1
00:00:00,750 --> 00:00:03,750
Time to finally figure out our possibilities

2
00:00:03,750 --> 00:00:05,670
with the meterpreter shell.

3
00:00:05,670 --> 00:00:08,100
In the last section, we focused so much

4
00:00:08,100 --> 00:00:11,100
on how to gain access in many different ways,

5
00:00:11,100 --> 00:00:14,580
and we popped a meterpreter shell so many times.

6
00:00:14,580 --> 00:00:17,190
But we never got to see its true power

7
00:00:17,190 --> 00:00:19,170
and all of its commands.

8
00:00:19,170 --> 00:00:20,700
We only ran a few of them,

9
00:00:20,700 --> 00:00:23,790
just to make sure the connection was successful.

10
00:00:23,790 --> 00:00:26,190
Now we are going to go real quick

11
00:00:26,190 --> 00:00:27,330
through the basic commands

12
00:00:27,330 --> 00:00:29,490
that we can do with the meterpreter shell.

13
00:00:29,490 --> 00:00:31,560
And then after it, we will see some

14
00:00:31,560 --> 00:00:34,890
of the post exploitation modules, and how we can run them.

15
00:00:34,890 --> 00:00:37,380
So for this, I already got the shell opened.

16
00:00:37,380 --> 00:00:40,710
As we can see right here, Meterpreter session 1 opened.

17
00:00:40,710 --> 00:00:42,940
I ran my file, which is shell.exe,

18
00:00:44,130 --> 00:00:47,100
and by now all of us should know how to do this.

19
00:00:47,100 --> 00:00:49,770
Just send the payload to the target, execute it,

20
00:00:49,770 --> 00:00:53,910
and you should have a meterpreter session on their machine.

21
00:00:53,910 --> 00:00:58,320
From here, we can run the help command to see all

22
00:00:58,320 --> 00:01:01,263
of the available commands with the meterpreter shell.

23
00:01:02,220 --> 00:01:03,600
If I scroll all the way up,

24
00:01:03,600 --> 00:01:05,853
we are going to start from the beginning.

25
00:01:07,110 --> 00:01:09,330
The first section of the commands

26
00:01:09,330 --> 00:01:12,780
that we get is called Core Commands.

27
00:01:12,780 --> 00:01:15,870
And these commands we are going to brush through real quick.

28
00:01:15,870 --> 00:01:17,340
We're just going to mention a few of them

29
00:01:17,340 --> 00:01:18,330
that we already know,

30
00:01:18,330 --> 00:01:22,170
such as for example this background or bg.

31
00:01:22,170 --> 00:01:25,500
If you type background in your meterpreter shell,

32
00:01:25,500 --> 00:01:27,510
this will background your session.

33
00:01:27,510 --> 00:01:28,920
And you will be able to use

34
00:01:28,920 --> 00:01:31,350
your Metasploit Framework modules.

35
00:01:31,350 --> 00:01:32,820
When is this command useful?

36
00:01:32,820 --> 00:01:36,030
Well, if I type the command sessions that we already know,

37
00:01:36,030 --> 00:01:38,070
we got one session currently.

38
00:01:38,070 --> 00:01:42,030
But you might have a session with multiple targets.

39
00:01:42,030 --> 00:01:45,270
And in order to navigate between each and every session,

40
00:01:45,270 --> 00:01:46,860
you can use the background command

41
00:01:46,860 --> 00:01:49,740
to put this meterpreter session in the background,

42
00:01:49,740 --> 00:01:52,290
and for example enter a different session

43
00:01:52,290 --> 00:01:54,240
with a different machine.

44
00:01:54,240 --> 00:01:56,790
So that command is useful in that sense.

45
00:01:56,790 --> 00:02:00,360
Of course, you don't need to type the background command.

46
00:02:00,360 --> 00:02:02,940
You can simply just type bg instead,

47
00:02:02,940 --> 00:02:04,890
and it will do the same thing.

48
00:02:04,890 --> 00:02:06,573
So if I go back to my session,

49
00:02:07,890 --> 00:02:10,410
and go back to my help command,

50
00:02:10,410 --> 00:02:12,180
we can scroll back to the core commands

51
00:02:12,180 --> 00:02:15,210
and read some of them, and what they do.

