1
00:00:03,090 --> 00:00:09,420
Now that we have an active Meterpreter session, that's the Metasploit interpreter session, we're

2
00:00:09,420 --> 00:00:14,580
going to see how we can use Meterpreter to gather information about the machine that has phoned

3
00:00:14,580 --> 00:00:18,150
home or called into our Kali Linux computer.

4
00:00:18,480 --> 00:00:20,280
So we know that we sent this out.

5
00:00:20,310 --> 00:00:25,890
Maybe you sent it to a person working at the organization that you're doing a security test for.

6
00:00:26,280 --> 00:00:31,440
And you said, hey, check out this invoice and make sure that this is the right thing, or make sure

7
00:00:31,440 --> 00:00:33,990
that this is the right file, or run this update.

8
00:00:34,530 --> 00:00:36,360
We've seen a security problem with your computer.

9
00:00:36,990 --> 00:00:41,030
What we can do with Meterpreter once that machine phones home is we can.

10
00:00:41,130 --> 00:00:43,230
Well, we saw in the last lesson, we can run help.

11
00:00:45,450 --> 00:00:52,800
To see a listing of commands inside Meterpreter, so we can see that there are commands here to control

12
00:00:52,890 --> 00:01:00,420
the webcam, we can see things like keyscan, keyscan_start, keyscan_stop, so we can actually do a

13
00:01:00,420 --> 00:01:07,170
keyscan_dump of all of the characters that a user who's infected their computer with a virus is typing.

14
00:01:07,530 --> 00:01:09,860
So that means their Amazon password.

15
00:01:09,870 --> 00:01:15,630
That means their corporate password, their email password, just about anything they ever type on a keyboard

16
00:01:15,630 --> 00:01:16,500
we can capture.

17
00:01:16,800 --> 00:01:18,390
We can see a screen share.

18
00:01:18,390 --> 00:01:21,120
We can view the remote desktop.

19
00:01:21,150 --> 00:01:22,610
We can take a screenshot.

20
00:01:22,980 --> 00:01:25,680
We can change the current desktop.

21
00:01:26,010 --> 00:01:27,750
We can do lots of different things.

22
00:01:27,750 --> 00:01:36,030
We can run a lot of different commands, just like if we had direct access to that remote computer.

23
00:01:36,600 --> 00:01:39,390
So what we want to do is show you just a couple of quick commands.

24
00:01:39,750 --> 00:01:42,090
So if we look down through this list.

25
00:01:43,480 --> 00:01:49,030
We see that we've got a lot of the same commands that we would run on our Kali Linux box or on a

26
00:01:49,030 --> 00:01:50,520
Windows machine, we can do an l

27
00:01:50,530 --> 00:01:54,880
s (ls) to list files, dir (directory) to list files on the Windows machine.

28
00:01:55,390 --> 00:02:00,700
We can see specific information about the machine itself.

29
00:02:00,730 --> 00:02:03,100
So if we scroll down just a little bit.

30
00:02:04,740 --> 00:02:10,470
We'll come down to system commands and we can see that we've got some commands like.

31
00:02:12,630 --> 00:02:13,650
sysinfo.

32
00:02:13,980 --> 00:02:19,890
So if you want to gather some information about the machine that has called in using Meterpreter,

33
00:02:20,190 --> 00:02:22,500
the sysinfo command is a good first place to start.

34
00:02:22,800 --> 00:02:24,210
So we just start typing.

35
00:02:24,240 --> 00:02:24,810
s y

36
00:02:24,900 --> 00:02:26,660
s i n f o.

37
00:02:27,930 --> 00:02:35,970
It will give us some information about the Windows 10 machine, MSEDGEWIN10, a Windows 10 64-bit machine

38
00:02:36,390 --> 00:02:37,560
that we infected.

39
00:02:37,740 --> 00:02:40,080
That's our other virtual machine, our Windows VM.

40
00:02:40,470 --> 00:02:46,230
We can actually see information about the build number, so we know what operating system is running on

41
00:02:46,230 --> 00:02:46,320
it.

42
00:02:46,680 --> 00:02:51,760
We know the build and we can even find out where the user ran the file from.

43
00:02:51,780 --> 00:02:55,560
pwd is print working directory.

44
00:02:55,980 --> 00:02:58,620
They ran it from their Downloads folder.

