1
00:00:00,090 --> 00:00:06,810
So now let's talk about launching exploits, so once we determine how our expertise might work and make

2
00:00:06,810 --> 00:00:10,310
sure that I'm not malicious, you know, we can safely launch an attack.

3
00:00:10,560 --> 00:00:15,030
So typically, you're going to do this by exploding it from the command line using the appropriate arguments.

4
00:00:15,660 --> 00:00:20,010
You also might do it, you know, from exploit, for example, as well.

5
00:00:20,550 --> 00:00:24,750
When you launch the exploit, it will mostly turn out like, you know, text on the screen for like

6
00:00:24,750 --> 00:00:29,010
stuff that's happening in all kinds of different updates and stuff, you know, on the status of what's

7
00:00:29,010 --> 00:00:30,120
going on to exploit.

8
00:00:30,270 --> 00:00:35,130
And, you know, if all goes well to be successful and you have, you know, what's called a shell or

9
00:00:35,130 --> 00:00:40,900
a command line, you know, on your host that's connecting out back out to your target.

10
00:00:41,070 --> 00:00:45,510
So let's go see if we can actually launch an exploit and be able to do this.

11
00:00:45,910 --> 00:00:51,150
OK, so you see how you can, you know, search for exploits, download them, check them out.

12
00:00:51,150 --> 00:00:54,270
They actually launch them from the command line manually.

13
00:00:54,270 --> 00:00:56,770
But you don't necessarily need to do that.

14
00:00:57,000 --> 00:01:00,900
So the goal is actually to make this a little bit easier for you guys, though sometimes you may have

15
00:01:00,900 --> 00:01:05,310
to do exploits manually, but for the most part, you can use something that's called.

16
00:01:06,240 --> 00:01:13,680
So the most popular tool for hacking, you know, using callisthenics, Xbox that we're actually using

17
00:01:13,780 --> 00:01:16,290
is a program called Medfly.

18
00:01:16,560 --> 00:01:20,340
So Métis point is really like a one stop shop for hacking.

19
00:01:20,340 --> 00:01:26,010
And it makes it very, very easy for a beginner to do everything that we've done so far.

20
00:01:26,700 --> 00:01:28,800
It's going to give you a little bit less control.

21
00:01:28,800 --> 00:01:29,460
In a sense.

22
00:01:30,300 --> 00:01:37,170
It might not cover as much ground as you can manually, but a lot of your information effectively and

23
00:01:37,170 --> 00:01:39,300
maybe launching attacks a lot easier.

24
00:01:39,390 --> 00:01:45,570
And the searching process as far as exploits is a lot more streamlined and it be easier to actually

25
00:01:45,570 --> 00:01:46,020
set it up.

26
00:01:46,030 --> 00:01:47,630
So let's go check out mercifully.

27
00:01:48,000 --> 00:01:48,650
OK, guys.

28
00:01:48,840 --> 00:01:50,940
So I'm back on my college machine.

29
00:01:50,950 --> 00:01:56,160
So if you want to launch off my display, it is going to take in MSF kosal and then you're going to

30
00:01:56,160 --> 00:01:56,720
enter.

31
00:01:56,910 --> 00:02:01,950
So one thing you might want to also do is just make sure that your machine is actually up to date before

32
00:02:01,950 --> 00:02:02,460
you do it.

33
00:02:02,700 --> 00:02:06,500
It'll take a second to open depending on, you know, your computer three speed.

34
00:02:06,900 --> 00:02:11,200
I have a lot of things ready right now, so I might take a second, but make sure that your system is

35
00:02:11,200 --> 00:02:19,170
as do like a pseudo Abati update and then upgrade just to make sure you have everything that you need,

36
00:02:19,440 --> 00:02:22,740
although it did open up and then we're going to pop back early going and check out my display.

37
00:02:22,830 --> 00:02:27,750
So one of the first things that you're actually going to notice about my display is that it has a lot

38
00:02:27,750 --> 00:02:29,850
of things, you know, inside of it, essentially.

39
00:02:30,690 --> 00:02:37,140
So if you recall before when we did the Help Command, we saw an array of commands that we got that

40
00:02:37,140 --> 00:02:38,490
we could actually do so in.

41
00:02:38,490 --> 00:02:40,050
One of them is DB maps.

42
00:02:40,050 --> 00:02:42,210
So you remember that we did map scans before.

43
00:02:42,510 --> 00:02:48,240
So what we could do is you can import with the DMAE import command and just point select the file like

44
00:02:48,240 --> 00:02:54,570
if you did if you outputted a file from your map scans that you did, you get imported with this command.

