1
00:00:00,810 --> 00:00:02,100
Instructor: Welcome back.

2
00:00:02,100 --> 00:00:04,110
In this small section we're going

3
00:00:04,110 --> 00:00:07,830
to cover the SMBGhost Windows 10 vulnerability.

4
00:00:07,830 --> 00:00:09,870
Since there is no module available

5
00:00:09,870 --> 00:00:11,580
for the Metasploit Framework

6
00:00:11,580 --> 00:00:13,530
regarding this vulnerability,

7
00:00:13,530 --> 00:00:17,220
we are going to need to exploit it manually.

8
00:00:17,220 --> 00:00:19,950
And by manually I mean we will have

9
00:00:19,950 --> 00:00:23,010
to find a working exploit ourselves,

10
00:00:23,010 --> 00:00:24,300
run it ourselves,

11
00:00:24,300 --> 00:00:25,890
and redirect the connection

12
00:00:25,890 --> 00:00:28,383
to our Linux machine ourselves.

13
00:00:29,280 --> 00:00:30,270
All of these tasks

14
00:00:30,270 --> 00:00:33,060
the Metasploit Framework did for us automatically.

15
00:00:33,060 --> 00:00:35,580
And since we can't really rely on tools,

16
00:00:35,580 --> 00:00:37,020
we're going to learn through

17
00:00:37,020 --> 00:00:38,700
this Windows 10 vulnerability

18
00:00:38,700 --> 00:00:41,940
how we can do all of that ourselves.

19
00:00:41,940 --> 00:00:45,840
Now the vulnerability that we are exploiting is rather new.

20
00:00:45,840 --> 00:00:49,320
I believe it got disclosed in June 2020

21
00:00:49,320 --> 00:00:51,360
and for this we will need

22
00:00:51,360 --> 00:00:54,120
to install a Windows 10 virtual machine.

23
00:00:54,120 --> 00:00:57,300
Not all versions are vulnerable since it got patched,

24
00:00:57,300 --> 00:01:00,122
so we will have to install a vulnerable version

25
00:01:00,122 --> 00:01:02,430
of the Windows 10 machine.

26
00:01:02,430 --> 00:01:05,550
Since this as well is an SMB vulnerability,

27
00:01:05,550 --> 00:01:08,670
we won't need any additional software to run

28
00:01:08,670 --> 00:01:11,490
on our target machine for this exploit to work,

29
00:01:11,490 --> 00:01:13,530
which makes it even more dangerous.

30
00:01:13,530 --> 00:01:15,720
Just like the previous two vulnerabilities,

31
00:01:15,720 --> 00:01:18,360
which were EternalBlue and BlueKeep.

32
00:01:18,360 --> 00:01:20,190
But they were attacking Windows 7.

33
00:01:20,190 --> 00:01:23,010
This one attacks Windows 10.

34
00:01:23,010 --> 00:01:26,880
All our target needs to have is its port 445 open

35
00:01:26,880 --> 00:01:29,343
and some previous version of Windows 10.

36
00:01:30,180 --> 00:01:32,940
The exact vulnerable version that we are looking for

37
00:01:32,940 --> 00:01:37,703
is either Windows 10 1903 or Windows 10 1909.

38
00:01:38,700 --> 00:01:42,750
So you will need an ISO file as usual to create this machine.

39
00:01:42,750 --> 00:01:45,090
And both of these versions are vulnerable

40
00:01:45,090 --> 00:01:47,160
to the SMBGhost attack.

41
00:01:47,160 --> 00:01:48,690
Let me show you right now

42
00:01:48,690 --> 00:01:50,910
where we can download a previous version

43
00:01:50,910 --> 00:01:53,010
of the Windows 10 ISO file.

44
00:01:53,010 --> 00:01:56,310
And by the way, we will be using this Windows machine

45
00:01:56,310 --> 00:01:58,980
in the next section as well to test the payloads

46
00:01:58,980 --> 00:02:00,660
that we will create.

