Welcome to part four of this module. We'll be picking up right where we left off after the last video. So if you're just joining us, please consider watching all videos in this module in order. Now it's time to get into some basic exploitation. We've been through the lengthy explanation of what everything is, so let's see a system actually get penetrated. Imagine the following scenario. We have just gained access to the local network, perhaps by cracking the router password. So let's hack another system on that network. Remember, this could be any network that we've broken into, or it could be a public Wi-Fi, like a coffee shop or something. So once again our target is going to be the Metasploitable 2 virtual machine. But don't worry, we'll be getting to Windows examples very soon. To save time, I've already gone ahead and loaded up the MSF console, because by now I trust that you all know how to do that. And because this video was not recorded immediately after the last, I'm going to run Zenmap to refresh our list of open ports. If you'd like more information on Zenmap, please see the video dedicated to it. And your IP range may of course vary, so if you aren't sure, just use the ifconfig command to see what your network has assigned you, and then use the netdiscover command to find other machines on the network, as has been shown.
Okay, so we have a nice long list of open ports. So what do we need to do first? Well, the first thing we need to do is know what service we are attacking. In this case we're trying to attack port 21, the FTP port. We can see from our scan that our target is running vsftpd version 2.3.4, which is a version of the service that is extremely vulnerable. We know our target IP and we know the point of compromise that we are attacking. So now we just need to run the right exploit. If you've been following along, the syntax should hopefully look pretty familiar to you by now. Let's use the search command to bring up an exploit suitable for the point of attack that we've chosen. Generally speaking, Metasploit has a wide range of exploits available, but if you run into a machine that is fully up to date and Metasploit seems to be lacking an exploit for it, be sure to do some checking around online; you may be able to find one and update on the fly. So we do our search, and from here it is very simple to go off the information that we have. We know that it's version 2.3.4, but we'll just search for vsftpd and see what comes up, and our exploit comes up right away.
Now again, if you get a message saying that your module database cache is not built yet and your search ends up taking forever, please use the optional commands provided in the first video to sort this problem out. If worse comes to worst, you can also reinstall Metasploit, although that shouldn't be necessary. I know that some older systems, particularly 32-bit versions of Kali, seem to have a little bit of trouble with the database cache, and I'm really not too sure why that is. But this shouldn't be an issue that will affect many of you, not in this day and age. Also, as a side note, even though we are only seeing a single result from this current search, it is not unusual to pull up a rather long list of possibilities. If this happens, don't panic. Unless you have some specific reason to use a particular exploit, and in some cases you might, I recommend that you go with the exploit's ranking. This one on our screen right now is ranked excellent, so we can be pretty confident that it is going to work well for us. The ranking is more important than you might think at first glance. When you are in the comfort of home or sitting in an office with virtually unlimited time to conduct a sanctioned penetration test, you can afford to spend time studying the various exploits and figuring out which one you want to use. Sometimes, though, you can't afford to sit there and dilly-dally.
Particularly if systems are coming and going off a network frequently. Now obviously it is best to know what each exploit you're using actually does and how it works whenever possible. But if push comes to shove, it's best to just go with whatever is ranked highest. I also need to quickly mention: if you watched the video dedicated to Nmap, then you know that ports can have additional states beyond just open and not open. It is sometimes possible to attack ports in the more advanced states such as filtered. Determining whether or not this is possible for a particular service is outside of the scope of this current video, but just bear that in mind if all else fails and you aren't sure. It usually doesn't hurt to try. So this is the exploit that we're going to be using. Under matching modules it has found one, and in the path presented we can see that it is a Unix exploit for FTP and that it is a type of backdoor. We can also see that this specific exploit exactly matches what we're looking for, which is fantastic. This exploit, as I said, is a backdoor. We can see it was disclosed in 2011, so it is a very old vulnerability, and backdoors are essentially what you think they are. They allow us to obtain backdoor access to a target computer. Let's use it.