45
00:02:54,750 --> 00:02:58,530
It would just be debe import, demonically import and then the path to the file.

46
00:02:59,340 --> 00:03:08,010
But we can also do an end map from here in and actually store everything from that and map inside this

47
00:03:08,010 --> 00:03:09,790
database and we can just access all of it.

48
00:03:09,990 --> 00:03:11,650
So let's actually try that out.

49
00:03:11,790 --> 00:03:19,740
So let's do a DBI underscore and map and then we know that the target is one or two one six eight four

50
00:03:19,740 --> 00:03:21,710
six one zero four.

51
00:03:22,410 --> 00:03:27,410
So we can do this typical and I would do for I would be very verbose mode.

52
00:03:27,420 --> 00:03:31,210
It doesn't matter what order you put these tags in, kind of like freestyler every single time I do

53
00:03:31,210 --> 00:03:31,320
it.

54
00:03:32,190 --> 00:03:33,870
So I'm going to be very verbose.

55
00:03:33,870 --> 00:03:35,700
No, I'm just going to do a version scan.

56
00:03:36,060 --> 00:03:40,020
I will do pause one, two, six, five, five, three, five.

57
00:03:40,380 --> 00:03:41,990
That's what I'm going to do.

58
00:03:42,000 --> 00:03:47,820
And then we can go ahead and enter and it's going to start to map and it's going to do the scan and

59
00:03:47,820 --> 00:03:49,620
then it's also going to do a service scan.

60
00:03:49,800 --> 00:03:53,820
So then we know what services are running and it's going to be stored inside of the display database.

61
00:03:54,060 --> 00:03:55,270
So I'm going to let it run.

62
00:03:55,290 --> 00:03:57,660
This is going to take a couple of minutes and then we'll come back.

63
00:03:58,650 --> 00:04:01,200
OK, guys, so I map asking is finished now.

64
00:04:01,200 --> 00:04:08,010
So let's check out, you know, what medicine we put into the database so we can come in and we can

65
00:04:08,010 --> 00:04:10,080
do for scanning, getting multiple hosts.

66
00:04:10,290 --> 00:04:16,860
We just type in command and it'll actually show you a list of the different addresses that you scan

67
00:04:16,860 --> 00:04:18,320
right now is just one.

68
00:04:18,330 --> 00:04:23,460
But now we know, hey, you know, our most vulnerable server is a part of our database.

69
00:04:23,760 --> 00:04:25,610
So now we have information on it.

70
00:04:25,860 --> 00:04:29,220
So another command that you can do is services.

71
00:04:29,220 --> 00:04:32,340
And this will actually list out all the services that it found.

72
00:04:32,520 --> 00:04:38,430
So you don't have to keep going back to a text file is scrolling back to the map output.

73
00:04:38,430 --> 00:04:43,140
You just type in services in and print out all the services for all the hosts.

74
00:04:43,770 --> 00:04:52,290
And I believe also you can specify by IP address here, we only have one here, of course, but you

75
00:04:52,290 --> 00:04:57,330
can specify my IP address and I'll show you just for that IP address, it just lists all the services.

76
00:04:57,570 --> 00:04:59,930
So now you know we're in medicine.

77
00:05:00,240 --> 00:05:05,850
And we have this list right here so we can use this list to actually go through and try to find some

78
00:05:05,850 --> 00:05:10,490
actual exploits to see if we can break into this box.

79
00:05:11,340 --> 00:05:21,830
So another command that we can do, like we do when we do a search for the command line attacks or exploits

80
00:05:21,830 --> 00:05:26,700
search, we can just type in search and then type in, you know, whatever we want to search, kind

81
00:05:26,700 --> 00:05:28,080
of like kind of like an expert.

82
00:05:28,440 --> 00:05:28,740
So.

83
00:05:29,190 --> 00:05:36,040
So right now, let's check out this BSF TPD version two point three point four.

84
00:05:36,060 --> 00:05:38,850
Let's see if that has some type of vulnerability.

85
00:05:38,850 --> 00:05:45,560
So BSF, TPD two point three point four and let's see what comes up.

86
00:05:45,750 --> 00:05:48,080
So, OK, so a few things came up.

87
00:05:48,780 --> 00:05:56,580
What stands out to me after looking at these ViaSat DVD version, two point three point four Back-Door

88
00:05:56,580 --> 00:05:57,590
command injection.

89
00:05:57,610 --> 00:05:59,320
So that might be something that we could use.

