1
00:00:00,090 --> 00:00:06,810
So now let's talk about launching exploits. So once we determine how our exploit might work and make

2
00:00:06,810 --> 00:00:10,310
sure that it's not malicious, you know, we can safely launch an attack.

3
00:00:10,560 --> 00:00:15,030
So typically, you're going to do this by executing it from the command line using the appropriate arguments.

4
00:00:15,660 --> 00:00:20,010
You also might do it, you know, from exploit, for example, as well.

5
00:00:20,550 --> 00:00:24,750
When you launch the exploit, it will mostly turn out, like, you know, text on the screen for, like,

6
00:00:24,750 --> 00:00:29,010
stuff that's happening and all kinds of different updates and stuff, you know, on the status of what's

7
00:00:29,010 --> 00:00:30,120
going on with the exploit.

8
00:00:30,270 --> 00:00:35,130
And, you know, if all goes well it'll be successful and you have, you know, what's called a shell or

9
00:00:35,130 --> 00:00:40,900
a command line, you know, on your host that's connecting back out to your target.

10
00:00:41,070 --> 00:00:45,510
So let's go see if we can actually launch an exploit and be able to do this.

11
00:00:45,910 --> 00:00:51,150
OK, so you saw how you can, you know, search for exploits, download them, check them out,

12
00:00:51,150 --> 00:00:54,270
and actually launch them from the command line manually.

13
00:00:54,270 --> 00:00:56,770
But you don't necessarily need to do that.

14
00:00:57,000 --> 00:01:00,900
So the goal is actually to make this a little bit easier for you guys. Though sometimes you may have

15
00:01:00,900 --> 00:01:05,310
to do exploits manually, for the most part you can use something that's called Metasploit.

16
00:01:06,240 --> 00:01:13,680
So the most popular tool for hacking, you know, using Kali Linux, the box that we're actually using,

17
00:01:13,780 --> 00:01:16,290
is a program called Metasploit.

18
00:01:16,560 --> 00:01:20,340
So Metasploit is really like a one-stop shop for hacking.

19
00:01:20,340 --> 00:01:26,010
And it makes it very, very easy for a beginner to do everything that we've done so far.

20
00:01:26,700 --> 00:01:28,800
It's going to give you a little bit less control,

21
00:01:28,800 --> 00:01:29,460
in a sense.

22
00:01:30,300 --> 00:01:37,170
It might not cover as much ground as you can manually, but it gets a lot of your information effectively and

23
00:01:37,170 --> 00:01:39,300
maybe makes launching attacks a lot easier.

24
00:01:39,390 --> 00:01:45,570
And the searching process, as far as exploits, is a lot more streamlined, and it'll be easier to actually

25
00:01:45,570 --> 00:01:46,020
set it up.

26
00:01:46,030 --> 00:01:47,630
So let's go check out Metasploit.

27
00:01:48,000 --> 00:01:48,650
OK, guys.

28
00:01:48,840 --> 00:01:50,940
So I'm back on my Kali machine.

29
00:01:50,950 --> 00:01:56,160
So if you want to launch Metasploit, you're going to type in msfconsole and then you're going to

30
00:01:56,160 --> 00:01:56,720
hit enter.

31
00:01:56,910 --> 00:02:01,950
So one thing you might want to also do is just make sure that your machine is actually up to date before

32
00:02:01,950 --> 00:02:02,460
you do it.

33
00:02:02,700 --> 00:02:06,500
It'll take a second to open depending on, you know, your computer's speed.

34
00:02:06,900 --> 00:02:11,200
I have a lot of things running right now, so it might take a second, but make sure that your system is

35
00:02:11,200 --> 00:02:19,170
up to date. Do, like, a sudo apt update and then upgrade, just to make sure you have everything that you need.

36
00:02:19,440 --> 00:02:22,740
All right, it did open up, and now we're going to pop back in and check out Metasploit.

37
00:02:22,830 --> 00:02:27,750
So one of the first things that you're actually going to notice about Metasploit is that it has a lot

38
00:02:27,750 --> 00:02:29,850
of things, you know, inside of it, essentially.

39
00:02:30,690 --> 00:02:37,140
So if you recall before, when we did the help command, we saw an array of commands that we got that

40
00:02:37,140 --> 00:02:38,490
we could actually do in it.

41
00:02:38,490 --> 00:02:40,050
One of them is db_nmap.

42
00:02:40,050 --> 00:02:42,210
So you remember that we did Nmap scans before.

43
00:02:42,510 --> 00:02:48,240
So what we could do is you can import with the db_import command and just point it to the file, like

44
00:02:48,240 --> 00:02:54,570
if you outputted a file from your Nmap scans that you did, you can import it with this command.