52
00:02:15,210 --> 00:02:16,620
So just go to this menu,

53
00:02:16,620 --> 00:02:18,603
and most of them we are going to cover later on.

54
00:02:18,603 --> 00:02:21,150
For now we are not going to touch them,

55
00:02:21,150 --> 00:02:24,720
because most of these are not needed for us at the moment.

56
00:02:24,720 --> 00:02:26,550
For example, you know that you can exit

57
00:02:26,550 --> 00:02:28,950
the meterpreter shell with this exit command.

58
00:02:28,950 --> 00:02:31,110
Background command.

59
00:02:31,110 --> 00:02:32,670
Here we can see how we can switch

60
00:02:32,670 --> 00:02:34,110
between different sessions.

61
00:02:34,110 --> 00:02:36,360
And you can get the user ID.

62
00:02:36,360 --> 00:02:38,910
I believe the getuid command is right here.

63
00:02:38,910 --> 00:02:39,810
Here it is.

64
00:02:39,810 --> 00:02:42,510
getuid. Get the session UID.

65
00:02:42,510 --> 00:02:44,670
So if I type that right here,

66
00:02:44,670 --> 00:02:46,380
it will tell me the session UID.

67
00:02:46,380 --> 00:02:50,010
We also know the command get user ID.

68
00:02:50,010 --> 00:02:51,150
And this will tell us

69
00:02:51,150 --> 00:02:54,270
which user we are on the target machine.

70
00:02:54,270 --> 00:02:56,400
Okay, so these are just some of the core commands,

71
00:02:56,400 --> 00:02:58,410
and of course you can experiment with others.

72
00:02:58,410 --> 00:03:00,690
But some of them we're going to cover later on.

73
00:03:00,690 --> 00:03:02,700
For now you can just read through this menu,

74
00:03:02,700 --> 00:03:05,760
and go to the file system commands.

75
00:03:05,760 --> 00:03:07,320
And these file system commands,

76
00:03:07,320 --> 00:03:10,260
you can just picture them as commands that we use inside

77
00:03:10,260 --> 00:03:11,310
of a terminal.

78
00:03:11,310 --> 00:03:13,020
So we can change directories.

79
00:03:13,020 --> 00:03:15,000
We can print the current working directory,

80
00:03:15,000 --> 00:03:17,580
list all of the files on the target system,

81
00:03:17,580 --> 00:03:19,530
and let's see how that would work.

82
00:03:19,530 --> 00:03:24,360
So if I go down here, to see in which directory I am,

83
00:03:24,360 --> 00:03:27,510
I can type the command print working directory.

84
00:03:27,510 --> 00:03:28,980
It will tell me that I am currently

85
00:03:28,980 --> 00:03:32,610
in this slash desktop directory on the target machine.

86
00:03:32,610 --> 00:03:33,960
Now why am I here?

87
00:03:33,960 --> 00:03:37,440
Well, because this shell.exe is inside of that directory,

88
00:03:37,440 --> 00:03:39,480
and once the target executed it,

89
00:03:39,480 --> 00:03:42,360
our meterpreter session will automatically be inside

90
00:03:42,360 --> 00:03:45,180
the directory where the payload is.

91
00:03:45,180 --> 00:03:48,900
Okay, if I wanted to list all of the files inside of here,

92
00:03:48,900 --> 00:03:50,400
I can type the dir command.

93
00:03:50,400 --> 00:03:53,430
And I can also type the ls command,

94
00:03:53,430 --> 00:03:57,390
so it supports both Linux commands and Windows commands.

95
00:03:57,390 --> 00:04:01,023
Dir is used to list files inside of a Windows system,

96
00:04:01,950 --> 00:04:04,860
so we can see what files we have right here.

97
00:04:04,860 --> 00:04:07,620
And maybe we could find something interesting right here.

98
00:04:07,620 --> 00:04:11,850
For example, we get this passwords.txt file, and

99
00:04:11,850 --> 00:04:15,450
of course, I created this on purpose just for this tutorial.

100
00:04:15,450 --> 00:04:18,660
But this is something that occurs quite often.

