MS08-067, Microsoft's 67th security bulletin of 2008, is an update patching a critical, widely known and frequently encountered vulnerability in systems running Windows 2000, Windows XP, and Windows Server 2003. Since then the community has, somewhat lovingly, referred to the vulnerability itself by the same name.
A Kali Linux machine (https://www.kali.org/).
A machine running one of the Windows operating systems listed above.
A means of connection between the machines (LAN cable, home network, etc.).
Note that this OS must not have received the MS08-067 update, or indeed any update since 2008. You can procure a fresh XP installation without updates for this.
I used VMware to create 3 virtual machines. The machines are to communicate with each other. From here, I will use the Kali system to penetrate Windows XP and Server 2003.
Part 1: Passive Reconnaissance and Attack Setup
On the Kali machine, log in with the default credentials (kali/kali).
Metasploit (https://www.metasploit.com/) is a penetration testing framework that comes preinstalled with Kali. Click the Kali icon at the top left, search for "metasploit framework" and start it. Log in with the same password.
Now, open a new (normal) shell by clicking the “Terminal Emulator” icon at the top right.
Then enter the sudo su command for administrator rights (same password), followed by the ifconfig command to find the Kali machine's IP address.
Now, this is a big one. First, we use the nmap -O [network ID]/[subnet mask] command.
nmap ("Network Mapper") is an incredibly useful open source command-line tool for network scanning. The -O flag enables OS detection, which checks what operating systems the devices on the network are running.
We can find [network ID] by taking our own IP address and replacing the last nonzero number with 0. For example, my address was "192.168.73.128". Since all four numbers are nonzero, I simply replace the last one to get "192.168.73.0". This is the network ID my machine(s) are connected to.
[subnet mask] can be calculated by counting the nonzero fields in the network ID and multiplying by 8. The network ID "192.168.73.0" has 3 nonzero fields and 1 zero, so the subnet mask is 3*8=24, meaning the mask is 24 bits (out of 32) long. This shortcut assumes the netmask ifconfig reported for the interface was 255.255.255.0; when in doubt, the netmask field in that output is the authoritative value.
Now we can start the scan. It has to probe every possible host address in the network (254 of them!), so it may take a little while.
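The network ID and prefix length above were worked out by hand. The following added example (not code from the original post) does the same calculation from the address and netmask that ifconfig prints, using Python's standard ipaddress module, and also implements the post's octet-counting shortcut so the two can be compared. The addresses in it are constructed test values; the shortcut agrees with the real answer for the /24 network in the post but not for every network.

```python
import ipaddress


def network_cidr(ip: str, netmask: str) -> str:
    """Derive the network in CIDR notation from a host address and its netmask,
    i.e. the two values ifconfig prints for the interface (e.g. 192.168.73.128
    and 255.255.255.0 give 192.168.73.0/24)."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    return str(iface.network)


def usable_hosts(cidr: str) -> int:
    """Number of host addresses a scanner has to probe in the network
    (network and broadcast addresses excluded for prefixes shorter than /31)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def heuristic_network_cidr(ip: str) -> str:
    """The shortcut from the post: zero the last nonzero octet, then take
    8 bits of prefix length per nonzero octet that remains."""
    octets = [int(o) for o in ip.split(".")]
    last_nonzero = max(i for i, o in enumerate(octets) if o != 0)
    octets[last_nonzero] = 0
    prefix = 8 * sum(1 for o in octets if o != 0)
    return ".".join(map(str, octets)) + f"/{prefix}"


def heuristic_agrees(ip: str, netmask: str) -> bool:
    """True when the shortcut yields the same network as the real netmask math."""
    return heuristic_network_cidr(ip) == network_cidr(ip, netmask)


if __name__ == "__main__":
    # Constructed sample interfaces: (host address, netmask as shown by ifconfig).
    samples = [
        ("192.168.73.128", "255.255.255.0"),  # the post's case: shortcut agrees
        ("192.168.0.128", "255.255.255.0"),   # zero third octet: shortcut says /16
        ("10.0.7.5", "255.255.255.0"),        # shortcut yields an invalid network
    ]
    for ip, mask in samples:
        real = network_cidr(ip, mask)
        print(f"{ip:16} mask {mask:16} -> {real} ({usable_hosts(real)} hosts); "
              f"shortcut: {heuristic_network_cidr(ip)} "
              f"{'ok' if heuristic_agrees(ip, mask) else 'WRONG'}")
```

Run as a script it prints one line per sample; the second and third show why reading the netmask from ifconfig beats counting nonzero octets before handing a target range to nmap.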
1: IP ADDRESSES
On my output, we can see nmap reports for 3 addresses — this is where nmap has found hosts/other devices.
2: OS CPE
This field gives the Common Platform Enumeration (CPE) identifiers of the candidate operating systems. We narrow the targets down to .129 and .130, one of which is running XP and the other Server 2003.
Luckily, the scan has also revealed that .130 has one more open port: 1025, labelled NFS-or-IIS. A quick Google search will tell you that NFS and IIS stand for "Network File System" and "Internet Information Services" respectively. Both of these services would likely be in use by a server.
Therefore, we can conclude that the IP address ending in 129 belongs to the XP machine, and the one ending in 130 belongs to the server.
Part 2: Attack
First, I conduct an attack on the XP machine. Return to the Metasploit shell and enter the command
to find the exploit for the vulnerability and enter
use [#], or
to directly access it.
Use the command
set rhost [IP Address of XP machine] to declare the target, and finally,
If the attack worked, you should notice your prompt changing from msf6 > to meterpreter >. From here, you can issue commands like:
Take note of these commands, especially upload. They give us an Administrator command prompt on the XP computer and the ability to put any file anywhere on it with ease. From here, virtually any significant action that the compromised computer's authorized administrator could perform locally can be performed from our end as well. Safe to say, this computer has been successfully hacked.
Next, we move on to the Windows server. The process of exploiting the MS08-067 vulnerability is the same; this time our goal is to find the server password.
exit the current XP meterpreter session prompt, then
set rhost [Server 2003 IP] and
Once in, use the meterpreter command search -f to locate secret.txt. It works similarly to grep in UNIX CLIs, with -f specifying the file names to look for. Once the file is located, use the cat command to concatenate, or view, it.
Copy the encoded text. This was encoded using base64 (an encoding scheme, not encryption), which I arrived at via trial and error of multiple encoding standards. Decoding it gave me the password of ictusr: p@ssword1504!
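The trial-and-error step above can be made systematic. The following added example (not code from the original post) checks whether a token found in a file is a reversible encoding such as hex or base64 that decodes to readable text, which is what a defender auditing configuration files for credentials stored in plain sight would want to flag. The sample tokens are constructed inside the block; the value from the post is not used.

```python
import base64
import binascii
import string

# Decoded bytes must be non-empty printable text to count as a hit;
# random-looking bytes mean the token was not really that encoding.
_PRINTABLE = set(string.printable)


def _as_printable_text(raw: bytes):
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text and all(ch in _PRINTABLE for ch in text):
        return text
    return None


def identify_reversible_encoding(token: str):
    """Return (scheme, decoded_text) for a token stored as hex or base64,
    or ('unknown', None) when it is neither.

    Hex is tried first because every hex string is also a valid base64
    alphabet string; decoding as hex first avoids misclassifying it."""
    token = token.strip()
    if len(token) % 2 == 0:
        try:
            text = _as_printable_text(bytes.fromhex(token))
            if text is not None:
                return ("hex", text)
        except ValueError:
            pass  # not hex: fall through to base64
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        text = _as_printable_text(base64.b64decode(token, validate=True))
        if text is not None:
            return ("base64", text)
    except (binascii.Error, ValueError):
        pass
    return ("unknown", None)


def audit_secrets(entries):
    """Given (label, stored_value) pairs from a config file, list the entries
    whose value is merely encoded, i.e. recoverable without any key."""
    findings = []
    for label, value in entries:
        scheme, decoded = identify_reversible_encoding(value)
        if scheme != "unknown":
            findings.append((label, scheme, decoded))
    return findings


# Constructed sample "config" values; the base64 one is built here, not copied
# from any real system.
SAMPLE_B64 = base64.b64encode(b"demo-password").decode()
SAMPLE_HEX = b"pass".hex()
SAMPLE_ENTRIES = [
    ("svc_account", SAMPLE_B64),
    ("legacy_pin", SAMPLE_HEX),
    ("api_token", "hello"),  # invalid length for base64, not hex
]

if __name__ == "__main__":
    for label, scheme, decoded in audit_secrets(SAMPLE_ENTRIES):
        print(f"{label}: stored as {scheme}, recovers to {decoded!r}")
```

Anything the audit reports is effectively stored in plaintext and should be moved to a proper secret store or protected with real encryption, since a reader with file access recovers it exactly as shown in the post.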
Part 3: Ethicality and further reading
Before performing any ethical hacking, ensure that you know and understand the nature and characteristics of the client organization’s business, system and network. This will guide you in handling yanoianod yadanioa kaiogn aoihg kljdnfbgks o ij g;oisdfkbjn iosjd;igo skvjs ;doigr jsdkjgneknyhaoirjkemn yuoynueobrng enmbg kjentjgejbrjhtbehj nnighaejfd eaifoha btkjbawkhitgb awjh fgiasekmf auhtrionght boehbog s ayv. You get the idea.
Hope you enjoyed this guide. It is rather basic, showing how to exploit MS08-067 but not explaining the vulnerability itself. For a deeper understanding of this stack corruption/buffer overflow vulnerability, I recommend this whitepaper by Jason Matthyser. Be warned: you will probably need a fairly advanced understanding of computer logic, standards, structures, and processes, as well as assembly language, to fully grasp the intricacies and weakness behind MS08-067. Happy pentesting!