Okay let’s jump into this. I started with the Metasploit book, mainly because I got it in the mail first. This book is pretty cool right from the start. I wouldn’t recommend skipping around the book as you do with some technical reads as it appears this book builds upon itself.
The first thing I did was set up my target machine. The instructions in this book are 90% accurate. I had some issues finding a compatible version of SQL Server Management Studio. The links provided in the book for most things don’t seem to be accurate anymore.
I also had a little trouble finding Windows XP SP2. I had to go to some shady sites in order to acquire a copy… We will leave it at that lol… Thankfully you only need to google “Windows XP SP2 Key” in order to get a giant list back.
I had to set up the server a few times. The first time I set it up I followed the instructions in the book letter by letter. Unfortunately this produced a non-vulnerable system. So after some frustration I nuked it and did it again. After attempt 3 or 4 I finally managed to get it right.
Normally I would complain about having to set this up so many times. However, I have always been a big believer in fully understanding systems. I didn’t mind having to do this repeatedly because it just made me more comfortable with the underlying systems.
The Metasploit book does a pretty good job walking you through some scanning. I think for this category, though, I found “The Hacker Playbook” a little better. I can’t say for sure just yet because I just started, but it seems that I will probably be using a combination of the books throughout all my learning. At this point I can’t recommend any single book. I will say I learned a TON more from THP than Metasploit about scanning thus far.
THP walks you through Open Source Intelligence Techniques (OSINT). This is extraordinarily powerful when attempting to gather information on your target. Using tools such as discovery, recon-ng, nslookup and more you will be able to gather a ton of valuable info on your target. Unfortunately, since I have a brand new server with no domain attached to it, it’s not really useful for testing in our environment. I did however get a chance to run it against my DotNetRussell.com server and it was very cool to see all the info publicly available.
The First Exploit
After OSINT and scanning for vulnerabilities, it’s time for your first exploit. At this point I have already identified all of the open ports and services on my target server. I’ve grabbed the banner on the server, detected the system OS version and decided that the first exploit I am going to try and run is going to be MS08-067. This bug allows an attacker to get remote code execution through RPC commands. You can read more about it on TechNet.
According to the Metasploit book this exploit is still shockingly prevalent in the wild. As I have never exploited a system ever in my life, I can’t tell you if this is true or not, so I guess we will have to take their word for it. I will say that with Metasploit it’s kind of like hand-wavy magic. You just punch up Metasploit, use the ms08_067_netapi exploit, set your target and run. The next thing you know you drop into a meterpreter session and you own the machine. It’s just like I’m living in 1995’s “Hackers”. I was half expecting to fly around a file system with a giant Pac-Man coming after me.
After the initial excitement wore off, I looked into the commands I had from meterpreter. I decided to see if I could navigate to the root site directory and replace the default.aspx file. Sure enough a few commands later I had defaced the site.
Part 1’s Conclusion
So far so good. I’m excited to continue to move through these books. I am extremely worried that they are teaching procedural techniques instead of going into further details that will make me a great hacker. I have always been a believer that if you don’t understand how it works then you can’t exploit it effectively. I am also a believer that with some work I can supplement the knowledge I need.
On to the next exploit!