1 00:00:00,134 --> 00:00:01,560 Instructor: Welcome back.
2 00:00:01,560 --> 00:00:05,010 And now that we've got our Windows 10 machines set up,
3 00:00:05,010 --> 00:00:08,310 we want to perform a vulnerability scan real quick
4 00:00:08,310 --> 00:00:09,930 to see whether it is vulnerable.
5 00:00:09,930 --> 00:00:13,110 And then I will show you a tool that we can use
6 00:00:13,110 --> 00:00:15,180 to crash the target system.
7 00:00:15,180 --> 00:00:18,390 So first of all, open up both of your Kali Linux
8 00:00:18,390 --> 00:00:20,340 and Windows 10 machines.
9 00:00:20,340 --> 00:00:22,740 Right here, I ran the ipconfig command
10 00:00:22,740 --> 00:00:25,860 to check out the IP address of the Windows 10 machine.
11 00:00:25,860 --> 00:00:28,080 And what I'm going to do is
12 00:00:28,080 --> 00:00:30,100 I'm going to scan it real quick
13 00:00:31,200 --> 00:00:34,440 just to see what ports it has open
14 00:00:34,440 --> 00:00:37,773 and whether our setup was correct from the previous video.
15 00:00:38,790 --> 00:00:39,930 Okay, great.
16 00:00:39,930 --> 00:00:44,930 We got port 445 open; that is all we need.
17 00:00:45,330 --> 00:00:48,900 Now, I have also performed a Nessus vulnerability scan
18 00:00:48,900 --> 00:00:50,730 this morning on the Windows 10 machine,
19 00:00:50,730 --> 00:00:54,000 and for some reason it didn't manage to find
20 00:00:54,000 --> 00:00:56,370 this SMBGhost vulnerability.
21 00:00:56,370 --> 00:01:00,510 Now, that could be some type of a bug, maybe, perhaps,
22 00:01:00,510 --> 00:01:03,870 since if I type locate and then the vulnerability name,
23 00:01:03,870 --> 00:01:08,820 which is CVE-2020-0796,
24 00:01:11,220 --> 00:01:14,280 and this is just the name for this particular vulnerability,
25 00:01:14,280 --> 00:01:15,633 and I type Enter,
26 00:01:16,500 --> 00:01:19,170 here it will find the path to the Nessus
27 00:01:19,170 --> 00:01:22,200 with the module for that vulnerability.
28 00:01:22,200 --> 00:01:24,840 So it seems that it has a plugin for that vulnerability
29 00:01:24,840 --> 00:01:27,120 and it should be able to discover it.
30 00:01:27,120 --> 00:01:28,800 But once again, for me personally,
31 00:01:28,800 --> 00:01:30,360 it didn't manage to find it.
32 00:01:30,360 --> 00:01:31,560 You can try it out.
33 00:01:31,560 --> 00:01:33,210 You know right now how to use Nessus.
34 00:01:33,210 --> 00:01:36,540 So just open it up, open your Windows 10 machine
35 00:01:36,540 --> 00:01:40,410 and run a scan in Nessus on your Windows 10 machine,
36 00:01:40,410 --> 00:01:41,820 and see if you can come up
37 00:01:41,820 --> 00:01:44,040 with this vulnerability from there.
38 00:01:44,040 --> 00:01:46,110 But what we want to do right now is
39 00:01:46,110 --> 00:01:50,553 we want to copy this name, and we want to go to Firefox.
40 00:01:52,230 --> 00:01:54,060 Since remember, this is something
41 00:01:54,060 --> 00:01:56,220 that we do not have in the Metasploit framework,
42 00:01:56,220 --> 00:01:58,923 we must find the exploit ourselves.
43 00:02:00,510 --> 00:02:02,430 Once Firefox opens up,
44 00:02:02,430 --> 00:02:05,520 paste the vulnerability name right here,
45 00:02:05,520 --> 00:02:10,520 and I will just type it real quick: CVE-2020-0796,
46 00:02:10,570 --> 00:02:12,900 and we can add GitHub.
