Welcome back to the official Start Cop series. This is the Web Application Exploitation module. In this module, we're going to talk about Metasploit. We're going to look at web app exploitation, we're going to look at cross-site scripting, we're going to look at SQL injection. Many different types of vulnerabilities.

This is our chapter outline. We're going to go into an introduction of Metasploit and the Metasploit framework, we'll look at some different Metasploit modules, and how to generate payloads using msfconsole and msfvenom. We'll get into SQL injection as well as cross-site scripting and directory listing.

So where do we get Metasploit? Well, there's a lot of different places you can get it. It does come preinstalled with Kali Linux. So if we log in to our Kali box and we go to the start menu and we go down to Exploitation Tools, notice we have the Metasploit framework, we have the Metasploit payload creator, Social Engineering Toolkit, SQLMap, all kinds of stuff. So we can click on the Metasploit framework and it actually gives you the commands for running Metasploit. It first has to start up a database; it runs off of a PostgreSQL database. And it sets up a database named msf. Now, sometimes you do get compiler errors, so don't panic.
If you see something like this, just go ahead and run it again from the command line. You always want to make sure that you're on the latest and greatest updates. So we want to go ahead and do a quick apt-get update to make sure we have the latest data from the Kali Linux repository. While that's updating, we'll go ahead and take a look at where to actually get the Metasploit framework from.

So you can go to metasploit.com/download and you can go here to Metasploit and pick the version you want. There is a Pro version which is commercially supported, and the open source version from Rapid7. This is more of the easier version of running Metasploit. If you want to run on Windows, they have a desktop supported version, so they have an MSI install. But just be aware, when you go to install Metasploit on Windows, it will flag your antivirus. So just be aware of that. Of course, you can get it on Linux, and they provide a script to do just that. So you have really two options for Metasploit, the GUI version or the command line version, which comes in with Kali. And the main difference between the GUI version and the command line version is really ease of use.
If you're not real comfortable with the command line, you may prefer to start out with the GUI version initially, just to make it a little bit easier to run exploits. So these are the nightly installers available from GitHub. Of course, if you get the latest and greatest version, just keep in mind there may be bugs. These are all things that just do happen. It's an exploit framework and it's constantly updated. So for the latest and greatest version, always check back here. This is the command you would enter to curl the Metasploit framework, and then you run the Metasploit installer with msfinstall, and then you have to change the permissions too. So we can... This is another way to get Metasploit from any Linux distro, not just Kali Linux.

So let's go ahead and clear. Make sure we don't have any extra packages lying around. That's fine. The best way, of course, is to copy and paste this from the site, but I'm just going to type it out. We'll just run this part of it. And there we go. There's the download. Go and clear the screen just to keep it a little bit cleaner.

All right, now that we have Metasploit running, notice that it gives us a running tally.
We can see the version number right here, 5.0.93-dev. We have over 2000 exploits, some of them auxiliary, which we'll get into, and 562 payloads. And you can actually open an interactive terminal with this as well. We can see this is version five because it has an msf5 next to it.

So let's look at some of the different Metasploit components. We have the payloads portion, we have exploits, we have different types of attacks like SQL injection, cross-site scripting and directory listing. So the Metasploit framework is a gathering of different projects and different payloads and exploits that can then be utilized to exploit targets. So it's the most widely used exploitation slash penetration testing framework. And it's a collaboration between open source and Rapid7. They not only verify vulnerabilities, they also try to improve security awareness. So it helps not only the attackers, but also the defenders to be able to stay up to date on the latest and greatest exploits that are out there.

So this is msfconsole, which you just saw. It's the preferred way to be able to access it, but it's not the only supported way to access the Metasploit framework, as we said. You can run the GUI version, which we will look at in a little bit.
It's an all-in-one centralized console and allows you to efficiently access essentially all the options in the Metasploit framework. It can seem very daunting at first, but once you get the syntax, you'll be able to run commands much more efficiently, and most of the features. And it's essentially the most stable Metasploit framework interface.

So these are some of the different commands. So let's go ahead and go back. If we type the word banner in here, we can actually change our banner. You can get different pictures. This is really more of just a preference thing. It's not really anything to do with functionality or making it better, but it is one of the options. Now we can type the help command, and help will give you a basic tutorial; it gives you a lot of information about the different commands that are there. You can change the current working directory. If you want to exit the console, you type exit. You can actually grep the output of other commands. You can load different plugins. You can check the version. And it has some different commands for working with the database itself. So if you wanted to see what credentials you had, they would show up here. If you want to see the version,
this is the current version we're on. Lots of different commands. So if you want to get into scripting mode, you can type irb. Notice we get into an irb shell. So you can pick what functions you want to look at. If you type exit, you can get back out to the Metasploit framework, change the banner again.

So if you want to launch the web GUI from here, you can type in go_pro and if it's installed, it will launch the web GUI. Again, these things do change from time to time. So the web GUI is normally installed separately. So let's go ahead and... So we have Metasploit installed on our Windows workstation, which we'll open up here in a moment.

Now let's talk a little bit about vulnerabilities. A vulnerability is essentially any flaw in code or some type of weakness in software. It could be hardware related, but it's a way that attackers can compromise different systems: attack vectors. Vulnerabilities come out all the time. Vulnerabilities... or actually there's a list of vulnerabilities called the National Vulnerability Database. If we go back to our... open up our web browser here. Now we go to nvd.nist.gov.
This is the National Vulnerability Database. If you're in the U.S., this is kind of one of the standardized places where new vulnerabilities come out, and they have essentially an ID number. It always starts with the three letters CVE and you add in the year and then the four digit number at the end. And then over on the right hand side, you can see the severity, or the CVSS score, the Common Vulnerability Scoring System. So these are individual vulnerabilities. If you click on one, it will give you some more information about the vulnerability and even links to the vendor website where the vulnerability is posted. Now there may be Metasploit modules that actually show up down here, potentially. Now, not always, but there are lots of different vulnerabilities. We can go over to the search menu. We can actually search for all different types we want. We can search by number. We can search by vendor. Let's say we want all the Microsoft vulnerabilities. We can actually click on that and just hit search and it will return us any vulnerability that it finds based on Microsoft. Notice we've got lots of different vulnerabilities here. So you can search, you can filter.
But those are the vulnerabilities, the weaknesses that create attack vectors. And where we run into problems is when there's a vulnerability and there's no fix or there's no patch. So attackers may use malware or payloads, as we'll get to talk about later, that use or exploit multiple vulnerabilities. The vulnerabilities allow attackers to take advantage of systems, elevate privileges and potentially take over certain systems.