45
00:02:54,750 --> 00:02:58,530
It would just be db_import, db underscore import, and then the path to the file.

46
00:02:59,340 --> 00:03:08,010
But we can also do an Nmap scan from here and actually store everything from that Nmap scan inside this

47
00:03:08,010 --> 00:03:09,790
database, and we can just access all of it.

48
00:03:09,990 --> 00:03:11,650
So let's actually try that out.

49
00:03:11,790 --> 00:03:19,740
So let's do a db_nmap, and then we know that the target is

50
00:03:19,740 --> 00:03:21,710
192.168.56.104.

51
00:03:22,410 --> 00:03:27,410
So we can do the typical flags; -v would be verbose mode.

52
00:03:27,420 --> 00:03:31,210
It doesn't matter what order you put these flags in. I kind of freestyle it every single time I do

53
00:03:31,210 --> 00:03:31,320
it.

54
00:03:32,190 --> 00:03:33,870
So I'm going to do -v, verbose.

55
00:03:33,870 --> 00:03:35,700
No, I'm just going to do a version scan.

56
00:03:36,060 --> 00:03:40,020
I will do -p 1-65535.

57
00:03:40,380 --> 00:03:41,990
That's what I'm going to do.

58
00:03:42,000 --> 00:03:47,820
And then we can go ahead and hit enter, and it's going to start up Nmap and it's going to do the scan and

59
00:03:47,820 --> 00:03:49,620
then it's also going to do a service scan.

60
00:03:49,800 --> 00:03:53,820
So then we know what services are running, and it's going to be stored inside of the Metasploit database.

61
00:03:54,060 --> 00:03:55,270
So I'm going to let it run.

62
00:03:55,290 --> 00:03:57,660
This is going to take a couple of minutes and then we'll come back.

63
00:03:58,650 --> 00:04:01,200
OK, guys, so the Nmap scan is finished now.

64
00:04:01,200 --> 00:04:08,010
So let's check out, you know, what Metasploit put into the database. So we can come in and we can

65
00:04:08,010 --> 00:04:10,080
do hosts, for if you're scanning multiple hosts.

66
00:04:10,290 --> 00:04:16,860
We just type in the hosts command and it'll actually show you a list of the different addresses that you scanned.

67
00:04:16,860 --> 00:04:18,320
Right now it's just one.

68
00:04:18,330 --> 00:04:23,460
But now we know, hey, you know, our Metasploitable server is a part of our database.

69
00:04:23,760 --> 00:04:25,610
So now we have information on it.

70
00:04:25,860 --> 00:04:29,220
So another command that you can do is services.

71
00:04:29,220 --> 00:04:32,340
And this will actually list out all the services that it found.

72
00:04:32,520 --> 00:04:38,430
So you don't have to keep going back to a text file or scrolling back to the Nmap output.

73
00:04:38,430 --> 00:04:43,140
You just type in services and it'll print out all the services for all the hosts.

74
00:04:43,770 --> 00:04:52,290
And I believe also you can specify by IP address here. We only have one here, of course, but you

75
00:04:52,290 --> 00:04:57,330
can specify by IP address and it'll show you just for that IP address; it just lists all the services.

76
00:04:57,570 --> 00:04:59,930
So now, you know, we're in Metasploit.

77
00:05:00,240 --> 00:05:05,850
And we have this list right here, so we can use this list to actually go through and try to find some

78
00:05:05,850 --> 00:05:10,490
actual exploits to see if we can break into this box.

79
00:05:11,340 --> 00:05:21,830
So another command that we can do, like we do when we search for exploits from the command line, is

80
00:05:21,830 --> 00:05:26,700
search. We can just type in search and then type in, you know, whatever we want to search, kind

81
00:05:26,700 --> 00:05:28,080
of like, kind of like an exploit.

82
00:05:28,440 --> 00:05:28,740
So.

83
00:05:29,190 --> 00:05:36,040
So right now, let's check out this vsftpd version 2.3.4.

84
00:05:36,060 --> 00:05:38,850
Let's see if that has some type of vulnerability.

85
00:05:38,850 --> 00:05:45,560
So search vsftpd 2.3.4, and let's see what comes up.

86
00:05:45,750 --> 00:05:48,080
So, OK, so a few things came up.

87
00:05:48,780 --> 00:05:56,580
What stands out to me after looking at these is vsftpd version 2.3.4 backdoor

88
00:05:56,580 --> 00:05:57,590
command injection.

