1 00:00:00,450 --> 00:00:03,730 Welcome to part two of this module. 2 00:00:03,830 --> 00:00:09,970 We are going to continue with our introduction to Metasploit, and for those of you just joining us I will 3 00:00:09,970 --> 00:00:17,110 quickly reiterate that for this particular module it is very important to watch each video in the order 4 00:00:17,110 --> 00:00:19,120 in which they are presented. 5 00:00:19,120 --> 00:00:27,100 While we do try to keep each video a single standalone presentation, it isn't always possible or desirable 6 00:00:27,100 --> 00:00:34,330 for more complex applications, and Metasploit is a subject that warrants an entire module dedicated 7 00:00:34,330 --> 00:00:35,650 to it. 8 00:00:35,650 --> 00:00:42,250 We are going to be picking up where we left off in the last module because it is so critically important 9 00:00:42,280 --> 00:00:44,450 to understand before we proceed. 10 00:00:44,470 --> 00:00:49,660 I'm going to be speaking a bit more about the nature of modules and showing you where they live on your 11 00:00:49,660 --> 00:00:51,490 Kali installation. 12 00:00:51,490 --> 00:00:53,950 This is vital for many reasons. 13 00:00:53,950 --> 00:01:00,070 So please be patient even if this does seem slightly redundant with what you've already learned. 14 00:01:00,130 --> 00:01:07,360 We touched upon what modules are very briefly in the last video, but the purpose of that presentation 15 00:01:07,360 --> 00:01:13,090 was to take you through the basic interface of Metasploit and get you comfortable with the simplest 16 00:01:13,090 --> 00:01:15,850 examples of the command structure. 17 00:01:15,850 --> 00:01:20,940 Now it is time to understand the components and how they all work together.
18 00:01:20,950 --> 00:01:27,250 I recommend following along on your own system, since it is often easier to learn and retain information 19 00:01:27,460 --> 00:01:35,440 by doing rather than just watching, and I have to admit this won't be an overly exciting video in terms 20 00:01:35,440 --> 00:01:36,640 of examples. 21 00:01:36,820 --> 00:01:42,350 As I said at the end of part one, we have to learn to walk before we can run. 22 00:01:42,400 --> 00:01:44,290 So let's get started. 23 00:01:45,200 --> 00:01:52,550 We'll begin by loading up msfconsole, although we won't really be spending much time in it until the 24 00:01:52,550 --> 00:01:53,760 next video. 25 00:01:53,810 --> 00:01:59,960 While this loads I'll explain a few things that I only glossed over before. When Metasploit opens, 26 00:01:59,960 --> 00:02:06,530 it shows us the types of modules: the exploits, the payloads, the auxiliaries, the encoders, the NOPs and 27 00:02:06,530 --> 00:02:07,850 the post. 28 00:02:07,850 --> 00:02:11,180 We did touch on these briefly in the last video. 29 00:02:11,210 --> 00:02:16,310 In total we have six categories of modules within the Metasploit architecture. 30 00:02:16,310 --> 00:02:24,590 The basic structure is that the six modules are categorized, which is then superseded by msfconsole 31 00:02:24,620 --> 00:02:29,660 or the Metasploit Framework itself, which is then superseded by the core, 32 00:02:29,690 --> 00:02:32,200 and finally by the libraries. 33 00:02:32,210 --> 00:02:37,970 This means that we have our command line interface, which we can access from any prompt and which often is 34 00:02:37,970 --> 00:02:41,070 accessed by other applications that utilize it. 35 00:02:41,120 --> 00:02:44,840 We have msfconsole, which we are now in. 36 00:02:45,020 --> 00:02:51,230 And finally we have the graphical user interface, or Armitage, which we'll be looking at a little further 37 00:02:51,230 --> 00:02:53,070 down the line.
38 00:02:53,120 --> 00:03:01,970 Alright, now it is critically important to understand where these modules are stored, not only to grasp 39 00:03:01,970 --> 00:03:08,130 the architecture but also because we may want to update them or edit them in the future. 40 00:03:08,630 --> 00:03:18,110 So we'll just go ahead and open up a second terminal window to serve for this demonstration, so cd /usr/ 41 00:03:18,770 --> 00:03:22,430 share/metasploit-framework 42 00:03:25,250 --> 00:03:32,070 and if we list the files here we can see that there is a subdirectory called modules. 43 00:03:32,070 --> 00:03:36,840 Our next step is going to be to cd into this folder and see what we have installed 44 00:03:40,890 --> 00:03:42,410 and if we list the files in here 45 00:03:42,410 --> 00:03:47,550 we can see that it is further divided into the six categories that were mentioned earlier: 46 00:03:47,550 --> 00:03:52,770 auxiliary, encoders, exploits, nops, payloads and post. 47 00:03:52,770 --> 00:03:59,030 The main point here is to understand the file directory structure and how it is all sorted. 48 00:03:59,130 --> 00:04:06,060 If we drill down further into a particular module type, let's start with exploits. Exploits are really our 49 00:04:06,060 --> 00:04:07,300 bread and butter. 50 00:04:07,350 --> 00:04:15,330 These are bits of code that take advantage of a weakness on a target system. 51 00:04:15,430 --> 00:04:23,530 So if we open the directory and list out the files we can see subcategories for all the types of exploits 52 00:04:23,530 --> 00:04:31,390 that we currently have, sorted in terms of the operating system that contains the particular vulnerability. 53 00:04:31,390 --> 00:04:41,290 For example we have android for Android operating systems, linux, unix, solaris, Apple OS, windows, et cetera 54 00:04:41,290 --> 00:04:42,370 et cetera.
