Exploiting Vulnerabilities in Windows 2000 (Server)

Chamo Wijetunga
7 min read, Apr 29, 2020


windows 2000 server

What is Windows 2000 Server?

Microsoft Windows 2000 Server is a multipurpose network operating system. It is available in three versions, each geared toward organizations and applications of a different size; the entry-level version, Windows 2000 Server, is designed for use in small and midsize businesses as a file, print, intranet and infrastructure server.

Windows 2000 is the most exciting and important product that Microsoft has ever created, a family of operating systems aimed at the corporate server and desktop markets that combines the latest technology with ease-of-use and simplicity features. As the first major upgrade to Windows NT since version 4.0 shipped in July 1996, Windows 2000 represents the next generation of the reliable, scalable, and secure operating system we’ve all come to know and respect. Originally titled Windows NT 5.0, it was renamed Windows 2000 in late 1998 when it became clear that this release would extend past its NT roots to embrace markets then dominated by the mainstream Windows products such as Windows 98.

Today, each edition of Windows 2000 — including the desktop-based Professional Edition as well as the various members of the Server family — targets a specific portion of the business market, making a compelling case for complete Windows 2000-based solutions. Windows 2000 Professional now bests Windows 98 as the obvious choice for mobile users with its advanced power management features, offline capabilities, and integration with Windows 2000 networks. At the high end, Windows 2000 Datacenter Server scales to heights previously unknown to Windows NT, offering support for 64 GB of RAM, multiple processors, and advanced clustering. Windows 2000 scales up — and down — into markets that are new for a Windows NT product. In this way, Microsoft has greatly increased the number of possible usage scenarios for Windows 2000.

But Windows 2000 Server is the true high point of the Windows 2000 product line. Encompassing a family of products that includes Server Standard Edition, Advanced Server, and Datacenter Server, Windows 2000 Server scales from small office/home office duty to the largest data warehouses on the planet.

So Let’s Exploit...

To exploit the vulnerabilities of Windows 2000 Server we must have Kali Linux and Windows 2000 Server installed on the same VMware host, or both machines must be on the same network.

First of all we have to start our Linux OS and Windows 2000 and check the IP address of each to find out whether both are on the same network.

Kali Linux — Open Terminal and type ifconfig

Windows 2000 — Open command prompt and type ipconfig

We can compare the two network addresses to confirm which network each machine is connected to.

Same Network is a must.
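The "same network" check above is done by eye in the post. The following script, which is an added example and not part of the original post, does the same comparison programmatically: it parses the address and netmask out of constructed `ifconfig` and `ipconfig` output (the sample text below is made up for this example, not captured from the lab), and compares the resulting networks with Python's `ipaddress` module. The addresses 192.168.56.x and the interface names are assumptions.

```python
import ipaddress
import re

# Constructed sample output (not captured from a real host): the lines that
# matter from `ifconfig` on the Kali side and `ipconfig` on the Windows 2000 side.
KALI_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.101  netmask 255.255.255.0  broadcast 192.168.56.255
        ether 08:00:27:aa:bb:cc  txqueuelen 1000  (Ethernet)
"""

WIN2000_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.56.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.56.1
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_ifconfig(text):
    """Return the first IPv4 interface (address + netmask) found in ifconfig output."""
    m = re.search(r"inet\s+" + IPV4 + r"\s+netmask\s+" + IPV4, text)
    if not m:
        raise ValueError("no 'inet ... netmask ...' line in ifconfig output")
    # ip_interface accepts a dotted netmask after the slash, not only a prefix length.
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")


def parse_ipconfig(text):
    """Return the first IPv4 interface found in Windows ipconfig output."""
    ip = re.search(r"IP Address[ .]*:\s*" + IPV4, text)
    mask = re.search(r"Subnet Mask[ .]*:\s*" + IPV4, text)
    if not (ip and mask):
        raise ValueError("no 'IP Address' / 'Subnet Mask' pair in ipconfig output")
    return ipaddress.ip_interface(f"{ip.group(1)}/{mask.group(1)}")


def same_network(a, b):
    """True when both interfaces sit on the same IPv4 network (same prefix and mask)."""
    return a.network == b.network


def check_lab(kali_output=KALI_IFCONFIG, win_output=WIN2000_IPCONFIG):
    """Parse both outputs and report whether the two lab machines share a network."""
    kali = parse_ifconfig(kali_output)
    win = parse_ipconfig(win_output)
    return {
        "kali": str(kali),
        "windows": str(win),
        "network": str(kali.network),
        "same_network": same_network(kali, win),
    }


if __name__ == "__main__":
    for key, value in check_lab().items():
        print(f"{key}: {value}")
```

Comparing `network` objects rather than the first three octets is deliberate: a mismatched subnet mask on one side (for example /24 against /16) puts the hosts on different networks even when the addresses look alike, and that is exactly the kind of lab setup mistake that makes the later scans come back empty.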

After that we can run an nmap scan against the IP address of the Windows 2000 machine to find out the open ports and other details.

* nmap [Target IP Address]

nmap scan on windows server 2000
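From the defender's side, the nmap scan run above is the noisiest step in the whole walkthrough: one source touching many destination ports on one host within a few seconds. The script below is an added example (not from the original post) that applies that rule to constructed iptables-style firewall LOG lines, which are made up here and not a real capture; the hostnames, addresses, threshold and window are assumptions to tune for a real network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style LOG lines (not a real capture), as a perimeter
# firewall between the two lab hosts might record them. 192.168.56.101 probes
# eight ports within four seconds; 192.168.56.50 is an ordinary file-share client.
FIREWALL_LOG = """\
Apr 29 10:15:01 fw kernel: IN=eth0 OUT= SRC=192.168.56.50 DST=192.168.56.102 PROTO=TCP SPT=49152 DPT=445 SYN
Apr 29 10:15:03 fw kernel: IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40001 DPT=21 SYN
Apr 29 10:15:03 fw kernel: IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40002 DPT=25 SYN
Apr 29 10:15:04 fw kernel: IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40003 DPT=80 SYN
Apr 29 10:15:04 fw kernel: IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40004 DPT=135 SYN
Apr 29 10:15:05 fw kernel: IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40005 DPT=139 SYN
Apr 29 10:15:05 fw kernel: IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40006 DPT=445 SYN
Apr 29 10:15:06 fw kernel: IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40007 DPT=1025 SYN
Apr 29 10:15:06 fw kernel: IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40008 DPT=3389 SYN
Apr 29 10:15:20 fw kernel: IN=eth0 OUT= SRC=192.168.56.50 DST=192.168.56.102 PROTO=TCP SPT=49153 DPT=139 SYN
Apr 29 10:15:41 fw kernel: IN=eth0 OUT= SRC=192.168.56.50 DST=192.168.56.102 PROTO=TCP SPT=49154 DPT=445 SYN
"""

# syslog timestamp, then the SRC=/DST=/DPT= fields that iptables LOG emits.
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)"
)


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport) tuples, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # syslog lines carry no year; the default (1900) is fine for relative timing.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def detect_scans(events, window_seconds=10, min_ports=6):
    """Flag (src, dst) pairs where src hit at least min_ports distinct destination
    ports on dst within any window_seconds-long window. Returns {(src, dst): ports}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))

    alerts = {}
    for pair, evs in by_pair.items():
        evs.sort()
        best = set()
        # Sliding window anchored at each event; keep the widest set of ports seen.
        for i, (start, _) in enumerate(evs):
            ports = set()
            for ts, dport in evs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                ports.add(dport)
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(parse_log(FIREWALL_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, {len(ports)} ports: {sorted(ports)}")
```

Counting distinct destination ports per source/destination pair, rather than raw connection attempts, is what separates a scanner from a chatty but legitimate client: the file-share client in the sample touches 445 and 139 repeatedly and never trips the rule.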

Based on the results of the nmap scan we can run our Nessus vulnerability scanner against the target IP address. To do that we must first start the Nessus service on our Kali Linux local host. We can do that by running the command

* service nessusd start (fig 3)

in our Kali terminal.

fig 3 starting nessus service

After starting the Nessus service we have to fire up our web browser and go to our local host address (https://127.0.0.1). There we see the login page for the Nessus vulnerability scanner, and we can use our machine logins to access the service. (fig 4)

fig 4 starting nessus scanner

When the login is successful we are redirected to the Nessus home page, where we select Scan queue and add a new scan. After that we fill in the fields to set up a General Scan, entering the target IP in the scan target field and changing the policy to Internal Network Scan.

General Scan setup

It will take some time to scan the given system for vulnerabilities; after completion the results are displayed as a Host Summary (fig 6), and we can view the vulnerabilities by clicking on Vulnerabilities (fig 7).

fig 6
fig 7

Then we can select any vulnerability we want to exploit; if the selected vulnerability is rated critical, there is a better chance of successful exploitation. Critical vulnerabilities are displayed with purple tags in the summary. As the first attack we are going to exploit the MS04-011 critical vulnerability in Windows 2000.

most critical vulnerability

We are using the Metasploit Framework in Kali Linux to exploit those vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Before starting the Metasploit Framework, we have to start the Apache service and the PostgreSQL service in Kali Linux from our terminal.

* service apache2 start

* service postgresql start (fig 9)

starting both services

Then we can start Metasploit Framework by typing

* msfconsole

in our terminal. (fig 10)

starting metasploit framework

In the msfconsole we have to search for the exploits that are available for the selected vulnerability.

(in msf>) * search [vulnerability ID or Name]

In this case we are searching for MS04-011, and the result shows several modules matching the selected vulnerability. We have to use the best-ranked exploit to have the best chance of a successful attack. Here we are using the MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow exploit to create a shell and gain access to the Windows machine. We select the path of the exploit and use it in msfconsole.

* use exploit/windows/smb/ms04_011_lsass

We have the perfect exploit

By typing show options we can see the list of options available for the exploit, and we have to assign the target IP (Windows 2000) with

* set RHOST [Target IP Address]

RHOST is set to the IP address we have given, and we just have to launch the whole thing by typing exploit or run in the msfconsole. It then creates a shell on an available port for us, and we can manipulate files using that shell.

creating a shell inside the machine

That is not the only way to get access to the Windows 2000 machine. For demonstration we can use the MS05-039 critical vulnerability to get the same result as the last attack.

MS05-039 Critical Vulnerability

We can search for available exploits by using the search command in msfconsole. We have to select the highest-ranked exploit; here we are using the Microsoft Plug and Play Service Overflow exploit. Then we can see the available options by using show options, and we have to set the target IP address using set RHOST.

setting up :) annndddd goo..

After setting the target IP we just have to start our attack by typing exploit or run. It creates a shell on an available port, and we have access to the file system of the target machine.

shell in a hell

As the final attack we are selecting the MS03-026 critical vulnerability to exploit.

Final one

Search for available exploits by using the search command in msfconsole. We are using the MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check) exploit. Then we can see the available options by using show options, and we have to set the target IP address using set RHOST.

After exploiting this vulnerability we have access to the target machine's data, and we can manipulate the OS as well.
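All three bulletins used above (MS04-011, MS05-039, MS03-026) share the same defensive story: each is fixed by a Microsoft update, and each is reached over the RPC endpoint mapper or SMB ports that the nmap scan earlier showed open. The script below is an added example, not part of the original post, that turns that into an exposure triage over a constructed host inventory (the hosts, open ports and installed hotfix lists are made up for this example). The port-to-bulletin mapping is this example's assumption about the transport each affected service listens on, and the KB numbers are the update identifiers Microsoft attached to those bulletins (823980 is the one the post itself quotes); confirm both against the bulletin text before relying on the output.

```python
# Constructed inventory (not real hosts): OS, TCP ports an authorised scan found
# open, and the Microsoft hotfix KBs that the host reports as installed.
INVENTORY = [
    {"host": "192.168.56.102", "os": "Windows 2000 Server",
     "open_ports": {135, 139, 445}, "hotfixes": set()},
    {"host": "192.168.56.110", "os": "Windows 2000 Server",
     "open_ports": {135, 139, 445}, "hotfixes": {"KB823980", "KB835732", "KB899588"}},
    {"host": "192.168.56.120", "os": "Windows 2000 Server",
     "open_ports": {80}, "hotfixes": set()},
    {"host": "192.168.56.130", "os": "Windows Server 2003",
     "open_ports": {135, 445}, "hotfixes": set()},
]

# The three bulletins the post exploits. "ports" is the assumed transport for the
# affected service (RPC endpoint mapper on 135, SMB on 139/445); "kb" is the
# bulletin's update identifier. Verify both against the Microsoft bulletin.
ADVISORIES = {
    "MS03-026": {"kb": "KB823980", "ports": {135, 139, 445}, "service": "RPC DCOM interface"},
    "MS04-011": {"kb": "KB835732", "ports": {139, 445}, "service": "LSASS over SMB"},
    "MS05-039": {"kb": "KB899588", "ports": {139, 445}, "service": "Plug and Play over SMB"},
}

# This example only reasons about Windows 2000, the OS the post targets; the
# bulletins list other versions too, which are reported as unassessed here.
IN_SCOPE_OS_PREFIX = "Windows 2000"

EXPOSED, PATCHED, UNREACHABLE, UNASSESSED = "exposed", "patched", "unreachable", "unassessed"


def assess(host, advisories=ADVISORIES):
    """Classify one host against each advisory. A host is exposed only when the OS is
    in scope, the fixing update is absent, and at least one service port is open."""
    findings = {}
    for adv_id, adv in advisories.items():
        if not host["os"].startswith(IN_SCOPE_OS_PREFIX):
            findings[adv_id] = UNASSESSED
        elif adv["kb"] in host["hotfixes"]:
            findings[adv_id] = PATCHED
        elif not (adv["ports"] & host["open_ports"]):
            findings[adv_id] = UNREACHABLE
        else:
            findings[adv_id] = EXPOSED
    return findings


def exposed_hosts(inventory, advisories=ADVISORIES):
    """Return {host: [advisory ids]} for every host with at least one exposed advisory."""
    report = {}
    for host in inventory:
        hits = [adv_id for adv_id, state in assess(host, advisories).items() if state == EXPOSED]
        if hits:
            report[host["host"]] = hits
    return report


if __name__ == "__main__":
    for host in INVENTORY:
        print(host["host"], host["os"])
        for adv_id, state in assess(host).items():
            note = f" ({ADVISORIES[adv_id]['service']})" if state == EXPOSED else ""
            print(f"  {adv_id}: {state}{note}")
```

The ordering of the checks matters: a host that has the update installed is reported as patched even if the ports are open, and a host with the ports filtered is reported as unreachable even if the update is missing. Both are acceptable end states, but only the first survives a firewall change, which is why "patched" is the state to drive toward.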

Shutting Down

So that's all.

Peace. :)