89
00:05:57,610 --> 00:05:59,320
So that might be something that we could use.

90
00:05:59,340 --> 00:06:05,160
So if you ever want to find an exploit, so you see over on the left here, there's a column with a

91
00:06:05,190 --> 00:06:06,570
pound sign right here for number.

92
00:06:06,900 --> 00:06:10,400
So each one of these has a number, if you want to use one of these.

93
00:06:10,650 --> 00:06:13,230
So like, for example, this one has the number three beside it.

94
00:06:13,890 --> 00:06:21,470
So you just have to do use 3, and this is going to take us into the exploit.

95
00:06:21,540 --> 00:06:26,280
So any time that you get into an exploit and you don't really know what it is or you don't know how

96
00:06:26,280 --> 00:06:31,800
to use it, you can just type in info in order to give you information, typically, about it. You can

97
00:06:31,800 --> 00:06:33,470
scroll up, typically.

98
00:06:33,730 --> 00:06:39,780
Sometimes they'll have, like, an explanation, like it has a description, it gives you the name of the exploit,

99
00:06:39,970 --> 00:06:43,790
the platform it's for, different information about it.

100
00:06:43,980 --> 00:06:45,790
And this is showing you the options right here.

101
00:06:46,110 --> 00:06:50,640
I typically like to do that and then read the little description here where it tells you, you know,

102
00:06:50,640 --> 00:06:53,730
what the exploit is doing exactly,

103
00:06:54,420 --> 00:06:55,890
or, you know, what it's for.

104
00:06:56,070 --> 00:06:57,430
So that's pretty helpful.

105
00:06:57,450 --> 00:07:02,750
So what you also can do is just type in options and it'll tell you the options.

106
00:07:03,060 --> 00:07:09,690
So with each module, which is what this is inside of Metasploit, there are options that you have to set,

107
00:07:10,050 --> 00:07:14,180
and these options are what the exploit is actually going to use when it runs.

108
00:07:14,220 --> 00:07:21,520
Think of it as setting variables so that the exploit just automatically knows what to do.

109
00:07:21,840 --> 00:07:29,070
So like, for example, here, the two options are RHOSTS, which stands for remote hosts, which

110
00:07:29,070 --> 00:07:34,470
would be our target, you know, typically, and then RPORT, which is like what port, or what's our

111
00:07:34,470 --> 00:07:35,450
destination port.

112
00:07:35,790 --> 00:07:38,400
So this one in particular is FTP.

113
00:07:38,700 --> 00:07:42,080
And, you know, FTP runs over port 21.

114
00:07:42,510 --> 00:07:45,060
So the port is already set.

115
00:07:45,420 --> 00:07:48,740
So what we need to do is actually set our RHOSTS variable.

116
00:07:49,050 --> 00:07:54,870
So what we can do is just do set RHOSTS.

117
00:07:54,870 --> 00:07:56,270
You don't have to do it in capitals.

118
00:07:56,280 --> 00:07:57,510
I figured that out a while back.

119
00:07:57,640 --> 00:07:59,460
I think that you had to, but you really don't.

120
00:07:59,790 --> 00:08:02,750
It's smart enough to know. And then you're going to put the IP address.

121
00:08:02,750 --> 00:08:09,080
So 192.168.56.104 in this case. Bam.

122
00:08:09,150 --> 00:08:14,430
So now our RHOSTS is set, and you can confirm it by just typing options again.

123
00:08:14,430 --> 00:08:15,930
And it'll tell you what is set.

124
00:08:16,110 --> 00:08:19,890
So you always want to do this before you run an exploit, just to make sure that everything is good

125
00:08:19,890 --> 00:08:20,270
to go.

126
00:08:20,550 --> 00:08:26,940
So when the exploit is all set up correctly, you have your variables set.

127
00:08:27,060 --> 00:08:32,820
What you can do is you can either type run or you can type exploit. Typing exploit feels a

128
00:08:32,820 --> 00:08:34,920
little bit cooler, but they both work

129
00:08:34,920 --> 00:08:36,150
the same. It doesn't make a difference.

130
00:08:36,330 --> 00:08:40,980
So you type in exploit, enter, and then it's actually going to go through and actually attempt to exploit.

131
00:08:41,250 --> 00:08:47,580
So right now, and typically, you'll see stuff pop up on the screen, just output of what's going on,

132
00:08:47,580 --> 00:08:48,230
what's happening.

133
00:08:48,480 --> 00:08:50,310
A lot of the time you might run into errors.

134
00:08:50,310 --> 00:08:54,510
You might have to go back and fix things, or change the port, change an address, change

135
00:08:54,510 --> 00:08:59,890
one of the options. Stuff happens like that, and it's just trial and error to figure it out.