90
00:05:59,340 --> 00:06:05,160
So if you ever want to find an exploit, so you see over on the left here, there's a column with a

91
00:06:05,190 --> 00:06:06,570
Pouncy right here for number.

92
00:06:06,900 --> 00:06:10,400
So each one of these has a number if you want to use one of these.

93
00:06:10,650 --> 00:06:13,230
So like, for example, this one has the number three beside it.

94
00:06:13,890 --> 00:06:21,470
So you just have to use three and this is going to take us into the exploit.

95
00:06:21,540 --> 00:06:26,280
So any time that you get into an exploit and you don't really know what it is or you don't know how

96
00:06:26,280 --> 00:06:31,800
to use it, you can just type in info in order to give you information typically about it, you can

97
00:06:31,800 --> 00:06:33,470
scroll up typically.

98
00:06:33,730 --> 00:06:39,780
Sometimes they'll have like an explanation, like I had a description, figure out the name of the exploit.

99
00:06:39,970 --> 00:06:43,790
Our platform is for different information about it.

100
00:06:43,980 --> 00:06:45,790
And this is showing you the options right here.

101
00:06:46,110 --> 00:06:50,640
I typically like to do that and then read the little description here where it tells you, you know,

102
00:06:50,640 --> 00:06:53,730
what the exploit is doing exactly.

103
00:06:54,420 --> 00:06:55,890
Or you know what it's for.

104
00:06:56,070 --> 00:06:57,430
So that's pretty helpful.

105
00:06:57,450 --> 00:07:02,750
So what I also what you also can do, they just type in options and tell you the options.

106
00:07:03,060 --> 00:07:09,690
So with each module, which is what this is inside of Medfly, there are options that you have to set

107
00:07:10,050 --> 00:07:14,180
and these options are what the exploit is actually going to use when it runs.

108
00:07:14,220 --> 00:07:21,520
Think of it as setting variables so that the exploit just automatically knows what to do.

109
00:07:21,840 --> 00:07:29,070
So like, for example, here, the two options are our hosts, which stands for remote hosts, which

110
00:07:29,070 --> 00:07:34,470
would be our target, you know, typically, and then our port, which is like what port or what's our

111
00:07:34,470 --> 00:07:35,450
destination port.

112
00:07:35,790 --> 00:07:38,400
So this one in particular is FTP.

113
00:07:38,700 --> 00:07:42,080
And, you know, FTP runs over Port twenty one.

114
00:07:42,510 --> 00:07:45,060
So the ports are already set.

115
00:07:45,420 --> 00:07:48,740
So what we need to do is actually set our host variable.

116
00:07:49,050 --> 00:07:54,870
So what we can do is just to set our hosts.

117
00:07:54,870 --> 00:07:56,270
You don't have to do a capital.

118
00:07:56,280 --> 00:07:57,510
I figured that out a while back.

119
00:07:57,640 --> 00:07:59,460
I think that you had to but you really don't.

120
00:07:59,790 --> 00:08:02,750
It's smart enough to know and then you're going to put the IP address.

121
00:08:02,750 --> 00:08:09,080
So one on two one six eight five six one two four in this case, Bamp.

122
00:08:09,150 --> 00:08:14,430
So now our host is set today and you can confirm it by just typing options again.

123
00:08:14,430 --> 00:08:15,930
And I'll tell you what is setsu.

124
00:08:16,110 --> 00:08:19,890
So you always want to do this before you run and exploit, just to make sure that everything is good

125
00:08:19,890 --> 00:08:20,270
to go.

126
00:08:20,550 --> 00:08:26,940
So when the exploit is an exploit is all set up correctly, you have your variables set.

127
00:08:27,060 --> 00:08:32,820
What you can do is you give you the time run or you get time and exploit type minute exploit feels a

128
00:08:32,820 --> 00:08:34,920
little bit cooler, but they both work.

129
00:08:34,920 --> 00:08:36,150
The same doesn't make a difference.

130
00:08:36,330 --> 00:08:40,980
So you timing X winner and then is actually going to go through and actually attempt to exploit.

131
00:08:41,250 --> 00:08:47,580
So right now and you typically you'll see stuff pop up on the screen, just output of what's going on,

132
00:08:47,580 --> 00:08:48,230
what's happening.

133
00:08:48,480 --> 00:08:50,310
A lot of the time you might run into areas.

134
00:08:50,310 --> 00:08:54,510
You might have to go back and fix things or change report change and address change.