101
00:04:18,660 --> 00:04:22,170
Matter of fact, years ago even I had this file

102
00:04:22,170 --> 00:04:24,630
where I'd written down all of the passwords

103
00:04:24,630 --> 00:04:27,480
that I couldn't remember for different websites.

104
00:04:27,480 --> 00:04:31,380
And to read the content of this passwords.txt file,

105
00:04:31,380 --> 00:04:33,570
we can use a familiar command for us,

106
00:04:33,570 --> 00:04:35,370
which is the cat command.

107
00:04:35,370 --> 00:04:40,170
See, if I type cat passwords.txt and press enter,

108
00:04:40,170 --> 00:04:44,040
this will print out all of the content inside of this file.

109
00:04:44,040 --> 00:04:46,680
We can see the router username and password,

110
00:04:46,680 --> 00:04:48,330
the Facebook username and password,

111
00:04:48,330 --> 00:04:52,290
and the PayPal email and password.

112
00:04:52,290 --> 00:04:55,410
So this is something that you could possibly run into,

113
00:04:55,410 --> 00:04:58,893
and if you want to see the contents, just type the cat command.

114
00:04:59,940 --> 00:05:02,400
Of course, we don't need to be inside of this directory

115
00:05:02,400 --> 00:05:03,510
if we don't want to.

116
00:05:03,510 --> 00:05:07,140
We can use our regular cd command to go one directory back.

117
00:05:07,140 --> 00:05:09,840
And if we type pwd, we're no longer

118
00:05:09,840 --> 00:05:12,090
in the slash desktop directory.

119
00:05:12,090 --> 00:05:14,160
Here, we can type dir once again

120
00:05:14,160 --> 00:05:18,150
to list out all of the files inside of this directory.

121
00:05:18,150 --> 00:05:20,490
If we wanted to choose one of these directories,

122
00:05:20,490 --> 00:05:21,510
we can go back to them.

123
00:05:21,510 --> 00:05:24,933
But for now let's just go back to the desktop directory.

124
00:05:25,830 --> 00:05:26,663
Great.

125
00:05:26,663 --> 00:05:29,520
If I type dir, here are our desktop files,

126
00:05:29,520 --> 00:05:33,000
and if we wanted to, we could also download the file

127
00:05:33,000 --> 00:05:34,740
from the target machine.

128
00:05:34,740 --> 00:05:36,090
So how can we do that?

129
00:05:36,090 --> 00:05:39,663
Well, it is as simple as just typing download,

130
00:05:41,010 --> 00:05:42,750
and then the file name.

131
00:05:42,750 --> 00:05:45,270
In this case, let us say we want to download,

132
00:05:45,270 --> 00:05:47,913
for example, passwords.txt.

133
00:05:51,270 --> 00:05:55,473
I press enter and here it is. It'll download it for us.

134
00:05:56,760 --> 00:05:57,690
Now, I'm not sure where

135
00:05:57,690 --> 00:06:01,380
by default the meterpreter saves these files.

136
00:06:01,380 --> 00:06:03,750
But it could be right here on the desktop.

137
00:06:03,750 --> 00:06:07,440
And here it is, here is the passwords.txt.

138
00:06:07,440 --> 00:06:10,680
And you can also upload files, if you want to.

139
00:06:10,680 --> 00:06:11,520
For example,

140
00:06:11,520 --> 00:06:15,270
let's say we want to upload this RatBackdoor.exe

141
00:06:15,270 --> 00:06:18,600
from one of the previous videos to the target machine.

142
00:06:18,600 --> 00:06:21,270
We can see right now, we don't have it on the desktop

143
00:06:21,270 --> 00:06:22,920
on the target machine.

144
00:06:22,920 --> 00:06:27,920
But if I type upload, and then RatBackdoor.exe,

145
00:06:28,290 --> 00:06:29,970
press enter,

146
00:06:29,970 --> 00:06:32,070
and go back to the desktop just to check it out,

147
00:06:32,070 --> 00:06:33,960
here is our file.

148
00:06:33,960 --> 00:06:36,750
We successfully uploaded another executable

149
00:06:36,750 --> 00:06:38,490
to the target system.

