This guide outlines a systematic approach to compromising a target host, starting from reconnaissance to post-exploitation. By following these steps, you'll identify vulnerabilities, exploit weaknesses, maintain persistence, and exfiltrate valuable data, all while covering your tracks.
Steps
1. Initial Reconnaissance
Passive Reconnaissance
Gather initial intel without interacting directly with the target:
- OSINT: Open Source Intelligence gathering (public records, websites).
- WHOIS Lookup: Domain registration info and ownership.
- DNS Enumeration: Identify domain records and potential subdomains.
- Subdomain Enumeration: Use tools like
Sublist3rorcrt.shto discover additional attack surfaces.
Active Reconnaissance
Interact with the network to build a picture of services and systems:
- DNS Enumeration: Identify zone transfers or brute-force subdomains.
- Network Mapping: Use tools like
traceroute,ping, and ARP scans to map the network structure. - Port Scanning: Conduct a port scan using
NMAP(nmap -sC -sV) to identify open services.
2. Scanning for Vulnerabilities
Service & Vulnerability Scanning
Uncover vulnerabilities in the host's software and services:
- NMAP: Scan for open ports and services.
- Vulnerability Scanners: Tools like
Nessus,OpenVAS, orNexposeto automate vulnerability identification. - Web Server Scanning: If a web application is detected, switch to web-focused scanning (e.g.,
Nikto,DirBuster).
3. Identifying Software Versions
Gather detailed information about software and OS versions to pinpoint specific vulnerabilities:
- Banner Grabbing: Use
netcat,telnet, orcurlto extract version details from services. - Shodan / Censys: Search for exposed services and their versions online.
- Error Responses: Trigger errors (e.g., with malformed input) to reveal software details.
- Header Inspection: Review service headers (especially HTTP or FTP) for version details.
4. Finding Exploits
Identify known vulnerabilities for the versions of software discovered:
- searchsploit: Search
Exploit-DBfor known vulnerabilities. - exploit-db: Direct database for manual searches.
- Google: Research CVEs (Common Vulnerabilities and Exposures).
- Shodan: Cross-reference exposed services with known exploits.
5. Crafting Payloads
Generate malicious payloads to exploit identified vulnerabilities and gain access to the target:
- msfvenom: Use Metasploit’s
msfvenomto craft payloads (reverse shells, bind shells, etc.). - Manual Exploit Creation: Customize exploits from
searchsploitorExploit-DB.
6. Executing Payloads
Deliver and execute the payload to gain initial access to the target:
- Remote Code Execution (RCE): Use tools like
Invoke-Command,runas, orsudoto execute the payload. - Exploitation Methods: May include remote file inclusion (RFI), SQL injection (for RCE), or privilege escalation vectors.
7. Establishing Persistence
Ensure long-term access to the compromised host, even after reboots:
- Service Hijacking: Replace or take over legitimate services (
systemctl,service). - Scheduled Tasks/Cron Jobs: Set up automated tasks to reinstate access.
- Startup Scripts: Add payloads to startup services or system scripts.
8. Privilege Escalation
Move from a lower privilege user to a higher (root/admin):
- Local Enumeration Tools: Use
LinEnum,LinPEAS, orWinPEASto discover privilege escalation paths. - SUID/SGID Abuse: Exploit files with improper
SUID/SGIDpermissions. - sudo -l: Check for misconfigurations in sudo permissions to execute privileged commands.
9. Data Exfiltration
Extract valuable data from the compromised host:
- Invoke-WebRequest (iwr): Use PowerShell to download/upload files.
- curl/wget: Transfer files to a remote location.
- Creative Exfiltration: Leverage encrypted traffic, steganography, or DNS tunneling to stealthily extract data.
10. Clean Up & Exit
- Clear Logs: Remove or manipulate logs (
/var/log,Event Viewer). - Terminate Processes: Shut down any lingering reverse shells or processes.
- Cover Tracks: Disable persistence and hide traces of exploitation.