47 00:02:12,900 --> 00:02:16,110 Let us check out whether there are some available tools
48 00:02:16,110 --> 00:02:18,540 in a GitHub repository.
49 00:02:18,540 --> 00:02:21,513 So we got a few responses right here.
50 00:02:22,830 --> 00:02:25,290 And what we want to go with first
51 00:02:25,290 --> 00:02:27,240 is the vulnerability scanner.
52 00:02:27,240 --> 00:02:29,310 And what I mean by vulnerability scanner
53 00:02:29,310 --> 00:02:31,200 is we want the tool that will tell us
54 00:02:31,200 --> 00:02:33,150 whether the target machine is vulnerable
55 00:02:33,150 --> 00:02:36,930 to this attack without crashing or exploiting it.
56 00:02:36,930 --> 00:02:38,853 So we'll go to this link right here,
57 00:02:39,780 --> 00:02:43,290 and it seems that this is the tool that we need.
58 00:02:43,290 --> 00:02:47,073 It says the vulnerability name, scanner.py:
59 00:02:47,940 --> 00:02:52,827 identifying and mitigating the CVE-2020-0796
60 00:02:53,760 --> 00:02:55,023 flaw on the fly.
61 00:02:55,950 --> 00:02:57,390 So let's check it out.
62 00:02:57,390 --> 00:03:00,090 Let's copy the name of this vulnerability.
63 00:03:00,090 --> 00:03:02,100 Then we will go to our desktop,
64 00:03:02,100 --> 00:03:05,310 and we will git clone that repository
65 00:03:05,310 --> 00:03:07,053 to our desktop directory.
66 00:03:09,750 --> 00:03:12,660 Once it finishes downloading, we can type ls.
67 00:03:12,660 --> 00:03:14,910 Here it is, right here.
68 00:03:14,910 --> 00:03:18,360 Let's change directory to there by typing cd,
69 00:03:18,360 --> 00:03:21,420 and let's see which files we have.
70 00:03:21,420 --> 00:03:25,470 So we have only this scanner.py file,
71 00:03:25,470 --> 00:03:27,180 so it is a Python file.
72 00:03:27,180 --> 00:03:30,060 Let us go to this page and just check real quick
73 00:03:30,060 --> 00:03:32,250 whether it is a Python 2 or 3 program,
74 00:03:32,250 --> 00:03:35,160 and by the usage that we can see right here,
75 00:03:35,160 --> 00:03:38,160 it seems that it is a Python 3 program.
76 00:03:38,160 --> 00:03:39,930 So let's test it out.
77 00:03:39,930 --> 00:03:42,180 If I go right here, check out the IP address
78 00:03:42,180 --> 00:03:43,560 of the Windows 10 machine.
79 00:03:43,560 --> 00:03:46,860 For me it is 192.168.1.5.
80 00:03:46,860 --> 00:03:48,933 Let's run the program, python3,
81 00:03:51,150 --> 00:03:53,763 and then type the IP address.
82 00:03:55,740 --> 00:03:58,530 Well, we get the response that we wanted.
83 00:03:58,530 --> 00:04:02,160 It says right here, Vulnerable, great.
84 00:04:02,160 --> 00:04:04,920 Now we can test other tools that will crash
85 00:04:04,920 --> 00:04:07,260 and exploit the target.
86 00:04:07,260 --> 00:04:10,260 First I want to show you a tool that you can use
87 00:04:10,260 --> 00:04:12,090 to just crash the target.
88 00:04:12,090 --> 00:04:15,180 And for this tool we don't need anything else
89 00:04:15,180 --> 00:04:18,060 besides the IP address of the target machine.
90 00:04:18,060 --> 00:04:21,750 So you can crash any target just by knowing its IP address.
91 00:04:21,750 --> 00:04:24,840 For the exploit that we will cover in the next video,
92 00:04:24,840 --> 00:04:26,880 we're going to cheat a little bit.
93 00:04:26,880 --> 00:04:29,790 We need something in order for the exploit to work.
94 00:04:29,790 --> 00:04:32,010 And I will show you that in the next video.
95 00:04:32,010 --> 00:04:36,808 For now, we want to see how we can crash the target machine.