So what are exploits? Well, exploits are what we have in Metasploit. These are essentially payloads that take advantage of some vulnerability that an attacker can use to take over a system. So if we do show exploits in Metasploit, we're going to get a whole bunch of information returned. Usually if you just type the show command and there's too many results, it'll ask you, are you sure you want to show all this? Because there's too many values to return. So it takes a little bit of time, but eventually you'll get something similar to this screen here. And so the vulnerabilities will have a name, the date they were found, and they will have a description. So keep in mind that not all vulnerabilities work for all systems. These are some of the different modules.
With respect to Metasploit, you have msfconsole, which is in the center here, and then you have exploits, you have payloads. So in exploits you have different systems like Windows, Android, Unix, and then you have these auxiliary modules which deal with things like SCADA systems, databases, and then the payloads could be designed for particular systems like Android. They could be... it could be a lot of different things. So payloads are an important component to understand, as well as the different Metasploit framework modules.

So you can think about payloads as the dangerous part of Metasploit. So what is an auxiliary module? That's the modules used for gathering information. So the Metasploit framework has hundreds of auxiliary modules that perform scanning, fuzzing, sniffing, and many, many more different functions. So these modules will not give you a shell, but they're extremely valuable when conducting a penetration test, things like SQL databases and also doing man-in-the-middle attacks. Then you have exploit modules. Exploit modules are commonly used to convey code. They are the actual exploit. And these are constantly updated and developed.
You can look at what these are; these are the things that actually make Metasploit unique versus other platforms. This actually gives Metasploit its exploit capability. So things like exploit modules will handle the payload, the encoding, the NOP (no-operation) instruction generation and many other things. So because there's so many exploits already in Metasploit, there's a good chance that there's already a module you can just edit for your own purposes. And there are lots of different samples that you can modify yourself within Metasploit.

So this is an example of running an exploit under Metasploit. So if we go back over to our system here. Too many windows open now, too many command windows. Let's close one of these here. Okay. So we got our list of exploits that came back. It's a very long list because we didn't specify anything in particular. So let's go ahead and say we're going to use exploit/windows, we'll say smb. Then if you hit tab, it'll actually give you different options about which ones you want to pick. So let's say I wanted to use the ms17_010_psexec vulnerability. And then I hit enter.
Once I do that, notice the prompt changes here, so it becomes red and now I have some different options. So let's do a show command. So these are the different options for this particular exploit. So you can pick out what you want to do, what you want to be the target host or the receiving host and the receiving port number. And then you give it a domain that you want to try and use, a password. So right now it's just made some decisions about the local host, which is the system I'm currently on, and the local port. And right now, there's no exploit target. So you can do different things. So if I wanted to set exploit... I'm sorry, set RHOST. And then if it has a value, it'll give that value. This one doesn't actually have an RHOST variable, but that's very common. So let's do show payloads to see if we have any payloads yet. So it's going to return a lot of payloads because there's a whole bunch. And then you pick which payload you actually want to utilize. So again, there's a lot of options there.

So let's look at some of the different types of auxiliaries. So there's different scanners for SMB, remote procedure call. There's port scanners.
There's wireless auxiliary modules. There's denial of service modules, even. So a lot of different types of auxiliaries.

So let's talk about what a payload actually is. A payload is a piece of software that's used to control the remote system. So the payload is like the device you're going to detonate or, you know, it's the weapon portion of the exploit. So they're different depending upon what type of system architecture, so if it's a 64-bit system versus a 32-bit. So there's four different types of payload in Metasploit. There's three main types and there's one that's not really a type itself. So you have inline or non-staged. So this is a single payload for a task that has the full exploit and full shellcode. So inline payloads are more stable because they're all in one, they're self-contained. Some exploits, however, will not support the resulting size of the payloads; if the payload is too large, they may not work. Then you have a stager. A stager works with staged payloads to perform a particular task. A stager creates a channel between the attacker and the victim and reads in the execution on the remote host. Then you have Meterpreter. Meterpreter is short for meta-interpreter.
It's the payload generation tool for Metasploit. So it remains in memory and leaves no traces on the hard drive. So it's very hard to locate Meterpreter with traditional forensic techniques. Then lastly, we have the PassiveX payload, which can help circumvent firewalls that are restrictive. It essentially builds a hidden Internet Explorer instance using an ActiveX control and is able to communicate with the attacker via HTTP requests, because HTTP traffic generally will be allowed to pass through the firewall. Otherwise, there will be no internet access or no web access.

So how do we generate payloads in Metasploit? We can do this from within the Metasploit console. So there are the generate, pry and reload commands. Again, keep in mind that these tutorials do change periodically. So what works now... always consult the documentation for the latest and greatest options. You know, back into... because. I'll go ahead and close this because this is... or at least minimize it because it's distracting. So now I'll use payload/windows/shell_bind_tcp. So we have the listening port and the receiving host. So pick what target we want to be.
Well, set it to the system I'm currently hosting this virtual machine on. And so there's the options. And then if we want to actually generate the payload, then we're going to use the generate command. So this is: do we want to force encoding? We can set the payload size, any characters we should avoid and what output format we want it to be in. And if we just type in the word generate, we can just use the most common default payload, and there's our actual payload, similar to the example here. So let's say maybe we want to generate the same shellcode as before, only this time we're going to tell Metasploit to remove some unwanted bytes. So you're getting a null-byte-free payload. So it tells you, if you wanted to set it to verbose mode, you would get a little bit more information. Notice the size here, 328 bytes. So this time we'll do it with generate -b and we'll do apostrophe, backslash x00, or the null byte character. Let's see what happened here. Oh, it does happen. I made a mistake. And there we go. Notice there was a little bit bigger size this time. That's generating payloads.
How can we use this to go after web applications? So we can integrate some different tools like Nmap and WMAP, and maybe find a website that's vulnerable to SQL injection. There's also the Browser Exploitation Framework project.

