Welcome to part three of this module. We'll be picking up right where we left off in the last video. If you're just joining us, please keep in mind that while I try to keep all videos as standalone whenever possible, this entire module is dedicated to the Metasploit framework and Armitage, and as such is intended to be watched in the order presented.

In the last video we went deeper into what modules actually are and where they exist in the Kali operating system. Now we're going to be looking at some practical examples of how to use them within the Metasploit framework.

Before we begin, it is required that I remind all those watching these videos to never use this or any other tool or technique shown here against any system that you don't personally own or have written permission from the owner to penetration test.

For this demonstration we'll be using a Metasploitable 2 virtual machine, which we'll be running on the network like so. We're going to use the ifconfig command to grab the IP address of the Metasploitable machine on the network and use that address in Kali when we target our modules. In this case it's under the heading inet addr: 10.0.0.11. Yours may vary.

Now it's worth repeating here that in order for this to work you need to make sure that under your virtual machine settings, under Network, the adapter is set to Bridged Adapter.
If your adapter says NAT, this process won't work, because in that instance both Metasploitable 2 and the Kali machine that you're running will have the same network IP address, meaning you won't be able to target the Metasploitable machine from within Kali. Of course, if you're running Kali off a dedicated partition or a USB device with persistence, this may not be an issue. If you change to Bridged Adapter, please remember to restart all of your virtual machines so that the change actually takes effect.

And just a little aside here before we begin. This is one of those joke banners I was mentioning that tends to confuse people. See, we are supplied here with what appears to be an error message telling us "kernel panic, attempted to kill the idle task, swapper not syncing, killing interrupt handler." This is a joke, and it can confuse some inexperienced users, so there's nothing wrong with your Metasploitable machine if you see something like that on the startup banner. Anyway, let's get started.

OK, we've reached a point in this class where we will be going over some old ground. Specifically, we'll be using nmap within the Metasploit framework to spot open ports and then run a scan against those ports using a scanner found in the auxiliary modules.
There are already videos in this class which will go into great detail about the use of nmap and, I dare say, present you with better ways to pin down vulnerabilities in a target system than what you're about to see here. If you haven't watched these videos yet, I suggest going back and having a look. However, it isn't required. We can proceed without them, but I'm not going to give a full blown explanation of how nmap works here because it really is ground that we've already covered.

I also need to make a comment at this point, and this will be somewhat opinionated and controversial, so take it with a grain of salt. We've already covered information gathering and reconnaissance, and if you've been following along with these videos in order you should have a pretty good idea by now of how to spot vulnerabilities on a system. The modular nature of Metasploit means that we have tools within the framework for doing this very thing. So which method is superior? Does it make more sense to scan a target for ports and vulnerabilities using a tool like, say, Sparta? Or is it better to stick to tools within Metasploit itself, such as the scanners that are going to be presented in the auxiliary modules section? This is ultimately a matter of personal preference.
It is entirely possible to use only Metasploit every step of the way, but in my case, whenever I launch Metasploit I'm already past the information gathering phase of my pen test. This is something you'll have to determine for yourself through experience.

So to begin with, let's perform a basic, bare bones nmap port scan. To that end, let's pretend like we have a target, which in this case is going to be the IP address of the Metasploitable 2 virtual machine. We do this exactly as we would in the normal terminal window: nmap -sT 10.0.0.11. So this is just the basic scan, nothing fancy. We initiate a three way handshake with the -sT switch and have a look at our target. Since the target is Metasploitable 2, we'll get a lot of open ports returned back to us rather quickly. You can see all the ports that are open. We have FTP, SSH, HTTP, telnet and so on and so forth. And that's great. It is the nmap that we know and love, within the Metasploit framework. No real surprises here. Again, please see the video dedicated to nmap if you have any questions about how to use the tool itself.

I suppose, since we're pretending our target is real, we should do a stealth scan, since a real target might have a firewall, and we can do that just like normal, which is to say exactly as if we were running it in the normal terminal window. We'll do nmap -sS, supply our IP address, and again it should come up pretty fast. With a real target or a range of targets this process might take a little bit longer, and of course VirtualBox tends to be a little slow anyway. But what matters here is that one way or another we are able to achieve a list of open ports at the end of the day. It doesn't matter how you get this information. Once we have at least one open port we can proceed to the next step.