136
00:09:00,540 --> 00:09:01,980
That's the beauty of pentesting.

137
00:09:02,520 --> 00:09:08,090
So for this one, hey, it says it found the shell and it looks like it's root, so the root account.

138
00:09:08,100 --> 00:09:14,700
So we have a session open, which means that we have pretty much access to a command line, you know,

139
00:09:14,730 --> 00:09:15,810
on that host.

140
00:09:16,080 --> 00:09:17,400
So let's actually see.

141
00:09:17,400 --> 00:09:22,020
So one way you can confirm that something actually worked is type in whoami.

142
00:09:22,890 --> 00:09:23,220
Enter.

143
00:09:23,340 --> 00:09:23,960
Oh wow.

144
00:09:24,080 --> 00:09:24,450
Root.

145
00:09:25,020 --> 00:09:32,560
So we just gained access to this computer using Metasploit, literally within minutes.

146
00:09:32,610 --> 00:09:33,150
Pretty easy.

147
00:09:33,300 --> 00:09:34,500
And you can do different things.

148
00:09:34,500 --> 00:09:40,080
You know, you do a pwd, print working directory, you figure out where you are. Let's figure out

149
00:09:40,440 --> 00:09:44,460
what's here, like what's, what's in the current location.

150
00:09:44,460 --> 00:09:46,380
You can, since we're root,

151
00:09:46,380 --> 00:09:47,640
we try to do whatever we want.

152
00:09:47,640 --> 00:09:48,390
We can make our stuff.

153
00:09:48,400 --> 00:09:59,760
And now we can do cat /etc/shadow, which is actually the file on Linux that actually holds

154
00:09:59,920 --> 00:10:05,680
the hashes for all the user accounts. So there we go, now we own the hashes, so maybe we could take

155
00:10:05,680 --> 00:10:08,670
some of these hashes and, you know, try to crack them later on.

156
00:10:08,680 --> 00:10:09,830
That's something that we could do.

157
00:10:10,540 --> 00:10:14,400
So as you can see, Metasploit is very powerful and it's very, very quick.

158
00:10:14,560 --> 00:10:20,380
So we were able to exploit FTP in a matter of minutes.

159
00:10:20,440 --> 00:10:21,280
So that's pretty neat.

160
00:10:22,300 --> 00:10:24,340
So now let's go ahead and try another one.

161
00:10:24,790 --> 00:10:30,040
So what we can do now is we can actually, you know, just from here, we can either do back and get

162
00:10:30,040 --> 00:10:32,830
out of this exploit, or you can just stay there.

163
00:10:32,830 --> 00:10:33,790
But it doesn't really matter.

164
00:10:33,820 --> 00:10:40,390
So what we can do is actually, let's see, let's do services again and let's try to get into another

165
00:10:40,390 --> 00:10:40,600
one.

166
00:10:40,610 --> 00:10:41,320
So let's see.

167
00:10:42,280 --> 00:10:42,670
Let's see.

168
00:10:42,670 --> 00:10:45,150
We have the telnet, telnet, right here.

169
00:10:45,160 --> 00:10:46,560
So we know telnet is open.

170
00:10:46,780 --> 00:10:51,120
So we already kind of know a way to exploit it from before, or at least take advantage of it.

171
00:10:51,430 --> 00:10:56,890
So let's try to do something similar, a little bit more direct, I guess we could say, or just show

172
00:10:56,890 --> 00:11:00,400
you how you can do it with Metasploit without having to take those extra steps.

173
00:11:00,700 --> 00:11:05,360
So what we can do is actually just search telnet, and a lot of stuff's probably going to come up.

174
00:11:05,380 --> 00:11:06,970
If you want to actually look through these,

175
00:11:07,930 --> 00:11:10,450
a lot of things come up depending on what you search, sometimes.

176
00:11:10,450 --> 00:11:17,020
So you'll be ready for that, and just make sure that you're looking and reading and making sure that,

177
00:11:17,020 --> 00:11:21,850
you know, you're looking at, you know, each exploit and trying to figure out which one that you actually

178
00:11:21,850 --> 00:11:22,270
want.

179
00:11:23,760 --> 00:11:27,960
I found that the more search terms you put in, the more results that you will get, so that's not

180
00:11:27,960 --> 00:11:28,910
necessarily good.

181
00:11:28,920 --> 00:11:35,040
You want to be specific, but also not, I guess, too specific, because it'll start to search based

182
00:11:35,040 --> 00:11:36,930
on each term and then it gets confusing.