All right. Now we're going to do a sample exploit, or attack, or how you would attack web applications inside of Metasploit. Keep in mind that you only want to attack applications that you have permission to. So we open up our Metasploit console. I'll go ahead and clear the screen so you can see all these. We're going to use the auxiliary scanner HTTP crawler. And once we do that, we're going to hit enter. And then, as our text went to read, we're going to set the RHOST value as localhost because we're just going to run it on our local machine. We're going to set the local port to 9000. And then we're going to type in run to run the crawler. And it's going to take a little while and it'll come back with some information.

All right. Now we're going to load WMAP.
So this is the plugin. We run wmap_sites -a and, for our use, localhost; if this is a remote host, you'd want to use the host IP and port number. And the site has been created. And then type wmap_sites -l, and we see we've got some available sites here now. So now we're going to use wmap_target -d 0 and wmap_run -e. Let's see. Something went wrong with the target selection. So again, sometimes these commands do change. So just be aware that sometimes, some commands may change between versions of Metasploit. So I had a small typo in there. It's wmap_targets that is the command. So now I've got my target. So now I can run my wmap_run command. And it's going to start doing a test against the local website, port 9000. And it's going to load in those modules. And we can see the time the testing started. And it'll take a little bit of time to finish.

Now we're going to take a look at some SQL injection, which is also known as SQLi.
It's a common attack vector that uses malicious SQL code for back-end databases, essentially things that the developer or the creator of the database maybe didn't necessarily intend on being displayed. SQL injection is very common on... matter of fact, one of the top vulnerabilities that is out there on OWASP, the Open Web Application Security Project. So if we go out to our browser and we look up OWASP Top Ten, we can see that SQL injection is essentially the number one flaw; not just SQL, but any kind of command injection, essentially where some information gets sent that maybe the application wasn't expecting. So the only way to prevent these types of injections is through input sanitization, which we'll get into a little bit later. But OWASP has a cheat sheet for how to prevent the different types of SQL injection. SQL injection may result in the unauthorized viewing of passwords, maybe deleting tables or dumping out the hashed versions of passwords, since in many cases passwords are no longer stored in plain text; they're stored in their hashed version. Ultimately, if a website is vulnerable to SQL injection, then that means that an attacker can do many, many things to exploit that site and gain access to potentially private company data. So this is an example.
379 00:33:21,220 --> 00:33:28,420 When you go to a web storefront and you click on an item, notice this item has an ID number, and 380 00:33:28,420 --> 00:33:31,390 then at the very end it has this little "or 1=1". 381 00:33:32,200 --> 00:33:32,650 So 382 00:33:34,220 --> 00:33:37,580 what that means is that "or 1=1" is always true. 383 00:33:38,180 --> 00:33:45,380 So when you're doing a SELECT, which is the way in which you select tables of information inside 384 00:33:45,380 --> 00:33:49,490 of SQL, and SQL is the back-end logic. 385 00:33:49,500 --> 00:33:58,160 So that web page that you're viewing the store on in your browser has to convert that query to a SQL 386 00:33:58,160 --> 00:34:04,670 query, and then it has to take that and essentially say select item name, item description from the 387 00:34:04,670 --> 00:34:11,120 table called items where the item number is 999 or 1=1. 388 00:34:11,540 --> 00:34:18,410 So instead of just returning that item, it's going to return everything potentially in the database. 389 00:34:19,920 --> 00:34:23,760 So that's one example of a SQL injection attack using a tautology. 390 00:34:24,570 --> 00:34:25,800 And we'll see how this is done. 391 00:34:25,800 --> 00:34:31,500 Of course, you can manually do this, but there are automated tools that will do this as well. 392 00:34:32,490 --> 00:34:39,090 So maybe in this case, the attacker sends the web string and we're going to 393 00:34:41,410 --> 00:34:41,650 www 394 00:34:41,650 --> 00:34:42,260 dot 395 00:34:42,260 --> 00:34:54,730 estore.com slash items slash items dot asp, and itemid equals 999 semicolon, and then DROP TABLE. 396 00:34:55,600 --> 00:34:59,010 So essentially this could be DROP TABLE users.
397 00:34:59,020 --> 00:35:05,980 So if the database is vulnerable, then that website is going to convert that string into a query and 398 00:35:05,980 --> 00:35:08,680 it's going to go back and it's going to delete the users table. 399 00:35:09,400 --> 00:35:17,440 You can also use the UNION command, which, if you want to essentially get data from a database and stick 400 00:35:17,440 --> 00:35:23,920 it on top of your query, you can use the UNION command, essentially just taking two columns and putting 401 00:35:23,920 --> 00:35:25,300 them on top of each other. 402 00:35:26,900 --> 00:35:30,310 Whereas if you're doing it row by row, that's called a JOIN. 403 00:35:32,570 --> 00:35:37,430 So let's look at some of the tools inside of Kali for doing SQL injection. 