[00:00:00] Welcome to the Maintaining Access lab. Now in this lab we're gonna do two things. We're gonna learn how to create user accounts and add them into different groups, such as the Administrator group, and then we're also gonna learn how to manipulate the firewall so we can open up access so we'll be able to get back in at a later time. So to begin this lab, we're gonna start with a connection on our Windows XP machine again. We've exploited the same vulnerability, we're back there going through the netapi service again, and we're now at the meterpreter prompt. So, one of the things I want to do is I want to look at what process I am and what user I am. So again, we're gonna do our getpid, 980, and now if I type in ps, we can see that 980 is associated with the system user inside the service host process. So what is that if we do the pid and then getsid, the sid is -18, because it's a system level. Now, what we're gonna do is we're gonna go on to the Windows box and we're gonna start creating some accounts in this lab, and so what I want to do is I want to have an Administrator's account.
[00:00:55] The system can create users but it has a hard time with some of the groups because it's not used to doing that; it's not really what it's made for. Usually you need to be an Admin level user. We already know that John Sim is an Admin level user, he has those rights. So what we're gonna do is migrate into his process and become John Sim. So we can use process 480, which is the explorer process, and we'll go ahead and migrate there. So we'll migrate into 480, and then we'll verify our sid again by doing getsid, and you can see we are now John Sim, the 1003 level user. So that's a good place for us to start. Now, what we're gonna do is we're gonna shell, which is gonna drop us into a Windows command prompt, because everything we're gonna do from here on out is standard Windows commands. So, what we're gonna do from here is we want to actually see what user accounts are on the system. So the first thing we're gonna do is do net user, and when you do that you'll see the accounts that are created.
[00:01:56] You'll see here we have the Administrator account, the Guest account, the HelpAssistant account, John Sim, and two SUPPORT accounts, and this second SUPPORT account is one that I have created, just to show you an example of how to do that, and so what we're gonna do here is we're gonna create another one, and so the real SUPPORT account was actually this one, the 388945, I created one 338945, and you notice there's just one digit difference, so we'll do the same type of thing, because it's very well, it's easy to hide from your System Administrator by having these additional accounts. If I put something in there that said hacked or ethical hacker, or anything that just looks out of the ordinary, it'd be very easy. Now in this particular PC, there's very few users, so it would be very obvious. If you're in a domain environment though there's hundreds and thousands of users, so you can blend in very easily, as long as you use the same naming scheme.
[00:02:43] So in our case, what we're gonna do is to create a new account, we're gonna type in net user and then the user name we want. We'll go ahead and use SUPPORT, just straight up SUPPORT, and then we'll give it a password. I'm gonna use a1b2c3, just to keep things easy as we play, and then /add. When I do that, that account has now been created. We could type in net user and hit Enter, and you'll see that account now exists, the SUPPORT account. Now, what rights does that SUPPORT account have? Well that's a great question. Let's go ahead and look at it. The way that we're gonna do that is by typing net user and then the username. So, net user, and then the username, which in our case was SUPPORT, and you'll see that the SUPPORT account was created and its password was last set just now, the password is good for 60 days, it does require a password change every 60 days, but it is changeable right now, so we could change our password if we wanted to.
[00:03:39] Now, it can log on to all workstations, and it has all login hours, but the only membership it has is a standard user account at this point. So, as a standard user account, it is not gonna be very useful for us, we're gonna want to get that into the Administrator group. So the first thing we want to do is we want to learn what type of groups are on this machine, and so what we're gonna do there is we're gonna type net localgroup. So, when we type in net localgroup, you'll see the groups that are on this computer. There's the Administrator group, the Backup Operators group, the Guest group, the HelpServicesGroup, the Network Configuration, Power Users, Remote Desktop Users, Replicator, and Users. The only group we're a member of though is the Users. We want to be a member of the Admin group. So how are we gonna do that? Well, we're just gonna do net localgroup, and we're gonna see who's in the Administrator group first. So we're just gonna type in Administrators, and you can see right now, the only two Administrators in the system are the Administrator and John Sim.
[00:04:39] Well we want to be Administrator too, so we can just do net localgroup, the name of the group, which in our case is Administrators, and then we're gonna type the username we want to add, which is SUPPORT, and then /add, and now it tells us that it was successfully added. Now, how do we verify that? Well, we can look in the group membership or we can look at our user. We're gonna go ahead and do both just to verify. So, net localgroup Administrators, and you can now see that SUPPORT has been added to that Administrator group. The second thing we're gonna do is net user and then SUPPORT, and we'll see that they now have the ability of being an Administrator as well as a User, they're in both groups. Now, this is just a very simple example but it shows you the power of what you have. Once you've got an Administrator account, you can start spreading out and creating your own accounts and your own ways back into the system, and that's what we wanted to show you, just a simple way of creating additional accounts from the command line.
[00:05:38] Once you're in this command line, you can do anything that the Windows system will allow you to do from the command prompt, so it's really important to have that Windows System Administrator background because then you know how to actually operate the system. Now in the second part of this lab, we're gonna play with manipulating the firewall. So, the firewall can actually be manipulated from the command prompt as well, and the way we do that is by using the netsh command. So if we do netsh, this will drop us into the netsh shell. So now that we're at the shell, we want to go into the firewall settings, so we'll type in firewall. So now you'll see our prompt says netsh firewall. So if I type in ?, you'll be able to see all of the commands that are available for us. So, in the context of our firewall, we can add a firewall configuration, we can delete a firewall configuration, we can dump and display the entire configuration script, we can get help, which is what we did by the question mark, and then we can reset it or set it, or show the firewall configuration.
