Speaker: Welcome back. Let's continue exploiting our Metasploitable machine. So we already found three vulnerabilities, regarding telnet, FTP and the bind shell with no authentication. Let us see what else we can find. And what I have in mind for now is this Samba open port right here. Matter of fact, these two open ports, 139 and 445. Why them? Well, because it seems that we do not have the exact version of Samba right here. It tells us that Samba is between three point something and four point something. So let's see how we will figure out what exploit to use and how to find it. Here's a small hint: we don't need to Google it to be able to find it. We have everything we need right here in Kali Linux. So don't use Google to find it, since it is cheating, and you will most likely find it on the first link. Let's see whether we can figure it out by ourselves. So right here in our scan we have this Samba version right here. Not the exact version, but it does give us some information about which range the version belongs to. And that is something.

We also see that the ports hosting this are 139 and 445. So we do get some information. What now? Well, let's just search for samba inside of searchsploit and see what comes up. So I've got this scan right here, I've got my msfconsole right here, and I will open a third terminal and type searchsploit samba. Well, it seems that we get a lot of results. And these are exploits for a bunch of different Samba versions, as we can see right here. Now we could just try all of them out to see whether they will work, or we can try to figure out the Samba version first, and then narrow down our exploit search and see whether we find something for that specific version. So how are we going to find out the Samba version? Our nmap scan didn't manage to do it. Well, luckily, nmap is not the only scanner that we can use for these types of things. Remember that in the Metasploit framework, besides having all of these exploits and payloads, we also get those auxiliary modules, and those auxiliary modules can sometimes be scanners. Let's search and see whether we can find a scanner for this.

If we just type search samba in Metasploit and press enter, we get some of the results right here. Matter of fact, we will get a lot of results once again. Some are exploits, some are auxiliary modules, and down here I believe there is one post-exploitation module. And if we go to the auxiliary modules, it'll only give us two auxiliary scanner modules. These aren't the scanners that we need. Let's try to find it ourselves. If I go down here, clear the screen and type use auxiliary, then scanner, then smb, because that is the port that we are enumerating, and then tab twice, these are all of the available auxiliary scanners that we have for SMB. The one that we are particularly interested in is this smb_version. So let's copy it. If I copy the entire command right here, paste it and press enter... Oops, let me just delete this, we typed the command twice. So use auxiliary/scanner/smb/smb_version.

And if I type show info right here, it'll tell me in the description: display version information about each system. This looks like something that we need. Let's type all of the needed information for this to run. So we're going to type show options first, and we require RHOSTS. We've got some other things as well, but these three things are not required, as it says right here. The threads we leave at one, and the RHOST will be the IP address of our Metasploitable, in my case 192.168.1.9. I will set this right here, and if we run it... well, it worked. Even though it says right here, host could not be identified, in the brackets we get the exact Samba version on the Metasploitable, which is 3.0.20. Cool. Let's see what we can find from exploits now that we know what version it runs. So I'll copy this 3.0.20 and go back to my searchsploit, clear the screen and type it once again, just this time I will paste the entire version.

Press enter, and we manage to narrow it down to only five results. And it seems that these two are the same results, so it's actually four results in total. The first one seems to be some type of security bypass, and it affects our version since it's between 3.0.10 and 3.3.5, but it also seems to be a txt file, which I really don't want to bother with right now. We want something that we can execute right away. The most interesting thing we have right here is this Samba "Username Map Script" command execution. Why? Well, it's a Ruby exploit, and it belongs to the Metasploit framework. Plus it also affects our version of Samba, as we can see right here. These two down here are also txt files, which I'm not really interested in, and they also don't seem to actually affect our version. They only affect the versions below our version. And the last one, which is the denial of service or DoS attack, seems to be affecting our version, but we are once again not interested in denial of service attacks.

But in a real penetration test, you would 100% write this in a report, with the references to the possible attack. For now, let's just go with the Metasploit module that we found. Let's remember the name: Username Map Script command execution. And if I search once again in my Metasploit, search samba, that is, trying to find the exploit that we found using searchsploit. If I go up here and go through all of these results... And here it is, under number 13, exploit/multi/samba/usermap_script, "Samba Username Map Script Command Execution". This is the same script that we saw right here. Here it is. If I copy the script name, so exploit/multi/samba/usermap_script, and type right here use, then paste the script name, it'll set the default payload to be cmd/unix/reverse_netcat. And by the way, this multi right here means that it can be targeted at multiple operating systems, whereas if you had only Windows or Linux specified right here, it would mean that only that specific operating system is vulnerable to this attack.

So let's show information about this exploit. I will first clear the screen and type show info, and it'll tell us: this module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25 when using the non-default username map script configuration option. And if I also set up all of the things that we need, so show options, it seems that we need one thing, which is the RHOST, so let's set it up right away. This is the IP address of Metasploitable. The port right here we do not want to change, since it is already set correctly, as we can see right here: port 139 is running Samba. And down here is our payload, which is the reverse netcat. We set the IP address of our Kali Linux machine here and any port that we want. Once all of this is ready, we can run our exploit. And here it is. We once again got a command shell opened on the target system using the Samba vulnerability. And we can, as usual, execute commands. If I type whoami, it will tell me root. So we already have the highest privilege on that machine. Great. This is the fourth vulnerability we found.

To close the connection, we can just Ctrl+C this and type y, and you would write this down as another successful exploit if this was a real penetration test. In the next video, we're going to cover a different type of attack that we haven't performed yet, which is a brute force attack on the SSH port.