404 00:35:42,590 --> 00:35:48,440 We have a tool called sqlmap, and it's actually in the menu. 405 00:35:48,440 --> 00:35:54,710 If you go to Web Application Analysis, it's in this 406 00:35:56,430 --> 00:35:59,130 menu right here, but we'll go ahead and look at the main page. 407 00:36:00,960 --> 00:36:03,650 So sqlmap is an automatic SQL injection tool. 408 00:36:03,660 --> 00:36:11,880 So the basic way of doing SQL injections you don't need to do, because this Python script will 409 00:36:11,880 --> 00:36:12,690 handle it for you. 410 00:36:13,530 --> 00:36:15,300 So you basically do sqlmap 411 00:36:15,720 --> 00:36:22,830 -u, the URL; you pick out what you want it to do, what sites you want it to go after. 412 00:36:27,650 --> 00:36:29,180 So let's go ahead and scroll down. 413 00:36:29,180 --> 00:36:32,930 And the nice thing about the main page is it even gives you some examples, 414 00:36:39,230 --> 00:36:46,670 so that you can do regular expressions, you can do OS shells, you can do elevation of privileges, 415 00:36:46,670 --> 00:36:51,020 lots of different things with SQL injection.
416 00:36:58,360 --> 00:37:03,050 So here we have a site that we're allowed to actually go after with sqlmap. 417 00:37:03,050 --> 00:37:03,520 So we're going to 418 00:37:08,870 --> 00:37:10,550 we're going to go after this test site. 419 00:37:10,580 --> 00:37:14,420 We're going to try to enumerate what type of database it actually has. 420 00:37:19,220 --> 00:37:24,590 So of course, using SQL injection on sites you don't have permission for is problematic. 421 00:37:25,430 --> 00:37:28,340 We're testing on a GET parameter, which is an 422 00:37:30,750 --> 00:37:33,720 HTTP parameter, to see if it might be vulnerable 423 00:37:35,410 --> 00:37:38,290 to cross-site scripting, so you can sometimes combine 424 00:37:42,260 --> 00:37:43,520 these attacks together. 425 00:37:43,520 --> 00:37:46,790 So it looks like the back-end database management system is MySQL, 426 00:37:46,790 --> 00:37:49,880 and do I want to skip the payloads for other ones? 427 00:37:49,880 --> 00:37:57,890 So if it finds MySQL; sqlmap can also look at things like a Postgres database, it can look at 428 00:37:59,000 --> 00:38:01,340 Microsoft SQL, it can look at Oracle. 429 00:38:01,610 --> 00:38:06,260 So they're very, very similar relational database management languages. 430 00:38:06,260 --> 00:38:09,200 But in the interest of time, we'll go ahead and skip. 431 00:38:13,400 --> 00:38:19,470 And it says, do I want to include all the tests for MySQL provided level one and risk value? 432 00:38:19,490 --> 00:38:20,510 So I say yes. 433 00:38:22,280 --> 00:38:24,440 So it's going to run through some different testing. 434 00:38:27,500 --> 00:38:32,720 And it's going to even do some blind SQL injection, where it's querying with a sleep function to see 435 00:38:32,720 --> 00:38:34,220 how long it takes to come back.
436 00:38:34,640 --> 00:38:40,160 So blind SQL injection works in a way that essentially, if you're not getting any output, you can 437 00:38:40,160 --> 00:38:43,580 send things to the screen or send commands. 438 00:38:45,370 --> 00:38:51,130 Whereas even if you don't get any output returned, you can just tell by how long it takes for something 439 00:38:51,130 --> 00:38:51,820 to come back 440 00:38:52,090 --> 00:38:56,320 what type of database management system it might run. 441 00:38:56,590 --> 00:39:00,670 So this particular one is vulnerable. 442 00:39:00,820 --> 00:39:07,240 So do I want to keep testing the others? And we'll just say no, because we already found the vulnerable 443 00:39:07,240 --> 00:39:07,630 one. 444 00:39:08,840 --> 00:39:11,690 So we now have the database name. 445 00:39:12,910 --> 00:39:18,160 And we have the information schema, which is the information about the different tables. 446 00:39:19,150 --> 00:39:27,520 So most SQL, or MySQL, has a table called information_schema.tables, which is essentially 447 00:39:27,520 --> 00:39:30,460 like a table of tables. 448 00:39:30,790 --> 00:39:35,950 It's the information that is on the back end of the database. 449 00:39:37,960 --> 00:39:41,740 So now that we have our database names, we're going to go ahead and run this command. 450 00:39:43,210 --> 00:39:47,230 We're going to test out to see what actual tables we can get. 451 00:39:51,960 --> 00:39:56,100 So it found out that it's greater than 5.0 and 452 00:39:57,440 --> 00:39:58,760 it did not paste correctly. 453 00:39:58,760 --> 00:40:00,380 So let's try that one more time. 454 00:40:16,170 --> 00:40:19,620 Now we're going to run this command with the correct parameters. 455 00:40:21,090 --> 00:40:28,680 And it's trying to do a union of the table, so it was unable to retrieve the table names for the database; 456 00:40:28,680 --> 00:40:31,530 do you want to use the common table existence check? And I say yes.
457 00:40:32,430 --> 00:40:33,660 So this does happen. 458 00:40:44,210 --> 00:40:45,770 And we're just going to press enter. 459 00:40:48,230 --> 00:40:50,360 And in the number of threads we're going to do one. 460 00:40:52,360 --> 00:40:55,810 It says if we run it in single-thread mode, it could take a while. 461 00:41:05,090 --> 00:41:08,090 So we'll pause and we'll come back when this is finished. 462 00:41:10,030 --> 00:41:13,750 So our database test didn't return any tables, but we did get 463 00:41:15,630 --> 00:41:17,880 confirmation of the database existing. 464 00:41:18,300 --> 00:41:20,130 And we got a little bit of information from it. 465 00:41:20,520 --> 00:41:26,250 Again, this is just a sample of how you test a website to see whether it's vulnerable to SQL 466 00:41:26,250 --> 00:41:26,880 injection. 