Exploits
Ok… so on a particular LAN that I happen to have access to, there is a particular computer that I am interested in (we'll just say that it's another one of mine). Long story short, I want access to it. So after a short nmap scan I found out the following information:
Starting Nmap 5.00 ( http://nmap.org ) at 2011-04-28 16:52 EDT
Interesting ports on 192.168.0.109:
Not shown: 997 filtered ports
PORT    STATE    SERVICE      VERSION
21/tcp  filtered ftp
139/tcp open     netbios-ssn
445/tcp open     microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OS: Windows

Host script results:
|_ nbstat: NetBIOS name: , NetBIOS user: <unknown>, NetBIOS MAC: 00:43:20:e9:3e:63
| smb-os-discovery: Windows XP
|   LAN Manager: Windows 2000 LAN Manager
|   Name: MSHOME\****
|_  System time: *******************
I tried common username/password combinations on the ftp port with no luck… I could brute force it, but I really don't want to do that as that is pretty noisy…
After googling the other ports and services, I got a rough handle on what they are and what they do. I then looked for exploits and found quite a bit. However, nowhere could I find how to use them, short of Metasploit. As great a tool as Metasploit is, I would like to learn how Metasploit does it (without attempting to reverse engineer it), and I would like to learn how it was done before Metasploit came to be.
Please understand I am not looking for hand holding, I want to learn how to do it, not just a tutorial. I am not asking for one of you to take the next couple hours of your life to explain it to me. But possibly somebody could point me in the right direction for my journey of knowledge.
Thanks All,
Bellepheron
Before Metasploit, it was just scripts/compiled source code. All Metasploit does is nicely package the exploit for you and give you more freedom with it (like selecting your own payload); everything else is virtually the same. Basically, you would download a script and then run it via the command line, passing it arguments (like the IP address you wanted to attack). You generally see "proof of concept" exploits in that form before a Metasploit module is made too, so it's not like an old relic of the "good ol' days" or anything.
Take a look at the types of exploits you'd use on those services, and Google them. Find out what they are exactly, and how they work. Then you can get behind the scenes of Metasploit's ease of use and really find out how things work.
Also, that's an XP machine. I can think of an exploit which would work on one of those open ports off the top of my head, if you were wondering if it's exploitable.