183
00:11:37,680 --> 00:11:43,010
But anyway, so for this one, we are going to look at this one right here.

184
00:11:43,290 --> 00:11:44,880
That's number 12.

185
00:11:45,150 --> 00:11:47,990
So this is the path for us.

186
00:11:47,990 --> 00:11:54,400
So this is auxiliary/scanner/telnet/telnet_version, and that's what we're going to use.

187
00:11:54,630 --> 00:11:57,540
So we're going to do a use 12.

188
00:11:58,050 --> 00:12:03,420
And once again, like I said before, you know, figure out the info, get some information on it to

189
00:12:03,430 --> 00:12:04,260
see what's going on.

190
00:12:04,470 --> 00:12:07,350
So this is telnet service banner detection.

191
00:12:07,530 --> 00:12:11,010
So it's pretty much going to try to figure out what version it's running.

192
00:12:12,270 --> 00:12:18,630
So once again, the options are there, but you can also do the options command and see what you have

193
00:12:18,630 --> 00:12:19,170
to set.

194
00:12:19,470 --> 00:12:24,630
And what's good to know is that when you're setting these options, look at what's under the Required

195
00:12:24,780 --> 00:12:25,260
column.

196
00:12:25,440 --> 00:12:29,180
So some exploits will have a lot more options.

197
00:12:29,220 --> 00:12:31,170
Other ones, like this one, have a lot more than the other one.

198
00:12:31,470 --> 00:12:34,040
Some are required and some aren't required.

199
00:12:34,320 --> 00:12:38,610
So you want to make sure that you look at that and make sure that all the ones that have

200
00:12:38,610 --> 00:12:39,030
yes

201
00:12:39,030 --> 00:12:42,700
under it have something set over here under the Current Setting column.

202
00:12:42,990 --> 00:12:45,120
So this one, we don't have it for RHOSTS.

203
00:12:45,120 --> 00:12:49,730
We're probably going to have to set this every time we go into a new exploit. So once again, we

204
00:12:49,740 --> 00:12:57,690
set RHOSTS: set RHOSTS 192.168.56.104. Bam.

205
00:12:57,870 --> 00:13:03,120
Now we can do options again just to make sure that we're good to go, and make sure that, it doesn't

206
00:13:03,120 --> 00:13:03,910
hurt to confirm.

207
00:13:04,290 --> 00:13:10,740
So then we can do run or exploit depending on how you feel, if you like how it sounds better, but we can

208
00:13:10,740 --> 00:13:17,220
just do run, and hey, it went out to try to connect over that port and pull down the banner, or whatever

209
00:13:17,220 --> 00:13:18,600
it got back from trying to connect.

210
00:13:18,840 --> 00:13:20,990
So what's useful about this one,

211
00:13:21,010 --> 00:13:23,730
now this won't always be the case and probably never will be,

212
00:13:24,330 --> 00:13:30,780
but in this case, it, you know, hey, we were able to successfully connect and then actually

213
00:13:30,780 --> 00:13:31,500
pull down

214
00:13:31,500 --> 00:13:36,450
what happens when you try to connect. This Metasploitable box in particular,

215
00:13:36,810 --> 00:13:44,910
it returns a banner and we see, hey, you can log in with msfadmin/msfadmin.

216
00:13:45,600 --> 00:13:46,500
So that's pretty neat.

217
00:13:46,510 --> 00:13:53,460
So now we'll be able to go through and just do, like, a telnet command and actually be able to, you know,

218
00:13:53,460 --> 00:13:54,090
log in.

219
00:13:54,090 --> 00:13:55,380
But we've already done that before.

220
00:13:55,380 --> 00:14:03,480
We know that it works, but it's definitely useful to, you know, run, like, this particular module or

221
00:14:03,750 --> 00:14:10,950
auxiliary scanner, just to, if you ever find, like, you know, telnet open on a computer, it doesn't

222
00:14:10,950 --> 00:14:14,580
hurt to run this command because you could pull some information like this.

223
00:14:14,580 --> 00:14:15,180
You never know.

224
00:14:15,870 --> 00:14:18,130
Some places have very bad security practices.

225
00:14:18,180 --> 00:14:21,450
So I wouldn't be surprised if you find something like this somewhere.

226
00:14:21,790 --> 00:14:23,480
OK, OK, guys.

227
00:14:23,490 --> 00:14:25,410
So let's try another exploit right now.

228
00:14:25,410 --> 00:14:31,100
So let's see if we can find a way to actually get into the system.

