WEBVTT

00:00.319 --> 00:03.660
>> Welcome back to the
Cyber Kill Chain course.

00:03.660 --> 00:06.300
This is Abdulrahman
Alnaim and today,

00:06.300 --> 00:10.420
we will cover exploitation
and installation.

00:10.850 --> 00:13.920
Going back to the
Cyber Kill Chain,

00:13.920 --> 00:16.850
we started with reconnaissance
where we gathered

00:16.850 --> 00:18.440
as much information as we can

00:18.440 --> 00:20.465
about the target of the attack.

00:20.465 --> 00:24.095
Then we decided during
reconnaissance that

00:24.095 --> 00:30.520
we will attack a
Windows machine.

00:30.980 --> 00:35.150
It seemed like the best way to

00:35.150 --> 00:39.385
deliver this is through
social engineering.

00:39.385 --> 00:43.725
We move to Phase
two, weaponization.

00:43.725 --> 00:45.740
In weaponization,
now that we know

00:45.740 --> 00:47.975
that we are going to
attack a Windows machine,

00:47.975 --> 00:50.620
we created the open
using MSFvenom.

00:50.620 --> 00:52.990
Then we created another one

00:53.210 --> 00:56.270
to show you how to
evade protection

00:56.270 --> 00:58.299
tools using Unicorn.

00:58.299 --> 01:03.050
>> Then we move to
delivery where we went

01:03.050 --> 01:05.150
through social
engineering toolkit and

01:05.150 --> 01:07.715
sending an email using
social engineering toolkit.

01:07.715 --> 01:10.225
Now, on exploitation.

01:10.225 --> 01:13.825
The assumption is we're
attacking a Windows machine,

01:13.825 --> 01:17.840
the payload that we're
going to share or going to

01:17.840 --> 01:24.515
send will be delivered
using a human weakness,

01:24.515 --> 01:25.760
human vulnerability, using

01:25.760 --> 01:29.245
a social engineering technique

01:29.245 --> 01:32.000
to exploit that
weakness and then

01:32.000 --> 01:34.580
move on to installation.

01:34.580 --> 01:36.830
Today, we're going to
cover Phase four and five

01:36.830 --> 01:40.079
because in our example
they're kind of integrated.

01:40.210 --> 01:42.770
On exploitation, I like to

01:42.770 --> 01:44.645
call it the step where
the hacking begins,

01:44.645 --> 01:45.770
a lot of people disagree,

01:45.770 --> 01:49.850
but honestly speaking, when
we talk about hacking,

01:49.850 --> 01:52.745
the first thing you think
about is exploitation.

01:52.745 --> 01:54.710
It's just something
that I like to call,

01:54.710 --> 01:57.740
but it's not really agreed

01:57.740 --> 02:01.670
upon in the
cybersecurity industry.

02:01.670 --> 02:04.820
On exploitation, the
goal is to exploit

02:04.820 --> 02:08.430
weaknesses in the
victim's security.

02:08.870 --> 02:13.420
The idea here or what
we're doing here is

02:13.420 --> 02:19.130
we're targeting the weakest
link in any security chain,

02:19.130 --> 02:22.265
which is the human weakness.

02:22.265 --> 02:25.850
Human weakness is
often triggered,

02:25.850 --> 02:28.610
is often used during attacks.

02:28.610 --> 02:31.760
Social engineering and
phishing is one of

02:31.760 --> 02:36.080
the most famous ways
to exploit a system.

02:36.080 --> 02:39.725
What we're going to do is
we're going to send the link.

02:39.725 --> 02:41.210
Again, we're not going through

02:41.210 --> 02:43.420
the technicality of sending
a link; that was covered

02:43.420 --> 02:47.060
during delivery and

02:47.060 --> 02:48.709
using the social
engineering toolkit,

02:48.709 --> 02:52.085
one of the documents that
are available resources.

02:52.085 --> 02:56.015
However, the assumption
is a link is being sent,

02:56.015 --> 02:57.830
an email is being sent,

02:57.830 --> 02:59.210
a link is malicious.

02:59.210 --> 03:00.820
In this link, there's an iframe

03:00.820 --> 03:03.810
that automatically
downloads the payload.

03:04.820 --> 03:09.620
That's why I said
in our example,

03:09.620 --> 03:12.920
exploitation and installation
are working hand in hand.

03:12.920 --> 03:16.580
However, it's not uncommon

03:16.580 --> 03:19.550
for hackers to go
to Phase five, six,

03:19.550 --> 03:22.114
and then go back to Phase
five to get some more tools,

03:22.114 --> 03:24.170
go back to six,
and so on and use

03:24.170 --> 03:26.600
this malware that
we installed at

03:26.600 --> 03:33.020
the beginning to install
more and more tools.

03:33.020 --> 03:35.150
An example is installing Netcat,

03:35.150 --> 03:38.765
which we're going to
do before the end of

03:38.765 --> 03:47.705
the course to extract data
out of the victim's machine.

03:47.705 --> 03:52.165
Let's jump right
into our example.

03:52.165 --> 03:54.785
As I said, we're going to use

03:54.785 --> 03:58.480
MSF console, which
is Metasploit.