467 00:41:29,780 --> 00:41:38,150 And there are several different other SQL injection tools, like SQL Mapper, Burp Suite, many, many 468 00:41:38,150 --> 00:41:38,870 other tools. 469 00:41:40,130 --> 00:41:42,200 So how do we protect against SQL injection? 470 00:41:42,230 --> 00:41:52,100 Well, there's, of course, source code review, and there are tools to employ to help fix the vulnerabilities 471 00:41:52,100 --> 00:41:53,540 that lead to SQL injection. 472 00:41:54,380 --> 00:41:59,060 You can utilize something called a secure library, which 473 00:42:00,740 --> 00:42:02,180 will help you to an extent. 474 00:42:03,650 --> 00:42:05,210 Another option is to 475 00:42:09,220 --> 00:42:11,380 utilize prepared statements. 476 00:42:13,990 --> 00:42:15,250 Sanitize your inputs. 477 00:42:15,250 --> 00:42:16,630 Make sure that you only allow 478 00:42:20,300 --> 00:42:22,670 sanitized inputs and appropriate characters. 479 00:42:23,270 --> 00:42:26,120 Certain characters are unsafe. 480 00:42:27,660 --> 00:42:31,790 You need to make sure that your developers know to filter those things out.
481 00:42:36,080 --> 00:42:40,640 Of course, checking account permissions to the database is also important. 482 00:42:40,640 --> 00:42:45,130 Using strong passwords for your SA and any administrator accounts you have. 483 00:42:47,240 --> 00:42:52,340 Intrusion detection systems and intrusion prevention systems like Snort can also go a long way to 484 00:42:52,340 --> 00:42:54,950 help protect against SQL injection. 485 00:42:58,010 --> 00:42:59,660 Because SQL injection is such a 486 00:43:01,450 --> 00:43:06,040 dangerous threat to proprietary data, company data, private data, 487 00:43:06,400 --> 00:43:12,670 all these things that attackers might seek to exploit to get access to other systems. 488 00:43:12,880 --> 00:43:15,820 So ultimately, you want to use the best 489 00:43:18,060 --> 00:43:19,590 protection possible. 490 00:43:19,860 --> 00:43:26,070 OWASP recommends use of prepared statements, which are parameterized queries, instead of taking direct 491 00:43:26,070 --> 00:43:27,180 input from the user. 492 00:43:28,370 --> 00:43:35,840 Input parameters instead of just raw input data; stored procedures, which are essentially just groups 493 00:43:35,840 --> 00:43:40,070 of SQL statements that can be used, of course; 494 00:43:40,220 --> 00:43:44,420 input validation, and escaping user-supplied input. 495 00:43:48,820 --> 00:43:51,910 So whitelisting is really a secondary defense. 496 00:43:52,930 --> 00:43:56,770 So now let's talk about some of the other types of vulnerabilities: cross-site scripting. 497 00:43:57,130 --> 00:43:59,940 This is otherwise known as XSS. 498 00:44:00,610 --> 00:44:04,780 This is one of the most well-known application layer attacks. 499 00:44:05,440 --> 00:44:06,850 And if you want to look and see 500 00:44:08,650 --> 00:44:11,220 just how bad some of these vulnerabilities can be,
501 00:44:13,840 --> 00:44:23,740 we can go over to exploit-db.com, not the Google Hacking Database, but we can actually search cross-site 502 00:44:23,740 --> 00:44:28,750 scripting and we can see that they are still vulnerable. 503 00:44:30,040 --> 00:44:32,170 They are still showing up even today. 504 00:44:32,710 --> 00:44:36,490 And then we have SQL injection as well. 505 00:44:38,980 --> 00:44:46,000 So SQL injection is still alive and well, and if you click on one of the exploits, you can actually 506 00:44:46,390 --> 00:44:49,420 just copy the code and run it on a vulnerable website. 507 00:44:49,420 --> 00:44:54,220 So these are for this particular content management system. 508 00:44:55,120 --> 00:45:00,730 So SQL injection can be done with minimal tools. 509 00:45:00,730 --> 00:45:05,500 And of course, we've talked about the legal repercussions. And then we have cross-site scripting. 510 00:45:05,500 --> 00:45:15,310 So cross-site scripting is usually done by storing some information on a page that gets run client-side. 511 00:45:15,310 --> 00:45:17,350 So you have client-side versus server-side. 512 00:45:17,680 --> 00:45:19,900 Client-side is basically the browser. 513 00:45:20,350 --> 00:45:23,890 The server-side is of course the back-end logic where everything is stored. 514 00:45:24,490 --> 00:45:32,380 So the idea of cross-site scripting is to be able to modify a web application to run some code, maybe 515 00:45:32,380 --> 00:45:38,140 install some content on a page, and cross-site scripting attacks can be done via the 516 00:45:39,450 --> 00:45:42,930 web page itself, or it can be sent via email. 517 00:45:44,040 --> 00:45:48,600 Many different ways of getting a cross-site scripting attack onto a web application. 518 00:45:48,600 --> 00:45:50,250 So this is the basic flowchart. 519 00:45:50,730 --> 00:45:52,740 You've got the attacker and the user.
