1
00:00:00,134 --> 00:00:01,560
Instructor: Welcome back.

2
00:00:01,560 --> 00:00:05,010
And now that we've got our Windows 10 machines set up,

3
00:00:05,010 --> 00:00:08,310
we want to perform a vulnerability scan real quick

4
00:00:08,310 --> 00:00:09,930
to see whether it is vulnerable.

5
00:00:09,930 --> 00:00:13,110
And then I will show you a tool that we can use

6
00:00:13,110 --> 00:00:15,180
to crash the target system.

7
00:00:15,180 --> 00:00:18,390
So first of all, open up both of your Kali Linux

8
00:00:18,390 --> 00:00:20,340
and Windows 10 machines.

9
00:00:20,340 --> 00:00:22,740
Right here, I ran the IP config command

10
00:00:22,740 --> 00:00:25,860
to check out the IP address of the Windows 10 machine.

11
00:00:25,860 --> 00:00:28,080
And what I'm going to do is

12
00:00:28,080 --> 00:00:30,100
I'm going to scan it real quick

13
00:00:31,200 --> 00:00:34,440
just to see what ports it has open

14
00:00:34,440 --> 00:00:37,773
and whether our setup was correct from the previous video.

15
00:00:38,790 --> 00:00:39,930
Okay, great.

16
00:00:39,930 --> 00:00:44,930
We got the port 445 open, that is all we need.

17
00:00:45,330 --> 00:00:48,900
Now, I have also performed a Nessus vulnerabilities scan

18
00:00:48,900 --> 00:00:50,730
this morning on Windows 10 machine

19
00:00:50,730 --> 00:00:54,000
and for some reason it didn't manage to find

20
00:00:54,000 --> 00:00:56,370
this SMB ghost vulnerability.

21
00:00:56,370 --> 00:01:00,510
Now, that could be some type of a bug, maybe, perhaps.

22
00:01:00,510 --> 00:01:03,870
Since, if I type Locate and then the vulnerability name,

23
00:01:03,870 --> 00:01:08,820
which is CVE dash 2020 dash 0796.

24
00:01:11,220 --> 00:01:14,280
And this is just the name for this particular vulnerability,

25
00:01:14,280 --> 00:01:15,633
and I type Enter.

26
00:01:16,500 --> 00:01:19,170
Here it will find the path to the Nessus

27
00:01:19,170 --> 00:01:22,200
with the module for that vulnerability.

28
00:01:22,200 --> 00:01:24,840
So it seems that it has a plugin for that vulnerability

29
00:01:24,840 --> 00:01:27,120
and it should be able to discover it.

30
00:01:27,120 --> 00:01:28,800
But once again, for me personally,

31
00:01:28,800 --> 00:01:30,360
it didn't manage to find it.

32
00:01:30,360 --> 00:01:31,560
You can try it out.

33
00:01:31,560 --> 00:01:33,210
You know right now how to use Nessus.

34
00:01:33,210 --> 00:01:36,540
So just open it up, open your Windows 10 machine

35
00:01:36,540 --> 00:01:40,410
and run a scan in Nessus on your Windows 10 machine,

36
00:01:40,410 --> 00:01:41,820
and see if you can come up

37
00:01:41,820 --> 00:01:44,040
with this vulnerability from there.

38
00:01:44,040 --> 00:01:46,110
But what we want to do right now is

39
00:01:46,110 --> 00:01:50,553
we want to copy this name, and we want to go to the Firefox.

40
00:01:52,230 --> 00:01:54,060
Since remember, this is something

41
00:01:54,060 --> 00:01:56,220
that we do not have in Mantis play framework,

42
00:01:56,220 --> 00:01:58,923
we must find the exploit of ourselves.

43
00:02:00,510 --> 00:02:02,430
Once the Firefox opens up,

44
00:02:02,430 --> 00:02:05,520
paste the vulnerability name right here,

45
00:02:05,520 --> 00:02:10,520
and I will just type it real quick to 2020, 0796,

46
00:02:10,570 --> 00:02:12,900
and we can add GitHub.