135
00:08:54,510 --> 00:08:59,890
One of the options stuff happens like that, and it's just trial and error to figure it out.

136
00:09:00,540 --> 00:09:01,980
That's the beauty of princesse.

137
00:09:02,520 --> 00:09:08,090
So for this one, hey, is they found the shell and it looks like it's the root, so the root account.

138
00:09:08,100 --> 00:09:14,700
So we have a session open, which means that we have pretty much access to a command line, you know,

139
00:09:14,730 --> 00:09:15,810
on that hosts.

140
00:09:16,080 --> 00:09:17,400
So let's actually see.

141
00:09:17,400 --> 00:09:22,020
So one way you can confirm is something actually worked is type in who am I?

142
00:09:22,890 --> 00:09:23,220
Enter.

143
00:09:23,340 --> 00:09:23,960
Oh wow.

144
00:09:24,080 --> 00:09:24,450
Group.

145
00:09:25,020 --> 00:09:32,560
So we just gained access to this computer using numerously, literally within minutes.

146
00:09:32,610 --> 00:09:33,150
Pretty easy.

147
00:09:33,300 --> 00:09:34,500
And you can do different things.

148
00:09:34,500 --> 00:09:40,080
You know, you do a president working director, you figure out what you are doing, let's figure out

149
00:09:40,440 --> 00:09:44,460
what's here like what's what's in the current location.

150
00:09:44,460 --> 00:09:46,380
You can sense we're a route.

151
00:09:46,380 --> 00:09:47,640
We try to do whatever we want.

152
00:09:47,640 --> 00:09:48,390
We can make our stuff.

153
00:09:48,400 --> 00:09:59,760
And how we can do casts a shadow, which is actually the file on Linux that actually holds.

154
00:09:59,920 --> 00:10:05,680
The hashes for all the user accounts, so there we go now we own the hashes, so maybe we could take

155
00:10:05,680 --> 00:10:08,670
some of these hashes and, you know, try to crack them later on.

156
00:10:08,680 --> 00:10:09,830
That's something that we could do.

157
00:10:10,540 --> 00:10:14,400
So as you can see, my response is very powerful and it's very, very quick.

158
00:10:14,560 --> 00:10:20,380
So we're able to exploit FCP in a matter of minutes.

159
00:10:20,440 --> 00:10:21,280
So that's pretty neat.

160
00:10:22,300 --> 00:10:24,340
So now let's go ahead and try another site.

161
00:10:24,790 --> 00:10:30,040
So what we can do now is we can actually, you know, just from here, we can either do back and get

162
00:10:30,040 --> 00:10:32,830
out of this exploit or you can just stay there.

163
00:10:32,830 --> 00:10:33,790
But it doesn't really matter.

164
00:10:33,820 --> 00:10:40,390
So what we can do is actually let's see, let's do services again and let's try to get into another

165
00:10:40,390 --> 00:10:40,600
one.

166
00:10:40,610 --> 00:10:41,320
So let's see.

167
00:10:42,280 --> 00:10:42,670
Let's see.

168
00:10:42,670 --> 00:10:45,150
We have the telnet, Tonette, right here.

169
00:10:45,160 --> 00:10:46,560
So we're not telnet is open.

170
00:10:46,780 --> 00:10:51,120
So we already kind of whatever way to exploit so on it before at least take advantage of it.

171
00:10:51,430 --> 00:10:56,890
So let's try to do something similar, a little bit more direct, I guess we could say, or just show

172
00:10:56,890 --> 00:11:00,400
you how you can do it with display without having to take those extra steps.

173
00:11:00,700 --> 00:11:05,360
So what we can do is actually just search Toinette, and a lot of stuff's probably going to come up.

174
00:11:05,380 --> 00:11:06,970
If you want to actually look through these.

175
00:11:07,930 --> 00:11:10,450
A lot of things come up depending on what you search sometimes.

176
00:11:10,450 --> 00:11:17,020
So you'll be ready for that and just make sure that you're looking and reading and making sure that,

177
00:11:17,020 --> 00:11:21,850
you know, you're looking at, you know, each exploit and trying to figure out which one that you actually

178
00:11:21,850 --> 00:11:22,270
want.

179
00:11:23,760 --> 00:11:27,960
I found that the more search terms you put in and the more resource that you will get, so that's not

180
00:11:27,960 --> 00:11:28,910
necessarily good.

181
00:11:28,920 --> 00:11:35,040
You want to be specific, but also not, I guess, too specific because they'll start to search based

182
00:11:35,040 --> 00:11:36,930
on each term and then it gets confusing.