520 00:45:53,040 --> 00:45:56,460 The attacker puts the malicious script on a vulnerable website. 521 00:45:57,240 --> 00:46:01,200 The user visits the vulnerable website and sends data to the attacker. 522 00:46:03,050 --> 00:46:09,920 And then the malicious script can also go into the back-end database and steal data and whatnot. 523 00:46:11,820 --> 00:46:15,330 So there are some different types of cross-site scripting attacks. 524 00:46:15,330 --> 00:46:19,430 There's the stored cross-site scripting attack, or type one. 525 00:46:19,440 --> 00:46:25,950 These are usually persistent, where the input is stored on the server, such as a database, in a message 526 00:46:25,950 --> 00:46:30,330 forum, maybe in a blog post. 527 00:46:30,720 --> 00:46:36,390 So essentially the victim retrieves the stored data from the application without that data being made 528 00:46:36,390 --> 00:46:37,740 safe in the browser. 529 00:46:38,730 --> 00:46:44,370 Then there's the reflected cross-site scripting, which is also known as non-persistent or type two. 530 00:46:44,700 --> 00:46:51,930 This is essentially when user input gets immediately returned by the web application in an error message, 531 00:46:52,590 --> 00:46:58,350 search result or any other response that includes some or all of the input. 532 00:47:04,110 --> 00:47:11,030 So all of these attacks essentially come down to the concept of malicious code running on your site, 533 00:47:11,040 --> 00:47:12,510 for example, JavaScript. 534 00:47:12,930 --> 00:47:20,160 So the ability to execute arbitrary JavaScript in another user's browser can allow attackers to perform 535 00:47:20,460 --> 00:47:28,340 theft of things like session cookies, session IDs, log keystrokes. 536 00:47:28,350 --> 00:47:35,340 It could even be used in phishing attacks, so an attacker could send a fake login form.
537 00:47:37,660 --> 00:47:42,940 Through direct object manipulation, which is the third type, which is otherwise known as type 538 00:47:42,940 --> 00:47:43,420 zero. 539 00:47:43,810 --> 00:47:46,060 But this is essentially where the entire 540 00:47:47,560 --> 00:47:53,350 data flow, or the source of data, is in direct object access, and it never leaves the browser. 541 00:47:54,340 --> 00:48:01,120 So the attacker will set a form in a web page to target his own malicious server and trick the user 542 00:48:01,120 --> 00:48:03,940 into submitting sensitive information. 543 00:48:04,360 --> 00:48:07,070 So you might ask, how can attacks like this succeed? 544 00:48:07,090 --> 00:48:12,970 Well, reflected attacks might seem harmless, because it requires the victim to actually send a request 545 00:48:12,970 --> 00:48:17,200 containing a malicious string, since nobody would willingly attack themselves. 546 00:48:17,650 --> 00:48:20,980 Well, there seems to be no way of performing the actual attack. 547 00:48:21,490 --> 00:48:26,890 As it turns out, there are at least two common ways to get a victim to launch a reflected attack against 548 00:48:26,890 --> 00:48:27,520 themselves. 549 00:48:27,550 --> 00:48:34,150 So an attacker can send a malicious URL to the victim, either via email or instant message, and trick 550 00:48:34,150 --> 00:48:35,140 him into visiting it. 551 00:48:35,680 --> 00:48:43,330 If the attacker targets a large group of people, he could potentially put the link on his own website, or 552 00:48:43,330 --> 00:48:49,510 on a social network like Facebook, or maybe on a site that a lot of individuals from his target 553 00:48:49,810 --> 00:48:51,010 company visit. 554 00:48:52,620 --> 00:48:57,330 The attacker will craft a URL containing the malicious string and send it to the victim. 555 00:48:57,780 --> 00:49:02,490 The victim is tricked by the attacker into requesting that URL from the website.
556 00:49:03,150 --> 00:49:07,860 The website gets the request but doesn't include the malicious string in the response. 557 00:49:08,250 --> 00:49:11,310 So now the browser looks at the JavaScript and says, "That's legitimate. 558 00:49:11,310 --> 00:49:12,150 I'm going to run that. 559 00:49:12,690 --> 00:49:13,680 I'm going to run that code." 560 00:49:14,310 --> 00:49:19,590 And the browser executes the malicious script, thus sending the victim's cookies to the attacker's 561 00:49:19,590 --> 00:49:20,100 server. 562 00:49:20,910 --> 00:49:23,580 Now let's look at how this actually works in 563 00:49:24,630 --> 00:49:27,690 a sample environment or a test environment. 564 00:49:29,760 --> 00:49:33,220 But first, before we do that: 565 00:49:33,240 --> 00:49:36,570 there's actually a website called Cross-Site Scripting. 566 00:49:37,470 --> 00:49:42,420 It's essentially all the different attacks, information on cross-site scripting, and you can submit data. 567 00:49:42,420 --> 00:49:45,510 But you can see all the different sites that have been 568 00:49:47,330 --> 00:49:57,050 victim to cross-site scripting: the L.A. Tribune, Microsoft, Harvard. Every major site at one point 569 00:49:57,050 --> 00:49:57,980 or another has had 570 00:50:00,300 --> 00:50:01,530 this type of threat. 571 00:50:07,340 --> 00:50:13,160 So let's open up the cross-site scripting game, and this is actually a free website. 572 00:50:13,160 --> 00:50:15,770 You can actually run this yourself. 573 00:50:16,610 --> 00:50:20,390 I've done this demo before, and in this case I'm just going to 574 00:50:22,550 --> 00:50:25,850 write some code to pop up an alert message. 575 00:50:25,850 --> 00:50:30,530 And essentially that alert message is everything that is contained within this script.
576 00:50:30,560 --> 00:50:36,140 Now, imagine if you were to write this in a box on a website, and as long as the code is valid 577 00:50:36,610 --> 00:50:42,230 and as long as the box is big enough, then potentially you can run this vulnerability on a vulnerable 578 00:50:42,230 --> 00:50:42,620 site. 579 00:50:45,090 --> 00:50:45,810 Forgot the 580 00:50:49,240 --> 00:50:49,990 this should be 581 00:51:00,440 --> 00:51:07,700 I noticed that we were able to pop up an alert box on the screen, which means that we have effectively 582 00:51:09,850 --> 00:51:13,510 taken over the website, or the site is in fact vulnerable. 583 00:51:15,670 --> 00:51:20,260 So there are different hints here you can use, and it'll tell you to see the source of the application. 584 00:51:20,260 --> 00:51:26,860 You can right-click and you can view the actual code of the website and see that it is actually vulnerable. 