Recent
Windows 2000 & Fast|Track
A couple of weeks ago I was going to test Fast|Track against a Windows 98 machine however I couldn’t get my wireless card to work on it. I finally got Windows 2000 with no patches or updates up and running. I installed Windows 2000 as according to many it’s quite a vulnerable OS.
Fast|Track is an automated tool that comes pre installed in BackTrack. It scans an ip address or range for open ports using NMap, once it has scanned the machine(s) it tries every exploit for the open ports found using NMap’s autopwn feature via Metasploit. It doesn’t take any notice of NMap’s OS discovery, so even if NMap discovers that the machine is running Windows 2000 with 100% accuracy (it didn’t), it will still try other OS exploits.
After Fast|Track had finished scanning and exploiting It gave me 4 active shell sessions that it had spawned from successful exploits.
Windows 2000 with no updates or patches was successfully exploited via the following vulnerabilities:
SMB:
MS06_040_netapi
MS05_039_pnp
MS04_011_lsass
DCERPC:
MS03_026_dcom
After playing around with the remote shells for a few minutes I decided to replicate my findings using Metasploit3 only. I managed to replicate them all using the windows/shell/reverse_tcp payload, I originally tried them with the generic/perl/reverse_shell payload however this did not work, it gave an error which I did not write down. While I was there I thought I would try Metasploit’s newish VNC reverse shell payload so I could have a visual representation of my Windows 2000 machine. In order to do this you have to start the built in VNC server in BackTrack, worked like a charm however the colour was a bit off and the connection was slow.
The moral of the story is to keep your systems updated and fully patched.
More info on Fast|Track.
More info on Metasploit.
P.S. I also tried Metasploit’s new MS08_067 RPC exploit however was unsuccessful.