47
00:02:00,660 --> 00:02:02,280
But more about that later on.

48
00:02:02,280 --> 00:02:05,760
For now, let's focus on creating our virtual environment

49
00:02:05,760 --> 00:02:07,440
for this attack.

50
00:02:07,440 --> 00:02:10,289
So what you want to do first is you want to navigate

51
00:02:10,289 --> 00:02:12,630
to this rufus.ie website.

52
00:02:12,630 --> 00:02:14,910
And this software right here

53
00:02:14,910 --> 00:02:16,260
that we're going to download

54
00:02:16,260 --> 00:02:19,020
is used to create bootable USB drives

55
00:02:19,020 --> 00:02:20,520
with the ISO files.

56
00:02:20,520 --> 00:02:22,650
Now you might be asking, "Well, why are we

57
00:02:22,650 --> 00:02:23,520
going to need this?

58
00:02:23,520 --> 00:02:27,090
We're not going to boot into our computer over a USB drive.

59
00:02:27,090 --> 00:02:29,100
We are installing a virtual machine."

60
00:02:29,100 --> 00:02:30,630
And that is true,

61
00:02:30,630 --> 00:02:33,060
but this software also offers us

62
00:02:33,060 --> 00:02:34,860
to download some previous versions

63
00:02:34,860 --> 00:02:37,590
of the Windows 10 operating system.

64
00:02:37,590 --> 00:02:40,260
That's why you want to go down here.

65
00:02:40,260 --> 00:02:44,070
Click on this Rufus 3.11 and download the file.

66
00:02:44,070 --> 00:02:46,860
It is 1.1 megabytes in size.

67
00:02:46,860 --> 00:02:49,050
Once you download it, you should have

68
00:02:49,050 --> 00:02:51,333
this file right here on the desktop.

69
00:02:52,260 --> 00:02:53,700
Double click on that file

70
00:02:53,700 --> 00:02:55,860
and it'll ask for the administrator password.

71
00:02:55,860 --> 00:02:58,980
You want to click on yes or type in the password.

72
00:02:58,980 --> 00:03:01,260
And right here where we want to go

73
00:03:01,260 --> 00:03:03,720
is this arrow next to Select.

74
00:03:03,720 --> 00:03:06,960
But now here's a small piece of advice.

75
00:03:06,960 --> 00:03:10,170
Sometimes this arrow right here will not appear,

76
00:03:10,170 --> 00:03:12,660
and it actually didn't appear for me

77
00:03:12,660 --> 00:03:15,150
once I downloaded this software for the first time.

78
00:03:15,150 --> 00:03:17,910
So what I did is I tried restarting

79
00:03:17,910 --> 00:03:19,440
this program several times.

80
00:03:19,440 --> 00:03:20,970
So just close this.

81
00:03:20,970 --> 00:03:22,350
Open this again.

82
00:03:22,350 --> 00:03:23,880
Close it and open it again.

83
00:03:23,880 --> 00:03:27,600
That might work, and what also might work is going right here

84
00:03:27,600 --> 00:03:29,430
to the application settings

85
00:03:29,430 --> 00:03:32,460
and changing this "check for updates" setting.

86
00:03:32,460 --> 00:03:33,750
Then click on close.

87
00:03:33,750 --> 00:03:34,980
Restart the program

88
00:03:34,980 --> 00:03:38,940
and eventually this arrow right here should appear.

89
00:03:38,940 --> 00:03:42,630
Once it appears, click on it and click on download.

90
00:03:42,630 --> 00:03:44,610
And once you select the download, click

91
00:03:44,610 --> 00:03:46,110
on download once again,

92
00:03:46,110 --> 00:03:49,380
and this will start running the download script.

93
00:03:49,380 --> 00:03:51,630
In just a few seconds you should have

94
00:03:51,630 --> 00:03:53,730
this small window pop up.

95
00:03:53,730 --> 00:03:55,200
Here we want to select

96
00:03:55,200 --> 00:03:58,230
what operating system we want to download.