55 00:04:42,400 --> 00:04:49,630 We also have exploits for things like Firefox listed here as well, because Firefox is a cross-platform 56 00:04:49,630 --> 00:04:52,900 browser used on many of these systems. 57 00:04:52,960 --> 00:04:58,660 Pretty much any set of exploits that would be used for an application that is cross-platform would 58 00:04:58,660 --> 00:05:01,920 be located here alongside the operating systems. 59 00:05:01,930 --> 00:05:04,660 Let's say that we're trying to target Windows. 60 00:05:04,660 --> 00:05:14,530 We can do cd windows, and as we can see we have a lot of further subdirectories sorted into the forms 61 00:05:14,530 --> 00:05:15,930 of vulnerabilities. 62 00:05:15,940 --> 00:05:26,560 For example mysql, ftp, postgres, ssh, ftp, you get the idea. It is worth pointing out that the syntax 63 00:05:26,560 --> 00:05:30,370 for the search command always follows this structure. 64 00:05:30,370 --> 00:05:38,350 So as we saw in the first video, if we were to look for a Windows Adobe exploit we would phrase it as 65 00:05:38,350 --> 00:05:48,410 follows within msfconsole: search type:exploit platform:windows 66 00:05:48,430 --> 00:05:58,430 flash, and that tells Metasploit to look in the exploit folder, the windows subfolder, and search 67 00:05:58,430 --> 00:06:05,580 out and list everything flash related. So this has been one type of module. 68 00:06:05,830 --> 00:06:08,550 Let's back out of here and see what else we have. 69 00:06:12,530 --> 00:06:16,950 The next type of module that we have is payloads. 70 00:06:16,970 --> 00:06:21,030 These are files that are left on the exploited system. 71 00:06:21,170 --> 00:06:27,030 Simply speaking, they give the attacker access or control over the system. 72 00:06:27,110 --> 00:06:34,040 They are sometimes universally called rootkits, although this isn't strictly speaking always accurate.
73 00:06:34,070 --> 00:06:41,720 Many payloads do indeed allow an attacker remote access, but not all of them work like that. Payloads 74 00:06:41,750 --> 00:06:49,730 allow the attacker to own the system they are left in. We'll cd into payloads to drill down a little 75 00:06:49,730 --> 00:06:58,100 deeper and see what we have. Payloads is further divided into three directories: singles, stagers and stages. 76 00:06:58,280 --> 00:07:05,630 Singles are like small bits of code that are usually designed to take one single action on the target 77 00:07:05,630 --> 00:07:12,920 system. Stagers, on the other hand, are used to create a line of communication between the attacker and 78 00:07:12,920 --> 00:07:17,390 the target, which is often used to deliver other payloads. 79 00:07:17,480 --> 00:07:24,920 Stages are very large payloads that can give the attacker the aforementioned control over the target, 80 00:07:25,460 --> 00:07:34,550 for instance through Meterpreter sessions, VNC, reverse shells and so forth. Singles are very small 81 00:07:34,640 --> 00:07:42,260 things like keyloggers, for example; stagers create communication between the attacker and the 82 00:07:42,260 --> 00:07:50,370 target; and stages are what give the attacker control over the target. So hopefully that makes sense.
