Video - Using Netcat to Exploit Server 2008

17 minutes
Share the link to this page
Copied
  Completed
You need to have access to the item to view this lesson.
One-time Fee
$99.99
List Price:  $139.99
You save:  $40
€96.05
List Price:  €134.47
You save:  €38.42
£78.28
List Price:  £109.60
You save:  £31.31
CA$143.28
List Price:  CA$200.59
You save:  CA$57.31
A$160.13
List Price:  A$224.20
You save:  A$64.06
S$135.03
List Price:  S$189.05
You save:  S$54.02
HK$777
List Price:  HK$1,087.84
You save:  HK$310.83
CHF 88.49
List Price:  CHF 123.89
You save:  CHF 35.40
NOK kr1,126.80
List Price:  NOK kr1,577.57
You save:  NOK kr450.76
DKK kr717.22
List Price:  DKK kr1,004.14
You save:  DKK kr286.92
NZ$176.87
List Price:  NZ$247.63
You save:  NZ$70.75
د.إ367.26
List Price:  د.إ514.17
You save:  د.إ146.91
৳11,929.84
List Price:  ৳16,702.26
You save:  ৳4,772.41
₹8,538.94
List Price:  ₹11,954.85
You save:  ₹3,415.91
RM448.65
List Price:  RM628.13
You save:  RM179.48
₦154,544.52
List Price:  ₦216,368.52
You save:  ₦61,823.99
₨27,792.76
List Price:  ₨38,910.97
You save:  ₨11,118.21
฿3,416.65
List Price:  ฿4,783.45
You save:  ฿1,366.80
₺3,519.17
List Price:  ₺4,926.99
You save:  ₺1,407.81
B$637.56
List Price:  B$892.61
You save:  B$255.05
R1,874.85
List Price:  R2,624.87
You save:  R750.01
Лв188
List Price:  Лв263.20
You save:  Лв75.20
₩145,711.39
List Price:  ₩204,001.77
You save:  ₩58,290.38
₪364.90
List Price:  ₪510.87
You save:  ₪145.97
₱5,865.41
List Price:  ₱8,211.81
You save:  ₱2,346.40
¥15,715.92
List Price:  ¥22,002.92
You save:  ¥6,286.99
MX$2,016.21
List Price:  MX$2,822.78
You save:  MX$806.56
QR363.08
List Price:  QR508.32
You save:  QR145.24
P1,386.50
List Price:  P1,941.15
You save:  P554.65
KSh12,902.70
List Price:  KSh18,064.30
You save:  KSh5,161.60
E£5,082.90
List Price:  E£7,116.27
You save:  E£2,033.36
ብር12,710.92
List Price:  ብር17,795.80
You save:  ብር5,084.87
Kz91,190.88
List Price:  Kz127,670.88
You save:  Kz36,480
CLP$98,919.10
List Price:  CLP$138,490.70
You save:  CLP$39,571.60
CN¥729.82
List Price:  CN¥1,021.78
You save:  CN¥291.96
RD$6,081.12
List Price:  RD$8,513.82
You save:  RD$2,432.69
DA13,508.78
List Price:  DA18,912.83
You save:  DA5,404.05
FJ$231.84
List Price:  FJ$324.58
You save:  FJ$92.74
Q768.97
List Price:  Q1,076.59
You save:  Q307.62
GY$20,886.35
List Price:  GY$29,241.72
You save:  GY$8,355.37
ISK kr13,953.60
List Price:  ISK kr19,535.60
You save:  ISK kr5,582
DH1,006.73
List Price:  DH1,409.47
You save:  DH402.73
L1,841.91
List Price:  L2,578.75
You save:  L736.83
ден5,908.74
List Price:  ден8,272.47
You save:  ден2,363.73
MOP$798.63
List Price:  MOP$1,118.11
You save:  MOP$319.48
N$1,856.28
List Price:  N$2,598.86
You save:  N$742.58
C$3,673.45
List Price:  C$5,142.98
You save:  C$1,469.52
रु13,596.38
List Price:  रु19,035.48
You save:  रु5,439.09
S/371.74
List Price:  S/520.45
You save:  S/148.71
K405.18
List Price:  K567.27
You save:  K162.09
SAR375.47
List Price:  SAR525.68
You save:  SAR150.20
ZK2,762.82
List Price:  ZK3,868.06
You save:  ZK1,105.23
L478.38
List Price:  L669.75
You save:  L191.37
Kč2,417.95
List Price:  Kč3,385.23
You save:  Kč967.27
Ft39,478.73
List Price:  Ft55,271.81
You save:  Ft15,793.07
SEK kr1,088.11
List Price:  SEK kr1,523.40
You save:  SEK kr435.29
ARS$102,698.50
List Price:  ARS$143,782.01
You save:  ARS$41,083.50
Bs689.84
List Price:  Bs965.80
You save:  Bs275.96
COP$441,236.66
List Price:  COP$617,748.98
You save:  COP$176,512.31
₡50,688.88
List Price:  ₡70,966.47
You save:  ₡20,277.58
L2,536.46
List Price:  L3,551.14
You save:  L1,014.68
₲778,577.57
List Price:  ₲1,090,039.75
You save:  ₲311,462.17
$U4,443.67
List Price:  $U6,221.32
You save:  $U1,777.64
zł409.39
List Price:  zł573.17
You save:  zł163.77
Already have an account? Log In

