Gaining access phase. So here's the point we're going to start gaining our foothold into the system. So we've done all of our research, we've done all of our enumeration or scanning, and now is the time to actually launch that attack; we're going to gain our access. So at this point in the attacker's methodology, we are going to exploit something in the operating system to be able to get ourselves into that. Whether that's going to be a client-side, a remote-side, or other type of attack, this is where we're going to do our exploitation. So step three is gaining access, and this is where we're going to perform our exploits for the first time in order to gain our access into the system. So we can do this through a client-side or remote exploitation attack. That's things like social engineering, open wireless connections, software bugs, unpatched systems, web application vulnerabilities, backdoors, buffer overflows, Trojans; there are numerous ways to gain access.
And it really doesn't matter which way we're going to use to gain access; the point is we're going to get our access into the system. Now, as we start going through this in our lab, what we're going to use is a simple buffer overflow type attack. We're also going to use in our lab some other types of things, such as unpatched software. So, if there's a system that hasn't been patched with the latest update, we can take that, use that to our advantage, and break into the system that way. So gaining access, how do we gain access? Well, it's really just a three-step process. We're going to identify the target with the vulnerability, we're going to find a matching exploit, and then we're going to select a payload. Now what do those three things really mean? Well, a vulnerability is a software coding error, so it's usually a software bug. It could also be a misconfiguration of the software as well, that allows us to gain access to the target operating system.
So for instance, if you're running Microsoft Windows, and you didn't apply the patch that came out last Tuesday, that is a known vulnerability, and that can be something that I can attack. So that vulnerability just means that there's a hole that can be exploited; it doesn't mean that it was exploited. Now if we move on to an exploit, an exploit is actually the method of delivery that the payload uses to accomplish the goal that it wants to do to get access. So to exploit it is actually to take that vulnerability, and find a way to break into the system using that vulnerability. So an exploit is a method of delivery of a payload, and we're going to talk about payloads here in a second, but we want to deliver that payload to accomplish a specific goal. So when we have that vulnerability, it just means there's a hole there. But now how we actually break in to get through that hole is the exploit itself. So if there was a software bug or misconfiguration out there that was identified, that's the vulnerability.
Now if we reverse-engineer that, and find a way that we can exploit that, that's where that exploit and that exploitation can occur. Now when we get into payloads, this is the effect. A payload is the effect caused by a virus or other malicious code; it's that we want something to happen. So when we have a vulnerability, that's the hole; we have the exploit, the method; we then do the thing, which is the payload. So the payload is the actual code that's going to be run once the exploit occurs. So if we think about it like a house, for instance, just because you left the front door open doesn't mean the bad guy's going to break in, but if the bad guy finds that you left the front door open and he turns the handle, that's the exploit that allows him to open the door. But he hasn't really done anything yet. Now once he steps through that door and grabs your TV, and walks off, that was the payload, the theft of the TV. So that's how we have that vulnerability, that exploit, and that payload, and how they relate to each other.
Now, as we go into our next couple of lectures, we're going to go into a deeper dive here. We're going to go into the lab environment, and we're going to walk through how a buffer overflow occurs, what a buffer overflow is, why it occurred, and how we can use that to our advantage. We're also going to talk about different payloads. We're going to talk about shellcode, we're gonna talk about bind and reverse shellcode, and we're also going to talk about Meterpreter, which is a specific type of shellcode that we use inside the Metasploit environment, the Metasploit Framework that we're using as our attack platform. So as we keep going through this, we're going to go through this gaining access phase, we're going to dive in just a little bit deeper into each of these areas, but again, gaining access is just a big concept of finding a vulnerability, exploiting that vulnerability, and delivering and executing a payload.