1
00:00:02,700 --> 00:00:07,500
Get acquainted with the former Metasploit module that is not included in BackTrack and must be installed

2
00:00:07,500 --> 00:00:14,300
manually. db_autopwn was included only in the third version of Metasploit.

3
00:00:14,310 --> 00:00:16,920
Now it's an independent module.

4
00:00:16,960 --> 00:00:19,110
It is in fact a Perl script.

5
00:00:22,520 --> 00:00:29,620
Such a script can easily be adjusted to the newest Metasploit version and quickly implemented.

6
00:00:29,680 --> 00:00:37,120
Let's see what options it gives. Metasploit is a framework often used for security testing.

7
00:00:37,500 --> 00:00:42,900
It includes a database of known software vulnerabilities which is updated on a regular basis.

8
00:00:46,670 --> 00:00:51,950
The parameter option which the script offers allows you to select well-known exploits stored in the

9
00:00:51,950 --> 00:00:58,560
database. The selection is based on the information about the victim's computer we've managed to collect.

10
00:01:00,720 --> 00:01:08,290
It will then try to execute those exploits on a designated remote host. The parameter option

11
00:01:08,290 --> 00:01:11,650
will additionally force the remote host to make a callback connection.

12
00:01:11,680 --> 00:01:13,630
If the whole operation is successful,

13
00:01:16,240 --> 00:01:18,130
this will establish a connection session.

14
00:01:20,830 --> 00:01:27,840
The parameter option initiates the scanning of all hosts saved in the database. Now you can see what

15
00:01:27,850 --> 00:01:29,260
the full command should look like.

16
00:01:34,340 --> 00:01:36,980
Having executed this command,

17
00:01:37,050 --> 00:01:42,750
you can watch individual exploits being sent to open ports of the target computer with the IP number

18
00:01:42,750 --> 00:01:47,970
ending in 115. Scanning the victim's computer,

19
00:01:48,060 --> 00:01:51,440
we've learned which ports are open and what services are listening on them.
20
00:01:54,680 --> 00:02:01,970
If the services are not updated, which in turn makes them vulnerable to any of the 108 exploits, the remote

21
00:02:01,970 --> 00:02:03,960
host will make a callback connection.

22
00:02:05,190 --> 00:02:11,740
This will give us full control over.

23
00:02:11,790 --> 00:02:15,130
Now we're waiting for all the exploits that were sent to have been executed.

24
00:02:17,410 --> 00:02:20,560
The following piece of information is particularly important.

25
00:02:23,200 --> 00:02:25,810
The remote computer has made a callback connection.

26
00:02:26,860 --> 00:02:32,060
This means it was vulnerable to at least one of the security loopholes.

27
00:02:32,110 --> 00:02:39,950
The situation exemplifies a principle we mentioned in previous modules.

28
00:02:40,160 --> 00:02:43,190
It's much easier to attack a computer system than to defend it:

29
00:02:48,490 --> 00:02:55,470
the attacker wins if she finds only one weak point in the system; the defender must make sure that his

30
00:02:55,470 --> 00:02:58,550
system is protected against all kinds of attacks.

31
00:03:00,350 --> 00:03:04,070
In our demonstration one vulnerability has been detected.

32
00:03:06,500 --> 00:03:12,850
After the last exploit is executed we'll get back to Metasploit and be able to list all the active sessions.

33
00:03:15,220 --> 00:03:20,970
The list will include the session with the loophole we mentioned. We'll be able to switch to that session

34
00:03:21,030 --> 00:03:23,620
and execute a program on the victim's computer.

35
00:03:25,090 --> 00:03:31,780
We'll also be able to find out what privileges the program has. If the program is running with

36
00:03:31,780 --> 00:03:37,320
administrator or system privileges, it will give the attacker full control over the remote system.
37
00:03:38,860 --> 00:03:44,200
The complete attack procedure consisted of only typing three instructions, provided that Metasploit has

38
00:03:44,200 --> 00:03:46,110
been configured to use the database.

39
00:03:50,950 --> 00:03:57,240
We have already learned that a session is established; therefore we will terminate the last module of

40
00:03:57,240 --> 00:04:05,750
the procedure and check active sessions.

41
00:04:05,780 --> 00:04:11,780
We see that a session with the remote computer is established. Later on we will have the opportunity

42
00:04:11,780 --> 00:04:15,210
to break into remote computers and harvest information from them.

43
00:04:16,380 --> 00:04:20,010
Now we will connect to the active session.

44
00:04:20,020 --> 00:04:28,810
Next we will try to connect to the remote system. As you can see, it's Windows XP; we've recognized the system.

45
00:04:28,810 --> 00:04:30,600
Now let's try to run something on it.

46
00:04:33,090 --> 00:04:38,880
After connecting to the system we're able to see the processes running on the victim's computer.

47
00:04:40,650 --> 00:04:45,740
One of the names signifies the calculator application which we've remotely started.

48
00:04:45,790 --> 00:04:48,180
Note that it's running with system privileges.

49
00:04:49,470 --> 00:04:52,730
This means we have full control over the remote host.

50
00:04:52,890 --> 00:04:54,750
There's nothing that we could not do.

51
00:04:56,520 --> 00:05:03,380
Regardless of the user logged in at the moment of attack, we have acquired maximum privileges.

52
00:05:03,490 --> 00:05:05,290
We've seen that from the transport layer

53
00:05:05,410 --> 00:05:11,920
it's very easy to gather information about computer configuration and running services, even system services.