585 00:51:28,480 --> 00:51:35,500 And it'll show you other hints, too, like when you change different tags in the code. 586 00:51:40,830 --> 00:51:45,930 So what if you were to modify this inside of the developer options on Chrome? 587 00:51:49,020 --> 00:51:50,690 The script, and then something to learn. 588 00:51:50,700 --> 00:51:57,540 So we go to the next level, and this one, this is actually just a sample blog that is vulnerable. 589 00:51:57,540 --> 00:52:01,440 So the welcome page has HTML in it. 590 00:52:02,040 --> 00:52:09,750 So you'll notice that this is a telltale sign that this does not escape 591 00:52:11,750 --> 00:52:12,770 strings properly. 592 00:52:15,600 --> 00:52:18,660 So we can't do a script tag on this one. 593 00:52:18,660 --> 00:52:21,180 We have to do an element with a JavaScript attribute. 594 00:52:33,060 --> 00:52:36,870 So there are lots of different cross-site scripting tools that are out there.
595 00:52:36,990 --> 00:52:38,700 If we want to be able to 596 00:52:44,040 --> 00:52:49,830 prevent cross-site scripting, we can go to OWASP and they have a whole cheat sheet for doing just that 597 00:52:50,370 --> 00:52:53,340 and different ways to be able to prevent it. 598 00:52:56,120 --> 00:53:03,590 So essentially: never allow untrusted data inside of the script, always parameterize queries, make 599 00:53:03,590 --> 00:53:09,560 sure you properly escape your untrusted data. So what they mean by escaping is you're going 600 00:53:09,560 --> 00:53:17,780 to take your unsafe characters like the ampersand and convert it to &amp; and your 601 00:53:17,780 --> 00:53:21,800 less-than symbol into &lt;. 602 00:53:21,800 --> 00:53:23,660 So that's properly escaping 603 00:53:24,020 --> 00:53:27,410 characters. Of course, there's other things you can do. 604 00:53:27,620 --> 00:53:30,830 And the libraries that do this will 605 00:53:33,210 --> 00:53:33,840 help you. 606 00:53:33,850 --> 00:53:36,570 Using a secure library will help you prevent some of these. 607 00:53:37,020 --> 00:53:40,760 But whatever you're going to do, make sure that you use a secure library. 608 00:53:40,770 --> 00:53:48,120 There's lots of different cross-site scripting tools like OWASP ZAP (Zed Attack Proxy), Burp Suite 609 00:53:48,870 --> 00:53:49,920 and many others. 610 00:53:51,150 --> 00:53:56,130 So again, never insert untrusted data except in allowed locations. 611 00:53:56,130 --> 00:54:01,200 Make sure you do those escape characters; escape your JavaScript properly. 612 00:54:02,430 --> 00:54:06,270 Sanitize your HTML inputs with a library that's meant for that. 613 00:54:07,590 --> 00:54:10,320 Use the HttpOnly cookie flag. 614 00:54:10,860 --> 00:54:17,280 So there's a browser extension that is very useful, and I actually want to give that to you guys 615 00:54:17,280 --> 00:54:17,760 as well.
616 00:54:18,330 --> 00:54:23,820 It's called EditThisCookie, and I believe that they have it for most of the browsers as well. 617 00:54:25,380 --> 00:54:30,600 Essentially, it's one of the most popular cookie editors for Chrome, and it allows you to edit cookies, 618 00:54:31,020 --> 00:54:32,010 export cookies. 619 00:54:32,010 --> 00:54:38,370 And essentially on this site we're currently on, we can see all of the cookies that are here in the 620 00:54:38,400 --> 00:54:39,060 browser, 621 00:54:39,060 --> 00:54:45,960 and what they're used for and the type of cookies, or whether they're HttpOnly or whether they're 622 00:54:45,960 --> 00:54:49,620 Secure, and the different flags that are set on them. 623 00:54:51,750 --> 00:54:55,710 So it's a very useful tool for cookies. 624 00:54:55,720 --> 00:54:57,630 Then let's talk about directory listing. 625 00:54:58,110 --> 00:54:59,340 So a directory listing 626 00:55:02,050 --> 00:55:08,200 is a function that essentially displays all the files when there is not an index file, like index.php 627 00:55:08,530 --> 00:55:08,950 628 00:55:13,960 --> 00:55:15,010 or something like that. 629 00:55:28,930 --> 00:55:37,000 So web servers, you know, have to have... if they don't have the correct page, an attacker will be able 630 00:55:37,000 --> 00:55:38,390 to more easily find things. 631 00:55:38,410 --> 00:55:43,870 So if you go to a website without specifying a file, that request is going to get processed by the 632 00:55:43,870 --> 00:55:46,820 web server and it's going to return back that index file. 633 00:55:46,840 --> 00:55:48,340 If the index does not exist, 634 00:55:48,730 --> 00:55:52,060 then the web server must return a list of the contents. 635 00:55:53,670 --> 00:55:56,910 So this could be something like the directory structure on Windows. 636 00:56:03,790 --> 00:56:07,420 So for example, if we go to this website. 637 00:56:09,830 --> 00:56:11,480 Then close some of these tabs down.