83 00:07:51,050 --> 00:08:00,140 One last thing I want to add is that, as I said, not all stages are remote access. The most dangerous from 84 00:08:00,140 --> 00:08:07,400 a security point of view are those that sit on a system long term like a sleeper agent, never setting 85 00:08:07,400 --> 00:08:15,200 off any alarms and keeping a system compromised in very subtle ways. While your average hacker might 86 00:08:15,200 --> 00:08:22,580 go for direct control over a system, that sort of thing often gets detected sooner or later. Higher level 87 00:08:22,580 --> 00:08:29,960 groups like intelligence agencies prefer to create a point of compromise that allows them to maintain 88 00:08:29,990 --> 00:08:35,440 a very subtle presence on a network over a long period of time. 89 00:08:35,480 --> 00:08:42,050 This can obviously get really, really complicated and it is quite a deep subject, but for now it is enough 90 00:08:42,050 --> 00:08:45,000 to understand basically what these are. 91 00:08:45,140 --> 00:08:53,210 So we'll go back once again and take a look at the other types of modules, 92 00:08:58,340 --> 00:09:02,630 so change directory into auxiliary and list it out. Right away 93 00:09:02,660 --> 00:09:06,790 we can see that it is further sorted into some very interesting things: 94 00:09:06,950 --> 00:09:14,910 scanners, spoofers, crawlers, parsers, sniffers, fuzzers and DoS stuff, et cetera. 95 00:09:14,960 --> 00:09:22,040 The primary use of the auxiliary modules is to scan the target and detect vulnerabilities, which you can then 96 00:09:22,040 --> 00:09:30,260 leverage using exploits to drop a stager to allow you to then drop a larger payload. 97 00:09:30,260 --> 00:09:41,950 Another way of describing this category might be to call it miscellaneous. So now we'll head back again. 98 00:09:42,160 --> 00:09:47,270 Next up we have the encoders, and these are more or less what you think they are. 99 00:09:47,470 --> 00:09:52,570 The encoders are used to re-encode packages and exploits.
100 00:09:52,570 --> 00:09:57,350 They're used to get past security systems such as antiviruses. 101 00:09:57,580 --> 00:10:03,860 Another term for encoder is often crypter, although they aren't completely the same thing. 102 00:10:03,910 --> 00:10:09,520 The encoder's job is to take a payload that an antivirus would detect as hostile, 103 00:10:09,790 --> 00:10:15,550 let's say a rootkit for example, and make it look innocent so that it slips past detection, 104 00:10:20,640 --> 00:10:23,630 so this shouldn't look too confusing at this point. 105 00:10:23,640 --> 00:10:31,600 Here we have the same subcategories, and as we dig a little further, let's do x64, 106 00:10:36,010 --> 00:10:42,100 we can see the code files for the specific modules themselves within this category, and they all have 107 00:10:42,340 --> 00:10:44,730 the .rb on the end. 108 00:10:44,740 --> 00:10:49,540 Now if you have the expertise you can edit many of these files. 109 00:10:49,570 --> 00:10:54,940 I don't really recommend it unless you are very confident that you know what you're doing, but it is 110 00:10:54,970 --> 00:11:02,260 also important to remember that if you acquire a new module you can just drag it into the proper directory. 111 00:11:02,290 --> 00:11:09,840 For example, let's say that you download some promising new exploits from a trustworthy source. 112 00:11:09,970 --> 00:11:14,920 You just stick them into the appropriate subdirectories of the exploits folder and then they should 113 00:11:14,920 --> 00:11:20,320 come up and be accessible when you look for them in msfconsole. 114 00:11:20,560 --> 00:11:28,330 Of course, do your due diligence and make sure you only download new modules from trustworthy sources. 115 00:11:28,330 --> 00:11:35,110 There are many groups online that produce unofficial modules for Metasploit, as new exploits are being 116 00:11:35,110 --> 00:11:37,090 discovered almost daily.
117 00:11:37,090 --> 00:11:42,700 And of course you can always get more when you update, which you should be doing fairly regularly. 118 00:11:42,700 --> 00:11:49,000 The key thing to take away here is that you have many options for encoders and you want to use an encoder 119 00:11:49,000 --> 00:11:51,700 that is appropriate to the target system. 120 00:11:51,730 --> 00:12:01,390 x86, for example, would be for 32-bit operating systems, x64 for 64-bit, and so on. Modules will sometimes 121 00:12:01,390 --> 00:12:08,560 tell you which encoders are recommended, but there may be times when the encoder or the encoders that 122 00:12:08,560 --> 00:12:12,880 Metasploit recommends are not really the correct choice. 123 00:12:12,880 --> 00:12:17,950 In these instances you'll have to find the ones you want to use yourself, and they all pretty much live 124 00:12:17,950 --> 00:12:18,490 here. 125 00:12:19,760 --> 00:12:28,350 This really all does get quite a lot easier once you understand how all of this is divided and structured. 126 00:12:28,410 --> 00:12:30,030 Next up, NOPs. 127 00:12:33,070 --> 00:12:37,410 NOPs are a little hard to explain. 128 00:12:37,560 --> 00:12:42,040 A NOP is more commonly known as a no-operation. 129 00:12:42,040 --> 00:12:43,510 Essentially what they are, 130 00:12:43,510 --> 00:12:50,680 for those of you who have done a lot of programming in machine language, is an instruction to the system 131 00:12:50,680 --> 00:12:58,060 microprocessor or CPU causing it to do nothing for an entire clock cycle. 132 00:12:58,090 --> 00:12:59,320 What is the point of that, 133 00:12:59,320 --> 00:13:02,690 I hear you ask, and how will this help us? 134 00:13:02,800 --> 00:13:09,670 Well, NOPs are very good for getting a system to perform in a certain way or execute certain files at 135 00:13:09,670 --> 00:13:14,520 certain times after you have already exploited a buffer overflow. 136 00:13:14,710 --> 00:13:17,290 They have other potential uses as well.