183
00:11:37,680 --> 00:11:43,010
But anyway, so for this one, we are going to look at this one right here.

184
00:11:43,290 --> 00:11:44,880
That's number 12.

185
00:11:45,150 --> 00:11:47,990
So it's this is the path for us.

186
00:11:47,990 --> 00:11:54,400
So this is an auxiliary scanner telnet version of this garbage, and that's what we're going to use.

187
00:11:54,630 --> 00:11:57,540
So we're going to do a use 12.

188
00:11:58,050 --> 00:12:03,420
And once again, like I said before, you know, figure out the info, get some information audit to

189
00:12:03,430 --> 00:12:04,260
see what's going on.

190
00:12:04,470 --> 00:12:07,350
So this is Tonette service, better detection.

191
00:12:07,530 --> 00:12:11,010
So it's pretty much going to try to figure out what version it's running.

192
00:12:12,270 --> 00:12:18,630
So once again, the options are there, but you can also do options, come in and see what you have

193
00:12:18,630 --> 00:12:19,170
to set.

194
00:12:19,470 --> 00:12:24,630
And what's good to know is that when you're setting these options, look at what's under the required

195
00:12:24,780 --> 00:12:25,260
column.

196
00:12:25,440 --> 00:12:29,180
So some experts will have a lot more options.

197
00:12:29,220 --> 00:12:31,170
Other ones like this one has a lot more than the other one.

198
00:12:31,470 --> 00:12:34,040
Some are required and some aren't required.

199
00:12:34,320 --> 00:12:38,610
So you want to make sure that you look at that and make sure that all the ones that have it.

200
00:12:38,610 --> 00:12:39,030
Yes.

201
00:12:39,030 --> 00:12:42,700
Under it have something set over here under the current setting column.

202
00:12:42,990 --> 00:12:45,120
So this one, we don't have it for our hosts.

203
00:12:45,120 --> 00:12:49,730
We're probably going to have to set this every time we're going to new exploit some once again, which

204
00:12:49,740 --> 00:12:57,690
to our host set our hosts one on two one six eight five six one zero four bam.

205
00:12:57,870 --> 00:13:03,120
Now we can do options again just to make sure that we're good to go and make sure that is that it doesn't

206
00:13:03,120 --> 00:13:03,910
hurt to confirm.

207
00:13:04,290 --> 00:13:10,740
So then we can do run or exploit depending on how you feel if you like it sounds better, but we can

208
00:13:10,740 --> 00:13:17,220
just do run and hey and pull it out to try to connect over that port and pull down the banner or whatever

209
00:13:17,220 --> 00:13:18,600
it got back from trying to connect.

210
00:13:18,840 --> 00:13:20,990
So was useful about this one.

211
00:13:21,010 --> 00:13:23,730
Now this won't always be the case and probably never will be.

212
00:13:24,330 --> 00:13:30,780
But in this case, it it's, you know, hey, we're able to do successfully connect and then actually

213
00:13:30,780 --> 00:13:31,500
pull down.

214
00:13:31,500 --> 00:13:36,450
What happens when you try to connect this metal box in particular?

215
00:13:36,810 --> 00:13:44,910
It turns out a banner and we see, hey, you can log in with Amazon Admins admin.

216
00:13:45,600 --> 00:13:46,500
So that's pretty neat.

217
00:13:46,510 --> 00:13:53,460
So now we'll be able to go through and just do like a telnet command and actually be able to, you know,

218
00:13:53,460 --> 00:13:54,090
log in.

219
00:13:54,090 --> 00:13:55,380
But we've already done that before.

220
00:13:55,380 --> 00:14:03,480
We know that it works, but it's definitely useful to, you know, run like this particular module or

221
00:14:03,750 --> 00:14:10,950
auxiliary scanner just to make if you ever find, like, you know, telnet open on a computer, it doesn't

222
00:14:10,950 --> 00:14:14,580
hurt to run his command because you could pull some information like this.

223
00:14:14,580 --> 00:14:15,180
You never know.

224
00:14:15,870 --> 00:14:18,130
Some places are very bad security practices.

225
00:14:18,180 --> 00:14:21,450
So I wouldn't be surprised if you find something like this somewhere.

226
00:14:21,790 --> 00:14:23,480
OK, OK, guys.

227
00:14:23,490 --> 00:14:25,410
So let's try another exploit right now.

228
00:14:25,410 --> 00:14:31,100
So let's use it to find a way to actually get into the system.

