Wednesday, 27 May 2015

Crash Windows 7 Using Metasploit and Remote Desktop Connection Vulnerability



Crashing Windows 7



Now while the story so far has been smooth and cozy, it gets a bit tough from here on. For modern operating systems like Windows 7, there aren’t any magical exploits like the ones we had for unpatched Windows XP machines. We had been able to hack Windows XP and try some meterpreter features on the exploited XP machine. However, when it comes to Windows 7, there aren’t any direct exploits for gaining access to the machine. We can try some client side attacks, etc. Social engineering toolkit would be great for stuff like that. However, there is still one vulnerability that waits to be exploited. In Windows 7, there is a hole in the RDP port (3389) which can work over LAN as well as over the internet. Over the internet stuff can get a bit tougher, however on the LAN, this should be a piece of cake (if you have successfully followed out pentest tutorials so far).

Requirements
Now you will require an attacker Kali machine, and a victim Windows machine, both running on Virtual machines. Windows 7 should be a fresh install, with no updates, as they can patch the vulnerability, making it unexploitable. Now when you have got all this setup, you can move on to further steps.

Information Gathering
Now we’ll have to find out the IP of out victim. This would have been complicated in a real life scenario, but in our case, you just go to Windows 7, open command prompt, and type ipconfig. You should be looking for IPv4 address of Local Area Network.



In our case thats where the information Gathering Stops

Starting Metasploit
Now execute the following commands to start metasploit framework
service postgresql start
service metasploit start
msfconsole
So now you have msf console opened up (note my codes will still display root@kali but you don’t mind it).

Exploit
Now select the exploit that we are going to be using-
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
Now do a show options, it will tell you that it only requires two options, RHOST and RPORT. Rport is obviously 3389, the remote desktop port. The RHOST is the one you found out in the information gathering step. The use the following code to set the RHOST
set RHOST 192.168.—.—
Surprising as it may seem, we are done already. Just type
exploit
The target machine will get a Blue Screen Of Death and will reboot. You can do this as many times as you feel like, and in real life scenario, it can be really annoying, considering it can be done over the internet too.

Possible Problems



If you get an error of this sort, then most probably your Windows 7 machine has firewall enabled, and is blocking your packets. An antivirus could do the same thing. There might be some issues with the LAN connection too. A good diagnosis test would be to ping the machine. Go to a kali terminal and execute
ping 192.168.—.—
After waiting for a while, press ctrl + c which will stop the pinging. Look at the result-



If you get something like this (0 packets received), then there is absolutely no communication between the Kali and Windows machine (in effect, they are not on the same network, even though they are). That’s why the exploit doesn’t work.



Something like this means that the connection is just fine, and probably the Windows machine has become immune to the attack due to some patch. (see : https://technet.microsoft.com/en-us/library/security/ms12-020.aspx)
If its the former case, then you’ll have to find a way to get the connection working, and if its the latter, then try disabling firewall, antivirus, and maybe setting the network as home instead of public. Then go to advanced sharing settings, and choose all the options that you think will make your computer easier to hack.
If possible, see if you can uninstall installed updates. The final thing to do is to get an early unpatched release of Windows 7. In some cases installing VMware tools might help.

Enable Remote Desktop
In many Windows releases, remote desktop is turned off by default. To enable it, follow these steps-
Go to System (Control Panel\System and Security\System). Click on Remote settings. Select the “Allow Remote Connections to this computer” button. Click ok.



Select the allow option. By default don’t allow is selected in many Windows releases.

1 comment:

  1. In this fashion my buddy Wesley Virgin's report starts with this shocking and controversial video.

    You see, Wesley was in the army-and shortly after leaving-he discovered hidden, "SELF MIND CONTROL" tactics that the government and others used to get everything they want.

    As it turns out, these are the EXACT same SECRETS lots of famous people (especially those who "come out of nothing") and the greatest business people used to become wealthy and famous.

    You probably know how you only use 10% of your brain.

    Mostly, that's because the majority of your BRAINPOWER is UNCONSCIOUS.

    Maybe this thought has even occurred INSIDE OF YOUR own head... as it did in my good friend Wesley Virgin's head about 7 years back, while driving an unlicensed, garbage bucket of a car without a license and with $3.20 on his bank card.

    "I'm very fed up with going through life check to check! Why can't I turn myself successful?"

    You took part in those types of conversations, ain't it so?

    Your success story is going to happen. You just have to take a leap of faith in YOURSELF.

    Watch Wesley Virgin's Video Now!

    ReplyDelete