1 00:00:00,240 --> 00:00:05,240 All right, let's take a look at making this shell interactive for us.
2 00:00:05,340 --> 00:00:08,130 So we're going to run the same situation here.
3 00:00:08,130 --> 00:00:10,920 I'm just going to tab up because I already have it saved.
4 00:00:11,250 --> 00:00:13,740 So let's put up Responder again.
5 00:00:13,770 --> 00:00:14,940 If you're just catching up,
6 00:00:15,000 --> 00:00:16,550 we have HTTP off.
7 00:00:16,560 --> 00:00:20,760 We have SMB off and we've got Responder listening.
8 00:00:20,760 --> 00:00:26,250 Let's go ahead and load up ntlmrelayx, and the only thing that I'm going to do here a little bit
9 00:00:26,250 --> 00:00:33,030 differently is at the end I'm putting in a dash i. Now, dash i stands for interactive, and we're going
10 00:00:33,030 --> 00:00:35,400 to try to get an interactive shell here.
11 00:00:35,430 --> 00:00:36,990 Let's take a look at what this looks like.
12 00:00:37,070 --> 00:00:38,510 So go ahead and enter.
13 00:00:38,550 --> 00:00:43,890 This is just going to sit around and wait, and we're going to trigger that event again.
14 00:00:43,920 --> 00:00:45,060 So let's go ahead and do that.
15 00:00:45,090 --> 00:00:46,020 I'm going to log in,
16 00:00:49,470 --> 00:00:52,670 triggered this event one more time.
17 00:00:52,730 --> 00:00:56,110 Let's see what happens over here. OK.
18 00:00:56,130 --> 00:00:58,070 So you could see it says received the connection.
19 00:00:58,080 --> 00:01:06,710 It succeeded, and then it says it created an SMB client shell on 127.0.0.1 11000.
20 00:01:06,740 --> 00:01:09,350 So yours should say something very similar to that.
21 00:01:09,410 --> 00:01:17,850 Go ahead and open up a new tab and just say something along the lines of netcat 127.0.0.1 11000,
22 00:01:17,970 --> 00:01:28,840 and then it says type help for a list of commands. Let's say help. Now we are in an SMB shell,
23 00:01:28,870 --> 00:01:33,100 essentially, and we can do quite a bit of things here. We're in a file share.
24 00:01:33,730 --> 00:01:35,350 So what can we do?
25 00:01:35,350 --> 00:01:38,910 Well, we can look at the shares.
26 00:01:39,010 --> 00:01:41,110 We can use a certain share.
27 00:01:41,230 --> 00:01:49,900 We can change the password of our current user, and we can look at making directories or moving directories
28 00:01:49,900 --> 00:01:56,320 or removing files. We can put new files, get new files. We can create a mount point. There's a lot of
29 00:01:56,320 --> 00:01:57,430 different things we can do.
30 00:01:57,490 --> 00:01:58,730 OK.
31 00:01:58,840 --> 00:02:00,780 And so let's take a look at this.
32 00:02:00,790 --> 00:02:09,670 So let's just say shares, and we've got the C drive, admin, IPC, and we got that share folder that we created.
33 00:02:09,670 --> 00:02:18,910 So let's go ahead and just do something like use C dollar sign, OK, and let's go ahead and just say ls.
34 00:02:19,210 --> 00:02:27,460 Now look, we've got access to the C drive here. If we wanted to use the admin, which we could get
35 00:02:27,460 --> 00:02:35,240 to this other way, we just say use admin, hit Enter, ls, and look, now we're in the admin, so we're in System32
36 00:02:35,360 --> 00:02:42,340 here on a Windows machine, and we just have full control of this computer. We can add files, get files.
37 00:02:43,000 --> 00:02:44,770 We have a lot of control here.
38 00:02:44,920 --> 00:02:49,270 So there are other things that we can do as well that we're not going to cover, but I do encourage you to
39 00:02:49,270 --> 00:02:50,560 explore.
40 00:02:50,590 --> 00:02:59,410 So I'm going to Control-C this. A couple of things to point out: we can say something like dash e for execute,
41 00:02:59,500 --> 00:03:05,620 and then we could set up a Meterpreter listener, like test.exe. We can use msfvenom to create
42 00:03:05,620 --> 00:03:12,220 a payload, and then we can set up a Meterpreter listener and go get a shell in Metasploit with multi
43 00:03:12,220 --> 00:03:18,700 handler. We could do a dash c for command, so that this executes some specific command when we run the
44 00:03:18,700 --> 00:03:26,470 machine. It could be something as simple as whoami to a complex PowerShell reverse shell or something
45 00:03:26,470 --> 00:03:30,610 along those lines that can talk back to us as well and get a shell with that.
46 00:03:30,610 --> 00:03:37,190 So the interactive shell is not the only way to do things, but it's another way to do things.
47 00:03:37,210 --> 00:03:40,630 So we just want to improve upon everything that we get.
48 00:03:40,630 --> 00:03:44,770 So again, we have those hashes. We're going to figure out what we can do with those hashes later.
49 00:03:44,770 --> 00:03:49,750 So again, make sure you have those saved. Once we get to the post-compromise attack section,
50 00:03:49,840 --> 00:03:52,590 we're going to abuse those frequently.
51 00:03:52,600 --> 00:03:54,910 So for now, that's it.
52 00:03:54,940 --> 00:03:59,140 Let's go ahead and talk in the next video about defenses, and then we'll talk a little bit about gaining
53 00:03:59,140 --> 00:04:04,240 shells and some other attack vectors before we get into post-compromise enumeration.
54 00:04:04,270 --> 00:04:06,070 So I will catch you over in the next video.