229
00:14:31,290 --> 00:14:37,020
So in this one, we're going to just type my services again and see what services and you'll see that

230
00:14:37,020 --> 00:14:41,160
an updated so that, you know, with that information from the barrier that we grabbed before.

231
00:14:41,160 --> 00:14:42,870
So metastable is very good.

232
00:14:42,870 --> 00:14:44,070
It's very dynamic.

233
00:14:44,310 --> 00:14:47,070
It's always going to be updating as you're doing things.

234
00:14:47,820 --> 00:14:50,130
So it's very, very helpful, very useful.

235
00:14:50,970 --> 00:14:55,680
So this time we want to go for we've got to try to get into The Da Vinci.

236
00:14:56,070 --> 00:14:58,800
So let's see Protocol three point three.

237
00:14:59,400 --> 00:15:01,620
So this is the one that we want to look at next.

238
00:15:01,620 --> 00:15:03,540
Just try to see if we can get to this one.

239
00:15:04,330 --> 00:15:08,070
So let's actually do a search together and see.

240
00:15:09,090 --> 00:15:10,920
And it came up with a lot of stuff.

241
00:15:12,060 --> 00:15:18,550
So we want to actually look through this and try to see, you know, what you could potentially use.

242
00:15:18,960 --> 00:15:25,170
So one thing that I found is actually pretty useful is actually the Vincey login right here.

243
00:15:25,620 --> 00:15:26,820
So we can go ahead.

244
00:15:27,090 --> 00:15:29,280
And there's a description over here as well.

245
00:15:29,280 --> 00:15:31,050
This is obviously authentication scanner.

246
00:15:31,590 --> 00:15:40,320
So you use three and then we do info and figure out, you know, what the information about this exploit

247
00:15:40,320 --> 00:15:44,850
is, what options are required, what aren't required.

248
00:15:45,060 --> 00:15:46,500
You definitely always want to do that.

249
00:15:46,500 --> 00:15:52,890
So Brigaded description says this module will test the server on a range of machines and report on successful

250
00:15:52,890 --> 00:15:53,460
organs.

251
00:15:53,500 --> 00:15:57,380
OK, so this is going to check hey, can we log in using.

252
00:15:57,540 --> 00:16:04,770
And so what we know from the services for not the services being is one point fifty nine hundred.

253
00:16:05,130 --> 00:16:07,380
So we know that that's already set here.

254
00:16:07,770 --> 00:16:09,480
So we're good to go on that.

255
00:16:09,900 --> 00:16:13,500
We just need to make sure that we said to our hosts, I actually already said it before.

256
00:16:13,980 --> 00:16:17,820
So we have our Métis floatable address here.

257
00:16:17,970 --> 00:16:22,710
So we want to make sure that those two are set and then we should be good to go on every.

258
00:16:23,450 --> 00:16:33,860
So what we can do is actually we can just type and run, and it's a long and successful and this Colen

259
00:16:33,860 --> 00:16:40,160
right here and then Password is showing that there was the user name was blank and they were able to

260
00:16:40,160 --> 00:16:41,210
login with password.

261
00:16:41,210 --> 00:16:45,060
And this might be something that you guys should find in a while a lot, because a lot of people want

262
00:16:45,060 --> 00:16:49,570
to reset the default password on a lot of things, on a lot of services.

263
00:16:49,730 --> 00:16:51,560
So it's definitely something to look for.

264
00:16:51,590 --> 00:16:58,250
So now that we know that we can use different commands and actually try to connect, you know, via

265
00:16:58,250 --> 00:17:05,720
VANOC, so and VSC is just kind of a way to have almost like a remote desktop and like a Linux kind

266
00:17:05,720 --> 00:17:13,130
of way so we can actually use commands that are actually already installed onto the coffee machine to

267
00:17:13,130 --> 00:17:16,100
try to connect, you know, to the machine.

268
00:17:16,340 --> 00:17:26,500
So what we can do is we can type in VSC Connect and then one nine two dot one six eight dot five six

269
00:17:26,850 --> 00:17:32,160
one zero four and enter and actually execute it.

270
00:17:32,300 --> 00:17:39,800
So now that we connected with A, B and C, which is a good time to be in C viewer and now is asking,

271
00:17:39,800 --> 00:17:42,290
hey, what B and C server do you want to connect to.

272
00:17:42,620 --> 00:17:47,480
We do one on two one six eight five six one zero four.

273
00:17:48,440 --> 00:17:50,720
And I was going to ask for a password.

274
00:17:51,020 --> 00:17:56,480
So we know from our metastable exploit that the password is password.