Transcript

Greetings and in this short video presentation we're going to see how we go about conducting a buffer overflow on a server 2008 installed. As described in security Bolton, Microsoft is 09 dash 050. For this particular lab, we'll be using an install on server 2008 32 bit SP one and the download for this particular install is available inside the lab. But regardless, you have to have the 32 bit edition for server 2008 sp one. Once we have our installation package or the ISO image for server 2008 32 bit downloaded, we can begin the creation for the virtual machine using VMware. And we begin by just going up to File and clicking on new virtual machine or clicking on the tile that says Create a new virtual machine.

Either one, we'll launch the new virtual machine wizard. We click Next. And now we're going to select the installation disk image using an ISO and we're going to browse on over to where we save the download for our server 2008 32 bit ISO image. Once we have selected the correct ISO image, the new virtual machine wizard will identify it. And in this case, that is Windows Server 2008 was detected. We click Next.

And now we don't have to worry about the product key because we're going to use the trial version. We're going to give it a user friendly name. We're going to type in the password and then we're going to select the box for logging on automatically. Once I'm assured that all the information is correct, I'm just going to click Next. And from here we can give the virtual machine a user friendly name such as server 2000 And, and we can also select the location for which we want to store the virtual machine. I like to keep mine off of my C partition, I like to put them onto an external partition, so they don't take up as much room.

So I've gone ahead and given my virtual machine a user friendly name of server 2008 target, I have stored it onto my E drive inside of my directory for virtual machines inside of a new folder called server 2008 target, and then I click next, we can leave the default for the 40 gig for the disk partition, and I'm going to store this virtual disk as a single file. I click next, and this is my confirmation page. Now this is the last chance I will have to go back into making any changes. I'm also going to check the box to power on this virtual machine after the creation and I click Finish. From here, the server 2008 installation process begins. And we only have one particular window that we're going to worry about.

And when we get to it, we will restart the video at that point. So the installation process will stop and it will ask me for a product key. But we do not have to have a product key and we don't need to tell it to automatically activate when it logs on for the first time, we can uncheck that box. And we can just say next, and that will start the trial period. And for this message that pops up asking you what do you want to do? Or when do you want to enter the product key you say?

No. And we can begin the installation process again. We're going to go ahead and select the standard. This is for the full installation. So we're going to select Windows Server 2008 standard installation, and we're going to click Next. Now we have to start Like the box that says I have selected the addition of windows that I that I purchased, and we click next and this begins to copy and process.

