4. Post Exploitation
Introduction
The exploitation phase can only be as good as the recon and enumeration phases before it, if you did not enumerate all vulnerabilities you may miss an opportunity, or if you did not look hard enough at the target - the exploit you have chosen may fail entirely!
One common tool used for exploitation is called Metasploit which has many built-in scripts to try to keep life simple.
You can also used tools like Burp Suite and SQLMap to exploit web applications. There are tools such as msfvenom (for building custom payloads), BeEF (browser-based exploitation), and many many others.
Finding Exploit Command (Searchsploit)
Searchsploit
is basically just a command line search tool for exploit-db.com.
Sql Injection Tools
SQL injection is the art of modifying a SQL query so you can get access to the target's database. This technique is often used to get user's data such as passwords, emails etc. SQL injection is one of the most common web vulnerabilities, and as such, it is highly worth checking for
Sqlmap
is arguably the most popular automated SQL injection tool out there. It checks for various types of injections, and has plenty of customization options.
Manual
Occasionally you will be unable to use sqlmap. This can be for a variety of reasons, such as a the target has set up a firewall or a request limit. In this case it is worth knowing how to do basic manual SQL Injection, if only to confirm that there is SQL Injection. A list of ways to check for SQL Injection can be found (https://owasp.org/www-community/attacks/SQL_Injection)
Metasploit
Metasploit, an open-source pentesting framework, is a powerful tool utilized by security engineers around the world. Maintained by Rapid 7, Metasploit is a collection of not only thoroughly tested exploits but also auxiliary and post-exploitation tools. Throughout this room, we will explore the basics of using this massive framework and a few of the modules it includes.
Initialize Database
msfdb init
Core Modules
Metasploit consists of six core modules that make up the bulk of the tools you will utilize within it:
Exploit
holds all of the exploit code we will use
Payload
contains the various bits of shellcode we send to have executed following exploitation
Encoder
utilized in payload obfuscation, which module allows us to modify the 'appearance' of our exploit such that we may avoid signature detection
NOP
used with buffer overflow and ROP attacks
Auxiliary
used in scanning and verification machines are exploitable
Post
provides looting and pivoting after exploitation
Nmap within Metasploit
Metasploit comes with a built-in way to run nmap and feed it's results directly into our database. Let's run that now by using the command db_nmap -s(flag) (ip)
Scan results get stored in metasploit database
hosts : get host details
services : get scanned services details
vulns : discovered vulnerabilities
Cheat Sheets
Reverse Shell
Kali Linux Built in WebShells
Kali Linux also comes pre-installed with a variety of webshells located at /usr/share/webshells
. The SecLists repo, though primarily used for wordlists, also contains some very useful code for obtaining shells.
PowerView
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands. https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
Last updated