275
00:17:57,020 --> 00:18:05,990
So ssw d enter and bam now we have a desktop on the Métis political machine.

276
00:18:06,000 --> 00:18:06,920
So it's pretty neat.

277
00:18:06,920 --> 00:18:08,000
It's pretty useful.

278
00:18:08,690 --> 00:18:09,500
Pretty quick.

279
00:18:10,250 --> 00:18:12,950
You can play around with this and do anything.

280
00:18:12,950 --> 00:18:19,250
Just like before when we had the root shell for the ATP Command, we pretty much had access to this

281
00:18:19,250 --> 00:18:19,730
machine.

282
00:18:20,330 --> 00:18:24,130
So that's pretty useful and pretty cool is very, very quick.

283
00:18:24,130 --> 00:18:30,640
See, I hope you start to see how useful and how quick things are when using better split-Level and

284
00:18:30,640 --> 00:18:36,470
it allows you to really dig in and be able to get all the information that you need and actually be

285
00:18:36,470 --> 00:18:40,850
able to find your expertise pretty easily and run them pretty quickly.

286
00:18:41,060 --> 00:18:44,330
OK, guys, so we're back at the display menu.

287
00:18:44,330 --> 00:18:49,400
So what we can do is type in services just to see what's going on and let's try to check out something

288
00:18:49,400 --> 00:18:49,640
else.

289
00:18:49,640 --> 00:18:51,650
So I see my superior.

290
00:18:51,920 --> 00:18:54,380
So we know my school is used for databases.

291
00:18:54,560 --> 00:19:00,230
So maybe we can get into the Marsico database, maybe we can find some sensitive information.

292
00:19:00,980 --> 00:19:02,990
So let's actually go in and try that.

293
00:19:03,020 --> 00:19:08,050
So what we can do is search my school and see what comes up.

294
00:19:08,180 --> 00:19:10,760
So there's thirty two things, the things that came up.

295
00:19:10,760 --> 00:19:11,560
So that's not too bad.

296
00:19:11,570 --> 00:19:18,410
So we just go to the top and start looking through and you can try a bunch of these different things,

297
00:19:18,410 --> 00:19:24,050
you know, especially like the auxiliary ones, because those are just for confirming and finding information

298
00:19:24,260 --> 00:19:26,400
and then they actually get you in there.

299
00:19:26,840 --> 00:19:31,280
So we're going to look for is the my school login.

300
00:19:31,280 --> 00:19:33,500
So which is right here.

301
00:19:33,500 --> 00:19:34,610
So it's number ten.

302
00:19:35,570 --> 00:19:39,860
So use ten and then there we go.

303
00:19:39,860 --> 00:19:45,590
We had the my school log in module loaded so we could just typing info, get some information about

304
00:19:45,590 --> 00:19:45,770
it.

305
00:19:45,950 --> 00:19:51,950
So this modules simply queries the my single instance for a specific user and pass.

306
00:19:52,190 --> 00:19:59,930
So the default is going to be a sort of default username that's on here if you don't say anything specifically

307
00:19:59,930 --> 00:20:03,200
is going to be just through and then the password is going to be blank.

308
00:20:03,470 --> 00:20:09,650
So if you want to, as you can see from these options, you can set up a password file.

309
00:20:09,890 --> 00:20:12,710
So you would just do like if you wanted to do this.

310
00:20:13,490 --> 00:20:26,940
User said user on the score file user pass is a pass fail and then you can just go to the directory

311
00:20:26,960 --> 00:20:32,600
whenever you have a password file set up and you can also do a user file.

312
00:20:32,600 --> 00:20:41,000
So user on this file and like linked to a directory where you have a list of username and a text file

313
00:20:41,000 --> 00:20:41,480
or something.

314
00:20:42,020 --> 00:20:44,420
So that's an option that you can do right now.

315
00:20:44,420 --> 00:20:49,940
We're just going to keep it how it is right now and see if we can get into my school, you know, using

316
00:20:50,150 --> 00:20:54,980
what the default credentials are, because more often or not, you might actually find that out in a

317
00:20:54,980 --> 00:20:55,340
while.

318
00:20:55,490 --> 00:21:01,640
But know that you can also, you know, if you want to set username, you know, to, I don't know,

319
00:21:02,000 --> 00:21:05,120
eight there, say you can do that.

320
00:21:06,140 --> 00:21:08,750
So that's an option.

321
00:21:08,750 --> 00:21:12,980
And then you can always check and was said to there you go.