229
00:14:31,290 --> 00:14:37,020
So in this one, we're going to just type in services again and see what services, and you'll see that

230
00:14:37,020 --> 00:14:41,160
it updated, so that, you know, with that information from the banner that we grabbed before.

231
00:14:41,160 --> 00:14:42,870
So Metasploit is very good.

232
00:14:42,870 --> 00:14:44,070
It's very dynamic.

233
00:14:44,310 --> 00:14:47,070
It's always going to be updating as you're doing things.

234
00:14:47,820 --> 00:14:50,130
So it's very, very helpful, very useful.

235
00:14:50,970 --> 00:14:55,680
So this time we want to go for, we're going to try to get into the VNC.

236
00:14:56,070 --> 00:14:58,800
So let's see, protocol 3.3.

237
00:14:59,400 --> 00:15:01,620
So this is the one that we want to look at next.

238
00:15:01,620 --> 00:15:03,540
Just try to see if we can get into this one.

239
00:15:04,330 --> 00:15:08,070
So let's actually do a search vnc and see.

240
00:15:09,090 --> 00:15:10,920
And it came up with a lot of stuff.

241
00:15:12,060 --> 00:15:18,550
So we want to actually look through this and try to see, you know, what you could potentially use.

242
00:15:18,960 --> 00:15:25,170
So one thing that I found is actually pretty useful is actually the vnc_login right here.

243
00:15:25,620 --> 00:15:26,820
So we can go ahead.

244
00:15:27,090 --> 00:15:29,280
And there's a description over here as well.

245
00:15:29,280 --> 00:15:31,050
This is the VNC Authentication Scanner.

246
00:15:31,590 --> 00:15:40,320
So you do use 3, and then we do info and figure out, you know, what the information about this exploit

247
00:15:40,320 --> 00:15:44,850
is, what options are required, what aren't required.

248
00:15:45,060 --> 00:15:46,500
You definitely always want to do that.

249
00:15:46,500 --> 00:15:52,890
So the description says this module will test the server on a range of machines and report on successful

250
00:15:52,890 --> 00:15:53,460
logins.

251
00:15:53,500 --> 00:15:57,380
OK, so this is going to check, hey, can we log in using VNC?

252
00:15:57,540 --> 00:16:04,770
And so what we know from the services, from the services, VNC is on port 5900.

253
00:16:05,130 --> 00:16:07,380
So we know that that's already set here.

254
00:16:07,770 --> 00:16:09,480
So we're good to go on that.

255
00:16:09,900 --> 00:16:13,500
We just need to make sure that we set RHOSTS. I actually already set it before.

256
00:16:13,980 --> 00:16:17,820
So we have our Metasploitable address here.

257
00:16:17,970 --> 00:16:22,710
So we want to make sure that those two are set, and then we should be good to go on everything.

258
00:16:23,450 --> 00:16:33,860
So what we can do is actually we can just type in run, and it says login successful, and this colon

259
00:16:33,860 --> 00:16:40,160
right here and then password is showing that the username was blank and they were able to

260
00:16:40,160 --> 00:16:41,210
log in with password.

261
00:16:41,210 --> 00:16:45,060
And this might be something that you guys will find once in a while, a lot, because a lot of people want

262
00:16:45,060 --> 00:16:49,570
to reset the default password on a lot of things, on a lot of services.

263
00:16:49,730 --> 00:16:51,560
So it's definitely something to look for.

264
00:16:51,590 --> 00:16:58,250
So now that we know that, we can use different commands and actually try to connect, you know, via

265
00:16:58,250 --> 00:17:05,720
VNC. So, and VNC is just kind of a way to have almost like a remote desktop, in like a Linux kind

266
00:17:05,720 --> 00:17:13,130
of way, so we can actually use commands that are actually already installed on the Kali machine to

267
00:17:13,130 --> 00:17:16,100
try to connect, you know, to the machine.

268
00:17:16,340 --> 00:17:26,500
So what we can do is we can type in vncviewer and then 192.168.56.104

269
00:17:26,850 --> 00:17:32,160
and enter, and actually execute it.

270
00:17:32,300 --> 00:17:39,800
So now we've connected with VNC, which is going to be TigerVNC viewer, and now it's asking,

271
00:17:39,800 --> 00:17:42,290
hey, what VNC server do you want to connect to?

272
00:17:42,620 --> 00:17:47,480
We do 192.168.56.104.

273
00:17:48,440 --> 00:17:50,720
And now it's going to ask for a password.

274
00:17:51,020 --> 00:17:56,480
So we know from our Metasploit exploit that the password is password.

275
00:17:57,020 --> 00:18:05,990
So password, enter, and bam, now we have a desktop on the Metasploitable machine.