137 00:13:17,320 --> 00:13:23,140 You really don't have to worry about them at this stage of the game because we may be coming back to 138 00:13:23,140 --> 00:13:24,090 them later. 139 00:13:24,130 --> 00:13:30,550 A lot of people who use Metasploit don't tend to take NOPs seriously because for many exploits they 140 00:13:30,550 --> 00:13:32,620 simply aren't necessary. 141 00:13:32,650 --> 00:13:37,030 However, true masters of Metasploit may get a lot of mileage out of them. 142 00:13:37,060 --> 00:13:39,690 It really all depends on what you're doing. 143 00:13:40,760 --> 00:13:49,050 Again we can browse into nops, and it's the same type of deal here, subdivided and sorted into multiple 144 00:13:49,050 --> 00:13:50,470 architectures. 145 00:13:50,730 --> 00:13:57,180 Right now all you need to know is that NOPs are mainly for exploiting buffer overflows and come 146 00:13:57,180 --> 00:13:59,860 in handy for more complex operations 147 00:14:00,000 --> 00:14:06,120 when going against very tightly defended systems, but you really don't need to stress about understanding 148 00:14:06,120 --> 00:14:07,040 them right now. 149 00:14:12,670 --> 00:14:19,060 So we've looked at all these module categories and they all provided us with many different ways of 150 00:14:19,060 --> 00:14:20,720 getting into a system. 151 00:14:20,740 --> 00:14:24,970 Last but not least we have post, or post-exploitation. 152 00:14:25,210 --> 00:14:30,260 These are going to be used after a system has been exploited. 153 00:14:30,340 --> 00:14:37,600 They allow you to perform extra pieces of functionality once you've gained access. In penetration testing 154 00:14:37,600 --> 00:14:42,340 terms, they allow you to carry out further attacks on a system
155 00:14:42,340 --> 00:14:50,190 after that system has been owned. These can be things like keyloggers, spying on the webcam, hacking 156 00:14:50,190 --> 00:14:55,990 a microphone, opening the CD drawer, or anything else you can really think of. 157 00:14:56,110 --> 00:15:01,370 Again, everything here is subdivided into the operating system of choice. 158 00:15:01,480 --> 00:15:09,700 So if we do cd windows, just for example, again we have our different categories: capture, escalate, which 159 00:15:09,700 --> 00:15:17,530 is privilege escalation, gather, which has your keyloggers, manage, recon, wlan. Let's open up gather. 160 00:15:20,180 --> 00:15:26,060 As you can see there is a lot of stuff in here, and that is of course because Windows is the most vulnerable 161 00:15:26,060 --> 00:15:28,990 operating system ever created by human beings, 162 00:15:29,060 --> 00:15:36,070 with the possible exception of Metasploit. Each one of these does something interesting; for 163 00:15:36,070 --> 00:15:46,640 example this one allows you to enumerate the Windows product key and deactivate the Windows authentication 164 00:15:46,640 --> 00:15:53,630 protocol on the computer after deleting the key, which is a really mean way to force your Windows-using 165 00:15:53,630 --> 00:16:02,330 friends to make the move over to Linux, and oh, what's this? 166 00:16:02,390 --> 00:16:11,480 This is a new one. I'll have to make a note of that one, but I'm sure none of my students would be even 167 00:16:11,480 --> 00:16:14,350 the slightest bit interested in a module like that. 168 00:16:14,390 --> 00:16:16,990 So, moving right along. 169 00:16:17,000 --> 00:16:25,850 OK, so looking back to summarize, we have our auxiliary, encoders, exploits, nops, payloads and post. 170 00:16:25,850 --> 00:16:32,270 I hope you now understand more clearly what these are and have at least a general idea of how they are 171 00:16:32,270 --> 00:16:33,910 all structured.
172 00:16:33,920 --> 00:16:39,800 This may have been a boring video, but if you can understand this stuff then using Metasploit really 173 00:16:39,800 --> 00:16:41,560 will be a breeze. 174 00:16:41,570 --> 00:16:47,780 We are still learning to walk, but we're moving our way up to a run, and I want to thank you for your 175 00:16:47,780 --> 00:16:48,530 patience.