[00:06:40] So what we're gonna do first is we're gonna look at the current firewall. So what we're gonna do is do show and hit Enter. Now, from show, we want to see what the service configuration is. So what services are allowed to run? Right now, they have enabled File and Print Sharing. So that's good, that's one of the things we use as a way to get back in. Now, what about our port configurations? Well let's do show portopening, and so here we can see what open ports we have. We have 139, 445, 137, and 138. What are all those ports used for? That's right, all those ports are used in the firewall to allow file and print sharing. Since we have File and Print Sharing enabled, those ports are also available for us to use. In our case, we use 445 as the port that we exploited, that's the one that we came in on. Now, let's see what the logging on our firewall is.
[00:07:34] So if we do show logging, you'll be able to see that right now Dropped packets are disabled, we don't log those, Connections are disabled, they don't log those, and where is the location of the log file? It's in the Windows directory. Why is that important to us? Well, in our last step, we want to cover our tracks, and so if we've made changes to the firewall, all those are gonna get logged. We'll want to go and clean those out in the log file later on. So what are some examples of things that we can do here? Well, one of the things that the System Administrator might have disabled is ICMP or ping traffic echoing, and that way we couldn't footprint the network. Well one of the things that we can do now that we're inside the network is we can turn that back on if we wanted to, or if it was on and it was a vulnerability we used to figure out where the network was, we can turn it off. So let's go ahead and turn it on, I'll show you how to do that just so you can get used to using this tool.
[00:08:23] One of the ways you do that is you type in set icmpsetting, 8, which is the echo reply, and then you're gonna type in ENABLE, and by doing that, we've now set that setting, so that other people should be able to ping it. Now, if we wanted to disable that, we would just do set icmpsetting 8 DISABLE, and again, this goes back to what we talked about before. When you break into the machine, if you want to make sure nobody else can break in, because you want to keep that machine to yourself, you might go in and actually secure the machine, even better than it was before, such as disabling features like this. Now, File and Print Sharing is already enabled so we don't have to worry about that, but we could actually disable it at this point. So once we set our backdoor and we have another way in, we can actually hack the vulnerability that we first exploited, and then we can disable File and Print Sharing, so that other people can't get in as well.
[00:09:14] We're not gonna do that right now because we haven't set our backdoor yet, so we want to make sure that's still open and available for us, but to do that, what you would do is do set service FILEANDPRINT, and then you do DISABLE, and then you would hit Enter, and that would disable the service. We don't want to do that right now 'cause we're gonna need it to be able to break back into this box later on. Now, one of the other things you can do is you can just disable the firewall completely, and to do that you just do set opmode disable, and right now the entire firewall for that machine is off, and we can verify that by going over to that Windows machine and looking at it. So once we're on that machine, we can just go over here, look at the "computer might be at risk" message, and you'll see now, the firewall is off. Now, if we enable that, and we go back, you'll see the firewall is now on, and that's the type of thing that you can do with this firewall: you can turn things on and off as needed because you now have control.
[00:10:22] Normally though what we're gonna do is we're just gonna allow specific programs or ports through the firewall. Let's say for example, I wanted to have a netcat listener sitting on port 5000 on the machine. Well, the way that we would do that is we would have to set an exception in there. So what we can do is set allowedprogram, whatever the path of the program is, in our case it'd be Netcat, and then allow, nc is the name of what we're gonna allow, and then ENABLE. Now, we have not set up Netcat, we have not uploaded that tool yet, so there's no benefit in setting this and it's probably gonna error out if we do it, but I just wanted to show you what the command is. Again, we'll play with that one more when we start doing our backdoors in a future lesson. Now what if we just wanted to open up certain ports on the firewall? Well, let's go ahead and look at that again. So again, if we wanted to add something, we would do that with the add command. Now, what are we gonna add?
[00:11:19] In our case, we want to add ?, I'm gonna show you the different things that you can add. So here you can see, you can add a port, or you can add a program. I just showed you the program with the Netcat example. Now, for a portopening, let's see what the configuration setup is for that. Well, what you have to do is do add portopening, TCP, UDP, or ALL, the port you want, and then you're gonna give it a name, whether it's, you know, WebPort, if it's IKE, if it's DNS, it could be hacker, whatever you want, ENABLE, and then ALL or CUSTOM. So in our case, what we're gonna do is we're gonna do an add portopening TCP 80, we'll call it WWW and then we'll enable it for all. So what we'll do is add portopening TCP port 80, we'll call it WWW as if they were running a web server, and then we're gonna ENABLE ALL. Now it says it's good. How do we verify it's good? Well, we can do that from the command prompt, or again we can look on the machine and see what it's gonna look like to the victim.
[00:12:24] What we're gonna do here is we're gonna look at it from the command prompt. So, what we're gonna do is we're gonna do show and then we want to show the portopenings, and if you remember correctly, we had four ports before that were all associated with file and print services. Now we should see port 80 added to that list, and so you see that port 80 is open. Now we can verify that on the victim's side. What will that look like to them? Well for them to see that, they're gonna have to actually go into their firewall, and they're gonna actually have to look at the configuration and the setup for it. Now, where do you get to the firewall on a Windows XP machine? You just scroll down and click on Windows Firewall. Then from here, we go to Exceptions, and you'll see there's now this exception for WWW, and if we Edit it, we can see TCP port 80, that's what they actually did. And so you can see that from the victim perspective, they're not gonna see anything unless they really are checking their firewall all the time and looking at it.
[00:13:19] In this case, they're not, and so they don't see it. So those are just some basics of how to use the firewall and set it up. The nice thing about it is that you can do everything from the command line, but you've got to get used to the way the command prompt works. You have to get used to the way the netsh firewall tool works. There's lots of things you can do once you have the exploitation of the machine, it's just a matter of determining what your intent is and what it is you want to accomplish.