96 00:04:36,808 --> 00:04:38,460 So if you go all the way down,
97 00:04:38,460 --> 00:04:40,350 you will see this GitHub link.
98 00:04:40,350 --> 00:04:43,830 It is from jiansiting and it has the name
99 00:04:43,830 --> 00:04:45,033 of our vulnerability.
100 00:04:45,960 --> 00:04:49,350 If I go right here, we can see we've got a few files.
101 00:04:49,350 --> 00:04:51,630 Once again, this is a Python tool.
102 00:04:51,630 --> 00:04:53,220 Under here we got the usage.
103 00:04:53,220 --> 00:04:55,860 So we got a demo gif.
104 00:04:55,860 --> 00:04:58,320 Here we can see the command that he's running.
105 00:04:58,320 --> 00:05:01,053 And if we go right here and copy the tool,
106 00:05:03,390 --> 00:05:06,030 and once again we can go to our desktop,
107 00:05:06,030 --> 00:05:11,030 and git clone the tool name, the link pasted right here,
108 00:05:11,760 --> 00:05:13,320 wait for the download to finish.
109 00:05:13,320 --> 00:05:17,610 And if I type ls, we now have two directories.
110 00:05:17,610 --> 00:05:19,050 This one is the scanner
111 00:05:19,050 --> 00:05:21,630 and this one is the one that we just downloaded.
112 00:05:21,630 --> 00:05:26,460 So let's go cd CVE; we got the demo gif,
113 00:05:26,460 --> 00:05:29,103 the readme file, and the vulnerability itself.
114 00:05:29,940 --> 00:05:33,270 Of course, if we want to, we can nano the vulnerability file
115 00:05:33,270 --> 00:05:37,110 or the Python file, and we can scroll all the way down
116 00:05:37,110 --> 00:05:39,330 to see the code of this exploit,
117 00:05:39,330 --> 00:05:41,940 and down here we get the usage.
118 00:05:41,940 --> 00:05:44,790 So all we need to specify, as it says right here,
119 00:05:44,790 --> 00:05:47,310 is the target IP address.
120 00:05:47,310 --> 00:05:48,720 Let's try it out.
121 00:05:48,720 --> 00:05:50,880 If I go right here and type python,
122 00:05:50,880 --> 00:05:55,740 I believe it's python3 once again, and then cve.py
123 00:05:55,740 --> 00:05:58,770 and then the IP address of the target machine.
124 00:05:58,770 --> 00:06:02,340 Before I run it, I will lower this screen so we can see both
125 00:06:02,340 --> 00:06:05,490 of our targets before running this program.
126 00:06:05,490 --> 00:06:10,490 And right here, if I press Enter, well, here it is.
127 00:06:10,920 --> 00:06:13,623 We successfully crashed the target machine.
128 00:06:14,490 --> 00:06:15,990 It got the blue screen of death,
129 00:06:15,990 --> 00:06:20,010 as we can see right here, and it is now restarting.
130 00:06:20,010 --> 00:06:22,710 And this is also a critical vulnerability.
131 00:06:22,710 --> 00:06:24,690 Once again, I need to mention that you should never
132 00:06:24,690 --> 00:06:27,180 be able to crash the target machine
133 00:06:27,180 --> 00:06:29,490 just by knowing its IP address.
134 00:06:29,490 --> 00:06:33,240 This is something that we would also 100% write down
135 00:06:33,240 --> 00:06:35,583 inside of our penetration testing report.
136 00:06:36,840 --> 00:06:38,490 Now that we managed to scan the target
137 00:06:38,490 --> 00:06:39,870 to see whether it is vulnerable,
138 00:06:39,870 --> 00:06:42,810 and we used another tool to crash the target,
139 00:06:42,810 --> 00:06:46,110 let's see in the next video how we can exploit
140 00:06:46,110 --> 00:06:48,630 the target machine and gain a shell back
141 00:06:48,630 --> 00:06:50,283 inside of our Kali Linux machine.
142 00:06:51,374 --> 00:06:52,624 See you in the next video.