How to hack without Metasploit
1. Finding Exploits
Search for exploits with searchsploit
Copy the exploit to your working directory
If searchsploit fails to find any juicy exploits, try Google. If Google fails, well, there’s probably not a public exploit. TRY HARDER!
It may still be exploitable with:
Public PoC (GitHub, blog, etc.)
You need to understand the code and the PoC
Try writing your own
Brute-forcing
Clear-text passwords in files (needs detailed enumeration)
2. Customising Payloads
Customise the payload to open a Meterpreter session or a reverse shell so that you can take control of the victim box.
MsfVenom
staged - windows/shell/reverse_tcp
unstaged - windows/shell_reverse_tcp
Other options
-e lets you choose an encoder
-b lets you set bad characters
List all payloads available in msfvenom
3. Privilege Escalation
4. Catching reverse shells
Metasploit multi/handler listener
Netcat listener (for unstaged payloads)
5. Enumerate more (adithyanak way)
Enumerate more means:
Scan ports, scan all the ports, scan using different scanning techniques
Brute force web dirs, brute force web dirs using different wordlists and tools
Check for file permissions, check for registry entries, check for writable folders, check for privileged processes and services, check for interesting files
Look for a more suitable exploit using searchsploit, search Google for valuable information, etc.
Check the webserver version, web app version, CMS version, plugin versions
Tips for foothold:
Password reuse
The default password of the application / CMS
In case of LFI, guess file locations using a known username
A username found in any notes on the machine might be useful for brute-forcing
Try harder doesn’t mean you have to try the same exploit with 200x thread count or with an angry face. Go, enumerate harder.
Refer: https://blog.adithyanak.com/oscp-preparation-guide/enumeration