[00:00:00] Instructor: Welcome back. In the previous video we talked about Metasploit framework structure. We explained all of the modules and what they are for, but we haven't really run the framework itself. In this video, we're going to run it and cover some of the basic commands for it.

[00:00:17] Okay, I already mentioned in the last video that to open this framework, what we must do is open up our terminal and type msfconsole, press Enter. And keep in mind that it might take some time to open, especially if you're running it for the first time.

[00:00:35] And here it is, it already opened for me. And what we get right here is we get the banner of Metasploit framework, which changes every time you start this program. And down here, we get these seven modules that we talked about. And we also get the exact number of modules that we have available to us. So here we can see 2043 exploits, 1105 auxiliary modules, 344 post exploitation modules, over 500 payloads, and a little bit of encoders, nops, and evasion modules.
[00:01:10] As in every other tool that we covered, to see all the available commands we can use, we can run the help command. This will open the help menu, which will give us all the available options as well as some of the examples of how we can use Metasploit. But for now, this is not necessary, as I will show you a few of these commands that you will use every time.

[00:01:32] And by the way, before we get into those commands, what you can do inside of the Metasploit framework, you can also run the normal commands such as ls, such as changing directories, such as, for example, running ifconfig. So if I type sudo ifconfig and type in my password, it'll give me the output of ifconfig. So you can also run regular terminal commands from this.

[00:01:57] But as far as the Metasploit framework goes, let's start with listing some of the modules. For example, we can use the show command to list out any type of modules we want. So we know that there are over 500 payloads. We saw the number once we started Metasploit. In order to list all of those 500 payloads, we can type show and then payloads.
[00:02:19] If I press Enter, it'll take just a few seconds and it'll list out all of the available payloads that we have. Now right here, this is not really that good of an output because I have my terminal a little bit more zoomed in than I should have. So I will just go to the preferences and lower the font of my letters. So I'll click on OK, Apply, OK. Clear the screen and I will type show payloads once again. It's still not that good. Let me just go and lower it a little bit more. So I will just go to 13, Apply and click on OK. Clear the screen, run the command again.

[00:03:00] And here it is, we get a better output. So let's explain what we see right here. If I scroll all the way up to the beginning, we can see this is the number of the payload. It goes from zero to over 500. And this right here is the name of the payload. So as we already know, there are bind shells and reverse shells. So we get different types of them. We can see the payloads for Android, the payloads for Apple iOS. We can see all types of payloads, command shells, we can see Java payloads, Linux payloads.
[00:03:35] If I go all the way down, OSX payloads, PHP payloads, Python, Ruby, and a bunch of others as well. Here are also Windows payloads. So we get a lot of them. Under the Rank, they're all manual because they have to get executed on the target machine. And in the Description, we can see what this payload is for. For example, if we check out this one, Apple meterpreter_reverse_http, this is the Apple_iOS Meterpreter shell, or Reverse HTTP Inline. So this means you would use this payload if you were, for example, attacking an Apple device.

[00:04:13] Now we can do the same thing with exploits. If we want to list all of the 2000 exploits, we can type show exploits. And this might take a little bit longer because there are a lot more exploits than there are payloads. And here they are. Here are all 2041 exploits. You can see the output is pretty much the same as with the payloads. We get the number right here. We get the exploit name. And these exploit names are really well written.
[00:04:45] As we can see, the first part tells us what this exploit is for. Currently we are inside the Windows exploits. And if we scroll all the way up, we should see some other exploits as well. Let's go and scroll all the way up. Well, it seems that we can only go up to here because there are a lot of them. But nonetheless, we can see what the exploits are for. For example, this one is for Windows and for browser. And here, it specifies exactly what it exploits. If I go down here, and for example, check out these ones. Here we can see this is also a Windows exploit for FTP.

[00:05:26] So they're very well organized. And this is the structure that we saw in the previous video, just this is how the Metasploit framework outputs it for us. These exploits that belong to Windows FTP are all located inside the FTP directory of the Windows exploits directory. If I go all the way down, what we can do right here is we can choose one of these exploits just to see how we can select them and run them. Of course, we are not going to be attacking any target. We just want to see how we can select one of these exploits.
[00:06:00] So let's go with this one. For example, windows/smb/ms06_040_netapi. And by the way, to check out more information about exploits, we can go onto the right. So this exploit came out in 2006. And in the right column, right here, it tells us what exactly this exploit does. So for this particular one, we get that it is an exploit for Microsoft Server Service and it overflows this function. Now the good part about this is that you don't really need to know how these work in order to be able to run them.

[00:06:43] Let me show you. If you copy this exploit name right here, so copy windows/smb/ms06_040_netapi. In order to select it, let us clear the screen. We can type the command use. And you type use and then the module name that you want to use. In our case, we want to use an exploit. And after it, all we have to do is paste the exploit name. So use exploit/windows/smb/, and then the name of the exploit, press Enter.
[00:07:18] And we will see that this exploit configured the payload windows/meterpreter/reverse_tcp. And we will talk about this in just a second. For now, we can see that it is currently using the module that we selected, because it is printed out in red right here and it also tells us that it is an exploit.

