3. Gaining Access / Exploitation

Introduction

The exploitation phase can only be as good as the recon and enumeration phases before it, if you did not enumerate all vulnerabilities you may miss an opportunity, or if you did not look hard enough at the target - the exploit you have chosen may fail entirely!

One common tool used for exploitation is called Metasploit which has many built-in scripts to try to keep life simple.

You can also used tools like Burp Suite and SQLMap to exploit web applications. There are tools such as msfvenom (for building custom payloads), BeEF (browser-based exploitation), and many many others.

Finding Exploit Command (Searchsploit)

Searchsploit is basically just a command line search tool for exploit-db.com.

Sql Injection Tools

SQL injection is the art of modifying a SQL query so you can get access to the target's database. This technique is often used to get user's data such as passwords, emails etc. SQL injection is one of the most common web vulnerabilities, and as such, it is highly worth checking for


Sqlmap

is arguably the most popular automated SQL injection tool out there. It checks for various types of injections, and has plenty of customization options.


Manual

Occasionally you will be unable to use sqlmap. This can be for a variety of reasons, such as a the target has set up a firewall or a request limit. In this case it is worth knowing how to do basic manual SQL Injection, if only to confirm that there is SQL Injection. A list of ways to check for SQL Injection can be found (https://owasp.org/www-community/attacks/SQL_Injection)


Metasploit

Metasploit, an open-source pentesting framework, is a powerful tool utilized by security engineers around the world. Maintained by Rapid 7, Metasploit is a collection of not only thoroughly tested exploits but also auxiliary and post-exploitation tools. Throughout this room, we will explore the basics of using this massive framework and a few of the modules it includes.


Initialize Database

msfdb init


Core Modules

Metasploit consists of six core modules that make up the bulk of the tools you will utilize within it:

  1. Exploit

    • holds all of the exploit code we will use

  2. Payload

    • contains the various bits of shellcode we send to have executed following exploitation

  3. Encoder

    • utilized in payload obfuscation, which module allows us to modify the 'appearance' of our exploit such that we may avoid signature detection

  4. NOP

    • used with buffer overflow and ROP attacks

  5. Auxiliary

    • used in scanning and verification machines are exploitable

  6. Post

    • provides looting and pivoting after exploitation


Nmap within Metasploit

Metasploit comes with a built-in way to run nmap and feed it's results directly into our database. Let's run that now by using the command db_nmap -s(flag) (ip)

  • Scan results get stored in metasploit database

    • hosts : get host details

    • services : get scanned services details

    • vulns : discovered vulnerabilities


Cheat Sheets

Reverse Shell

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md


Kali Linux Built in WebShells

Kali Linux also comes pre-installed with a variety of webshells located at /usr/share/webshells. The SecLists repo, though primarily used for wordlists, also contains some very useful code for obtaining shells.


PowerView

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands. https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993


Last updated