150
00:06:38,490 --> 00:06:40,830
Then we could use something like a shell

151
00:06:40,830 --> 00:06:43,173
to execute that file.

152
00:06:44,070 --> 00:06:45,900
Okay, but we are not going to do that right now.

153
00:06:45,900 --> 00:06:48,210
Let us exit out of the shell,

154
00:06:48,210 --> 00:06:50,370
and run the help command once again,

155
00:06:50,370 --> 00:06:52,323
just to see what else we can do.

156
00:06:53,250 --> 00:06:56,930
Inside of the file system commands we also get the commands

157
00:06:56,930 --> 00:06:59,640
for how we can create and remove files.

158
00:06:59,640 --> 00:07:02,640
So we can use rmdir to remove a folder.

159
00:07:02,640 --> 00:07:05,670
We can use rm to delete the specified files.

160
00:07:05,670 --> 00:07:08,310
So for example, we want to delete the file on their desktop.

161
00:07:08,310 --> 00:07:11,160
We can do that using the regular rm command.

162
00:07:11,160 --> 00:07:14,973
We can also create a directory, and create files if we want to.

163
00:07:15,870 --> 00:07:17,340
So let's see, for example,

164
00:07:17,340 --> 00:07:20,070
if we manage to delete the RatBackdoor.exe

165
00:07:20,070 --> 00:07:21,540
that we just uploaded.

166
00:07:21,540 --> 00:07:22,620
We don't want it there.

167
00:07:22,620 --> 00:07:24,960
So let us just delete it real quick.

168
00:07:24,960 --> 00:07:29,250
Run the rm command, and it is no longer here.

169
00:07:29,250 --> 00:07:32,733
And let's say we want to create the test directory,

170
00:07:33,990 --> 00:07:38,990
and we want to copy passwords.txt into the test directory.

171
00:07:39,240 --> 00:07:41,790
Hmm, access is denied.

172
00:07:41,790 --> 00:07:43,620
Let us just check out right here.

173
00:07:43,620 --> 00:07:44,850
We got the test directory,

174
00:07:44,850 --> 00:07:48,840
but for some reason we can't seem to copy this file.

175
00:07:48,840 --> 00:07:51,600
And this could be due to many different reasons,

176
00:07:51,600 --> 00:07:53,130
but the main reason will probably be

177
00:07:53,130 --> 00:07:56,850
that we are not an administrator on the target machine.

178
00:07:56,850 --> 00:07:59,940
And we are going to check out in some future video

179
00:07:59,940 --> 00:08:03,810
how we can become an administrator or system level account,

180
00:08:03,810 --> 00:08:07,350
just by getting the meterpreter shell as a regular user.

181
00:08:07,350 --> 00:08:11,430
Remember, if I run getuid, we're just a regular user.

182
00:08:11,430 --> 00:08:14,430
We are not the system level account,

183
00:08:14,430 --> 00:08:15,870
but more about that later on.

184
00:08:15,870 --> 00:08:19,410
For now, let us run the help command once again.

185
00:08:19,410 --> 00:08:22,020
And you can play with these file system commands

186
00:08:22,020 --> 00:08:23,010
that we have right here.

187
00:08:23,010 --> 00:08:25,770
But they're just regular commands that we can run inside

188
00:08:25,770 --> 00:08:27,000
of a Kali Linux terminal.

189
00:08:27,000 --> 00:08:30,360
Just this time you're running them on the target machine.

190
00:08:30,360 --> 00:08:32,549
Inside of the networking commands,

191
00:08:32,549 --> 00:08:33,990
we only have a few of them,

192
00:08:33,990 --> 00:08:35,970
so let's just test two or three of them.

193
00:08:35,970 --> 00:08:38,010
For example, this arp command

194
00:08:38,010 --> 00:08:40,200
will display the host ARP cache.

195
00:08:40,200 --> 00:08:43,470
So with this, we should be able to see the IP addresses

196
00:08:43,470 --> 00:08:46,200
and their corresponding MAC addresses.

197
00:08:46,200 --> 00:08:48,900
These are all of the IP addresses that are inside

198
00:08:48,900 --> 00:08:51,870
of our ARP tables on the Windows machine.

