So, now we're going to discuss the first vulnerability we're going to exploit, and that's the Microsoft 08-067 vulnerability. This was also known as the Netapi vulnerability. Now, everyone tends to use this in ethical hacking as the first hack, and the reason why is it's a fairly easy hack. It works really well, and it works pretty much every single time. We're gonna go through this one first and get our feet wet.

Where does this attack fall in? Well, we're gonna gain access using this attack, and this attack actually gets us a system-level user. So, we're actually gonna have an escalation of privilege at the same time. We're gonna be in both phase three and phase four simultaneously as we begin this attack.

So, MS08-067, what does that really mean? Well, MS08-067 is the vulnerability number that Microsoft assigned to this particular bug in their code. It is the Microsoft Server Service Relative Path Stack Corruption. Now, this vulnerability allows for remote exploitation of a Windows 2000, 2003, or XP system. Once we got into Windows 7 and above, they have started fixing this vulnerability and taking it out. Sometimes, you'll find that it works on Windows 7, sometimes it doesn't. It depends if the person is actually patched for it. But it works almost all the time on Windows 2000, XP, or 2003 if they're using file sharing services on one of those machines.

What are the requirements for Microsoft 08-067 to work? Well, you have to have a vulnerable service. In this case, the Server Service is on port 445. That's why I said you have to have file sharing enabled for this to work. When we set up our lab before for our Windows XP vulnerable box, we went and enabled printer and file sharing. That is so this vulnerability will work and we can attack it. This requires that the Windows Firewall is either disabled or file and print sharing is enabled. What we did is we left the firewall on, but we opened up the port for file and print sharing.

Is the machine still vulnerable? Microsoft released a patch back in October 2008. Microsoft Windows XP Service Pack 3 was released in May of 2008, so this was before the patch was released. If you have a brand new Windows Service Pack 3 system like the one we made, it's still vulnerable. Again, even though there's a patch available, not everyone puts those patches out. The hotfix Knowledge Base article is KB958644. If you want to learn more about this vulnerability, you can go in there and read all about it, where Microsoft gives you the technical details. Because they've given us those technical details, the attackers have been able to reverse engineer it, and now we have this exploit available.

In Metasploit, in the Metasploit framework, we have to have an exploit to be able to go against that particular vulnerability. The nice thing is, with Metasploit they tend to keep the same naming scheme as Microsoft to make it easy for us to find. We talked about the fact that Microsoft called it the MS08-067 vulnerability. Well, Metasploit calls it the ms08_067_netapi exploit. So when we search for that, we'll be able to find it there.

What this module is gonna do is it's actually gonna exploit a parsing flaw in the canonicalization code path of netapi32.dll through the Server Service. If the process reaches a state where the next instruction to execute is in the stack, the exception is raised. If it's not handled properly, then the process is gonna be terminated. So the developers of the exploit have actually taken the vulnerability, reverse engineered it, so they now have an exploit that works. When the flaw is introduced, instead of terminating, it's gonna actually go and run the payload that we desire, which in our case is gonna be a reverse shell.

So whenever you're setting up Metasploit, you have to set up two main things, and that's your exploit and your payload. It's how are you gonna break into that vulnerability, and what are you gonna do once you've broken in? In our case, you'll see here that we search for the exploit, ms08_067_netapi. We use that exploit. We then are gonna set a payload, which is what we're gonna do once the exploit is thrown. In our case, we're gonna use the windows/meterpreter/reverse_tcp. And then I showed you the options. From here you'll see that we need to set a remote host. That's gonna be who we're gonna attack. We need to set a local host. That's ourself, our IP, so we know who that remote host is gonna call back to. You'll see here, our exploit and our payload are shown here on the screen.

So if I run this exploit, what are the forensic examiners gonna be able to see? Here, I pulled up the log files: the application, system, and security log files. Notice that the numbers have not changed from before the attack to after. Again, that's because we're using the Meterpreter reverse shell, and Meterpreter runs exclusively from memory. It doesn't actually even get logged in the system. It's not in the application, it's not in the system, and it's not in the security. As you can see, there's very little trace of our efforts here.

Now, once we've broken in, depending on what we do, that can change the number of records, because we might trip on things that launch applications, that actually hit the security trip points, or that actually affect the system. But just running the exploit itself has no effect on our log files, making it a very quiet exploit for us to use. And so now that we've walked through this, and you see that we're gonna be able to gain our access and our escalation of privileges, we're gonna walk through it interactively as I go through the attack in a lab environment.