Now we can use the auxiliary modules that come with Metasploit, assuming we haven't already gained this information through other tools. Remember that the auxiliary modules contain many built in scanners which are considered to be information gathering tools. Metasploit really is a Swiss army knife of pen testing tools. We'll use the SSH scanner for this demonstration, although any of the scanning tools will work, and they all tend to work in Metasploit the way you expect them to.
One exception is I found that it is difficult to export Excel files using nmap from within Metasploit, and there may be a few other little quirks. It is best, at least to start out, that you use a scanner for a service indicated to be running based on the open ports on your target system. Just bear in mind that some system administrators like to mix things up, and just because a particular service runs on a particular port by default doesn't mean it will use that port on your target system. And this can get a little confusing.

So nmap has detected that port 22 is in an open state, so we can be reasonably certain that SSH is using it. So our goal here is going to be to use an SSH scanner found in the auxiliary modules to determine which version of SSH the target has in operation, so that we can later find a suitable exploit to use against it. We aren't quite running yet, but we are working up to a brisk jog, so let's get started.

Before we can run the scanner we have to find it. So for that we're just going to use the search command. So we'll do search ssh_version. Now it should come up pretty quickly. If you get a message telling you that the module database cache is not built yet and that your searches are slow, please go back to the first video and use the optional commands provided to rebuild the cache, and that should speed things up for you.

So we don't need fuzzers right now. We need the auxiliary scanner, so for that, to utilize that, we're going to use the use command, somewhat redundant, sorry: use auxiliary/scanner/ssh/ssh_version. You also could have copy pasted that if you didn't feel like typing it. And there we go, it comes right up. The prompt has now changed from just msf to include the scanner name in red, which means that it is ready to use. Of course, ready to use does not actually mean properly configured, so we'll have to use our show options command to supply the scanner with the target data that it needs. This is very simple. If you recall, we just use the set command. So we're going to set the RHOSTS field to include our current target, which is the IP address of the Metasploitable machine. RHOSTS. There we go. And now I suggest setting the threads to something high, although not too high. It depends on your system specifications. For this demonstration I think we'll probably be okay setting THREADS to about 75. Notice our data is now all entered. Excellent.
Now, a common mistake people make here is that they get excited and they type exploit, and they wonder why the module doesn't work. The exploit command is really only for launching the actual exploit. This module is considered information gathering, so for this we're simply going to type run, and right away we get a lot of information in the return field. We can see the SSH version number, 2.0. We can see what the Linux OS version number is, et cetera, et cetera. And this is valuable information for the exploitation stage, which is coming next.

And there are a lot of other things that you can do in terms of information gathering, such as FTP scanners, banner grabbing and so on, much of which we've seen in prior modules. Generally speaking, Metasploit always has a tool buried somewhere in the auxiliary modules category to help you along with this information gathering process. It really is a standalone tool, but as you can see, the way it presents you with information is maybe not as pretty as some of the more streamlined information gathering tools out there. Please understand I'm not trying to rag on the tools that Metasploit provides for this. In fact, there may be circumstances where using these scanners within Metasploit is the more sensible choice, on that junky little laptop I got for some of these demonstrations, for example.
It is a 32 bit operating system with only 2 gigs of RAM and a single core processor that would make a Commodore 64 look brisk by comparison. Programs like Sparta and Zenmap and even GoLismero are major resource hogs and don't function well, whereas msfconsole works very smoothly. This would also be true perhaps on a system like a Raspberry Pi or a CHIP, where it's very small and resources are in short supply.

So real quick, just to make sure the idea of how this works is clear, let's go ahead and do another one. We'll do search ftp_versions, whoops, I'm sorry, that's ftp_version. My apologies. So let's pretend that we didn't detect an open SSH port but that there is an open FTP port. So for that we'd use an FTP scanner. So we'll do use auxiliary/scanner/ftp/ftp_version and we'll do show options. Same as before, we're going to set RHOSTS to our target, and we don't know the FTP password or user name, so we'll just leave those as they are for right now. Again, this is where a program like Sparta comes in handy, not to belabor a point. And we'll set THREADS to 75, all right, and we'll go ahead and run it. And we were able to grab the banner that time. Wonderful. All right, so that pretty much covers it.
You can use scanners within Metasploit and even nmap itself, or you can do your information gathering with other tools before you even load up msfconsole, or both. It really is up to you, and as you practice and improve you'll learn what works best for you. Remember that almost any Windows operating system is likely to have at least one or two unpatched vulnerabilities or key applications that are not up to date, and contrary to what people say, this is often true of Linux as well, just not as often. Be patient and be persistent, and remember, practice makes perfect. We're almost to the point of using this information for real exploits, so I hope this was all clear and we'll pick up in the next video. Thank you.