47
00:02:12,900 --> 00:02:16,110
Let us check out whether there are some available tools

48
00:02:16,110 --> 00:02:18,540
on GitHub repository.

49
00:02:18,540 --> 00:02:21,513
So we got a few responses right here.

50
00:02:22,830 --> 00:02:25,290
And what we want to go with first

51
00:02:25,290 --> 00:02:27,240
is the vulnerability scanner.

52
00:02:27,240 --> 00:02:29,310
And what I mean by vulnerability scanner

53
00:02:29,310 --> 00:02:31,200
is we want the tool that will tell us

54
00:02:31,200 --> 00:02:33,150
whether the target machine is vulnerable

55
00:02:33,150 --> 00:02:36,930
to this attack without crashing or exploiting it.

56
00:02:36,930 --> 00:02:38,853
So we'll go to this link right here,

57
00:02:39,780 --> 00:02:43,290
and it seems that this is the tool that we need.

58
00:02:43,290 --> 00:02:47,073
It says the vulnerability name, scanner.py,

59
00:02:47,940 --> 00:02:52,827
identifying and mitigating the CVE 2020, 0796

60
00:02:53,760 --> 00:02:55,023
flaw in the fly.

61
00:02:55,950 --> 00:02:57,390
So let's check it out.

62
00:02:57,390 --> 00:03:00,090
Let's copy the name of this vulnerability.

63
00:03:00,090 --> 00:03:02,100
Then we will go to our desktop,

64
00:03:02,100 --> 00:03:05,310
and we will, Git clone that repository

65
00:03:05,310 --> 00:03:07,053
to our desktop directory.

66
00:03:09,750 --> 00:03:12,660
Once it finishes downloading, we can type Ls.

67
00:03:12,660 --> 00:03:14,910
Here it is, right here.

68
00:03:14,910 --> 00:03:18,360
Let's change directory to there by typing CD,

69
00:03:18,360 --> 00:03:21,420
and let's see which files we have.

70
00:03:21,420 --> 00:03:25,470
So we have only this scanner.py file,

71
00:03:25,470 --> 00:03:27,180
so it is a Python file.

72
00:03:27,180 --> 00:03:30,060
Let us go to this page and just check real quick

73
00:03:30,060 --> 00:03:32,250
whether it is a Python two or three program

74
00:03:32,250 --> 00:03:35,160
and by the usage that we can see right here,

75
00:03:35,160 --> 00:03:38,160
it seems that it is a Python three program.

76
00:03:38,160 --> 00:03:39,930
So let's test it out.

77
00:03:39,930 --> 00:03:42,180
If I go right here, check out the IP address

78
00:03:42,180 --> 00:03:43,560
of Windows 10 machine.

79
00:03:43,560 --> 00:03:46,860
For me it is 192.168.1.5.

80
00:03:46,860 --> 00:03:48,933
Let's run the program, Python three.

81
00:03:51,150 --> 00:03:53,763
And then type the IP address.

82
00:03:55,740 --> 00:03:58,530
Well, we get a response that we wanted.

83
00:03:58,530 --> 00:04:02,160
It says right here, Vulnerable, great.

84
00:04:02,160 --> 00:04:04,920
Now we can test other tools that will crash

85
00:04:04,920 --> 00:04:07,260
and exploit the target.

86
00:04:07,260 --> 00:04:10,260
First I want to show you a tool that you can use

87
00:04:10,260 --> 00:04:12,090
to just crash the target.

88
00:04:12,090 --> 00:04:15,180
And for this tool we don't need anything else

89
00:04:15,180 --> 00:04:18,060
besides the IP address of the target machine.

90
00:04:18,060 --> 00:04:21,750
So you can crash any target just by knowing its IP address.

91
00:04:21,750 --> 00:04:24,840
For the exploit that we will cover in the next video,

92
00:04:24,840 --> 00:04:26,880
we're going to cheat a little bit.

93
00:04:26,880 --> 00:04:29,790
We need something in order for the exploit to work.

94
00:04:29,790 --> 00:04:32,010
And I will show you that in the next video.