199
00:08:51,870 --> 00:08:54,300
So we have our Kali Linux IP address,

200
00:08:54,300 --> 00:08:56,730
because we are currently communicating

201
00:08:56,730 --> 00:09:00,030
with our target machine from our Kali Linux IP address.

202
00:09:00,030 --> 00:09:02,670
Therefore, it must have our Kali Linux IP address

203
00:09:02,670 --> 00:09:04,680
in the ARP tables.

204
00:09:04,680 --> 00:09:07,500
We also get the router's IP address,

205
00:09:07,500 --> 00:09:09,090
the broadcast IP address,

206
00:09:09,090 --> 00:09:12,330
and all of these down here are not that important.

207
00:09:12,330 --> 00:09:14,640
If I run the ifconfig command, of course,

208
00:09:14,640 --> 00:09:17,310
I will be able to see all the networking interfaces

209
00:09:17,310 --> 00:09:20,610
on the target system, as well as the IP address

210
00:09:20,610 --> 00:09:23,190
that the target currently has.

211
00:09:23,190 --> 00:09:25,893
If I run the command, for example, netstat,

212
00:09:27,240 --> 00:09:29,790
this will print out all of the connections

213
00:09:29,790 --> 00:09:32,700
that our target machine currently has.

214
00:09:32,700 --> 00:09:37,620
So we can see right here the connections, the IP addresses,

215
00:09:37,620 --> 00:09:40,710
which protocol they are using; in this case these are using TCP,

216
00:09:40,710 --> 00:09:43,620
and down here we have the UDP protocol.

217
00:09:43,620 --> 00:09:44,790
If I go up here,

218
00:09:44,790 --> 00:09:48,420
we should be able to find our shell.exe

219
00:09:48,420 --> 00:09:49,920
that established the connection

220
00:09:49,920 --> 00:09:52,020
with the Kali Linux IP address.

221
00:09:52,020 --> 00:09:55,860
So we know that 192.168.1.4 is the IP address

222
00:09:55,860 --> 00:09:58,290
of my Windows 10 target machine.

223
00:09:58,290 --> 00:10:01,020
And here if I go and find the IP address

224
00:10:01,020 --> 00:10:03,420
of the Kali Linux machine, here it is.

225
00:10:03,420 --> 00:10:06,780
We can see it is running on port 5555.

226
00:10:06,780 --> 00:10:08,700
The connection is established,

227
00:10:08,700 --> 00:10:11,280
and the process that is causing this connection

228
00:10:11,280 --> 00:10:14,703
is shell.exe, our payload.

229
00:10:15,870 --> 00:10:16,703
Great.

230
00:10:16,703 --> 00:10:18,600
Now if you want to, you can go up here

231
00:10:18,600 --> 00:10:21,600
and experiment with the other commands as well.

232
00:10:21,600 --> 00:10:23,280
But these are not that interesting

233
00:10:23,280 --> 00:10:25,920
or important for us at the moment.

234
00:10:25,920 --> 00:10:28,170
What is important, and what we will cover

235
00:10:28,170 --> 00:10:31,380
in the next video, are these system commands

236
00:10:31,380 --> 00:10:33,810
and user interface commands.

237
00:10:33,810 --> 00:10:36,450
We want to see some of the cool stuff such as

238
00:10:36,450 --> 00:10:39,480
capturing keystrokes, or running a keylogger,

239
00:10:39,480 --> 00:10:42,360
running a screenshot on the target desktop,

240
00:10:42,360 --> 00:10:46,230
maybe for example, recording the microphone, recording the webcam,

241
00:10:46,230 --> 00:10:48,180
all of that we want to check out

242
00:10:48,180 --> 00:10:50,040
and see how we can run them.

243
00:10:50,040 --> 00:10:52,560
And we will do that in the next video.

244
00:10:52,560 --> 00:10:54,330
So experiment with the commands

245
00:10:54,330 --> 00:10:55,710
that we covered a little bit.

246
00:10:55,710 --> 00:10:57,840
Feel free to run the others as well,

247
00:10:57,840 --> 00:10:59,970
if you want to check out what they do.

248
00:10:59,970 --> 00:11:02,643
And I will see you in the next lecture.