Greetings, and in this video presentation we're going to see how we go about using meterpreter to backdoor a Windows XP target. So with every virtual lab that we do here inside of this course, we need to first confirm network connectivity. So on my Kali machine I've done an ifconfig, I've located my eth0 adapter, and I have confirmed that I have an IP address ending in 133. So over here in my Windows XP machine I see that I'm on the same network and I have an IP address ending in 131. Now I'm going to go back over here, and I'm going to ping that 131 to see if I get a confirmation that these two machines can see each other. So at the terminal on my Kali machine, I have typed in ping and, again, the IP address of my Windows XP target. I'm going to go ahead and hit Enter, and it comes back with positive responses.
I can go ahead and hit Ctrl-C to break the sequence and we're back to the root prompt. So at the prompt I typed clear, and that cleans up my terminal so I get a nice clean working space. And now we're ready to proceed on with the lab. Now, if I was new to this network and I didn't know about my Windows XP machine, I would go ahead and just run Nmap and I would scan the entire subnet looking for targets or potential targets. You're free to go ahead and do an Nmap scan of your entire subnet, nothing wrong with that. I'm going to go ahead and move forward and just do the Windows XP target machine.
So I've typed in nmap -A followed by the IP address of my Windows XP target. I'm going to go ahead and hit Enter, and in just a moment it's going to come back with some good results. That was a long Nmap scan. And we come back and we look at the results. Now what happened here was I got tired of waiting, so I thought maybe it was hung up, so I just hit Enter. Well, when you do that with Nmap, it comes up and it tells you what's going on in the background, how long it's going to take and how much time is remaining.
All that fun stuff. So you can hit Enter and you can get a status update on your Nmap scan. So it tells me that the ports I need are currently open, such as 445 and 3389, it comes up with the MAC address, and it lets me know that it's running as a VMware virtual machine. We also got some other information down here such as the pipe, which is what we're interested in; we need to know this. So the target machine in this case is XP, running SP2, and it is the Professional version. So after I've got my results from that Nmap scan, I'm pretty satisfied with the results.
I'm going to go ahead and clear the terminal one more time. And at this new prompt, I'm just going to type in msfconsole and I'm going to go ahead and hit Enter. This is going to start Metasploit. I need to create a meterpreter session with this Windows XP target. So I'm going to use my old standby for creating a reverse shell, and that is ms08_067_netapi. Now to do this, at the msf prompt I'm going to type in the use command, followed by the exploit that I want to use, which is located in the windows/smb folder, and it's called ms08_067_netapi. I'm going to go ahead and hit Enter with that.
And in just a moment my prompt is going to change, letting me know that I've now loaded the exploit. We can use the show options command to see what options need to be attended to before we can get into this meterpreter session. So I've done a show options, and it tells me that the remote host must be set. The port, 445, is already set. And we already have the SMB pipe set to BROWSER. So I'm going to go ahead and do a set RHOST and type in the IP address for my Windows XP target. There is no shame in confirming anything, so if you're having any doubt or any trepidation about what the IP address of your Windows XP machine is, go check, come back and type it in correctly.
You don't want to have to do this three or four times. I'm going to go ahead and hit Enter. And my remote host has now been set to the IP address of my Windows XP target. With everything looking good, I'm now ready to establish that reverse shell that I need from a meterpreter session with my Windows XP target. I'm going to type in exploit and hit Enter. And in just a moment, it's going to establish that session for me.
And we know the session established correctly because I now have a meterpreter prompt. To run some DOS commands using the command prompt on the Windows XP machine remotely through my meterpreter session, I can type in shell and I will establish a connection over to that Windows XP machine using a DOS prompt. We can use the netsh command along with some additional syntax to check out what operational mode our firewall is in on the remote target. So I've typed in netsh firewall show opmode. And if I hit Enter, in just a moment it's going to come up and show me that the status of the firewall is currently disabled. But you can also use the netsh command to not only disable it, but if you're a Windows administrator, you can use this command at the command prompt of any Windows machine to turn on the Windows Firewall.
If we enable the firewall, it will disable our session, so we're not going to do that. So at the Windows prompt I type exit to get me back to the meterpreter prompt, so that I can run my next command. This next command is going to allow me to look at all the options I have for setting the username and password for the remote desktop. So I'm going to go ahead and hit Enter here. In a second here, we can see that -u sets the username, and that -p sets the password.
So we're going to go ahead and finagle us a little bit of a command here. And you can use any username and password you want, just remember what it is. So I'm going to right-click, and I'm going to go ahead and paste what's in the lab. We're going to run getgui, and we're going to give it a space, a -u and the username. The username I'm going to log on with is MadDog. And I'm given another space, -p, and the password I'm going to use is hat.
I'm going to go ahead and hit Enter. Now it tells you a lot of information here on this terminal and you've got to pay attention, because we have a cleanup script that's going to remove this user MadDog and get rid of the password that we set for MadDog. So make sure that you type in the following when you're all done and you want to clean up your mess, or your tracks. So what I'm going to do now is right-click and copy this. And I'm going to bring up a txt file. And in this text file here, I'm just going to go ahead and paste this.
And now I'm just going to minimize it. When I'm all done and I want to clean up my tracks, I can use this helpful script that'll do all the work for me. We're all done with meterpreter, and we're all done with Metasploit. So we can just type in exit twice, typing it one more time.
That brings us back to a prompt and you can type in clear, and now you have a clear terminal to work with. So I've cleared my terminal one more time. And we're now ready to establish that Remote Desktop session with my Windows XP target. So I've typed in rdesktop -u, my username MadDog, -p, my password of hack, and the IP address of the target. Let's go ahead and see if we can now get some connectivity going here. And a Remote Desktop session pops up.
And it lets me know that the administrator has been disconnected from the computer, do you want to continue? I say yes. Now you have to be patient, because it's going to take a few minutes for it to acknowledge some messages that are popping up over there on the XP machine. But once that happens, you will get your remote desktop. So I'm now into my Windows XP target using RDP from my Kali machine. And I pretty much have the run of this machine as an administrator and I can do whatever I want. So I'm going to go up here to my taskbar, and I'm going to find the rdesktop window.
I'm going to go ahead and quit. I'm back at my prompt, and I'm now going to go back into my meterpreter session. And we're now going to clean up the mess that we created over there on the Windows XP target using that script. So remember, I'm just using my up arrow as I'm going through here, and I'm finding the information that I need, such as loading the exploit. So I'm going to go ahead and do that first and let that happen.
Now I'm going to go ahead and set the remote host one more time. Now I'm going to go ahead and hit exploit. And in just a moment, I'll have my meterpreter session back up and running. And there it is. Now I'm ready to bring up the script, or the text file that has the script. So I'm going to go ahead and copy this over, I'm going to right-click in here and copy that, and now I'm just going to minimize this.
And I'm going to take it over here to my meterpreter session. And I'm just going to paste that in there, like so. And I'm going to hit Enter. And it's going to come back and hopefully tell me that everything's been cleaned up, and it says that it successfully deleted MadDog. All right, well, very good. Yes, that was very good.
But we're not quite done cleaning up our tracks yet. We have to get rid of all the event logs. Anybody with a little bit of knowledge could go in and locate and figure out that, yeah, this machine was hacked. So we don't want to give them that ammo. So we're going to do another command here called clearev, or clear the events. And we're wiping out 75 records from Application, 120 records from System and zero records from Security.
We're now ready to kill any jobs that may be left running. So I'm going to type in exit. And at my next prompt, I'm going to type in jobs -K; I'm just going to copy and paste that right in from the lab, just like that. And that's going to stop all jobs. So by now you should be getting used to using Metasploit and figuring out how to get a real quick, down and dirty meterpreter session going with your target machine. Now a lot of these labs will work with newer operating systems, but I will tell you that if the firewall is enabled, Windows Defender is running, or McAfee or Symantec is up and running and has a firewall, then the lab will obviously fail.
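From the defender's side, the lab above leaves a recognisable trail on the XP host: a local account appears, it logs on over RDP, it is deleted again, and then the event logs are emptied. The following Python is an added example, not part of the course or of Metasploit, that correlates those artifacts in an export of Security-log records. It assumes the pre-Vista (Windows XP) event IDs (624 account created, 636 member added to a local group, 528 logon with type 10 = Remote Desktop, 630 account deleted, 517 audit log cleared), assumes getgui places the new account in local groups, and the sample records and their pipe-separated layout are constructed for the demonstration.

```python
"""Correlate the host-side traces of a getgui / rdesktop / clearev sequence.
Added example; event IDs are the pre-Vista ones and the export format is constructed."""

# Constructed export, oldest record first: EventID|Account|Detail
SAMPLE_EVENTS = """\
528|Administrator|LogonType=2
624|MadDog|Caller=SYSTEM
636|MadDog|Group=Administrators
636|MadDog|Group=Remote Desktop Users
528|MadDog|LogonType=10
630|MadDog|Caller=SYSTEM
517|SYSTEM|Detail=The audit log was cleared
"""


def parse_events(text):
    """Turn the pipe-separated export into a list of dicts (id, account, detail)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, account, detail = line.split("|", 2)
        events.append({"id": int(eid), "account": account, "detail": detail})
    return events


def analyze(events):
    """Walk the records in order and return alert strings for the suspicious chain:
    account created -> added to groups -> RDP logon -> account deleted -> log cleared."""
    alerts = []
    created = set()    # accounts whose creation we saw in this export
    rdp_used = set()   # created accounts that later logged on over RDP
    for ev in events:
        acct = ev["account"]
        if ev["id"] == 624:
            created.add(acct)
            alerts.append(f"new local account created: {acct}")
        elif ev["id"] == 636 and acct in created:
            group = ev["detail"].split("=", 1)[1]
            alerts.append(f"new account {acct} added to {group}")
        elif ev["id"] == 528 and "LogonType=10" in ev["detail"] and acct in created:
            rdp_used.add(acct)
            alerts.append(f"RDP logon by freshly created account: {acct}")
        elif ev["id"] == 630 and acct in rdp_used:
            alerts.append(f"short-lived account deleted after RDP use: {acct}")
        elif ev["id"] == 517:
            # clearev empties the log; the "log cleared" record itself survives it
            alerts.append("audit log cleared (anti-forensics)")
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Note that the final 517 record is the one trace clearev cannot remove, which is why log forwarding to a separate host is the usual mitigation.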
This type of exploit, this type of lab, is designed for machines that have their firewall turned off, that have not been patched and that have weak passwords. In this short video presentation we saw how to use meterpreter to backdoor a Windows XP target. So if you have any questions or you have any concerns about the lab or the video, please don't hesitate to reach out and contact your instructor, and I'll see you in my next video.