Time: 14 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 10 of the course, Metasploit Basics. My name is Alejandro Guinea, and I'll be the instructor for today's session.
00:11
The learning objectives are to understand the basic Metasploit functionalities and options, and to use Metasploit to implement hacking and information-gathering techniques.
00:21
Okay, let's get down to business.
00:24
Well, first of all, you can simply start Metasploit by using the command msfconsole.
00:34
By the way, you can also use the graphical user interface for Metasploit, which is not Metasploit itself; it is something called Armitage. It's amazing. I mean, I really like it. But again, um, I stick with the
00:52
terminal version of it,
00:54
or the non-graphical version of Metasploit, because again, as your penetration testing career goes on, you will realize that you end up using the terminal most of the time. But, you know, there's also Armitage. If you're a graphical-user-interface guy, Armitage has a great, you know,
01:14
user interface in itself,
01:15
and it's quite easy to use, and it has something called Hail Mary, which is kind of a joke, but it's true: you can launch
01:26
any exploit available against your server. I mean, if you are done with the server and you cannot find a way in, this Hail Mary option will throw anything at the server. Again, you can imagine it is really noisy, and it can affect performance. But then again,
01:44
you can also use it. Well, uh, for example, let me start by showing you the basic stuff of Metasploit. For example, you can simply search for portscan: search
01:56
for scan, and, you know, it will show you several modules. These are called modules, by the way, and you can actually use them. So let me just use, uh, the portscan SYN
02:08
module.
02:10
And you have to type.
02:13
I'm a lazy guy, so I just copy and paste that stuff. Use means the command use, then a space and the module, and then you can, you know, show options.
02:24
And it will tell you, it lists the options and which are mandatory to set and which are not. Uh, then again, remote host is the only one that is missing that is mandatory. So we can set that. So we set the remote host, and we actually have two little machines. Machines are waiting for the scan.
02:44
So
02:45
let me just copy and paste the IP from one of them. And by the way, you can also use, uh,
02:53
this is kind of an option that is the same as nmap,
02:58
you know? You know, you can actually use db_nmap. We'll see that later in the course, but you can just give it nmap, so all the results are saved in the Metasploit database. But let me just use that one. Ah, set the remote host: set RHOSTS,
03:15
and we can just type the IP
03:19
of our machine. As I said, you know, again, lazy guy.
03:23
Don't judge me. Oh, I didn't actually copy that.
03:27
Oh, I will have to type it, then.
03:30
Okay. I set the remote host, and to actually run it, I just have to type the word, or the command, run or execute. You know, again, lazy guy, judge me. Just wait for the results. You know,
03:50
you can actually run nmap from the msfconsole.
03:54
That's one thing that is really cool. I mean, you can actually run several other commands while you're in the msfconsole terminal. Let me just wait for this to end and give you some other pointers
04:12
while it ends. For example, you can also use a command called db_nmap, I just told you,
04:17
and what this does is it runs an nmap scan, nmap-like, and the point is that all of that is saved
04:29
in the Metasploit database, so you can later use it for other purposes. But we'll get into more detail later in the course when we're actually using, ah, vulnerability scanners. Uh, that's it for now. You can actually,
04:46
you can actually search for modules and, you know,
04:49
um, use them to perform whatever task, um,
04:56
you want. Let me just stop this right here. You can, you know, see that the port is up, and you will be seeing more results later. But, you know, just to show you: use auxiliary, which is the auxiliary module, and if I double-tab that,
05:15
yeah, we have several possibilities. Let me just display, yeah, we actually want that, and you can see several modules. And maybe you're actually looking for HTTP. So you can, you know, I'm sorry,
05:30
uh, use auxiliary/admin/http, and, you know, it contains more
05:36
modules.
05:39
Or some specific module you can use. Ah, for example, admin SMB. You know, for the server that I was just scanning, the SMB port, maybe open port 139, 135, and
05:56
and 445, 139, sorry, and 445. Listen to me
06:02
saying nonsense. You can actually search for specific modules for this. Let me just show you here. For example, you can search: use auxiliary/admin/smb, and it will display a lot of modules
06:23
you can use.
06:24
Maybe you're looking for a specific, um,
06:27
vulnerability. But yeah, you know, if you're actually just looking to, you know,
06:33
test a specific vulnerability, you can actually do that. So, for example, maybe we're actually looking for the well-known, uh,
06:43
EternalBlue or EternalRomance exploits, so we can use that one: ms
06:50
17
06:51
and we're here. So, show options.
06:56
Or you can even type show targets right away.
07:00
Oh, sorry.
07:02
Oh, it doesn't. It's not working here. Yeah, you can actually show targets. Uh oh, because I'm using, ah, an auxiliary. But when you're actually using an exploit, we'll see that later in the video, you actually type show targets. Uh, for now, let me just set the,
07:23
show options again,
07:24
and it's asking me to set the remote host. Now, the remote port is 445.
07:30
Makes sense, right? And we can just set
07:34
the host.
07:36
Oh, sorry.