95
00:04:32,010 --> 00:04:36,808
For now, we want to see how we can crash the target machine.

96
00:04:36,808 --> 00:04:38,460
So if you go all the way down,

97
00:04:38,460 --> 00:04:40,350
you will see this GitHub link.

98
00:04:40,350 --> 00:04:43,830
It is from Jiasiting and it has the name

99
00:04:43,830 --> 00:04:45,033
of our vulnerability.

100
00:04:45,960 --> 00:04:49,350
If I go right here, we can see we've got a few files.

101
00:04:49,350 --> 00:04:51,630
Once again, this is a Python tool.

102
00:04:51,630 --> 00:04:53,220
Under here we got the usage.

103
00:04:53,220 --> 00:04:55,860
So we got a demo gif.

104
00:04:55,860 --> 00:04:58,320
Here we can see the command that he's running.

105
00:04:58,320 --> 00:05:01,053
And if we go right here and copy the tool,

106
00:05:03,390 --> 00:05:06,030
and once again we can go to our desktop,

107
00:05:06,030 --> 00:05:11,030
and get clone the tool name, the link based right here,

108
00:05:11,760 --> 00:05:13,320
wait for the download to finish.

109
00:05:13,320 --> 00:05:17,610
And if I type Ls, we now have two directories.

110
00:05:17,610 --> 00:05:19,050
This one is the scanner

111
00:05:19,050 --> 00:05:21,630
and this one is the one that we just downloaded.

112
00:05:21,630 --> 00:05:26,460
So let's go, CD, CVE, we got the demo gif,

113
00:05:26,460 --> 00:05:29,103
the readme file, and the vulnerability itself.

114
00:05:29,940 --> 00:05:33,270
Of course, if we want to we can nano the vulnerability file

115
00:05:33,270 --> 00:05:37,110
or the Python file, and we can scroll all the way down

116
00:05:37,110 --> 00:05:39,330
to see the code of this exploit,

117
00:05:39,330 --> 00:05:41,940
and down here we get the usage.

118
00:05:41,940 --> 00:05:44,790
So all we need to specify as it says right here,

119
00:05:44,790 --> 00:05:47,310
is the target IP address.

120
00:05:47,310 --> 00:05:48,720
Let's try it out.

121
00:05:48,720 --> 00:05:50,880
If I go right here and type Python,

122
00:05:50,880 --> 00:05:55,740
I believe it's Python three once again, and then cve.py

123
00:05:55,740 --> 00:05:58,770
and then the IP address of the target machine.

124
00:05:58,770 --> 00:06:02,340
Before I run it, I will lower this screen so we can see both

125
00:06:02,340 --> 00:06:05,490
of our targets before running this program.

126
00:06:05,490 --> 00:06:10,490
And right here, if I press Enter, well here it is.

127
00:06:10,920 --> 00:06:13,623
We successfully crashed the target machine.

128
00:06:14,490 --> 00:06:15,990
It got the blue screen of death

129
00:06:15,990 --> 00:06:20,010
as we can see right here, and it is now restarting.

130
00:06:20,010 --> 00:06:22,710
And this is also critical vulnerability.

131
00:06:22,710 --> 00:06:24,690
Once again, I need to mention that you should never

132
00:06:24,690 --> 00:06:27,180
be able to crash the target machine

133
00:06:27,180 --> 00:06:29,490
just by knowing its IP address.

134
00:06:29,490 --> 00:06:33,240
This is something that we would also 100% write down

135
00:06:33,240 --> 00:06:35,583
inside of our penetration testing report.

136
00:06:36,840 --> 00:06:38,490
Now that we managed to scan the target

137
00:06:38,490 --> 00:06:39,870
to see whether it is vulnerable,

138
00:06:39,870 --> 00:06:42,810
and we used another tool to crash the target,

139
00:06:42,810 --> 00:06:46,110
let's see in the next video how we can exploit

140
00:06:46,110 --> 00:06:48,630
the target machine and gain shell back

141
00:06:48,630 --> 00:06:50,283
inside of our Kali Linux machine.

142
00:06:51,374 --> 00:06:52,624
See you in the next video