322
00:21:12,990 --> 00:21:15,850
It's so what we're going to do actually we're just going to keep it as root.

323
00:21:15,860 --> 00:21:20,540
And then I believe that everything else is set that needs to be set.

324
00:21:21,050 --> 00:21:22,630
So what we can do is.

325
00:21:22,720 --> 00:21:32,880
Actually run this exploit, so this type of explainer, and so I found my school version 5.0 A's, we

326
00:21:32,880 --> 00:21:35,820
have a successful logging from route and then call them right there.

327
00:21:35,820 --> 00:21:37,250
So there's a blank password.

328
00:21:37,800 --> 00:21:45,010
So now we know that overreport 33 06, we can connect to my school with the route account.

329
00:21:45,390 --> 00:21:53,490
So now knowing that information, what we can do is actually typing my school and actually connectivity

330
00:21:53,490 --> 00:21:53,730
BS.

331
00:21:53,940 --> 00:22:00,480
So the way that you can connect to my school database is my school that you are then using.

332
00:22:00,630 --> 00:22:07,130
So in this case, Root and H then put the this is going to be the IP address of the target.

333
00:22:07,350 --> 00:22:13,530
So this be one or two one six eight five six one zero four.

334
00:22:14,010 --> 00:22:20,160
And then after that we could just sit here and say we just got access to the high school degree.

335
00:22:20,200 --> 00:22:21,000
So that's pretty neat.

336
00:22:21,330 --> 00:22:27,630
So just to quickly show you guys a little bit in case you don't know any Marsico, I know a little bit

337
00:22:27,630 --> 00:22:31,560
just for, you know, just to be able to use it in the field very quickly to get information.

338
00:22:31,830 --> 00:22:37,140
So what you can do is like a show database's, come in and make sure you always have a calling out.

339
00:22:37,230 --> 00:22:43,440
Everything for my school's part of the syntax so you can't enter and it's going to show you the different

340
00:22:43,440 --> 00:22:44,160
databases.

341
00:22:44,370 --> 00:22:48,390
So what we can do is actually select one of these databases.

342
00:22:48,840 --> 00:23:01,650
So if we want to, for example, use a tent, this will actually select the OOS 10 database so we can

343
00:23:01,650 --> 00:23:01,950
do that.

344
00:23:02,520 --> 00:23:04,620
And then now, hey, we changed our database.

345
00:23:04,650 --> 00:23:12,990
So what we can do now is actually look at the tables inside of the database so we can show tables and

346
00:23:12,990 --> 00:23:14,790
then that's semicolon.

347
00:23:15,450 --> 00:23:19,100
And then now it's shown it's, hey, these are the tables inside of this database.

348
00:23:19,110 --> 00:23:21,180
So now this is where the fun part comes.

349
00:23:21,180 --> 00:23:22,940
We can select information from it.

350
00:23:23,220 --> 00:23:26,810
So, uh, I like the credit cards one.

351
00:23:26,820 --> 00:23:29,240
So I want to go buy something on Amazon.

352
00:23:29,250 --> 00:23:33,990
So select star from credit cards.

353
00:23:34,380 --> 00:23:36,270
So just briefly go over it.

354
00:23:36,540 --> 00:23:38,220
This is going to select.

355
00:23:39,550 --> 00:23:48,250
Everything this star means everything from the credit cards table, so we're selecting everything from

356
00:23:48,250 --> 00:23:49,390
this credit card table.

357
00:23:49,420 --> 00:23:53,410
So now let's see what is actually going to give us.

358
00:23:54,190 --> 00:23:57,250
And hey, oh, we got some credit card numbers.

359
00:23:57,250 --> 00:23:58,090
Nice.

360
00:23:58,360 --> 00:24:02,610
So we have the credit card number to see as we the expiration date.

361
00:24:03,550 --> 00:24:06,100
This is pretty much everything we need to go by something that happens.

362
00:24:06,100 --> 00:24:06,910
Not if you want to see this.

363
00:24:07,080 --> 00:24:07,810
That's pretty neat.

364
00:24:07,960 --> 00:24:15,410
So you can look into more in depth as you all come in and practice a little bit.

365
00:24:15,860 --> 00:24:19,960
Definitely get used to it, because if you're going to be ethical hacker, you know, these kind of

366
00:24:19,960 --> 00:24:21,310
skills are going to be pretty useful.

367
00:24:22,030 --> 00:24:26,440
So I recommend that you guys kind of look into that and yet you're going to be on your way to becoming

368
00:24:26,440 --> 00:24:26,820
a pro.