Finding and Utilising an Exploit against Windows XP using Metasploit

Metasploit XP

Windows XP represents a key moment in software security. XP was released just as the internet started becoming prevalent in homes as well as offices, because of this prevalence it became clear that security was not a priority during software development. After the release of XP the number of viruses and known vulnerabilities skyrocketed. In response to Windows XP’s poor security becoming apparent, Microsoft shifted manpower from Longhorn; its next release of Windows, to implementing security features planned for Longhorn into Windows XP Service Pack 2, leaving over five years between the release of Windows XP and Longhorn; the operating system that would come to be known as Windows Vista.

For organisations and home users Windows XP’s poor security is a nightmare, but as I’m looking to build-up my skills at testing exploits and examining the security of software it is a dream. Windows XP now has so many known exploits that I’m almost spoilt for choice. So because of this I got myself a copy of XP and decided to try and take advantage of an exploit.

At first I thought this would be so easy that it would take no more than five minutes, this was not the case however, as instead of the very first version of Windows XP, I had a copy of Service Pack 3 which remedied a good amount of the earlier issues. This added complexity meant that instead of leveraging an obvious exploit pulled from a quick Google search, I would have to do a bit more digging with my version of XP to find what vulnerabilities applied to it.

This also means that instead of briefly making a blog post stating that I had completed my first exploit, I thought it might be useful if I outlined my working in more detail and create a full length tutorial so that it may help others if they get struck.

Getting Setup

My first exploit required a couple of tools. The first is VirtualBox which is a free virtualisation product you can use to run other operating systems within your main operating system. Within VirtualBox you’ll need to create your Windows XP Virtual Machine by clicking on “New” in the menu bar:

Creating a Windows XP VirtualBox

The name can actually be anything, but typing Windows XP will automatically set the “Type” and “Version” to Windows XP 32-bit. Follow the steps to on the next few pages to create your machine (I’d recommend giving it around 2GB of RAM is you have enough, but the default recommendation of a 10 GB Hard Drive should probably be enough) and when it asks choose your image of Windows XP and once the machine boots it will be like installing Windows XP on any computer. A final step within Windows XP itself after creating your user is to disable Windows firewall within Start>Control Panel.

You’ll need to create a second virtual machine for Kali Linux. The download at kali.org will work within VirtualBox, but after speaking to a friend and finding they were able to change the resolution of their VM and I was stuck with a tiny 1024×768; they informed me that the download available at Offensive Security would work better as this is a preconfigured VirtualBox image. This image is a lot easier to setup. Once the image has downloaded click File > Import Appliance, and it will configure itself. Be sure to also update your Kali install by going to terminal and typing

$ sudo apt-get update && sudo apt-get upgrade

For both the Kali and XP virtual machines you’ll also need to change the network settings so that they use “Bridged Adapter” instead of “NAT,” otherwise your two virtual machines might not be able to communicate.

Windows XP Exploit Network Settings

Both virtual machine images are needed to carry out the exploit, but the tool needed to help actually find the vulnerabilities we can use is Nessus.

Nessus is a vulnerability scanner that will indicate what exploits a system may be vulnerable to. Nessus does have a paid for version, but we’ll stick with the personal use version. When you visit the download page you will also need to request an activation code that will be sent to your email.

Once the file for Nessus has downloaded the next step will be to enter a terminal window and unpack it with

$ dpkg -i <file path and name>

Installing Nessus in Terminal in Kali

Start the Nessus process with

$ /etc/init.d/nessusd start

Then enter https://kali:8834 into Firefox within Kali, create your Nessus login credentials and enter your activation code, it may also need a healthy amount of time to update. Once this is complete and your at the main Nessus homepage, feel free to minimise the window and return to it later.

