Windows Server 2003 Intrusion Test

Source: Internet
Author: User

1. Host Reconnaissance

First, gather information about the target, including:

- the IP address of the host on the target network
- the reachable TCP and UDP ports on the target system
- the operating system running on the target system

Use Nmap to scan the host's ports and identify its operating system, as shown in the figure:



The scan shows that the host has ports 80, 135, 139, 1025 and 1107 open, and that port 80 is served by IIS 6.0. Nmap's OS detection reports the host as Windows XP SP2 or SP3, or Windows Server 2003; since the host runs the IIS service, the operating system can be determined to be Windows 2003. With this information, the next step is to look for vulnerabilities in the services listening on the open ports.
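The same scan result read from the defender's side is an attack-surface review. The following is an added example, not code from the original article: it parses Nmap's normal output and flags the exposures a reviewer would act on, namely RPC and NetBIOS ports reachable from an untrusted network, legacy dynamic RPC ports, unidentified services, and an operating system that no longer receives security updates. The sample output is constructed to mirror the scan described above; the port rules, the 1025-5000 dynamic RPC range and the severity labels are my own assumptions.

```python
import re

# Constructed Nmap-style output mirroring the scan described in the text:
# ports 80, 135, 139, 1025 and 1107 open, IIS 6.0 on port 80.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.100.2
Host is up (0.00042s latency).
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 6.0
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
1025/tcp open  msrpc        Microsoft Windows RPC
1107/tcp open  unknown
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
"""

# One row of Nmap's port table: "<port>/<proto>  <state>  <service>  [<version>]"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Services a reviewer treats as high risk when they face an untrusted network
# (assumed review policy, not something the scanner reports).
RISKY_SERVICES = {
    135: "RPC endpoint mapper; restrict to trusted networks",
    139: "NetBIOS session service; block at the perimeter",
    445: "SMB; block at the perimeter",
}

# OS families whose vendor support has ended (no further security patches).
EOL_OS_MARKERS = ("Windows Server 2003", "Windows XP", "Windows 2000")


def parse_nmap(text):
    """Extract the host, OS guess and open-port rows from Nmap normal output."""
    report = {"host": None, "os": None, "ports": []}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            report["host"] = line.split()[-1]
        elif line.startswith("OS details: "):
            report["os"] = line[len("OS details: "):]
        else:
            m = PORT_RE.match(line)
            if m and m.group("state") == "open":
                report["ports"].append({
                    "port": int(m.group("port")),
                    "proto": m.group("proto"),
                    "service": m.group("service"),
                    "version": (m.group("version") or "").strip(),
                })
    return report


def assess_exposure(report):
    """Return (port, severity, message) findings; port is None for host-level findings."""
    findings = []
    if report["os"] and any(marker in report["os"] for marker in EOL_OS_MARKERS):
        findings.append((None, "high",
                         f"OS fingerprint '{report['os']}' is out of vendor support"))
    for p in report["ports"]:
        port = p["port"]
        if port in RISKY_SERVICES:
            findings.append((port, "high", f"{p['service']} exposed: {RISKY_SERVICES[port]}"))
        elif p["service"] == "msrpc" and 1025 <= port <= 5000:
            # Legacy dynamic RPC range used by Windows 2003 and earlier.
            findings.append((port, "medium", "dynamic RPC endpoint reachable from the scanner"))
        elif p["service"] == "unknown":
            findings.append((port, "low", "unidentified service; confirm with the asset owner"))
    return findings


if __name__ == "__main__":
    report = parse_nmap(SAMPLE_NMAP)
    for port, severity, message in assess_exposure(report):
        where = f"{report['host']}:{port}" if port else report["host"]
        print(f"[{severity:6}] {where} {message}")
```

Port 80 produces no finding on its own: a web server is expected to be reachable, and the version string is input for the vulnerability scan in the next section rather than an exposure by itself.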

2. Detect Server Vulnerabilities

Use the Nessus vulnerability scanner to scan the Windows 2003 server, following these steps:

2.1 Start the Nessus server. As shown in the following figure, Nessus is running properly.


2.2 Set the scan policy, as shown in the figure:


The policy has four groups of options: General, Credentials, Plugins and Preferences. Set the options that match the actual scanning requirements, and the scan can be run.

2.3 Start the scan

The server's IP address is 192.168.100.2, which is entered in the web settings page as follows:


Press the Launch Scan button; the Nessus server then starts the vulnerability scan of the target.

2.4 View the server vulnerabilities

After some time, Nessus reports the following vulnerabilities:

There are 9 high-severity vulnerabilities that could be exploited to compromise this server.


Select one of them, plugin ID 11808 (MS03-026), for the attack. As long as the host has this vulnerability, the Metasploit framework can exploit it to compromise the server and take control of the host.

3. Attack the Server

Once a vulnerability has been identified, use Metasploit to attack the server, following these steps:

3.1 Start Metasploit and enter search 03_026 at the console to find the matching exploit module, as shown in the figure:


3.2 Select the matching exploit module and view its options:


3.3 Set RHOST to the target host's IP address and select the windows/exec payload, as follows:


Launch the attack: it creates a new user named Ram with the password 123 on the remote server and adds the user to the Administrators group, making Ram an administrator of the server.

3.4 Run the exploit command to start the attack, as shown in the figure:


Although the output says the DCERPC service did not reply to our request, the remote server has in fact created the user Ram and added it to the Administrators group, elevating its privileges.


The newly created user ram already has the permissions of the Administrators group.
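From the defender's side, the change just described leaves a distinctive trace in the Windows Security event log: an account is created and, within seconds, added to the Administrators group. The following is an added example, not code from the original article: it pairs account-creation events with privileged-group additions for the same account inside a short time window and raises one alert per such promotion. The log lines are constructed; the event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are the numbering used by Windows Vista/Server 2008 and later, so an actual Server 2003 log would need its own IDs mapped in; the field layout and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Security log sample, one event per line. The Ram events mirror the
# scenario in the text; jsmith is a routine helpdesk-driven change for contrast.
SAMPLE_LOG = """\
2023-05-01 10:14:02 EventID=4624 Subject=WS2003\\svc_backup LogonType=3
2023-05-01 10:15:10 EventID=4720 Subject=NT AUTHORITY\\SYSTEM TargetAccount=Ram
2023-05-01 10:15:11 EventID=4732 Subject=NT AUTHORITY\\SYSTEM Member=Ram Group=Administrators
2023-05-01 11:02:44 EventID=4720 Subject=WS2003\\helpdesk TargetAccount=jsmith
2023-05-01 11:40:00 EventID=4732 Subject=WS2003\\helpdesk Member=jsmith Group=Remote Desktop Users
2023-05-02 09:00:00 EventID=4732 Subject=WS2003\\helpdesk Member=jsmith Group=Administrators
"""

EVENT_CREATED = 4720          # "A user account was created"
EVENT_LOCAL_GROUP_ADD = 4732  # "A member was added to a security-enabled local group"
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) (?P<rest>.*)$"
)
# key=value pairs whose values may contain spaces (e.g. "NT AUTHORITY\SYSTEM");
# a value ends where the next " key=" begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=([^=]+?)(?= \w+=|$)")


def parse_events(text):
    """Turn the flattened log into dicts with a parsed timestamp and event ID."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("rest")))
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        fields["eid"] = int(m.group("eid"))
        events.append(fields)
    return events


def detect_new_admin_accounts(events, window=timedelta(minutes=15)):
    """Alert when an account is created and then added to a privileged group
    within `window`. Account names are compared case-insensitively, since
    Windows treats Ram, RAM and ram as the same account."""
    created = {}  # lowercased account name -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] == EVENT_CREATED and "TargetAccount" in ev:
            created[ev["TargetAccount"].lower()] = (ev["ts"], ev.get("Subject", "?"))
        elif ev["eid"] == EVENT_LOCAL_GROUP_ADD and ev.get("Group") in PRIVILEGED_GROUPS:
            key = ev.get("Member", "").lower()
            if key in created and ev["ts"] - created[key][0] <= window:
                alerts.append({
                    "account": ev["Member"],
                    "group": ev["Group"],
                    "created_at": created[key][0],
                    "promoted_at": ev["ts"],
                    "created_by": created[key][1],
                    "promoted_by": ev.get("Subject", "?"),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_new_admin_accounts(parse_events(SAMPLE_LOG)):
        delta = (a["promoted_at"] - a["created_at"]).total_seconds()
        print(f"ALERT: {a['account']} created by {a['created_by']} and added to "
              f"{a['group']} by {a['promoted_by']} after {delta:.0f}s")
```

With the default window only Ram is reported; jsmith's promotion comes almost a day after the account was created and is left to routine change review. Widening the window trades fewer misses for more of that routine noise, which is the tuning decision such a rule always comes down to.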

3.5 Using the windows/shell/reverse_tcp payload instead gives a telnet-like connection to the remote server through which commands can be executed, as shown in the figure:


Set the local IP address and port number, then run the exploit command to connect to the remote server, as shown in the figure:

