Web Application Technologies/Vulnerabilities (Lab 7)
Week 3 Day 2
Last Update Unknown
LinuxZoo - Kali Lab 7
Question 1: Setup
Boot a Kali VM, and record its details in terms of MAC address and IP address.
Document the details of the Kali Ethernet interface name, and the MAC and IP addresses of its interfaces.
Question 3: Target Discovery
Use nmap to sweep the local connected network and discover the IP Address of the target server on the 192.168.1.0/24 network. Use a subnet mask similar to:
192.168.1.0/24 - 1-255 IP Addresses
Perform a network Host sweep, using arguments so no port scanning is done and no name resolution is performed.
Document the IP address(es) of the target(s):
Question 4: Port Scanning for Services
Port scan the target, first performing an nmap port scan on the same subnet, for all default TCP ports, with no name resolution and no host discovery, and use the -oX flag to save the details of the scan to a file.
How many ports in total are open on the target machine?
What is the format of the saved scan results file?
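The -oX flag writes the scan results as XML. The following parser is an added example (not part of the lab sheet) that reads that format and answers the "how many ports are open" question programmatically; the embedded XML is a constructed sample in the nmap -oX layout, not a capture from the lab target.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of nmap -oX output (not a real scan result), trimmed to the
# elements the parser needs. A real file has the same <host>/<ports>/<port> layout.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -Pn -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ip: [(port, proto, service), ...]} for every port nmap marked 'open'."""
    root = ET.fromstring(xml_text)
    result = defaultdict(list)
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ip = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            # 'closed' and 'filtered' ports are reported too; keep only 'open'
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            result[ip].append((int(port.get("portid")), port.get("protocol"), name))
    return dict(result)


def count_open_ports(xml_text, ip=None):
    """Total number of open ports, optionally restricted to one host."""
    opened = parse_open_ports(xml_text)
    if ip is not None:
        return len(opened.get(ip, []))
    return sum(len(v) for v in opened.values())


def load_scan_file(path):
    """Read a real -oX file from disk and return the parsed open-port map."""
    with open(path, encoding="utf-8") as fh:
        return parse_open_ports(fh.read())


if __name__ == "__main__":
    for ip, ports in sorted(parse_open_ports(SAMPLE_NMAP_XML).items()):
        print(ip, [f"{p}/{proto} {name}" for p, proto, name in ports])
    print("total open:", count_open_ports(SAMPLE_NMAP_XML))
```

Pointing `load_scan_file` at the file saved with -oX gives the same per-host breakdown for the real scan; the same XML is what Metasploit's db_import reads in Question 5.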
Question 5: Metasploit Exploit Framework
When performing complex penetration tests with many targets, keeping track of findings can be difficult. The Metasploit db can be used for this.
The db_import command can be used to import the output from other tools. Check the command's help.
Which format of file can be imported?
Import the nmap scan xml file into the db.
Check the target hosts currently in the db again.
Which hosts are in the Metasploit db?
Have the target host OSs been identified?
Question 6: Operating System Fingerprinting & Port Scanning
From the msfconsole shell we can use nmap directly to perform scans, and save the output findings into the MSF db, using the db_nmap command.
db_nmap -n … other nmap options
Perform a Port Scan with OS Fingerprinting on the target subnet, using a SYN scan of all default ports, with no name resolution and no host discovery.
Which nmap command is used?
Does nmap return possible matches for the OS fingerprints of the target(s)?
Which OSs does nmap report for the target machine?
From the msfconsole shell, check the target host details in the db using the hosts command.
Have the target host OSs been identified?
Has the target XP host's OS service pack level been identified?
Use the search command (search type:auxiliary) to find port scanner auxiliary scripts.
Try the TCP Syn Scanner: (COPY+PASTE name), and check the options.
Which options are mandatory and currently not set?
Set any mandatory options needed to run the module.
In another window, use tcpdump to monitor the scan.
To run the auxiliary script module from msfconsole, use the run command
Which ports are reported open?
From the msf shell, check the services in the msf db with the services command.
Has any detailed info for the services been recorded?
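Watching the SYN scan in tcpdump (as this question asks) shows what a defender on the target network sees: one source sending bare SYNs to many ports in a short time. The script below is an added example, not part of the lab sheet, that applies that detection rule to `tcpdump -n` style lines; the lines are constructed here, and the threshold and window values are illustrative choices.

```python
import re
from collections import defaultdict

# Matches the start of a `tcpdump -n` TCP line, e.g.
# "10:15:00.000100 IP 192.168.1.50.40001 > 192.168.1.10.1: Flags [S], seq 1, win 1024, length 0"
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def _to_seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def generate_sample():
    """Constructed capture: 192.168.1.50 SYN-scans 25 ports on 192.168.1.10 (each
    answered by RST), while 192.168.1.20 completes one ordinary handshake."""
    lines = []
    for i, port in enumerate(range(1, 26)):
        lines.append(f"10:15:{i:02d}.000100 IP 192.168.1.50.4{port:04d} > 192.168.1.10.{port}: "
                     f"Flags [S], seq 1, win 1024, length 0")
        lines.append(f"10:15:{i:02d}.000200 IP 192.168.1.10.{port} > 192.168.1.50.4{port:04d}: "
                     f"Flags [R.], seq 0, ack 2, win 0, length 0")
    lines.append("10:15:30.000100 IP 192.168.1.20.51000 > 192.168.1.10.445: Flags [S], seq 100, win 64240, length 0")
    lines.append("10:15:30.000200 IP 192.168.1.10.445 > 192.168.1.20.51000: Flags [S.], seq 200, ack 101, win 65535, length 0")
    lines.append("10:15:30.000300 IP 192.168.1.20.51000 > 192.168.1.10.445: Flags [.], ack 1, win 64240, length 0")
    return lines


def detect_syn_scans(lines, threshold=10, window_seconds=60):
    """Return {(src, dst): distinct_ports} for every source that sent bare SYNs to
    more than `threshold` distinct ports on one host within `window_seconds`."""
    events = defaultdict(list)  # (src, dst) -> [(time, dport)]
    for line in lines:
        m = TCPDUMP_LINE.match(line)
        if not m:
            continue
        # Only bare SYNs count: 'S.' is a SYN/ACK reply, 'R.' a reset, '.' an ACK.
        if m["flags"] != "S":
            continue
        events[(m["src"], m["dst"])].append((_to_seconds(m["ts"]), int(m["dport"])))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        best = 0
        # Sliding window: distinct destination ports within window_seconds of each SYN
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window_seconds}
            best = max(best, len(ports))
        if best > threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_syn_scans(generate_sample()).items():
        print(f"possible SYN scan: {src} -> {dst}, {n} distinct ports")
```

Run against a real capture with `tcpdump -n -l tcp | python3 this_script.py` adapted to read stdin; the ordinary client on .20 never trips the rule because it touches a single port, while the scanner's fan-out across ports does.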
Question 7: Enumeration/Fingerprinting/Vulnerability Scanning
Let's focus on the Server Message Block (SMB) services and use an msf scanner script to check for details. Finding a common vulnerability such as MS08-067, which gives SYSTEM access on many flavours of Windows, can be an effective use of pen testing time.
Let's check the available SMB scanner modules (use TAB TAB after the command below to list the available scanner modules).
Are any scanner modules relating to version fingerprinting listed?
Let's use the SMB version fingerprinting script, which attempts to fingerprint versions of the Windows OS using the SMB service. The back command can be used to exit the current module context (or simply select another exploit/auxiliary module).
Show the options and set any mandatory options, and run the module against the target host.
Has the Windows OS version been identified?
It should identify the version of Windows more precisely than the nmap -O fingerprinting scan we ran earlier, giving the service pack.
From the msf shell, check the target host details in the msf db with the hosts command.
Has any detailed info for the OS version been recorded?
From the msfconsole shell, try using nmap to perform service fingerprinting, OS fingerprinting, NSE scripts for all network services running on the open ports it finds, and a traceroute, storing the details in the msf db. The -A flag in nmap can be used as a shortcut to do this.
db_nmap -A -n target_IP
From the msf shell, check the target services in the msf db with the services command.
Has any detailed info for the services been recorded?
As Windows SMB services are running we will again perform a quick assessment, this time using an msf auxiliary scanner module which checks for our known SMB vulnerability.
Use the MS08_067 scanner script.
Now, from msfconsole, check the current host vulnerabilities in the db and any additional info using the appropriate flag.
Has the vulnerability been identified?
Question 8: Server-side vs Client-side Exploits
The Bind Shell payload starts a listener on the target, allowing Metasploit to connect which is fine, as our target has no host firewall.
To send the exploit and payload to the target use the exploit command.
Did the exploit work, and has the shell payload been launched? (Check using the ipconfig command.)
If the exploit was successful you should get a shell on the target!
Use the Windows cd command to check the working directory, and the dir command to check the contents of the current directory.
What is the current working directory, using cd?
What is the target IP address, using ipconfig?
Question 9: Log onto the Target XP System
From Kali, open a new terminal window and run: ssvnc
In the Host:Display field enter ":52", select "None" and click Connect, as shown below:
Validate the IP Address and working directory from a Windows command window.
On the target machine, check the listening services and established connections using netstat -an
Which port is the server listening on?
Can you locate the established tcp connection which the shell is bound to?
Which port is the metasploit session connected on?
From the msfconsole shell, exit the shell on the target using CTRL+C.
From the XP target, check the process id of the listener, which will continue to run on the target, with netstat -ano
We should kill off the process. The Windows taskkill command can be used for this.
Check the help with taskkill /?
What is the process id for the listener?
Which taskkill argument can be used to kill off by process id?
Question 11: Port Scan Firewalled XP for Services
Port scan the XP target again for all default TCP ports, with no name resolution and no host discovery.
How many ports are open on the target machine now?
Try using ping to check the XP host is up.
Is the ping responded to?
Try performing an nmap host discovery scan with -sn, to check the host is still up.
Now try to use the same exploit we successfully got a shell with just before the firewall was switched on:
Did the exploit succeed?
Question 12: Client-Side Exploit
The SRVHOST is the local listener, with 0.0.0.0 meaning it will listen on all interfaces.
Run the exploit, which starts a listening handler on the Kali machine, listening by default on IP 10.0.7.41 on port 80.
From Kali, check the listening services and connections using ss -ln and ss -an
Can you locate the browser exploit listener on Kali?
Which port is the server listening on?
From the XP target open Internet Explorer and browse to our listener on 10.0.7.41
From Kali, check the listening services and connections using ss -ln and ss -an
On the target machine, check the listening services running and connections using netstat -an.
Can you locate the Meterpreter connection?
Which port is the payload communicating to our Kali machine on?
Which port is the Meterpreter listener on?
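Both the bind-shell clean-up in Question 10 (find the leftover listener's PID with netstat -ano, then taskkill it) and the connection hunt in this question come down to reading netstat output against a baseline of what should be listening. The following triage script is an added example, not part of the lab sheet: it parses Windows netstat -ano rows, flags listeners outside an expected set, attaches their established sessions, and builds the taskkill command. The netstat text, ports, addresses and PIDs are constructed samples, not the lab's answers.

```python
import re

# Constructed `netstat -ano` output in the Windows layout; not captured from the lab target.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:4444      192.168.1.50:38122     ESTABLISHED     1640
  TCP    192.168.1.10:1053      192.168.1.50:80        ESTABLISHED     1892
  UDP    0.0.0.0:445            *:*                                    4
"""

# One data row: proto, local, foreign, optional state (UDP rows have none), PID.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+"
    r"(LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT)?\s*(\d+)\s*$"
)


def parse_netstat(text):
    """Parse Windows `netstat -ano` output into a list of connection records."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, "Active Connections"
        proto, local, remote, state, pid = m.groups()
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append({
            "proto": proto, "local_ip": lip, "local_port": int(lport),
            "remote_ip": rip, "remote_port": int(rport) if rport.isdigit() else None,
            "state": state or "", "pid": int(pid),
        })
    return rows


def unexpected_listeners(rows, expected_ports):
    """TCP listeners whose port is outside the baseline, as sorted (port, pid) pairs."""
    return sorted({(r["local_port"], r["pid"]) for r in rows
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"
                   and r["local_port"] not in expected_ports})


def connections_for_pid(rows, pid):
    """Established TCP sessions owned by one process id."""
    return [r for r in rows if r["pid"] == pid and r["state"] == "ESTABLISHED"]


def connections_with_host(rows, host):
    """Every TCP row whose remote end is `host`, whichever side initiated it."""
    return [r for r in rows if r["proto"] == "TCP" and r["remote_ip"] == host]


def triage(text, expected_ports):
    """Summarise suspect listeners, their sessions, and the clean-up commands."""
    rows = parse_netstat(text)
    listeners = unexpected_listeners(rows, expected_ports)
    return {
        "unexpected_listeners": listeners,
        "sessions": [(r["local_port"], r["remote_ip"], r["remote_port"], r["pid"])
                     for _, pid in listeners for r in connections_for_pid(rows, pid)],
        # taskkill's /PID selects the process by id; /F forces termination.
        "kill_commands": [f"taskkill /PID {pid} /F" for _, pid in listeners],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT, expected_ports={135, 139, 445})
    for key, value in report.items():
        print(key, value)
    for r in connections_with_host(parse_netstat(SAMPLE_NETSTAT), "192.168.1.50"):
        print("to/from 192.168.1.50:", r["local_port"], "->", r["remote_port"], "pid", r["pid"])
```

The baseline set is the point of the exercise: on the firewalled or unexploited host only the Windows file-sharing ports should be listening, so anything else with an established session is the leftover shell. `connections_with_host` answers the Question 12 variant, where no new listener exists on the target and the session to the Kali host is outbound from the exploited process.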
Check the username we are running as on the target using the Meterpreter command getuid
What is the user we have inherited on the target?
Why is this?
Check the process id of the process we are running as on the target using the Meterpreter command getpid
What is the process id which Meterpreter is running in?
From the Meterpreter shell, check the running processes on the target using ps
Find the process id of the exploited process which Meterpreter is running inside.
What is the name of the process?
From the Meterpreter shell, use the migrate command to move into the winlogon.exe process.
What is the process id which Meterpreter is now running in?
What is the name of the process?