What we're gonna do is we're going to highlight the name. We could just type it out, but we'll copy it, and then we're going to use the use command and we'll paste in the exploit name. Easy as pie. And now that the exploit is all loaded up and displayed in red, we know that it's basically ready to use. You've seen this before, but repetition helps with the learning process, and the next part is very important. The first thing to do with any exploit is to do show options. There we are. These are the options that are available for this exploit. Let's go through this step by step. Different exploits and different modules have different options that you can customize depending on the attack vector. In this case we have RHOST, which is the IP address or target IP that we will set to tell the module what we are aiming our exploit at. And then we can set the RPORT, which in this case is port 21. Keep in mind, and this is very important: if a port is incorrectly configured by default, or if an administrator does some shenanigans to change which port certain services work on, you may need to manually change the setting. This strategy of security by obscurity really doesn't work.
As I've mentioned before. But it does throw off beginners, depending on what kind of scan you run and how you run your scan during the information gathering phase. Port 21, for example, might come up and be listed as FTP, but unless your scanner is configured to actually check, it may just assume that port 21 is FTP when it is actually something else. I've seen this happen. What I've never actually seen happen, although I've heard about it, is some system admins who like to run dummy services on ports that are obviously points of attack, which act like tripwires to alert them of hacking attempts. This sort of thing comes up a lot in the movies, rarely in real life, but it can be done. So just be aware of it. It is also important to spend some time during the information gathering phase of a penetration test to make sure what's what. Now we need to set the RHOST. We've seen this before. It's just set RHOST, and in my case it'll be 10.0.0.11. Remember that your IP will likely be different. We'll do show options again to confirm that it did set. And of course it did. And all that is really left to do is run the exploit by typing exploit.
Now if everything works correctly we should get a backdoor in the form of a reverse shell. We can see the port that is outgoing and the port that is incoming. Good. It may not be immediately apparent what has just happened, because my display doesn't exactly tell you or provide a prompt, kind of like you'd expect, but we've just hacked into our target. We have a command shell and we can start executing commands on the target computer. For example, uname -a: we can see that we are now inside the Metasploitable 2 virtual machine. We have access to the server itself, and now we can list files, and it can be seen that we have access to everything and we could do literally anything. I'm sure I don't have to explain all the ways we could do damage here if we wanted to. Let's enter the root directory and list that out. Not having a prompt can be somewhat disconcerting. We can also check the desktop, but since it's Metasploitable, nothing will come up, although if this was a Windows system it might be worth doing. Don't worry, we'll get to a Windows example soon. What you really want to do here is set things up so that you have access to the system again in the future. You can upload and run any sort of remote access tool you want: keyloggers, other backdoors, you name it.
These are outside of the scope of this video, but my point here is that once you have access on this level, you may want to make sure that you can get back in even after the target has left the local network. Exactly how you go about doing that is up to you. There are a wide range of options. It is a good idea to practice on your own and develop a plan and a strategy of what to do here, so that you can put that plan into action very quickly. Just to give you an example, you might want to disable certain security features like antivirus or firewall while making it appear to the user that they are still functional. Or better yet, authorize your remote access tool to go through the defenses while leaving them otherwise completely alone. The sky is the limit. It is of course not necessary to escalate privileges in this example, but that is also something you can work on when you're dealing with certain systems. Last but not least, it is possible to set up a bot, which we'll be talking about when we make it to the module covering bots and botnets. So, a lot of options here, and I'm sure you probably have some ideas at this point. Everything you do here should be invisible to the user. And if you aren't sure, test it out using your own Metasploitable 2 machine in windowed mode so that you can see both screens at the same time.
Ctrl+C will abort the session. All right. I know this was a short one, but now we've seen how to get a reverse shell against a machine, so our feet are now good and wet. Hopefully you feel that your patience with the lengthy explanations given in the first videos is paying off, and we'll pick up again in the next video with more direct examples. And as always, I have to say this in every video: never use this or any other tool to hack into any machine that you do not personally own or have written permission to penetration test. Always obey the law and be careful. Thank you.