Ok... so on a particular LAN that I happen to have access to, there is a particular computer that I am interested in (we'll just say that it's another one of mine). Long story short I want access to it. So after a short nmap scan I found out the following information:
Starting Nmap 5.00 ( http://nmap.org ) at 2011-04-28 16:52 EDT
Interesting ports on 192.168.0.109:
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp filtered ftp
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OS: Windows
Host script results:
|_ nbstat: NetBIOS name: *******, NetBIOS user: <unknown>, NetBIOS MAC: 00:43:20:e9:3e:63
| smb-os-discovery: Windows XP
| LAN Manager: Windows 2000 LAN Manager
| Name: MSHOME\***********
|_ System time: *******************
I tried common username/password combinations on the ftp port with no luck... I could brute force it, but I really don't want to do that as that is pretty noisy...
After googling the other ports and services, I got a rough handle on what they are and what they do. I then looked for exploits and found quite a bit. However, nowhere could I find how to use them, short of metasploit. As great of a tool as metasploit is, I would like to learn how metasploit does it (without attempting to reverse engineer it), and I would like to learn how it was done before metasploit came to be.
Please understand I am not looking for hand holding, I want to learn how to do it, not just a tutorial. I am not asking for one of you to take the next couple hours of your life to explain it to me. But possibly somebody could point me in the right direction for my journey of knowledge.
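The scan output quoted in the post is Nmap 5.00 "normal" output. As an added example that is not part of the original post, here is a small Python parser for that format, run over the exact lines above (kept as constructed sample input, with the poster's masked fields left as asterisks), followed by a defender-side assessment: which hosts expose SMB/NetBIOS, which report an OS that no longer receives vendor patches, and which ports are merely filtered rather than confirmed closed. The host-line and port-line regexes, the `UNSUPPORTED_WINDOWS` list and the function names are my own assumptions, not anything from the thread or from Nmap itself.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the Nmap 5.00 output quoted in the post,
# with the fields the poster masked left as asterisks.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2011-04-28 16:52 EDT
Interesting ports on 192.168.0.109:
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp filtered ftp
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OS: Windows
Host script results:
|_ nbstat: NetBIOS name: *******, NetBIOS user: <unknown>, NetBIOS MAC: 00:43:20:e9:3e:63
| smb-os-discovery: Windows XP
| LAN Manager: Windows 2000 LAN Manager
| Name: MSHOME\\***********
|_ System time: *******************
"""

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""

@dataclass
class Host:
    address: str = ""
    ports: List[Port] = field(default_factory=list)
    smb_os: Optional[str] = None  # from the smb-os-discovery NSE script, if present

# Assumed line shapes: Nmap 5 "Interesting ports on X:" and the newer
# "Nmap scan report for X" header, plus the standard PORT/STATE/SERVICE rows.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\S+?):?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SMB_OS_RE = re.compile(r"^\|_?\s*smb-os-discovery: (.+)$")

# Windows releases that no longer receive security updates (general fact,
# not something stated in the thread).
UNSUPPORTED_WINDOWS = ("Windows 2000", "Windows XP", "Windows Server 2003")

def parse_nmap_output(text: str) -> List[Host]:
    """Parse Nmap normal output into Host records (ports plus SMB OS hint)."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = Host(address=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue  # header lines before the first host
        m = PORT_RE.match(line)
        if m:
            current.ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                                      m.group(4), (m.group(5) or "").strip()))
            continue
        m = SMB_OS_RE.match(line)
        if m:
            current.smb_os = m.group(1).strip()
    return hosts

def assess(host: Host) -> List[str]:
    """Defender-oriented findings for one host: exposure, patch status, filtered ports."""
    findings: List[str] = []
    open_ports = {p.number for p in host.ports if p.state == "open"}
    smb_ports = open_ports & {139, 445}
    # Prefer the NSE OS string; fall back to the service version banner.
    os_hint = host.smb_os or next((p.version for p in host.ports if "Windows" in p.version), "")
    unsupported = any(v in os_hint for v in UNSUPPORTED_WINDOWS)
    if smb_ports:
        findings.append(f"SMB/NetBIOS reachable on {sorted(smb_ports)}: "
                        "restrict with a host firewall or VLAN ACL")
    if unsupported:
        findings.append(f"Unsupported OS '{os_hint}': no vendor patches; isolate or retire")
    if smb_ports and unsupported:
        findings.append("HIGH: unsupported Windows exposing SMB on the LAN")
    for p in host.ports:
        if p.state == "filtered":
            findings.append(f"{p.number}/{p.proto} ({p.service}) filtered: "
                            "blocked by a firewall, not confirmed closed")
    return findings

if __name__ == "__main__":
    for h in parse_nmap_output(SAMPLE_NMAP_OUTPUT):
        print(h.address)
        for finding in assess(h):
            print("  -", finding)
```

On the quoted scan this yields four findings for 192.168.0.109: SMB reachable on 139 and 445, an unsupported OS (Windows XP from smb-os-discovery), the combined HIGH rating, and a note that 21/tcp is filtered rather than closed. Feeding the script a full `nmap -sV -oN scan.txt` of your own subnet gives an inventory of legacy hosts still exposing SMB, which is the list a network owner wants to firewall or retire first.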
Posted on 29-04-11 02:15
Before Metasploit, it was just scripts/compiled source code. All Metasploit does is nicely package the exploit for you and give you more freedom with it (like selecting your own payload), everything else is virtually the same. Basically, you would download a script and then run it via the command line, passing it arguments (like the IP address you wanted to attack). You generally see "proof of concept" exploits in that form before a Metasploit plugin is made too, so it's not like an old relic of the "good 'ole days" or anything.
Take a look at the types of exploits you'd use on those services, and Google them. Find out what they are exactly, and how they work. Then you can get behind the scenes of Metasploit's ease of use and really find out how things work.
Also, that's an XP machine. I can think of an exploit which would work on one of those open ports off the top of my head, if you were wondering if it's exploitable.
Hellbound Hackers is the collective work of the staff and the community and is therefore licensed under the CC BY-NC-SA license.