276
00:18:06,000 --> 00:18:06,920
So it's pretty neat.

277
00:18:06,920 --> 00:18:08,000
It's pretty useful.

278
00:18:08,690 --> 00:18:09,500
Pretty quick.

279
00:18:10,250 --> 00:18:12,950
You can play around with this and do anything.

280
00:18:12,950 --> 00:18:19,250
Just like before, when we had the root shell from the FTP exploit, we pretty much had access to this

281
00:18:19,250 --> 00:18:19,730
machine.

282
00:18:20,330 --> 00:18:24,130
So that's pretty useful and pretty cool, and very, very quick.

283
00:18:24,130 --> 00:18:30,640
So I hope you start to see how useful and how quick things are when using Metasploit, and

284
00:18:30,640 --> 00:18:36,470
it allows you to really dig in and be able to get all the information that you need and actually be

285
00:18:36,470 --> 00:18:40,850
able to find your exploits pretty easily and run them pretty quickly.

286
00:18:41,060 --> 00:18:44,330
OK, guys, so we're back at the Metasploit menu.

287
00:18:44,330 --> 00:18:49,400
So what we can do is type in services just to see what's going on, and let's try to check out something

288
00:18:49,400 --> 00:18:49,640
else.

289
00:18:49,640 --> 00:18:51,650
So I see MySQL here.

290
00:18:51,920 --> 00:18:54,380
So we know MySQL is used for databases.

291
00:18:54,560 --> 00:19:00,230
So maybe we can get into the MySQL database, maybe we can find some sensitive information.

292
00:19:00,980 --> 00:19:02,990
So let's actually go in and try that.

293
00:19:03,020 --> 00:19:08,050
So what we can do is search mysql and see what comes up.

294
00:19:08,180 --> 00:19:10,760
So there's 32 things, 32 things that came up.

295
00:19:10,760 --> 00:19:11,560
So that's not too bad.

296
00:19:11,570 --> 00:19:18,410
So we just go to the top and start looking through, and you can try a bunch of these different things,

297
00:19:18,410 --> 00:19:24,050
you know, especially like the auxiliary ones, because those are just for confirming and finding information

298
00:19:24,260 --> 00:19:26,400
and then they can actually get you in there.

299
00:19:26,840 --> 00:19:31,280
So what we're going to look for is the mysql_login.

300
00:19:31,280 --> 00:19:33,500
So, which is right here.

301
00:19:33,500 --> 00:19:34,610
So it's number ten.

302
00:19:35,570 --> 00:19:39,860
So use 10, and then there we go.

303
00:19:39,860 --> 00:19:45,590
We have the mysql_login module loaded, so we can just type in info, get some information about

304
00:19:45,590 --> 00:19:45,770
it.

305
00:19:45,950 --> 00:19:51,950
So this module simply queries the MySQL instance for a specific user and pass.

306
00:19:52,190 --> 00:19:59,930
So the default is going to be a sort of default username that's on here. If you don't say anything specifically,

307
00:19:59,930 --> 00:20:03,200
it's going to be just root, and then the password is going to be blank.

308
00:20:03,470 --> 00:20:09,650
So if you want to, as you can see from these options, you can set up a password file.

309
00:20:09,890 --> 00:20:12,710
So you would just do, like, if you wanted to do this,

310
00:20:13,490 --> 00:20:26,940
set USERPASS_FILE, user pass is a pass file, and then you can just point it to the directory

311
00:20:26,960 --> 00:20:32,600
where you have a password file set up, and you can also do a user file.

312
00:20:32,600 --> 00:20:41,000
So USER_FILE, and, like, link it to a directory where you have a list of usernames in a text file

313
00:20:41,000 --> 00:20:41,480
or something.

314
00:20:42,020 --> 00:20:44,420
So that's an option that you can do. Right now

315
00:20:44,420 --> 00:20:49,940
we're just going to keep it how it is right now and see if we can get into MySQL, you know, using

316
00:20:50,150 --> 00:20:54,980
what the default credentials are, because more often than not, you might actually find that once in a

317
00:20:54,980 --> 00:20:55,340
while.

318
00:20:55,490 --> 00:21:01,640
But know that you can also, you know, if you want to set the username, you know, to, I don't know,

319
00:21:02,000 --> 00:21:05,120
something else, say, you can do that.

320
00:21:06,140 --> 00:21:08,750
So that's an option.

321
00:21:08,750 --> 00:21:12,980
And then you can always check what it was set to. There you go.