97
00:03:58,230 --> 00:03:59,350
If I click on here

98
00:04:01,020 --> 00:04:03,240
it will ask me if I want Windows 8

99
00:04:03,240 --> 00:04:04,073
or Windows 10.

100
00:04:04,073 --> 00:04:05,370
I want to select Windows 10.

101
00:04:05,370 --> 00:04:06,423
Click on continue.

102
00:04:07,680 --> 00:04:09,330
In the next step it will ask me

103
00:04:09,330 --> 00:04:11,700
which exact release I want to select.

104
00:04:11,700 --> 00:04:15,360
And right here we want to go with this one,

105
00:04:15,360 --> 00:04:20,360
which is 19H1, build 18362.356.

106
00:04:21,990 --> 00:04:25,920
And it says right here the date is 2019 September,

107
00:04:25,920 --> 00:04:28,020
or the ninth month.

108
00:04:28,020 --> 00:04:30,360
So click on this right here.

109
00:04:30,360 --> 00:04:32,100
Then click on continue.

110
00:04:32,100 --> 00:04:34,113
You can select Windows 10 Home.

111
00:04:34,980 --> 00:04:37,290
Click on continue here as well.

112
00:04:37,290 --> 00:04:39,273
Language we can leave on English.

113
00:04:41,460 --> 00:04:44,220
And the last step, which is architecture, we can leave

114
00:04:44,220 --> 00:04:45,840
on x64.

115
00:04:45,840 --> 00:04:48,570
Then you can click on download right here

116
00:04:48,570 --> 00:04:51,090
or you can download using a browser.

117
00:04:51,090 --> 00:04:52,050
If you simply just click

118
00:04:52,050 --> 00:04:55,140
on download, it'll open the file explorer.

119
00:04:55,140 --> 00:04:57,900
And here you can pick where you want to save it

120
00:04:57,900 --> 00:04:59,040
on your desktop.

121
00:04:59,040 --> 00:05:00,540
Keep in mind that the size of the file

122
00:05:00,540 --> 00:05:01,740
is around five gigabytes.

123
00:05:01,740 --> 00:05:03,750
So this will take some time.

124
00:05:03,750 --> 00:05:05,880
Since I already have it downloaded I will not

125
00:05:05,880 --> 00:05:07,260
be downloading it again.

126
00:05:07,260 --> 00:05:09,540
For you, just wait for the download to finish

127
00:05:09,540 --> 00:05:13,410
and you should have a Windows 10 ISO file ready.

128
00:05:13,410 --> 00:05:15,780
Make sure that you pick the exact same version

129
00:05:15,780 --> 00:05:17,460
that I did right here.

130
00:05:17,460 --> 00:05:19,818
And once all of that is finished you can close

131
00:05:19,818 --> 00:05:21,780
this program.

132
00:05:21,780 --> 00:05:26,280
The next step is to install the Windows 10 virtual machine.

133
00:05:26,280 --> 00:05:28,860
So I already got one running right here,

134
00:05:28,860 --> 00:05:31,290
and for you, you can do it the same way that we did

135
00:05:31,290 --> 00:05:32,280
with any other machine.

136
00:05:32,280 --> 00:05:36,030
So just type Windows 10.

137
00:05:36,030 --> 00:05:39,780
Select right here, Microsoft Windows, Windows 10, 64 bit.

138
00:05:39,780 --> 00:05:41,040
Click on next.

139
00:05:41,040 --> 00:05:43,680
Choose two gigabytes of RAM or choose the same amount

140
00:05:43,680 --> 00:05:45,570
of RAM that you use for the Windows 7.

141
00:05:45,570 --> 00:05:46,800
Click on Next.

142
00:05:46,800 --> 00:05:48,810
Here we want to create a virtual hard disk.

143
00:05:48,810 --> 00:05:51,180
All of these steps we can next, next, next.

144
00:05:51,180 --> 00:05:55,920
Here, I got 25 gigabytes in my case.

