One of the biggest challenges I run into doing evaluations with Metasploit Pro (or any Metasploit for that matter) is getting an exploit to run successfully. Though Pro is the most efficient way to run a penetration test, there are always still obstacles to getting a successful session.
One way to increase the odds of getting a session is to know that the device you’re testing against is vulnerable, and the best way to make sure a device is vulnerable is to make it vulnerable. Here’s a quick and easy way HD taught me to do just that.
The challenge with vulnerability exploitation is that there are only so many variables you can control, and in order for a successful session to spawn, all of these variables must be in the correct state. For example, different parameters will have to be modified in Metasploit if a host firewall or endpoint protection is enabled on the target. When I first set up the test environment I went for the gusto with a bunch of devices with tough vulns to exploit, without any success. After hours of frustration I gave myself a reality check and eliminated as many variables as I could. Once I was able to get a successful session open, I started introducing other variables into the equation. There were two reasons why this was a good idea: one, it boosted my confidence, and two, it was a valid sanity check. Without eliminating the variables and actually executing a session, there wasn’t any proof that my network was set up for it.
The easiest way to make an XP machine vulnerable to a reliable exploit, if you don’t have an SP2 machine available, is to enable the print spooler vulnerability (details here: http://support.microsoft.com/kb/2347290). The exploit for this vulnerability is extremely reliable, so if you’re able to connect to the machine correctly and your variables are in check, you should be able to get a session.
Here’s the actual exploit: http://www.metasploit.com/modules/exploit/windows/smb/ms10_061_spoolss (keep in mind, this isn’t meant to be done on production devices).
Step 1: Open up the XP machine or VM and open up the “Printers and Faxes” menu.
Step 2: Add a local printer. Click next, choose “Local Printer Attached to this Computer”. Click Next.
Step 3: For “Use The Following Port” select “FILE: (Print to File)”. Click Next.
Step 4: Choose a printer type (it doesn’t matter which type).
Step 5: Set the printer as a default printer.
Step 6: Share the printer, choose a share name and you’re done.
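As an added sanity check that is not part of the original post, the batch script below verifies on the XP lab host that the six steps above produced the intended state: the Print Spooler service is running, a printer is shared, and the fix referenced above (KB2347290) is not installed. It assumes the stock XP `sc`, `wmic` and `netsh` tools are available.

```batch
@echo off
rem Added example, not from the original post: check the lab host's state
rem after the six GUI steps. Exits 0 when every check passes, 1 otherwise.
setlocal
set RESULT=0

rem 1. The Print Spooler service must be running, or nothing listens on spoolss.
sc query Spooler | find "RUNNING" >nul
if errorlevel 1 (
    echo [!] Spooler service is not running
    set RESULT=1
) else (
    echo [+] Spooler service is running
)

rem 2. At least one printer must be shared. WMIC prints "No Instance(s)
rem    Available." instead of a "Name" header when nothing matches.
wmic printer where "Shared=TRUE" get Name,ShareName,PortName,Default /format:list
wmic printer where "Shared=TRUE" get Name | find /i "Name" >nul
if errorlevel 1 (
    echo [!] No shared printer found
    set RESULT=1
) else (
    echo [+] Shared printer present
)

rem 3. The MS10-061 fix must be absent, otherwise the target is already patched.
wmic qfe where "HotFixID='KB2347290'" get HotFixID | find "KB2347290" >nul
if errorlevel 1 (
    echo [+] KB2347290 is not installed: host is still exposed to MS10-061
) else (
    echo [!] KB2347290 is installed: the module will not get a session
    set RESULT=1
)

rem 4. Show the XP firewall service table so you can confirm by eye that
rem    "File and Printer Sharing" is enabled (one of the variables in play).
netsh firewall show service

if %RESULT%==0 (
    echo [+] Lab host matches the intended state
) else (
    echo [!] Fix the items marked [!] before running the module
)
exit /b %RESULT%
```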
To exploit this vulnerability, you can run an automated exploitation (after a scan, of course) under the “Excellent” category, or you can run the individual module 67988 (the OSVDB number). Keep in mind that this exploit takes approximately 2 minutes to execute properly, so if you’re getting impatient, just give it a minute =].
If all your other variables are under control, you should get a Meterpreter session opened.
This was a great first step for me to get things rolling with not only my test environment, but with my understanding of exploitation, variables, and networks. Obviously I wouldn’t want to intentionally make something vulnerable while on an engagement for a client, but for a litmus test, or purely for a sanity exercise, it helps out quite a bit.