1
00:00:03,090 --> 00:00:09,420
Now that we have an active Materne Twitter session, that's the Metis Boyte interpreter session, we're

2
00:00:09,420 --> 00:00:14,580
going to see how we can use Materne operator to gather information about the machine that is phoned

3
00:00:14,580 --> 00:00:18,150
home or called into our Caleigh Linux computer.

4
00:00:18,480 --> 00:00:20,280
So we know that we sent this out.

5
00:00:20,310 --> 00:00:25,890
Maybe you sent it to a person working at the organization that you're doing a security test for.

6
00:00:26,280 --> 00:00:31,440
And you said, hey, but check out this invoice and make sure that this is the right thing or make sure

7
00:00:31,440 --> 00:00:33,990
that this is the right file or run this update.

8
00:00:34,530 --> 00:00:36,360
We've seen a security problem with your computer.

9
00:00:36,990 --> 00:00:41,030
What we can do with maturer once that machine phones home is we can.

10
00:00:41,130 --> 00:00:43,230
Well, we saw in the last lesson, we can run help.

11
00:00:45,450 --> 00:00:52,800
To see a listing of commands inside Materne Twitter so we can see that there are commands here to control

12
00:00:52,890 --> 00:01:00,420
the Web cam, we can see things like key Skåne, key start, key stop, so we can actually do a key

13
00:01:00,420 --> 00:01:07,170
scan dump of all of the characters that a user who's infected their computer with a virus is typing.

14
00:01:07,530 --> 00:01:09,860
So that means their Amazon password.

15
00:01:09,870 --> 00:01:15,630
That means their corporate password, the email password, just about anything they ever type on a keyboard

16
00:01:15,630 --> 00:01:16,500
we can capture.

17
00:01:16,800 --> 00:01:18,390
We can see a screen share.

18
00:01:18,390 --> 00:01:21,120
We can view the remote desktop.

19
00:01:21,150 --> 00:01:22,610
We can take a screen shot.

20
00:01:22,980 --> 00:01:25,680
We can change the current desktop.

21
00:01:26,010 --> 00:01:27,750
We can do lots of different things.

22
00:01:27,750 --> 00:01:36,030
We can run a lot of different commands, just like if we had a direct access to that remote computer.

23
00:01:36,600 --> 00:01:39,390
So what we want to do is show you just a couple of quick commands.

24
00:01:39,750 --> 00:01:42,090
So if we look down through this list.

25
00:01:43,480 --> 00:01:49,030
We see that we've got a lot of the same commands that we would run on our Caleigh Linux box or on a

26
00:01:49,030 --> 00:01:50,520
Windows machine, we can do an L.

27
00:01:50,530 --> 00:01:54,880
S to list files, dear directory to list files on the Windows machine.

28
00:01:55,390 --> 00:02:00,700
We can see specific information about the machine itself.

29
00:02:00,730 --> 00:02:03,100
So if we scroll down just a little bit.

30
00:02:04,740 --> 00:02:10,470
We'll come down to system commands and we can see that we've got some commands like.

31
00:02:12,630 --> 00:02:13,650
CIS info.

32
00:02:13,980 --> 00:02:19,890
So if you want to gather some information about the machine that is called in using the typewriter,

33
00:02:20,190 --> 00:02:22,500
the CIS info commands a good first place to start.

34
00:02:22,800 --> 00:02:24,210
So we just type start typing.

35
00:02:24,240 --> 00:02:24,810
S y.

36
00:02:24,900 --> 00:02:26,660
S i n f o.

37
00:02:27,930 --> 00:02:35,970
It will give us some information about the Windows 10 and message went in Windows 10 64 bit machine

38
00:02:36,390 --> 00:02:37,560
that we infected.

39
00:02:37,740 --> 00:02:40,080
That's our other virtual machine, our Windows VM.

40
00:02:40,470 --> 00:02:46,230
We can actually see information about the build number so we know what operating system is running on

41
00:02:46,230 --> 00:02:46,320
it.

42
00:02:46,680 --> 00:02:51,760
We know the build and we can even find out where the user ran the file from.

43
00:02:51,780 --> 00:02:55,560
P WD is the print working directory.

44
00:02:55,980 --> 00:02:58,620
They ran it from their downloads folder.

