How to work through a vulnerable host
Discover & Enumerate the target
- Passive Reconnaissance (no packets to the target)
  - Open Source Intelligence (OSINT)
  - WHOIS Lookup
  - DNS
  - Subdomain Enumeration (CA / certificate transparency logs)
- Active Reconnaissance (touches the target, so it can be logged)
  - DNS Enumeration
  - Subdomain Enumeration (Amass)
  - Network Mapping (traceroute, ping)
Scan for vulnerabilities
We're looking for vulnerabilities in the host or its applications, and for information leakage (version strings, paths, internal hostnames, verbose errors) that feeds the later steps.
- Server Scan (nmap port and service scanning)
- Web Server Scan (if there's a web app, switch to the "Webapp Approach")
Determine Versions
After gathering information about the host and its applications, pin down exactly which versions are running; the exploit search in the next step hinges on precise version strings.
- Banner grabbing
- netcat / telnet (connect and read whatever the service says first)
- Shodan and Censys (historical banners without touching the host)
- Inspect headers (HTTP Server / X-Powered-By, SSH and SMTP greetings)
- Throw intentional errors (stack traces and error pages often leak the framework and its version)
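The scan and version steps above, done by hand rather than with nmap, as an added example that is not part of the original page: a TCP connect scan over a port list, a netcat-style banner grab (silent read first, then an HTTP HEAD probe for services that only talk after a request), and a regex that pulls product and version out of an SSH identification string or an HTTP Server header. To run offline it starts two throwaway listeners on 127.0.0.1 whose banners are constructed sample data; the hosts, ports and banners are assumptions for the demo.

```python
"""Added example (not from the original page): TCP connect scan, banner grab
and version parsing, the manual equivalent of nmap -sV.

Two throwaway listeners on 127.0.0.1 imitate an SSH daemon (talks first) and
an HTTP server (answers only after a request). Both banners are constructed."""
import re
import socket
import threading


def _serve(sock, banner, wait_for_request):
    """Accept clients forever; send `banner`, after a request if required."""
    while True:
        conn, _ = sock.accept()
        with conn:
            try:
                if wait_for_request:
                    conn.recv(1024)
                conn.sendall(banner)
            except OSError:
                pass  # client gave up (e.g. the scan's connect-and-close)


def start_fake_service(banner, wait_for_request=False):
    """Bind an ephemeral localhost port, serve `banner`, return the port."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    threading.Thread(target=_serve, args=(sock, banner, wait_for_request),
                     daemon=True).start()
    return sock.getsockname()[1]


def connect_scan(host, ports, timeout=0.3):
    """Full TCP handshake per port; a port is open if connect() succeeds."""
    open_ports = []
    for port in ports:
        with socket.socket() as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                open_ports.append(port)
            except OSError:
                pass  # refused or filtered
    return open_ports


def grab_banner(host, port, probe=b"", timeout=0.5):
    """Read whatever the service sends, optionally after a probe (netcat style)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(4096).decode("latin-1", "replace")


def parse_version(banner):
    """(product, version) from an SSH identification string or an HTTP
    Server header; None when nothing recognisable is present."""
    m = re.match(r"SSH-\d\.\d-([A-Za-z]+)[_-]([0-9][\w.]*)", banner)
    if m:
        return m.group(1), m.group(2)
    m = re.search(r"^Server:\s*([A-Za-z-]+)/([0-9][\w.]*)", banner, re.MULTILINE)
    if m:
        return m.group(1), m.group(2)
    return None


def fingerprint(host, port):
    """Silent read first (SSH, FTP, SMTP talk first), then an HTTP HEAD probe."""
    for probe in (b"", b"HEAD / HTTP/1.0\r\n\r\n"):
        try:
            banner = grab_banner(host, port, probe)
        except OSError:
            continue  # timed out or reset: try the next probe
        parsed = parse_version(banner)
        if parsed:
            return parsed
    return None


def demo():
    """Scan a small constructed port list and fingerprint whatever is open."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n")
    http_port = start_fake_service(
        b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
        wait_for_request=True)
    # neighbouring ports act as (almost certainly closed) controls
    candidates = sorted({ssh_port, http_port, ssh_port + 1, http_port + 1})
    results = {p: fingerprint("127.0.0.1", p)
               for p in connect_scan("127.0.0.1", candidates)}
    return results, ssh_port, http_port


if __name__ == "__main__":
    results, _, _ = demo()
    for port, version in results.items():
        print(f"{port}/tcp open  {version}")
```

Against a real host the same `connect_scan` and `fingerprint` calls work unchanged; the connect scan completes the handshake, so unlike a SYN scan it shows up in the target's application logs.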
Find Exploits
Find exploits for the identified software and versions on the host.
- searchsploit
- exploit-db
- Shodan
Craft Payload
Build the payload the exploit delivers (a reverse shell, bind shell, or similar) so that a successful exploit turns into an interactive foothold rather than a one-off crash.
- msfvenom
- searchsploit -m (copy the exploit source locally so it can be adapted)
Execute Payload
Execute the payload we made; there are some very interesting and creative ways to achieve this!
- Invoke-Command
- runas
- sudo
Establish Persistence
Ensure our access to the host persists, surviving reboots, dropped sessions and the original exploit being patched.
- service takeovers
- cron jobs
- startup scripts
Escalate Privileges
Move from a foothold to root (or SYSTEM on Windows)!
- Get-Process
- PowerUp.ps1
- LinEnum.sh
- LinPEAS
- WinPEAS
- suid/sgid binaries
- sudo -l
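The two Linux checks above that most often pay off first, setuid/setgid binaries and `sudo -l`, as an added example that is not part of the original page: a walk that reports files with the setuid or setgid bit (what `find / -perm /6000 -type f 2>/dev/null` does), a parser for `sudo -l` output, and a triage pass that flags unrestricted or NOPASSWD rules and binaries whose normal features include running a command. The `sudo -l` text is constructed sample output, and the shell-escape list holds a few well-known examples rather than a complete catalogue.

```python
"""Added example (not from the original page): setuid/setgid enumeration and
sudo -l triage in Python so findings can be filtered automatically.

SAMPLE_SUDO_L is constructed sample output; SHELL_ESCAPE_BINS lists a few
well-known examples, not an exhaustive set."""
import os
import re
import stat
import subprocess

SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")

# Binaries whose normal features execute a command (vim :!sh, less !sh,
# find -exec, awk system()), so "sudo <bin>" is effectively "sudo sh".
SHELL_ESCAPE_BINS = {"vim", "vi", "less", "more", "find", "awk", "perl",
                     "python", "python3", "bash", "sh", "env", "nmap"}


def find_setid_files(root="/"):
    """(path, mode) for regular files under `root` with setuid or setgid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def parse_sudo_l(text):
    """(runas, tags, command) triples from the rules section of sudo -l."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = SUDO_RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}  # e.g. NOPASSWD, SETENV
        for cmd in m.group("cmd").split(","):                     # one rule, many commands
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules


def triage_sudo_rules(rules):
    """Flag rules worth a closer look, each with the reasons it was flagged."""
    findings = []
    for runas, tags, cmd in rules:
        reasons = []
        if cmd == "ALL":
            reasons.append("any command allowed")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINS:
            reasons.append(f"{binary} can spawn a shell")
        if reasons:
            findings.append((cmd, runas, reasons))
    return findings


def live_sudo_l():
    """Run `sudo -n -l` (-n: never prompt for a password) and parse it; [] on failure."""
    try:
        out = subprocess.run(["sudo", "-n", "-l"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return []
    return parse_sudo_l(out.stdout) if out.returncode == 0 else []


# Constructed sample output of `sudo -l` for a user called alice.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on target:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less /var/log/syslog, /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for path, mode in find_setid_files("/usr/bin"):
        print(f"{mode} {path}")
    for cmd, runas, reasons in triage_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[!] ({runas}) {cmd}: {'; '.join(reasons)}")
```

On a real foothold, swap `SAMPLE_SUDO_L` for `live_sudo_l()` and widen the walk to `/`; the setuid list is only interesting once filtered against what the distribution ships by default, so compare it with a clean install of the same release.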
Exfiltrate Data
Steal the data on the host!
- Invoke-WebRequest (alias: iwr)
- curl
- Imagination!!