Often you may wish to obtain access to a service or password protected area on a network. Examples of this may be trying to log into a ssh service, RDP, http-get (i.e. what your router pops up with), etc. There a multitude of tools that will allow you to perform these password attacks, hydra, medusa and ncrack are popular examples. Some tools may cope with certain protocols better than others, but hydra has become a staple tool in my arsenal. You have the choice of nominating a single host name, then cycling through a password list; nominating a username list and testing a password, or a combination of both username lists and password lists.
[Read more…]
Spawning a TTY Shell
Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
[Read more…]
Creating Metasploit Payloads
Often one of the most useful (and to the beginner underrated) abilities of Metasploit is the msfpayload module. Multiple payloads can be created with this module and it helps something that can give you a shell in almost any situation. For each of these payloads you can go into msfconsole and select exploit/multi/handler. Run ‘set payload’ for the relevant payload used and configure all necessary options (LHOST, LPORT, etc). Execute and wait for the payload to be run. For the examples below it’s pretty self explanatory but LHOST should be filled in with your IP address (LAN IP if attacking within the network, WAN IP if attacking across the internet), and LPORT should be the port you wish to be connected back on.
[Read more…]
Port Forwarding with Metasploit
Once a meterpreter shell is obtained on a system a larger range of options is available to the Penetration Tester for accessing the system. In a hypothetical scenario the victim is running a vulnerable mail server on port 25, and we have a remote exploit we wish to use against it. Unfortunately for us it’s behind a firewall. After getting a meterpreter shell via a client side attack we want to somehow bypass the firewall and get access to port 25. Meterpreters portfwd can do this.
Tool
portfwd
[Read more…]
Finding Public Exploits
There are thousands of exploits out in the wild, even more being traded privately or held back as 0 days. Clearly we want to get access to as many of these resources as we can to maximize the chance of successful exploitation. A warning must be given to anyone downloading exploits. There are several fake exploits out there specifically designed to harm or destroy your computer. Never download exploits from a source and run them without first checking what they do and what commands they will be executing on your system. It’s highly recommended that you decode any encoded values to find what they actually mean. For example this exploit when decoded runs the “rm -rf” command on your system. Saying that, some of the resources outlined here such as exploit-db and security focus can be considered pretty trustworthy.