03:58.480 --> 04:03.470
Our goal is to
utilize the payload

04:03.470 --> 04:04.730
that we did together in

04:04.730 --> 04:08.270
the Phase two video
on weaponization.

04:08.270 --> 04:09.980
What we're going to do
is we're going to

04:09.980 --> 04:13.070
create the listener here,

04:13.070 --> 04:18.460
which is exploit multi handler.

04:18.860 --> 04:22.680
Here we're going to
create our payload.

04:22.680 --> 04:25.590
We said we're going to use

04:33.750 --> 04:37.090
windows/meterpreter/reverse_tcp.
Our lhost

04:37.090 --> 04:46.300
is 192.168.100.21.

04:46.300 --> 04:52.424
Our port is going
to be triple four.

04:52.424 --> 04:56.895
Just to verify,
let's show options.

04:56.895 --> 05:02.235
There you go, you have
your lhost, your lport,

05:02.235 --> 05:08.235
and our payload and our node.

05:08.235 --> 05:12.940
Let's start the listener.

05:13.000 --> 05:18.395
The listener is now
waiting for connectivity.

05:18.395 --> 05:20.960
What we're going to
do is we're going

05:20.960 --> 05:23.885
to jump to our Windows machine,

05:23.885 --> 05:29.330
which already has the link,

05:29.330 --> 05:32.510
which is basically hosted
on the same machine for

05:32.510 --> 05:37.100
the purpose of the course.

05:37.100 --> 05:40.235
Again, as you saw
basically as soon as I hit

05:40.235 --> 05:44.615
"Enter," I got this
doing this payload.exe,

05:44.615 --> 05:49.430
obviously, a more
successful attack

05:49.430 --> 05:52.610
would at least
not call it payload.

05:52.610 --> 05:55.070
I'm going to run it again for

05:55.070 --> 06:01.860
the purpose of achieving the
objective of the example.

06:03.410 --> 06:05.775
Now we go back,

06:05.775 --> 06:08.750
and that's all we want
from the victim machine,

06:08.750 --> 06:11.805
the Windows machine,
if we go back.

06:11.805 --> 06:15.360
You can see it changed a bit.

06:15.360 --> 06:20.745
Now we have one session open.

06:20.745 --> 06:25.085
Now I successfully exploited and

06:25.085 --> 06:30.085
installed a payload
on the victim's side.

06:30.085 --> 06:32.990
Okay, we went through

06:32.990 --> 06:36.035
installation and
exploitation in one session,

06:36.035 --> 06:37.640
I know there's a lot
of information here.

06:37.640 --> 06:39.530
I tried to make it as
simple as possible,

06:39.530 --> 06:41.930
however, to make sure that
we covered the whole thing.

06:41.930 --> 06:43.849
What is the difference between

06:43.849 --> 06:46.415
exploitation and installation?

06:46.415 --> 06:48.050
As I said, exploitation,

06:48.050 --> 06:50.090
we're trying to exploit
the system to get

06:50.090 --> 06:52.730
beyond the script controls,
and installation,

06:52.730 --> 06:54.245
what we're trying to do is to

06:54.245 --> 06:57.800
install malware or a
backdoor that would allow us

06:57.800 --> 07:03.080
to communicate with the
victim or the machine that

07:03.080 --> 07:06.455
we used during the exploitation

07:06.455 --> 07:09.270
to get inside the
victim's network.

07:09.270 --> 07:13.225
Second, true or
false: on exploitation.

07:13.225 --> 07:16.600
The purpose is to find a
vulnerability to exploit.

07:16.600 --> 07:19.510
Actually, this is
not really true

07:19.510 --> 07:22.360
because finding the
vulnerability and

07:22.360 --> 07:23.905
discovering the
vulnerability happens

07:23.905 --> 07:28.135
earlier during reconnaissance,

07:28.135 --> 07:29.320
and in weaponization,

07:29.320 --> 07:33.010
we create the tool or
the application or

07:33.010 --> 07:37.640
the payload that would
exploit that vulnerability.

07:37.640 --> 07:41.025
Finally, why is installation
an important step?

07:41.025 --> 07:43.215
As I said, from installation,

07:43.215 --> 07:44.570
we'll end the network.

07:44.570 --> 07:47.350
We need to have a successful
installation to be able to

07:47.350 --> 07:51.490
move on to the following steps.

07:51.490 --> 07:53.660
In the following two steps,

07:53.660 --> 07:55.040
we're going to use
the same tool.

07:55.040 --> 07:56.570
We're going to use the same,

07:56.570 --> 08:00.575
basically the meterpreter
session that we have.

08:00.575 --> 08:04.250
Then we're going to run
a number of commands on

08:04.250 --> 08:06.395
the victim's machine
to make sure

08:06.395 --> 08:10.620
that it is a successful attack.

08:10.760 --> 08:14.660
Today, we covered exploitation
and installation.

08:14.660 --> 08:19.300
We run a quote on the
victim's machine.

08:19.300 --> 08:22.220
We received a
connectivity session

08:22.220 --> 08:25.595
with the attacker's machine.

08:25.595 --> 08:27.485
In the next video,

08:27.485 --> 08:33.030
we will cover command and
control. See you then.

