Exploiting Windows XP Using Kali Linux

In this article, we’ll walk you through how to exploit a live install of Windows XP Service Pack 3. We’ll make use of the well-known vulnerability in the netapi32.dll in the Windows Operating System.

The vulnerability is in fact very dangerous because the attacker is not required to authenticate to the target machine prior to running the attack.


Penetration Testing: A Hands-On Introduction to Hacking

Penetration Testing: A Hands-On Introduction to Hacking


This article is inspired by the book Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman. 

The exploit module we’ll make use of through the Metasploit framework is called exploit/windows/smb/ms08_067_netapi. 

Before continuing with this tutorial, you’ll need to:

Please note that it is illegal to perform this attack without the victim’s permission!

Using Metasploit to exploit Windows XP

Start off by firing up both virtual machines.

Log in to Kali Linux, and fire up a terminal window.

Terminal window in Kali Linux

Terminal window in Kali Linux


The first thing we’ll need to do is to start the Metasploit Framework. 

Enter these commands into the terminal window:

The first command, "service postgresql start," launches a PostgreSQL database, which Metasploit uses to track your commands.

The next command, "msfconsole," launches the Metasploit text-based console. This is where we’ll perform our attack.

After "msfconsole" has finished loading (which can take a while), you should see something like this:

msfconsole in kali linux

Msfconsole in Kali Linux


As previously mentioned, we’ll use the module, exploit/windows/smb/ms08_067_netapi. We tell metasploit which module to use by entering the following command:

Now that we’ve told Metasploit which exploit module we’d like to use, we need to set some options. Enter this into the command line to show all available options:

showing options in metasploit

Showing options in metasploit


As you see, there are not many options that need to be set.

In other words, the only option we’ll need to set is the target IP-address. You can find the target IP-address by running "ipconfig" in cmd on your Windows VM. In my case, the IP-address is 10.0.0.17.

The exploit module is now configured and ready to go. But, we’ll also have to tell Metasploit which payload it should install on the target machine. In this attack, we’ll use the payload "windows/meterpreter/reverse_tcp."

setting up the exploit in metasploit

Setting up the exploit in metasploit


The payload windows/meterpreter/reverse_tcp will create a reverse shell.

A reverse shell will push a connection from the target machine (windows) back to the attacker (Kali).
In practice, this means that our Kali machine will open a local port and listen for a connection from the target machine on port 4444 (LPORT).

Note that this isn’t stealthy at all. You should at least change the LPORT to a regular port number like 80 (HTTP) to have any chance of succeeding.

You may have noticed that the LHOST field doesn’t contain anything. We’ll need to set LHOST to our Kali IP-address, which is 10.0.0.107 in my case.

The payload needs this information so the victim machine can connect back to the attacking machine.

Everything’s now set up in Metasploit. Before proceeding, make sure that the Windows firewall is deactivated on your Windows VM.

You should also create a txt-file on your desktop in the Windows VM. The content can be anything you like; we’ll just use it to illustrate the power of this attack.

Now that you’re all set and ready to go, let’s exploit the target machine. Type this command to proceed:

Exploiting Windows XP SP3 Using Kali Linux

Exploiting Windows XP SP3 Using Kali Linux


We're in!

What has actually happened here?

When exploiting our target machine (Windows XP), we delivered a payload, which initiated a reverse shell connection.

The reverse shell made our target machine connect back to the attacking machine (Kali Linux), providing a shell connection directly to the Windows Operating System.

Let’s navigate to the file we created earlier in the Desktop folder (on the Administrator user in my case):

Using meterpreter

Using meterpreter


Now, we only need to navigate to the Desktop folder and view the content of the file using the "cat" command.

exploit/windows/smb/ms08_067_netapi in kali

exploit/windows/smb/ms08_067_netapi in kali


Congratulations! You have now gained access to a remote Windows XP operating system, using the exploit/windows/smb/ms08_067_netapi exploit!

 

 

 

 

Top