From this point forward, the installation process will complete on its own, and it will restart a couple of times. And when it's done with the installation, it will automatically boot you to the desktop with an automatic log on. Once the installation has completed, the VMware Tools will begin the installation process. Go ahead and allow that to complete and then we'll move on with the rest of the video. Once the VMware Tools have installed, the machine will need to reboot and when it does, it will come back up and we'll have access to our USB devices, our clipboard from our host machine and we'll be able to go fullscreen with our video. Now, once we have our clear desktop, we can begin by going to start and we're going to click on control panel and we're going to go into the window firewall.

And from here we're going to click on allow program through the Windows Firewall. And where it's comes up with the User Account Control, we're going to select Continue. And from here we're going to go down and find file and printer sharing. check that box and say Apply, say Okay, and now we can close up the firewall Management Console. Now since this export is designed for a file server 2008 we have to create a file to share so that we can enable the SMB service so we're going to go to start, we're going to go into computer and underneath the C drive, we're going to right clicking we're inside of the white window, we're going to go to new Select Folder, and we're going to call it share. Once we have created the share directory, we need to right click on that particular directory and then select Share from the context menu.

From here, we're just going to type in the everyone group. We're going to search for that. And we're going to add it. And we're going to select Share. We're going to allow the access to the user account control by selecting continue. And the share will be created in just a moment.

If the share process seems to be taking too long look for a hidden message that may have popped up behind the share being created window and see if that is available for you to go ahead and click on where it says do not allow this network to be shared publicly allow it to be only a private network. All right. So now we have created the share. And we can tell that this is a share because we had a to user icon wants to share the share is completed we can open it up just by double clicking it And we can right click inside the white window anywhere. And we're going to go to new rich text document. And we're going to type in top secret plans as the title for this document, paying particular attention how the name of the document is actually worded.

I've actually used underscore underscores between each of the words. This helps in the location of the file across the network with a Linux machine. Once the document inside of the share folder has been created, we're just going to go ahead and open it by double clicking it. And we're just going to type in the phrase, these are the plans. Once you have something typed inside of the document, you can go ahead and go to File and do a Save. And then you can close it out.

So the next thing we want to do is go ahead and confirm that we have network connectivity on our local network and we're going to do this by going Start. And in the search bar here, I'm going to type in cmd. It's going to be a command prompt. I'm going to type in IP config. Check my IP address, and I have an IP address of 192 dot 168 dot 145 dot 129. Now that I have discovered the correct IP address for my installation of server 2008, I'm going to go to my Cali machine.

I'm going to open up a terminal. And I'm going to attempt to ping this new server 2008 installation to ensure that we have network connectivity. So from the terminal of my callin machine, I have typed in ping 129 dot 168 dot 145 dot 129. And that is the IP address assigned to my server 2000 installation and we're going to see or check and confirm that we have connectivity and we do get a positive response back and our To break this sequence, I can just type in Ctrl C. And I'm back to the pump. We're ready now to begin the lab. And the first thing we're going to do is discover the network using n map.

So we'll begin by using n map to scan for all hosts that are currently on the 145 network. And I'm telling it that I want you to scan the last octet of the subnet mask or 255 hosts. So I'm going to go ahead and hit Enter. And in just a minute, we will see the results of the scan. So we've discovered all the hosts that are currently on the 145 network. And you can see that by the results, it's a pretty simple scan.

So we're going to step it up with another and that command to get some more interesting results. So from the previous scan results, I have chosen the IP address of one to nine as my next scan target and I'm going to use the end Map command dash st to look for all TCP IP ports that may be open on this particular target. And I'm now going to go ahead and hit Enter. And in just a moment, we'll get the scan results. So the scan has came back and we have the results and we're looking at three particular ports of interest, first port 135 139. And in particular port 445, which we know is used when the SMB service is installed and run.

One of the most useful and map options that we have is the dash capital O, which allows us to determine or identify the operating system. So I'm going to go ahead and use the 192 address again and I'm going to use the dash capital O option and hit enter and we'll see what comes back. So the scan results do come back and they are inconclusive. Because we don't have enough information to actually determine that this is a server 2008 installation, but we do have other options that we can use to scan and further confirm our suspicions. In this next part of the lab, we're going to fire up the administrator console. And we're going to use one of the scanner that is available up inside of the MS console to check the machine further and confirm that it actually is a server 2008 installation.