322
00:21:12,990 --> 00:21:15,850
So what we're going to do actually, we're just going to keep it as root.

323
00:21:15,860 --> 00:21:20,540
And then I believe that everything else is set that needs to be set.

324
00:21:21,050 --> 00:21:22,630
So what we can do is

325
00:21:22,720 --> 00:21:32,880
actually run this exploit. So just type in run, and so it found MySQL version 5.0, and we

326
00:21:32,880 --> 00:21:35,820
have a successful login from root, and then a colon right there.

327
00:21:35,820 --> 00:21:37,250
So there's a blank password.

328
00:21:37,800 --> 00:21:45,010
So now we know that over port 3306, we can connect to MySQL with the root account.

329
00:21:45,390 --> 00:21:53,490
So now knowing that information, what we can do is actually type in mysql and actually connect to the

330
00:21:53,490 --> 00:21:53,730
DB.

331
00:21:53,940 --> 00:22:00,480
So the way that you can connect to a MySQL database is mysql -u, then the user.

332
00:22:00,630 --> 00:22:07,130
So in this case, root, and -h, then put the, this is going to be the IP address of the target.

333
00:22:07,350 --> 00:22:13,530
So this will be 192.168.56.104.

334
00:22:14,010 --> 00:22:20,160
And then after that we could just hit enter and, hey, we just got access to the MySQL DB.

335
00:22:20,200 --> 00:22:21,000
So that's pretty neat.

336
00:22:21,330 --> 00:22:27,630
So just to quickly show you guys a little bit, in case you don't know any MySQL, I know a little bit,

337
00:22:27,630 --> 00:22:31,560
just for, you know, just to be able to use it in the field very quickly to get information.

338
00:22:31,830 --> 00:22:37,140
So what you can do is, like, a show databases command, and make sure you always have a semicolon after

339
00:22:37,230 --> 00:22:43,440
everything. For MySQL it's part of the syntax. So you hit enter and it's going to show you the different

340
00:22:43,440 --> 00:22:44,160
databases.

341
00:22:44,370 --> 00:22:48,390
So what we can do is actually select one of these databases.

342
00:22:48,840 --> 00:23:01,650
So if we want to, for example, use owasp10, this will actually select the owasp10 database, so we can

343
00:23:01,650 --> 00:23:01,950
do that.

344
00:23:02,520 --> 00:23:04,620
And then now, hey, we changed our database.

345
00:23:04,650 --> 00:23:12,990
So what we can do now is actually look at the tables inside of the database, so we can do show tables and

346
00:23:12,990 --> 00:23:14,790
then that's a semicolon.

347
00:23:15,450 --> 00:23:19,100
And then now it's shown, it's, hey, these are the tables inside of this database.

348
00:23:19,110 --> 00:23:21,180
So now this is where the fun part comes.

349
00:23:21,180 --> 00:23:22,940
We can select information from it.

350
00:23:23,220 --> 00:23:26,810
So, uh, I like the credit cards one.

351
00:23:26,820 --> 00:23:29,240
So I want to go buy something on Amazon.

352
00:23:29,250 --> 00:23:33,990
So select * from credit_cards.

353
00:23:34,380 --> 00:23:36,270
So just briefly going over it,

354
00:23:36,540 --> 00:23:38,220
this is going to select

355
00:23:39,550 --> 00:23:48,250
everything. This star means everything from the credit cards table, so we're selecting everything from

356
00:23:48,250 --> 00:23:49,390
this credit cards table.

357
00:23:49,420 --> 00:23:53,410
So now let's see what it's actually going to give us.

358
00:23:54,190 --> 00:23:57,250
And hey, oh, we got some credit card numbers.

359
00:23:57,250 --> 00:23:58,090
Nice.

360
00:23:58,360 --> 00:24:02,610
So we have the credit card number, the CCV, and the expiration date.

361
00:24:03,550 --> 00:24:06,100
This is pretty much everything we need to go buy something. So that happens.

362
00:24:06,100 --> 00:24:06,910
Now, if you want to see this,

363
00:24:07,080 --> 00:24:07,810
that's pretty neat.

364
00:24:07,960 --> 00:24:15,410
So you can look into it more in depth as you all come in and practice a little bit.

365
00:24:15,860 --> 00:24:19,960
Definitely get used to it, because if you're going to be an ethical hacker, you know, these kinds of

366
00:24:19,960 --> 00:24:21,310
skills are going to be pretty useful.

367
00:24:22,030 --> 00:24:26,440
So I recommend that you guys kind of look into that, and yeah, you're going to be on your way to becoming

368
00:24:26,440 --> 00:24:26,820
a pro.