[00:07:38] So let's check out all the information that we can get for this exploit. The first thing that I always like to do is type the command show info. And this show info command tells us more about this particular exploit. So if you go down here to the description, it'll tell us this module exploits a stack buffer overflow. So this is a buffer overflow exploit in the NetApi32 CanonicalizePathName function using this RPC. And you can read about any exploit that you select. Another piece of information that we get right here is some of the references. So you can visit these links right here to read more about this particular exploit. Besides this, another command that we can do is show options. And this is the important part.
[00:08:30] Let me just clear the screen and type it once again just so we can see only the options part. Here is where you select your options for the exploit. First thing we see is module options and it asks us for three different things. And keep in mind, different exploits will want different things. Usually they will all have these RHOSTS and RPORT, which is just the remote host and the remote port. Or in our case, the target's IP address and the target's port that we are attacking. So we can see two of these are already automatically set. The RPORT is already set to be 445 and the SMBPIPE is already set to be BROWSER. All we are left to specify right here is the RHOSTS, or the IP address of the target machine. So if we were attacking a Windows Server that was vulnerable to this attack, we would specify here the IP address of that Windows Server machine. And in this column right here, you will notice that some of these things will be required and some of these things will not be required.
[00:09:36] In our case, in this particular exploit, all three of these things are required to be specified in order for the exploit to work. In the description, it tells us exactly what it wants from us. So the RHOSTS is the target host, or the target's IP address. The RPORT is the SMB service port on the target machine. And the SMBPIPE is the pipe name to use.

[00:10:01] So these are the exploit options. And down here we get payload options. Now what does this mean? Well, remember, after exploiting the target, we drop a payload. So by default, remember once we ran the command to use this exploit, it gave us windows/meterpreter/reverse_tcp by default. This means that we're using a payload for Windows. It is a Meterpreter shell, which, remember, is the best shell that we can get. And it is a reverse shell over a TCP connection. You can change this if you want to. And down here, we get the options that we need to set for the payload. Remember, when using a reverse shell, we must listen on our Kali Linux machine for the incoming connection.
[00:10:48] And that's the information that it asks us for right here. The LHOST is our own IP address, the IP address of the Kali Linux machine, or as it says right here, the listening address. We specify our IP address right here. So you just need to type sudo ifconfig and we can see 192.168.1.9. Usually the Metasploit framework will set it by default. So let me just clear the screen, run show options once again, and the LPORT is the listening port, or the Kali Linux port that we want to listen on for the incoming connections. And it is usually set by default to be 4444.

[00:11:30] And all of these options you can change. For example, if you notice that Metasploit framework set the incorrect IP address for the Kali Linux machine, you can type set and then the parameter name, in our case LHOST, to be a different IP address. For example, 192.168.1.15. And it'll set the LHOST parameter to be a different IP address, as we can see right here. Inside of this RHOSTS, as we can see this is also required, we would set the IP address of our target machine.
[00:12:03] So let's say we had a Windows Server and its IP address was 192.168.1.20. We would type it right here, so 192.168.1.20. And if I type show options once again, now we have this set as well.

[00:12:21] Now payload is something that you can change. Usually you want to leave it as what Metasploit framework already gave you, because the default one is usually the best one. But sometimes, some of the payloads will not work and others will work. So in order to see all of the available payloads that you can use for this particular exploit, you can type show payloads once again. Just this time, it'll not list out all the 500 possible payloads, it'll only list out the possible payloads for this particular exploit. And this will be all the Windows payloads. Since we are attacking a Windows machine with this exploit, the Windows payloads will be something that we can use. So we can see some bind shells, reverse shells, we can see some of the Meterpreter shells. So for example, let us say that you don't want to use our reverse shell, you want to use a bind shell.
[00:13:14] How would you change the payload? Well, you would copy the bind shell. Let's say we want to use the Meterpreter bind shell. So copy its name. And go all the way down and type set payload and then paste the payload name. So Paste Selection, press Enter, and it'll tell us the payload has been changed. If we clear the screen, show options, we will see a different payload. We no longer have the meterpreter/reverse_tcp, we now have the bind_tcp Meterpreter. And it'll also ask us for different information about the payload. We no longer get the LHOST, since remember with bind_tcp, it is not our Kali Linux machine that is listening for the connection, it is the target machine that is listening for the connection and we are the ones that connect to it. So in this case, it is asking us for RHOSTS, or the remote host. Or as the description says, the target IP address. So we would select right here the same IP address that we selected right here, because it is the target that has to open the port.
[00:14:22] And the local port will be the local port on the target machine that will open for us to connect to. And you would select here whatever you want.

[00:14:31] So what is important to get out of all of this is that we can change different options using the set command. So you just type set. And then, for example, if we want to change the LPORT, we type LPORT and then make it whatever we want. And if we type show options, it'll be changed right here.

[00:14:50] And the last part that we see down here are the targets. And these targets right here are all of the vulnerable targets for this particular exploit. To list all of them out, we can type show and then targets. This will give us a list of all the targets that we can exploit using this attack. So we get Windows NT, Windows XP, and now different versions of Windows XP, and Windows 2003. So this is an older exploit that attacks Windows XP machines.
[00:15:21] Now, if you know exactly which version of Windows the target is running, you can select it right here by specifying set target and then the number. For example, let's say the target is using Windows XP SP1 English. You could type it like this. So set target three, because the ID for that particular version is three. Or if you didn't know exactly which version, you would just leave it on automatic, which means that Metasploit framework will figure it out on its own. So we don't need to specify it. The only important thing is that it is one of these versions. If it is, for example, a Windows 7 machine, this exploit will not work.

[00:16:01] And once you set all of these options, the last thing you need to do is type exploit. In our case, this will not work because we don't really have a vulnerable Windows XP machine, so it'll give us an exploit failed error. In this case, it is unreachable, because this IP address right here on my local network is not even online. That's why this will not work.
[00:16:27] And this is pretty much it. Now there are other commands as well that could be useful, but these are the main ones that we always use to choose exploits and payloads and to set their options. Finally, the time has come. In the next video, we are going to apply what we've learned so far to perform our first exploit on the Metasploitable machine. See you in the next video.