Projects using Metasploit in LahoreProjects using Metasploit in LahoreI simulated a real-world Active Directory (AD) attack to identify and exploit misconfigurations within a Windows domain environment. The goal was to practice enumeration techniques, escalate privileges to domain admin, and establish persistent access.
I started with LDAP enumeration using ldapsearch to map domain users and groups. Using BloodHound, I visualized attack paths and identified a Kerberoastable service account — a weak SPN tied to an outdated service. I extracted the hash using GetUserSPNs.py (http://GetUserSPNs.py) and cracked it with Hashcat, revealing the cleartext password. I then used Pass-the-Hash to authenticate as a domain admin using PsExec. To maintain persistence, I added a domain admin backdoor account using Mimikatz. Finally, I cleared event logs to avoid detection and exported a full attack report for remediation.
Tools Used: ldapsearch, BloodHound, Hashcat, GetUserSPNs.py (http://GetUserSPNs.py), PsExec, Mimikatz, eventlog (for cleanup)
Deliverable: Full attack timeline with screenshots, enumeration outputs, and security recommendations. I performed a complete network penetration test on a deliberately vulnerable Linux machine (Metasploitable2) to simulate a real-world attacker scenario. The objective was to identify exploitable services, gain initial access, escalate privileges to root, and extract sensitive data.
I started with reconnaissance using nmap to discover open ports and services. I identified outdated and vulnerable services including vsftpd 2.3.4 and Samba 3.0.20. Using Metasploit, I exploited the vsftpd backdoor to gain initial shell access. I then used shell_to_meterpreter to upgrade my session to a Meterpreter shell, giving me greater control. I dumped password hashes from /etc/shadow and cracked them using John the Ripper. Finally, I escalated privileges to root using the Samba usermap_script exploit and documented the entire process with screenshots.
Tools Used: nmap, Metasploit, Meterpreter, John the Ripper, searchsploit
Deliverable: A comprehensive report including attack timeline, exploited CVEs, and remediation recommendations.