Scanning for Vulnerabilities

With the tools setup and started you’ll be able to get started with finding vulnerabilities to test. For starters it is always good to start a scan with Nmap to get an overview of what services are running on the system with the terminal command

$ sudo nmap 192.168.0.28

Scanning XP with Nmap

This will show the services that are active on the Windows XP installation. Other scans such as an operating system scan could be run at this point to determine the operating system currently being run so that the range of exploits could be narrowed down. I already know the version being run so won’t run an OS scan as it will likely not give me any further information than I already know.

We have a basic overview of what services are running on the XP machine, but the aim is to utilise an exploit. This is where Nessus comes in. Bring your Nessus window back to the fore (or if you closed it load it with https://kali:8834). After logging into Nessus you’ll be presented with an empty “My Scans” page.

Nessus My Scans Page

Once you’ve clicked on “New Scan” you’ll be presented with a number of options, some of which require an upgrade to Nessus Professional. The scan we need is a “Basic Network Scan”.

Nessus Basic Network Scan Button

Enter a name for the scan that means something to you. Choose the target you’d like to scan. In this case we want the XP machine’s IP address. Instead of just clicking “Save” click the adjacent disclosure triangle and choose “Launch” to get the scan started straight away. The scan can take some time to complete so be patient and let it run.

Using a Vulnerability

When the Nessus scan completes, click on the vulnerability tab to be show a list of items ranging from critical vulnerabilities to basic information that the operating system may be broadcasting publicly. Your results may well match mine if we have the same version of Windows XP, the vulnerability I will utilise is the one at the top; MS08-067.

Nessus Scan Complete

Utilising the exploit needs the use of another tool, Metasploit, that is already part of our Kali Linux image. Load up Metasploit by moving to a terminal window and typing

 $msfconsole

If this is your first time starting Metasploit you’ll need to create a database. Rather than digress here the team at Offensive Security have a clear explanation here (for this tutorial you’ll only need the “Setup our Metasploit Database” section).

With the Metasploit console loaded we’ll need to find the exploit we’re looking to use within the Metasploit database by entering

> search MS08-067

This should present one result of exploit/windows/smb/ms08_067_netapi which we will need to utilise by entering

> use exploit/windows/smb/ms08_067_netapi

Exploit in Focus

Metasploit should now show our desired exploit in its initial stream. The exploit will likely have variables though and we need to know what they are, otherwise the exploit may fail. We can find them out by entering the command

> show options 

MS08_067 Options in Metasploit

MS08_067s options should present themselves as above and we can see that two of the options (RPORT and SMBPIPE) are already populated. RHOST is not and is flagged as “Required: Yes” so we will need it. Luckily RHOST is a simple one to find in this case as it stands for Remote Host which is our XP virtual machine. To set our XP machines address as the RHOST type

> set RHOST <VM IP Address>

The next step will prove that all your hard work will have paid off, the execution of the exploit. To take the juiciest step all you need to type is

> exploit

Exploit Success in Metasploit

Once a few seconds have passed the terminal window should show meterpreter which will allow you to run various commands on your target. If you’d like to know what you can run simply enter the command

> help

which will list any available commands you can run. To verify you have successfully completed the exploit I would recommend running ipconfig to show the IP address of the machine as well as screenshot to be able to visibly see the machine running. If you would like to feel you hold real power, feel free to enter shutdown which, unsurprisingly, will shut down the virtual machine.

Personal Lessons

This exercise has allowed my knowledge to grow far greater than I had expected. Due to Windows XP’s reputation for poor security I had half-expected to follow a tutorial and have successfully carried out an exploit within about half-an-hour.

Struggling to follow this due to me using Service Pack 3 has taught me far more valuable skills than with the tutorial alone as I would have solely learnt how to execute one exploit with Metasploit, on one operating system.

Being unable to follow a structured tutorial has meant that not only have I learnt how to utilise Nessus; not only for Windows XP  but also other operating systems, but I have had to investigate how I would find exploits within an operating system which led me to Nessus. These skills are transferrable to more than just one exploit on one operating system which is infinitely more useful. Thoughout my career I have found that lessons I have learnt on one issue can be adapted for other problems I may face in the future and it is always important to not get put off at the first issue.