638 00:56:25,760 --> 00:56:30,110 So this is one example of what would be returned from a vulnerable website. 639 00:56:30,110 --> 00:56:35,870 So if it returned something like this, the directory, and also notice at the bottom it gives you 640 00:56:35,870 --> 00:56:39,260 the version of Apache and what library it's actually running. 641 00:56:40,100 --> 00:56:44,990 This can be advantageous for an attacker, to be able to get directory information. 642 00:56:48,850 --> 00:56:56,800 So things like passwords, database connections, logs; those types of information can be found from 643 00:56:56,800 --> 00:56:57,610 directory listings. 644 00:56:57,610 --> 00:57:02,650 So there's not really a good reason to provide directory listings, and disabling them may at least put 645 00:57:02,650 --> 00:57:06,430 some level of protection against an attacker. 646 00:57:07,360 --> 00:57:12,580 So you want to configure whatever web server you're using to prevent directory listings for all 647 00:57:13,030 --> 00:57:20,320 paths beneath the web root, and place into that directory an index.html or some type of index 648 00:57:20,320 --> 00:57:25,480 file that the website will display instead of returning a directory listing. 649 00:57:27,810 --> 00:57:33,840 So in summary, we talked about the Metasploit framework and the ability to conduct exploits and 650 00:57:34,140 --> 00:57:35,310 pen test systems. 651 00:57:35,910 --> 00:57:41,270 We looked at the various payloads and interfaces that can be used. 652 00:57:41,640 --> 00:57:47,010 We talked about vulnerabilities and how they lead to exploits. 653 00:57:47,700 --> 00:57:53,280 And so exploits are part of Metasploit, but there are some exploits that are custom that are outside 654 00:57:53,280 --> 00:57:54,000 of Metasploit. 655 00:57:54,540 --> 00:57:56,640 We looked at how Metasploit
656 00:57:57,970 --> 00:58:02,380 shows you the different exploits that are available and how they map to different vulnerabilities. 657 00:58:02,890 --> 00:58:05,590 We also looked at payload creation and generation. 658 00:58:06,070 --> 00:58:12,970 So once you create a payload, you can send payloads by email, SMS, drive-by download and many other 659 00:58:12,970 --> 00:58:13,450 ways. 660 00:58:13,960 --> 00:58:20,440 We also looked at some of the auxiliary modules for doing things like data collection, port mapping, 661 00:58:22,440 --> 00:58:23,040 etcetera. 662 00:58:23,730 --> 00:58:28,740 So we looked at the different stages in attacking a web application using Nmap. 663 00:58:29,100 --> 00:58:29,780 That would be wmap. 664 00:58:29,790 --> 00:58:30,840 We looked at Metasploit 665 00:58:33,400 --> 00:58:36,700 and how Metasploit can integrate with the Browser Exploitation Framework. 666 00:58:37,360 --> 00:58:42,430 We also looked at ways in which we could discover databases that are vulnerable to SQL injection. 667 00:58:43,030 --> 00:58:49,630 We can use Google Dorking, or the Google Hacking Database, as well as sqlmap to automate the process 668 00:58:49,630 --> 00:58:51,850 of enumerating web servers. 669 00:58:54,800 --> 00:58:56,240 These are some of the acronyms. 670 00:58:59,620 --> 00:59:02,620 This is not an all-inclusive list, but there are many more 671 00:59:04,840 --> 00:59:07,930 to add to our already growing list of acronyms for this course. 672 00:59:08,830 --> 00:59:10,620 Now let's do some practice questions. 673 00:59:14,440 --> 00:59:20,890 So what are the little programs which are used to perform malicious actions on a particular vulnerability 674 00:59:21,370 --> 00:59:23,560 in order to get into a system called? 675 00:59:27,950 --> 00:59:29,030 A: vulnerability. 676 00:59:30,020 --> 00:59:31,010 B: a payload. 677 00:59:32,360 --> 00:59:34,700 C: MSF, or 678 00:59:34,700 --> 00:59:36,020 D: exploits.
679 00:59:42,520 --> 00:59:42,940 Answer. 680 00:59:42,940 --> 00:59:45,390 It is exploits, D. 681 00:59:46,450 --> 00:59:53,970 These are the vulnerabilities, or the malicious code or the malicious action, to exploit the vulnerability. 682 00:59:53,980 --> 01:00:05,170 Number two, which one of the following is not a type of payload: A inline, B stager, C multi-line or D 683 01:00:05,230 --> 01:00:05,860 Meterpreter? 684 01:00:13,070 --> 01:00:19,400 Answer is C, multi-line. So inline, stager and Meterpreter are types of payloads in Metasploit. 685 01:00:22,040 --> 01:00:23,870 Then we have number three. 686 01:00:23,870 --> 01:00:29,480 What is the module in Metasploit which is used to generate payloads without accessing the Metasploit 687 01:00:29,480 --> 01:00:30,140 console? 688 01:00:33,980 --> 01:00:43,010 msfvenom, MSF, MSF DV IRM or msfconsole. 689 01:00:45,700 --> 01:00:47,680 The answer is, of course, A, msfvenom. 690 01:00:47,680 --> 01:00:51,850 So if you want to generate payloads outside of the Metasploit console, you can do that. 691 01:00:53,640 --> 01:00:58,740 Number four, what is the module which is used to embed the payload with the exploit? 692 01:01:03,210 --> 01:01:09,750 Is it console, virus maker, a wrapper, or an even better? 693 01:01:12,770 --> 01:01:14,380 Answer is C, the wrapper. 694 01:01:18,050 --> 01:01:21,090 Number five, which of the following is not a security exploit? 695 01:01:23,390 --> 01:01:24,500 A: eavesdropping. 696 01:01:24,950 --> 01:01:26,330 B: cross-site scripting. 697 01:01:27,110 --> 01:01:30,410 C: authentication, or D: SQL injection? 698 01:01:35,890 --> 01:01:37,090 Or E: none of the above. 699 01:01:38,260 --> 01:01:40,190 The correct answer is C, 700 01:01:40,210 --> 01:01:41,140 authentication. 701 01:01:41,500 --> 01:01:43,230 Authentication is not a type of exploit. 702 01:01:43,240 --> 01:01:45,100 It is a type of security parameter.
703 01:01:45,820 --> 01:01:52,810 Eavesdropping is where you're listening in on someone else's communication, either via email sniffing, 704 01:01:54,950 --> 01:01:57,020 tapping someone's cell phone, things like that. 705 01:01:58,310 --> 01:02:01,700 And then, of course, we talked about cross-site scripting and SQL injection. 706 01:02:03,920 --> 01:02:08,090 And that is the end of the web application vulnerability and exploit module. 707 01:02:08,790 --> 01:02:13,970 I appreciate your attention and hope you learned a lot about exploit development, Metasploit, cross-site 708 01:02:13,970 --> 01:02:16,580 scripting, and we'll see you in the next module.