45
00:02:58,980 --> 00:03:04,980
Well, that's where we downloaded the file onto our computer DRM Windows Virtual Machine.

46
00:03:05,790 --> 00:03:09,950
So this this virus is running right now inside downloads.

47
00:03:10,290 --> 00:03:13,650
It's running on the message Win Tin named computer.

48
00:03:14,060 --> 00:03:16,050
And we can see lots of information about that.

49
00:03:17,430 --> 00:03:21,520
And we've already run the help command so that we can see everything that we're gonna be able to do

50
00:03:21,520 --> 00:03:22,660
for the rest of this section.

51
00:03:22,990 --> 00:03:28,300
And honestly, you could spend hours just going through interpreter and the many tools that it allows

52
00:03:28,300 --> 00:03:33,460
you to launch when you're hacking a Windows tin box or checking the security of a network with Windows

53
00:03:33,460 --> 00:03:34,330
10 computers on it.

54
00:03:34,780 --> 00:03:37,480
But let me show you one other really important piece.

55
00:03:37,630 --> 00:03:39,580
Sometimes you'll have more than one computer.

56
00:03:39,580 --> 00:03:45,460
In fact, you could send this virus to hundreds or even thousands of computers on the same network that

57
00:03:45,460 --> 00:03:47,050
can access your IP address.

58
00:03:47,470 --> 00:03:48,460
And you can take.

59
00:03:48,580 --> 00:03:50,800
You can actually work in multiple sessions.

60
00:03:51,190 --> 00:03:57,550
So we saw earlier that when the Windows 10 computer ran the virus, it created a mature Sprouter session.

61
00:03:58,000 --> 00:04:01,870
That is a connection to this Caleigh Linux box.

62
00:04:02,170 --> 00:04:06,330
So if I say background, there we go.

63
00:04:06,340 --> 00:04:08,260
You can see it's backgrounding session one.

64
00:04:08,610 --> 00:04:11,560
So I'll control L just for a moment to get it back to the top of the screen.

65
00:04:12,040 --> 00:04:19,000
I can always check to see how many infected computers are connect to Demy O'Kelley Linux box with sessions

66
00:04:19,720 --> 00:04:21,070
the concessions command.

67
00:04:21,460 --> 00:04:23,500
Now we can see we've only got one open connection.

68
00:04:23,500 --> 00:04:28,570
It's going out to Tendo at nine dot nine, our Windows Virtual Machine.

69
00:04:28,900 --> 00:04:34,920
And I can interact or I that session start by saying Sessions Dasch.

70
00:04:34,930 --> 00:04:36,180
I won.

71
00:04:37,270 --> 00:04:42,280
So if you ever need to get back out to your regular meds play framework, not the materne fritter shell.

72
00:04:42,280 --> 00:04:48,520
Remember, Materne critter is running on the Windows computer, the infected windows machine meds boit

73
00:04:48,580 --> 00:04:51,010
as our framework we can load all kinds of other exploits.

74
00:04:51,010 --> 00:04:56,440
We may even want to run a second exploit after we get into the Windows computer.

75
00:04:56,440 --> 00:05:02,710
We might want to establish something called persistance, where we try to avoid being deleted by Windows

76
00:05:02,710 --> 00:05:03,220
Defender.

77
00:05:03,490 --> 00:05:08,140
We're going to see how to do that one in the next lesson and we're going to upload a copy into another

78
00:05:08,140 --> 00:05:08,590
folder.

79
00:05:08,980 --> 00:05:15,210
So of four right now, you've got the ability to look at multiple sessions and then to interact Sessions'

80
00:05:15,220 --> 00:05:17,390
Dash I with a certain session.

81
00:05:17,400 --> 00:05:20,980
Number one, in our case, we've seen how to run the systems info.

82
00:05:20,980 --> 00:05:23,590
We can run the help command and more sharper to find other commands.

83
00:05:23,950 --> 00:05:31,570
And we know that we're running from the print working directory of C users, i.e. user downloads.

84
00:05:31,900 --> 00:05:37,540
When we come back in the next lesson, we're going to see how to view, how to download and how to upload

85
00:05:37,540 --> 00:05:40,750
files on a compromised Windows 10 computer.

86
00:05:40,990 --> 00:05:42,040
We'll see in the next lesson.