45
00:02:58,980 --> 00:03:04,980
Well, that's where we downloaded the file onto our Windows virtual machine.

46
00:03:05,790 --> 00:03:09,950
So this virus is running right now inside Downloads.

47
00:03:10,290 --> 00:03:13,650
It's running on the computer named MSEDGEWIN10.

48
00:03:14,060 --> 00:03:16,050
And we can see lots of information about that.

49
00:03:17,430 --> 00:03:21,520
And we've already run the help command so that we can see everything that we're going to be able to do

50
00:03:21,520 --> 00:03:22,660
for the rest of this section.

51
00:03:22,990 --> 00:03:28,300
And honestly, you could spend hours just going through Meterpreter and the many tools that it allows

52
00:03:28,300 --> 00:03:33,460
you to launch when you're hacking a Windows 10 box or checking the security of a network with Windows

53
00:03:33,460 --> 00:03:34,330
10 computers on it.

54
00:03:34,780 --> 00:03:37,480
But let me show you one other really important piece.

55
00:03:37,630 --> 00:03:39,580
Sometimes you'll have more than one computer.

56
00:03:39,580 --> 00:03:45,460
In fact, you could send this virus to hundreds or even thousands of computers on the same network that

57
00:03:45,460 --> 00:03:47,050
can access your IP address.

58
00:03:47,470 --> 00:03:48,460
And you can take.

59
00:03:48,580 --> 00:03:50,800
You can actually work in multiple sessions.

60
00:03:51,190 --> 00:03:57,550
So we saw earlier that when the Windows 10 computer ran the virus, it created a Meterpreter session.

61
00:03:58,000 --> 00:04:01,870
That is a connection to this Kali Linux box.

62
00:04:02,170 --> 00:04:06,330
So if I say background, there we go.

63
00:04:06,340 --> 00:04:08,260
You can see it's backgrounding session one.

64
00:04:08,610 --> 00:04:11,560
So I'll Ctrl+L just for a moment to get it back to the top of the screen.

65
00:04:12,040 --> 00:04:19,000
I can always check to see how many infected computers are connected to my Kali Linux box with sessions,

66
00:04:19,720 --> 00:04:21,070
the sessions command.

67
00:04:21,460 --> 00:04:23,500
Now we can see we've only got one open connection.

68
00:04:23,500 --> 00:04:28,570
It's going out to ten dot nine dot nine, our Windows virtual machine.

69
00:04:28,900 --> 00:04:34,920
And I can interact with that session by saying sessions -i

70
00:04:34,930 --> 00:04:36,180
1 (sessions -i 1).

71
00:04:37,270 --> 00:04:42,280
So if you ever need to get back out to your regular Metasploit Framework, not the Meterpreter shell.

72
00:04:42,280 --> 00:04:48,520
Remember, Meterpreter is running on the Windows computer, the infected Windows machine; Metasploit

73
00:04:48,580 --> 00:04:51,010
is our framework where we can load all kinds of other exploits.

74
00:04:51,010 --> 00:04:56,440
We may even want to run a second exploit after we get into the Windows computer.

75
00:04:56,440 --> 00:05:02,710
We might want to establish something called persistence, where we try to avoid being deleted by Windows

76
00:05:02,710 --> 00:05:03,220
Defender.

77
00:05:03,490 --> 00:05:08,140
We're going to see how to do that one in the next lesson, and we're going to upload a copy into another

78
00:05:08,140 --> 00:05:08,590
folder.

79
00:05:08,980 --> 00:05:15,210
So for right now, you've got the ability to look at multiple sessions and then to interact, sessions

80
00:05:15,220 --> 00:05:17,390
-i, with a certain session.

81
00:05:17,400 --> 00:05:20,980
Number one, in our case. We've seen how to run sysinfo.

82
00:05:20,980 --> 00:05:23,590
We can run the help command to find other commands.

83
00:05:23,950 --> 00:05:31,570
And we know that we're running from the print working directory of C:\Users\IEUser\Downloads.

84
00:05:31,900 --> 00:05:37,540
When we come back in the next lesson, we're going to see how to view, how to download and how to upload

85
00:05:37,540 --> 00:05:40,750
files on a compromised Windows 10 computer.

86
00:05:40,990 --> 00:05:42,040
We'll see you in the next lesson.