145
00:05:55,920 --> 00:05:58,230
And you can choose whatever you want right here.

146
00:05:58,230 --> 00:06:01,170
And this will create your virtual machine.

147
00:06:01,170 --> 00:06:03,630
Now since I already have it I will delete it,

148
00:06:03,630 --> 00:06:06,360
but before I delete it, another two settings

149
00:06:06,360 --> 00:06:07,920
that you want to choose

150
00:06:07,920 --> 00:06:10,200
is, as we did with the Windows 7 machine,

151
00:06:10,200 --> 00:06:14,190
under the storage, under the empty, you want to remove,

152
00:06:14,190 --> 00:06:18,600
and you want to add the Windows 10 ISO file

153
00:06:18,600 --> 00:06:20,580
which I have right here.

154
00:06:20,580 --> 00:06:22,650
The next setting that you want to change

155
00:06:22,650 --> 00:06:25,650
is from NAT to Bridged Adapter.

156
00:06:25,650 --> 00:06:27,690
Once you do all of that you can start

157
00:06:27,690 --> 00:06:31,020
the process of installing Windows 10.

158
00:06:31,020 --> 00:06:33,330
Now there is not any important step

159
00:06:33,330 --> 00:06:34,680
in the Windows 10 installation,

160
00:06:34,680 --> 00:06:36,660
so you can do it however you want.

161
00:06:36,660 --> 00:06:38,490
But just a pro tip.

162
00:06:38,490 --> 00:06:40,920
Once it gets to the part where it asks you

163
00:06:40,920 --> 00:06:42,960
for the account creation

164
00:06:42,960 --> 00:06:46,290
where you need to specify an email address and all of that,

165
00:06:46,290 --> 00:06:49,401
you can skip that part by unplugging your device

166
00:06:49,401 --> 00:06:51,300
from the internet.

167
00:06:51,300 --> 00:06:53,040
And then it'll allow you to create

168
00:06:53,040 --> 00:06:54,510
an offline Windows account.

169
00:06:54,510 --> 00:06:56,850
So you won't need to create an email

170
00:06:56,850 --> 00:06:58,590
for the Windows 10 account.

171
00:06:58,590 --> 00:07:00,360
All of the other steps are not important.

172
00:07:00,360 --> 00:07:01,950
You can do them as you like.

173
00:07:01,950 --> 00:07:03,750
And once you do all of that

174
00:07:03,750 --> 00:07:06,333
you can start your Windows 10 machine.

175
00:07:07,350 --> 00:07:08,880
Another thing that we need to do

176
00:07:08,880 --> 00:07:11,160
to get our Windows 10 machine fully ready

177
00:07:11,160 --> 00:07:14,340
for this attack is to disable the firewall.

178
00:07:14,340 --> 00:07:15,540
So go down here.

179
00:07:15,540 --> 00:07:16,773
Type control panel.

180
00:07:18,180 --> 00:07:19,470
And the way we disable it

181
00:07:19,470 --> 00:07:22,050
on Windows 10 is the same way that we disable it

182
00:07:22,050 --> 00:07:23,460
on Windows 7.

183
00:07:23,460 --> 00:07:26,100
So click on Control Panel right here.

184
00:07:26,100 --> 00:07:28,023
Click on System and Security.

185
00:07:29,250 --> 00:07:31,090
Click on Windows Defender Firewall

186
00:07:32,280 --> 00:07:35,100
and turn it off with this button right here

187
00:07:35,100 --> 00:07:38,640
which says "Turn Windows Defender Firewall on or off".

188
00:07:38,640 --> 00:07:40,710
Mine is currently off.

189
00:07:40,710 --> 00:07:42,840
Once you do that, everything is ready

190
00:07:42,840 --> 00:07:44,550
and you should be good to go

191
00:07:44,550 --> 00:07:47,250
for the next video, where we are going to try to search

192
00:07:47,250 --> 00:07:50,970
for the exploit for this particular attack.

193
00:07:50,970 --> 00:07:52,070
See you in the next video.