[00:00:00] Welcome to Part Eight of this module. Before we move on and start taking a look at Armitage, we need to quickly go over how to update our Metasploit installation with the latest and greatest modules and exploits. The process is actually fairly simple. As we'll see, all versions of Kali dating back to around 2017 or so have a built-in exploit database complete with a search function. The idea is that you update this database all at once, grabbing a large number of new exploits that haven't yet been plugged into Metasploit. Then you can add them on an as-needed basis without even needing a web browser or an internet connection.

[00:00:47] Of course, in practice you're probably going to search the internet for a particular exploit that matches a vulnerability that you have identified in a target system. Then you'd search Exploit-DB and, upon discovering that you already have the one you saw mentioned online, plug it into Metasploit and start using it. You could just take the entire Exploit-DB and dump it right into Metasploit, but I really don't recommend doing this. I am of the opinion that it is best to wait until an exploit has been officially added to the framework, unless it is an exploit that you personally researched and decided you wish to add. Just plugging them all in is an invitation to disaster, since some of them might not be particularly well made.

[00:01:37] It's up to you, and we'll cover both approaches, but I strongly recommend doing them one at a time as needed. If you're following along, we're actually going to need three terminal windows open here. As you can see, Metasploit is already up and running in our first terminal. If you've been following along this should look very familiar, but in case you need a quick refresher: we just run service postgresql start and then msfconsole, and that'll bring up Metasploit.

[00:02:14] From within Metasploit, notice the current number of exploits that we have plugged in. In my case it's one thousand seven hundred sixty-nine, and yours will vary. This number should be going up by 1 by the end of this video. So we're going to go ahead and open up a second terminal window and maximize it. All it's going to take to get us going initially here is a single command, and we just need a regular terminal for this; we don't want to do it in the Metasploit console itself. We're going to type searchsploit -h for help.

[00:02:54] Now, searchsploit is a powerful tool that allows us to query the exploit database of all the exploits currently published and available out there. As I said, it takes a while for these exploits to actually get made into Ruby files and officially plugged into the Metasploit framework itself.

[00:03:13] But many of them are ready to go, so we're going to go ahead and grab them all. You will need an internet connection for this. Now, you already have Exploit-DB in your Kali installation, assuming that your Kali installation is current and you're not using some very old version of BackTrack or something. However, there's no reason not to go ahead and update it. So we're going to do searchsploit -u for the update, and it will begin downloading all of the packages with the latest exploits in them.

[00:03:51] Be aware that if this is the first time you've ever run this command, it's going to take a very long time to finish. Say yes when prompted, and say yes again when prompted. The process it is going to go through is that it's going to create a folder called exploitdb-papers, and building the structure is brutally slow when it is creating it for the first time from scratch. Now, obviously I'll be making an edit to this video to make this process seem much faster than it actually is, because we really don't want to sit here throughout the whole thing. However, it is worth pointing out that after you've done this for the first time, subsequent updates will not take this long. Also keep in mind that the amount of time you spend doing this will vary greatly depending on the strength of your machine.

[00:04:47] If you're doing this in VirtualBox, as I am for the purpose of recording this video, this process will probably be pretty slow. If you're doing it on a machine with considerable resources, you could probably get through this within about, I'd estimate, 5 to 10 minutes. Actually, while this is updating, let's go ahead and open that third terminal window, and we'll put these terminals side by side. All right, there we go.

[00:05:17] As you know, everything in Kali is sorted into a directory structure, and the modules for Metasploit are really no different. Let's go ahead and list out everything in our root directory now. We want to see the hidden files, because the file that we're going to be looking for is normally hidden, so we're going to do ls -arl. Hidden files are the ones listed with dots in front of them. The one that we're looking for is going to be .msf4, which is where our Metasploit console is sorted. What we want to do is cd into it: cd .msf4, and we'll do ls. We can see a folder inside called modules. Let's go ahead and cd right into it and list the files. As we can see, there's nothing in this folder as of yet.

[00:06:15] We don't want to start dumping things into the framework without any organization, because in the long run that is a recipe for unpleasantness. Instead, let's go ahead and make a directory. Since this isn't very pretty to look at, I think I'm just going to maximize the screen. We're going to do mkdir exploits. You really want to do yourself a favor and be as organized as you can when adding modules to msfconsole. You don't want exploits and other things like encoders and auxiliaries living together in a big tangled mess with other files; in the long run it is going to be a huge headache.

[00:07:04] Coming back over here for just a second, we can see that this is about 83 percent done. For the next step we're going to need this process to be completely resolved, so I'm going to make a brief pause to the recording here. Keep in mind this is the part that's going to take you the most time, as it will have to build the papers database. Just be patient; it will finish.

[00:07:30] OK, so once that's done, we're going to come over to our Metasploit window, and you'll notice that the number of exploits has not actually gone up. This is not a mistake, and it won't help to reload msfconsole. What we've done is we've updated the database, but we haven't actually plugged any of these in yet.

[00:07:55] So let's go ahead and do that now, over here. We're going to use the searchsploit command to search the database, and let's say that we found a popular one online. I'm going to use MS15-100 because it's a common one, and as soon as we press enter it will bring up the information that we need onto the screen. Let's look it over real quick. There are two ways that this particular exploit comes packaged: as a Python script and as a Ruby file. Generally speaking, you shouldn't have any problem plugging in Ruby files. You'll notice that next to the name of the exploit, and the short name for the exploit, which in this case is MS15-100, it has "(Metasploit)" in parentheses, meaning that this Ruby file is made to be compatible and plugged right into Metasploit. But you may run into problems trying to plug in Python scripts.

[00:09:06] Remember, these are published exploits that haven't been officially added to the Metasploit framework yet, so bugs and errors are a distinct possibility. Either way, we're going to add the Ruby file, which is the .rb file. So let's move back over to our directory window; our exploits folder is empty. Let's go ahead and do mkdir windows, and we'll cd into it.

[00:09:36] And now we're going to make yet another directory within this newly created windows directory, called remote. The reason that we're doing this is that we're following the naming convention shown here, which in this case is exploits/windows/remote and then the file name. Now, obviously there are a couple of ways we can copy the file, but let's do it via the terminal. So we're going to do cp for copy, then /usr/share/exploitdb/exploits/windows/remote/ followed by the exploit Ruby file, which is 38195.rb, then another space, and now we're going to tell it to copy into /root/.msf4/modules/exploits/windows/remote. Great.

[00:10:47] Now if we cd into remote and ls inside remote, we can see the newly copied exploit displayed in green. This is the same Ruby file that we downloaded into the database. However, we aren't done yet. Even though we've placed the exploit in the correct spot, you won't find it in msfconsole, because there is one more step that we need to take in a regular terminal window, not the msfconsole. We have to type updatedb, which is short for update database. This is going to update the file location database throughout Kali itself.

[00:11:30] Now after that, we'll exit msfconsole and reload it, and the newly imported exploit should be available. And there we go: our total number of exploits has increased by 1. This tells us that the exploit has been plugged in successfully, so let's go ahead and search for it with the search command: search MS15-100. We can see that it comes up and is located in the directory that we created for it. Nice and tidy.

[00:12:11] To summarize: Kali has an exploit database already on it, full of published files that haven't yet been added to the Metasploit framework. We updated it, which downloaded even more files, and then we selected one of those files and manually added it to the Metasploit framework itself. Since the framework is all modular, you can do this with pretty much anything, although I don't promise that you won't run into bugs and errors with various pieces of code. One thing to remember, too, is that this method pulls down files from a trusted source. You might be able to find them individually on the web, but who knows if they've been fiddled around with. The nice thing about the exploit database on Kali is that when you hear about an exploit and find you don't have it already, you probably do in fact have it.
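The mkdir / cp / updatedb procedure above, written as a small shell helper that enforces the two points the video keeps coming back to: the copied module must mirror the exploitdb directory layout, and it must actually be a Metasploit Ruby module (a Python PoC is refused rather than copied). This is an added example, not part of the course or of the searchsploit tooling; it assumes the Kali paths /usr/share/exploitdb and ~/.msf4/modules, and the demo builds a constructed stand-in tree in a temp directory instead of touching real modules.

```shell
#!/bin/sh
# Added example (not from the course): import one exploit-db Ruby module into
# ~/.msf4/modules while mirroring exploit-db's own "exploits/<platform>/<type>/<id>.rb" layout.
# Assumed paths (overridable through the environment): Kali's searchsploit tree and .msf4.
EXPLOITDB_ROOT="${EXPLOITDB_ROOT:-/usr/share/exploitdb}"
MSF_MODULES="${MSF_MODULES:-$HOME/.msf4/modules}"

# Print the destination under $MSF_MODULES that mirrors the source's position under
# $EXPLOITDB_ROOT; fail for anything outside exploits/ or that is not a .rb file.
msf_module_dest() {
    case "$1" in
        "$EXPLOITDB_ROOT"/exploits/*.rb) ;;
        *) return 1 ;;
    esac
    printf '%s/%s\n' "$MSF_MODULES" "${1#"$EXPLOITDB_ROOT"/}"
}

# Succeed only if the file is Ruby source declaring a Metasploit module class
# (the "(Metasploit)" entries searchsploit shows); PoC scripts are rejected.
msf_module_check() {
    [ -f "$1" ] || return 1
    case "$1" in *.rb) ;; *) return 1 ;; esac
    grep -Eq '^class +(MetasploitModule|Metasploit[0-9]) *< *Msf::' "$1"
}

# Copy one checked module into place and record its SHA-256 in an import ledger,
# so a file that later changes on disk can be spotted by re-hashing it.
msf_module_import() {
    msf_module_check "$1" || { echo "refusing $1: not a Metasploit Ruby module" >&2; return 1; }
    dest=$(msf_module_dest "$1") || { echo "refusing $1: outside $EXPLOITDB_ROOT/exploits" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    cp "$1" "$dest"
    sha256sum "$dest" >> "$MSF_MODULES/IMPORTED.sha256"
    printf 'imported %s (now run updatedb and restart msfconsole)\n' "$dest"
}

# Self-contained demo on a constructed exploit-db tree in a temp dir; returns 0 on success.
msf_import_demo() {
    tmp=$(mktemp -d)
    EXPLOITDB_ROOT="$tmp/exploitdb"; MSF_MODULES="$tmp/msf4/modules"
    mkdir -p "$EXPLOITDB_ROOT/exploits/windows/remote"
    # Constructed stand-ins for the 38195 Ruby module and its Python sibling from the video.
    printf 'class MetasploitModule < Msf::Exploit::Remote\nend\n' \
        > "$EXPLOITDB_ROOT/exploits/windows/remote/38195.rb"
    printf 'print("poc")\n' > "$EXPLOITDB_ROOT/exploits/windows/remote/38195.py"
    msf_module_import "$EXPLOITDB_ROOT/exploits/windows/remote/38195.rb" || return 1
    ! msf_module_import "$EXPLOITDB_ROOT/exploits/windows/remote/38195.py" 2>/dev/null || return 1
    [ -f "$MSF_MODULES/exploits/windows/remote/38195.rb" ] || return 1
    grep -q 'exploits/windows/remote/38195.rb' "$MSF_MODULES/IMPORTED.sha256"
}
```

On a real Kali box you would call msf_module_import with the path searchsploit printed, then run updatedb and restart msfconsole as in the video.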
[00:13:11] So let's come back over to our prompt window, and we're just going to clear out of this. Just to show you, you can look at the entire database by typing cd /usr/share/exploitdb and then ls, and we can see how it's divided. We'll do cd exploits and ls, and there they are, of course divided by the various types of exploits. So we'll go into cd windows, and from here it's further subdivided. We'll do cd remote, because that's where we pulled the one we're working on, and we'll do ls. As you can see, it's a very big list.

[00:14:05] Now, this isn't the only way to move these around; you don't have to do it through the terminal window the way I just showed you, and you might not even prefer to do it that way. We can always go into the file manager, provided that we have enabled the "show hidden files" option. I'll back out of this a bit, and we'll just go into usr, then share, and scroll down a bit until we find exploitdb, then exploits. Here we have the same subdivisions; go into windows, then remote, and there we go. And I really want to stress that trying to plug all of these in at once, or even just grabbing a lot of them that sound really nice, is a supremely bad idea.

[00:15:06] It's better to have a few tools that work well than an overflowing toolbox that is too unwieldy to carry. Now, in principle, downloading an exploit off the internet instead of adding it from the exploit database works the same: take the file, plug it into the relevant folder, and run the updatedb command. In theory you should then be good to go. The wonderful thing about the modular nature of Metasploit is that you can add things to it very easily. So as long as you keep things well organized and sorted, the framework will continue to be a worthwhile tool for you long into the future.

[00:15:48] Remember also that new exploits are constantly being discovered. So if you use Metasploit often, it is very worth your time to do a little research and see if you can find something wonderful that hasn't yet made it into the official release. Newer payloads that have seen less use are also, at least in theory anyway, less likely to be detected. And remember that you'll need to reload msfconsole any time you add anything new to the framework. All right, that should about cover it. Hopefully this has been clear. If there is any special module you want to add to Metasploit, let's say from GitHub, there are usually instructions included with these files, and they tend to follow the same general schema. Thank you.