The launch misquote, I'm just going to go to my terminal prompt and type in M MSF console. And I'm going to hit enter, give it a moment, and it will load up the MS console for me. Once the meta sploit console has completed loading, we're going to go ahead and type in the use Command. And we're going to use a scanner call the SMB underscore version. So I'm going to type in you Space auxiliary port slash scanner or slash SMB, or slash SMB underscore version than just going to hit Enter. And now we have to type in some option.

So once we have told us what the scanner that we want to use, notice that the prompt changes. Now we have to go in and configure the options. To figure out which options need to be configured, we use the show command, followed by the word options. And I'm just going to go ahead and hit Enter. And we see what options have to be configured. going across from the top underneath name, we see that there is the our host that must be configured.

And if you look underneath that required, it will tell you yes or no. We also see what the description for that particular option is. So we're going to type in set so that we can set the option for the remote host and we're going to type in the IP address. That we want to check for an SMD version. The command is set space, our host for remote host space, the IP address of the target, in this case, that's 192 dot 168 dot 145 dot 129. Now I'm going to hit Enter, and give it a moment and it will come back with another prompt asking me to go ahead and run or launched this particular scanner.

To launch the scanner, all we have to do is type in the run command and hit Enter. And in just a moment, it'll come back with the results. And here we see that the host is running Windows Server 2008 standard SP one, which is what we want to know. We can confirm that this is the correct version displaying going back to our target. And at the search window. We can just type in winrar for Windows version, and we can hit enter and we'll get a pop up window letting us know that this says Windows Server 2008 sp one.

So now that we have discovered that we are attacking, or we have a target that is server 2008, we need to find an exploit. So I'm going to type in the command back. And that's going to take us back one level. And now we're going to do a search for 2008. And I'm going to type in search 2008. And we'll see what pops up from the results.

And you see there's quite a few we have to scroll down and everything is an apple medical order. By the way, we have to scroll down and find the export for the windows SMB, Ms. 09, underscore zero 50 underscore SMB to underscore negotiate underscore function, underscoring this, that's the actual export we're going to be using. Once I highlight that I'm going to go ahead and copy it. And we're going to move back down here to the prop I'm going to type in a use. And now I'm going to paste what I copied. And we'll see that the prompt changes.

If you would like some more information about this particular exploit, you can back off one level and just change the word use with info. And you'll get all the information you ever want to know about this particular exploit. Again, we have options to configure. So we're going to use the show options command. Once I've typed in the show options command, I'm just going to I'm going to go ahead and hit Enter. And we see that we have to configure three things, the remote host, the port, which is already done for us, but we've also got to configure the local host, which will also do and we have to select a payload.

So for my remote host, I'm going to go in and type in the IP address along with the set our host command. And now I'm going to hit enter And that's complete. The localhost is the callee machine. And I know mine to be having an IP address ending in 132. So we'll go ahead and hit enter for that. For this particular lab, we're going to want to create a reverse hosts with our victims so that we can run some commands and exploit it to its full potential.

And for that, we're going to use meta printers. So I'm going to go ahead and use a meta printer, reverse shell payload, I'm going to go ahead and type in set payload to Windows meterpreter, reverse underscore TCP and hit enter. Now, the first time you run this particular exploit, it may go ahead and blue screen or cause your server 2008 to reboot, which is part of the characteristics of a buffer overflow. So we get that denial of service, but once it comes back up, you should be able to run the command again and establish a meterpreter prompt. So we're going to go and type in exploit. And now we hit enter.

The meta trader prop is the signal that you have successfully delivered the payload. And that brings us to the conclusion for this short video presentation. But do continue on with the lab as there's a lot of good post exploitation left to do. And I want to thank you for watching and I hope to see you in my next online video. Thank you

Sign Up

Share

Share with friends, get 20% off
Invite your friends to LearnDesk learning marketplace. For each purchase they make, you get 20% off (upto $10) on your next purchase.