1. Gain access to the system
LLMNR is layer 2 UDP 5355. netbios-ns port 137
1. Crack the password using Responder
LLMNR (link local multicast name resolution) and NBT-NS (netbios namer service) are used to performe name resolution on the local link.
Responder is LLMNR, NBT-NS, MDNS poisoner. By default the tool only responds to SMB.
check the interfaces
Now run responder on the interface.
Now when a user on the LAN try to access the unavailable share, responder will capture the hash.
logs are stored in /usr/share/responder folder. We will have a hash. Now crack it with John.
on ubuntu you can install john as
2. Audit system passwords using Lophtcrack
windows tool. Can crack other password on remote machine if you know a single account utilizing SMB. Use password auditing. use password auditing wizard.
3. Find Vulnerabilities on exploit sites
4. Exploit client side vulnerabilities and get a VNC session
create msfvenom payload
using apache to transfer the file
Now run msfconsole
set the payload type, port and IP and visit the IP to download the executable. Run it you will get the shell
You can run the following commands in meterpreter.
upload file through meterpreter
the powersploit priv escaltion script./usr/share/windows-resources/powersploit
Now get shell
Now execute the script
Now exit it and to get a VNC from meterpreter use the following command.
5. Gain access to a system using armitage
GUI based msf
Now run armitage from Applications menu. Run intense scan. and then we can create a payload according to our target.
Once the victim opens the payload, we get the session.
6. Gain access to system using Ninja Jonin
Ninja is installed on target and Jonin on attacker machine.
We need to edit its config file to change the ip and port.
Open the Jonin listenere. it will catch the sessions.
7. Buffer Overflow (To do list)
Reference
Tools required
Immunity requires python 2
Run vulnserver. open debugger and attach the process. click on run to execute it.
connect to server from attacking machine (netcat)
a. Spiking
Type help to see a list of commands supported by the server.
Now lets spike the commands one by one. create a new file
Paste the following script in it.
Save the script. Now test the script.
0 and 0 are the values of SKIPVAR and SKIPSTR
if program does not crash on windows. The parameter is not vulnerable. Now lets test the other parameter.
The program in immunity debugger will appear as paused and registers will be overwitten with A.
b. fuzzing
System Password hacking
Last updated