap -sV -PN <IP Address> -p 445,137,139 --script=smb-check-vulns.nse


Thanks for the info. I tried this, with these results:

nmap -sV -PN 10.0.0.3 -p 445,139 --script=smb-check-vulns.nse

Starting Nmap 5.00 ( http://nmap.org ) at 2010-05-21 13:27 Egypt Dayl
Interesting ports on 10.0.0.3:
PORT    STATE    SERVICE      VERSION
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds


And I also tried a FIN scan to bypass the firewall, with this result:

nmap -sF -P0 10.0.0.3 -p 445

Starting Nmap 5.00 ( http://nmap.org ) at 2010-05-21 1
Interesting ports on 10.0.0.3:
PORT    STATE        SERVICE
445/tcp open|filtered microsoft-ds


And also with an Xmas scan; this is the result:

nmap>nmap -sX -P0 10.0.0.3 -p 445

Starting Nmap 5.00 ( http://nmap.org )
Interesting ports on 10.0.0.3:
PORT    STATE        SERVICE
445/tcp open|filtered microsoft-ds
hayabusa

Post Fri May 21, 2010 9:13 am

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

rebrov wrote:
hayabusa wrote: Pay close attention to what Ketchup told you. When I mentioned banner grabbing, I wasn't specifically doing so for 445. It was a generalization; that is something you should be doing to any list you get from your initial scans, before trying to just jump in and exploit.

But Ketchup's advice is very valid for your port 445 scenario.


Yes, I know, Hayabusa, but the reason I did it for port 445 only is that I know port 139 NetBIOS is not possible to exploit on a Windows XP SP3 patched system.

I tried many times with no success :S

It's on SP1 only, I think.



Understood, but I seem to recall your list also showed port 5101 tcp, as well.... (I don't have the time to assist further today (heavy workload), so I'll leave this one in Ketchup's hands, and maybe pick up again tomorrow, if things lighten up.)

Good luck.
~ hayabusa ~
Ketchup

Post Fri May 21, 2010 9:22 am

Re: Metasploit - Win XP sp3 - port 445 exploit !! and Meta bug

rebrov, those ports coming back as filtered could indicate that there is a firewall in place.
~~~~~~~~~~~~~~
Ketchup