How to exploit two common Windows vulnerabilities

Metasploit and other free security testing tools can help you uncover Windows security vulnerabilities, like unencrypted laptop drives and local Windows password hashes.

In a previous tip about the 10 most common Windows vulnerabilities, I outlined the Windows flaws I see the most in my security assessment work. Now I want to take the two particular vulnerabilities I see more than any others and show you how they're exploited. You can then use these techniques on your Windows systems to find the holes before a malicious user does. One exploit is relatively non-technical and the other goes a little more in-depth but certainly doesn't require "elite" hacker skills. Either way, you can execute each of them using free tools in a matter of minutes. Let's jump right in.

Unencrypted laptops

First, let's look at the problem with unencrypted laptop drives. Given all the data breaches involving mobile systems, this is arguably one of the greatest business risks security administrators face today. Here's how a laptop running any version of Windows can be owned in, say, 30 minutes or less.

Step 1: Download/install the current version of the ophcrack LiveCD and burn the ISO image onto CD. You can also carry out this exploit with the commercial Elcomsoft System Recovery program and similar tools, but I'll stick with the freebie for this exercise.

Step 2: Boot your test system from the ophcrack LiveCD. After it loads the operating system, the application and the default rainbow tables (which can take a few minutes), the program will automatically go to work on the local Windows password hashes. It will crack any LanManager (LM)-based hashes with relative ease. A couple of sample passwords (a blank one and a very basic one) discovered are shown in Figure 1.

Figure 1: Use the ophcrack LiveCD to crack Windows passwords.

It only took a few minutes to crack these. More complex ones can be uncovered in short order too.

Step 3: If the initial cracking run doesn't recover every password, click "Load" to load previously downloaded or purchased rainbow tables that can crack more complex Windows hashes, such as the NTLM hashes that Vista uses.

Step 4: Now that one -- and likely all -- password hashes have been cracked, you simply shut down the ophcrack LiveCD, reboot the system into Windows and log in using your recovered password(s). An administrator-level login will buy you more, but you can almost always find sensitive information and stored passwords and even gain access to Windows domains and VPNs as a standard Windows user. The system is yours.

I can't think of a better way to demonstrate the need for laptop drive encryption.
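The flip side of this exercise is checking your own laptops for the conditions it relies on: an unencrypted system drive, LM hashes still being stored, and weak or blank local passwords. The script below is an added example, not part of the original article; it assumes Windows 8 / Server 2012 or later with the BitLocker module present and an elevated PowerShell prompt.

```powershell
# Added example, not from the original article: audit on the local machine the
# conditions the ophcrack LiveCD walkthrough depends on. Assumes Windows 8 /
# Server 2012 or later with the BitLocker module, run from an elevated prompt.
function Test-LaptopDriveExposure {
    $findings = @()

    # 1. Is the OS volume encrypted? An unencrypted drive is what lets a boot CD
    #    read the local SAM and its password hashes in the first place.
    $os = $null
    try { $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { }
    if (-not $os -or $os.ProtectionStatus -ne 'On') {
        $findings += "System drive $env:SystemDrive is not protected by BitLocker."
    }

    # 2. Are LM hashes still being stored? NoLMHash=1 under the Lsa key stops
    #    Windows from writing the weak LM hash (only generated for passwords of
    #    14 characters or fewer) at the next password change.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.NoLMHash -ne 1) {
        $findings += 'NoLMHash is not set to 1; LM hashes may be stored locally.'
    }

    # 3. Blank and very short passwords (Figure 1) are the first to fall; read
    #    the local minimum password length from 'net accounts'.
    $line = net accounts | Select-String 'Minimum password length'
    $minLen = "$line" -replace '\D', ''
    if (-not $minLen -or [int]$minLen -lt 8) {
        $findings += "Local minimum password length is '$minLen'; expected 8 or more."
    }

    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

Test-LaptopDriveExposure
```

A ProtectionStatus of Off is reported both for unencrypted drives and for encrypted ones whose protectors are suspended, which is why the check keys on protection rather than on encryption percentage.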

Missing patches

For the second example, let's look at how easy it is to gain full remote access to a Windows system by exploiting a missing patch vulnerability.

Step 1: Run your favorite vulnerability scanner against your network and look for Windows systems that have vulnerabilities related to missing patches. These findings typically reference Microsoft remote code execution bulletins such as MS05-039 and MS06-040 (yes -- oldies but goodies I often come across). Figure 2 shows a QualysGuard finding that indicates a missing MS05-039 patch.

Figure 2: QualysGuard report highlights an exploitable Windows vulnerability.

Step 2: Download/install the current version of Metasploit -- a free exploitation tool that can be used to demonstrate what happens when Windows systems aren't properly patched.

Step 3: Search the Metasploit exploit interface for a matching exploit. In Figure 3, using the MS05-039 example, you can see that Metasploit does indeed have an exploit that can be carried out on the target system.

Figure 3: Search the Metasploit database to confirm an exploit is available.

This is a rudimentary -- and often frustrating -- way of connecting the dots and finding out what can be exploited, but it's the only reasonable way to go about it.

Step 4: Use the MSF Assistant GUI to plug in some basic variables for running your exploit. I typically use a reverse command shell (generic/shell_reverse_tcp) for the payload so I can demonstrate remote command prompt access, but there are many others you can select from such as add user and dllinject. Specific steps for carrying out the MS05-039 exploit are shown in Figures 4 through 8.

Figure 4: Select the MS05_039_pnp exploit under Windows/SMB.

Figure 5: Select your target version of Windows (if you don't know it, try them all).

Figure 6: Select the payload (what you want it to do upon exploitation).

Figure 7: Enter the IP address of the target system and your local system.

Figure 8: Click Apply and voilà! You're done.

Step 5: You'll now be presented with a command prompt on the remote system. The drive is yours.
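Before a scanner finding like the one in Figure 2 goes anywhere near an exploit, it is worth confirming it from the Windows side and deciding how urgent it is. The script below is an added example, not part of the original article or of any scanner or Metasploit output; it assumes Windows PowerShell 5.1 on the machine running it, DCOM/WMI access to the target, and uses the KB numbers the two bulletins themselves carry (MS05-039 is KB899588, MS06-040 is KB921883).

```powershell
# Added example, not from the original article: confirm a missing-patch finding
# such as MS05-039 on a target before anyone reaches for an exploit. Assumes
# Windows PowerShell 5.1, DCOM/WMI access to the target, and the KB numbers
# from the bulletins (MS05-039 -> KB899588, MS06-040 -> KB921883).
function Test-SmbPatchExposure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$RequiredKB = @('KB899588', 'KB921883')
    )
    $findings = @()

    # These bulletins cover Windows 2000/XP/2003, i.e. NT 5.x. Get-HotFix only
    # lists updates that apply to the installed OS, so the KB check is only
    # meaningful there; a 5.x host is also out of support, which is a finding
    # in itself.
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName
    if ($os.Version -like '5.*') {
        $findings += "$ComputerName runs $($os.Caption) $($os.Version), which is out of support."
        $installed = (Get-HotFix -ComputerName $ComputerName).HotFixID
        foreach ($kb in $RequiredKB) {
            if ($installed -notcontains $kb) {
                $findings += "$kb is not reported as installed on $ComputerName."
            }
        }
    }

    # Both exploits arrive over SMB (TCP 445). If the port is not reachable from
    # the scanner's vantage point the finding is lower priority; if it is, the
    # host needs the patch or a firewall rule today.
    $smb = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue
    if ($smb.TcpTestSucceeded) {
        $findings += "TCP 445 on $ComputerName is reachable from $env:COMPUTERNAME."
    }

    if ($findings.Count -eq 0) { "$($ComputerName): no findings." } else { $findings }
}

Test-SmbPatchExposure
```

Run it with -ComputerName set to each host the scanner flagged; a host that is both unsupported and reachable on 445 from the scanning subnet is the one to isolate first.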

Take these techniques and tools for a spin and see what holes you can find -- and plug in a hurry -- while you can. There are plenty of other exploits you can carry out against your systems -- enough to fill an entire book. In fact, I (and many others) have done just that, so know this is just the beginning of your Windows security testing endeavors. Once you get these common Windows issues out of the way, you can tackle websites/apps, databases, wireless networks and so on -- the fun's never ending!

About the author: Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at

This was first published in October 2008