07:39
Oh, come on. RHOSTS, and type the IP of our Windows server. In this case it is
07:46
Look at that, I'm not that lazy after all. Uh, again, show options, just to be sure.
07:53
Again, we don't want to launch this against, uh, I'm sorry, a server we don't own, or that we're not meant to have permissions to run this against.
08:01
Um,
08:03
I will just hit run,
08:05
and there it is, the result is that it's vulnerable. You can see that it's actually vulnerable to this vulnerability, by the way. So, yeah, you can
08:16
use this facility to actually test that.
08:20
Uh, you know, as simple as that. We'll see how to use Metasploit as a kind of vulnerability scanner, but that's not the main point of this tool; its point is actually to exploit vulnerabilities. But you just have to know that the vulnerabilities are there.
08:35
Or maybe, you know, you can, again, we'll see that later in the course, and see how to use Metasploit
08:41
as a kind of vulnerability scanner. But at this point, ah, we already know, or we knew already, that, um,
08:50
we had a Windows machine, and the Windows machine is a really old Windows machine that is actually vulnerable to this, um, um, um,
09:03
vulnerability in Windows, which is, you know, EternalRomance or EternalBlue. So we just want to show you how easy it is to exploit that. Let me just use this module. So I will just go to this: use
09:16
I'm sorry.
09:18
Oh, yeah.
09:18
Windows.
09:20
It's not working.
09:24
Let me just copy paste this here.
09:26
Cool.
09:28
use exploit/
09:31
windows/
09:31
Oh,
09:33
smb, as in... Obie?
09:35
Um, ms.
09:39
Okay, psexec. For example, I was just showing you how many modules there are for this vulnerability. You can use just any of them, but I will just use psexec:
09:50
show options. And if I say show targets, it should work here. Okay, that's it. But, you know, show options,
09:58
um, again, I just have to enter the remote host,
10:01
And that should be it.
10:03
So, set RHOST,
10:07
the IP.
10:11
And you know, you can even set a payload. It set a payload by default at this point in time; by default Metasploit uses a payload called Meterpreter. Um,
10:24
it's actually kind of a shell, but with a lot of muscle behind it. It can perform anything that a shell or a command line or a terminal can perform, but it can execute way more commands. For example, we can... let me just show you, shall we?
10:43
Just run here. Uh, this Meterpreter can actually perform a lot of stuff. For example, we really have the machine. By the way, we have remote control over the machine. Let me just hop over there
10:58
so you can see the machine. Aah! And, you know, it didn't throw any alert at all. I mean, I know that you guys say that this is Windows XP and whatever, but believe me, this will work just as fine if the machine is not protected or is not up to date.
11:16
As a matter of fact, if you just go to, for example, the DBIR
11:22
from Verizon,
11:22
you will see that most of the time there are still hits, confirmed hits, for the EternalBlue vulnerability. People are still getting hacked because they don't actually update their operating system,
11:43
and they don't have any patch management
11:46
at all. So, yeah, you can still use that, and you can actually execute that as simply as I did against a non-patched or not-updated machine. It could be Windows 8, I'm sorry, Windows 2000, Windows 2012, 2016, I'm sorry,
12:01
Windows XP, Windows Vista, Windows 7, Windows 8. You understand,
12:07
whatever brand of Windows it is, if it is not up to date. You can still see that most of the time the targets are Windows 7. But, you know,
12:15
that's the point. It is as simple as that.
12:16
So, um,
12:18
now that we have remote control, for example, this was... the dangerous thing about the Meterpreter shell is that it is, kind of, fileless. It's a small word, but it means that it never touches the disk.
12:35
So if you're trying to perform forensic analyses,
12:39
this will issue a really big challenge for you. So, you know, it's kind of the cool thing if you're the good guy trying to perform the penetration testing. But if you're the bad guy... and if you're the good guy trying to defend against that, it's kind of a pain, you know. So, for example, let me just
12:58
give you a simple example. You can, you know, just type shell, and we have a Windows shell.
13:05
Uh, you know, let me just quit here. But if you actually type commands like hashdump,
13:13
boom, you already have the NTLM hashes. And we already know that, um, this is kind of, ah, an easy thing to do. I mean, you can just go online and
13:28
crack the hashes online.
13:31
Uh, yeah, it shouldn't take, you know,
13:35
that much. You can just, you know, let me see if it actually works here.
13:41
You can just crack those hashes
13:45
online, and it shouldn't, you know, again, take that long, especially, you know, if the hash isn't complicated at all. Uh, just copy this entire thing.
13:58
Ah, but the point is that it is as simple as that. I mean, as you can see, I just executed the hashdump command, and I didn't need Mimikatz or anything else or something like that. You know, you can do that. That's the beauty and magic of the Meterpreter shell.
14:16
Again, I showed you how to,
14:18
uh, get a shell, a Windows shell. But you can actually, for example, execute the command
14:26
clearev,
14:28
and as you can see, it is wiping records: application, system and security records from Windows. Oh my God, this is something out of this world.
14:41
What happens if you're actually the sysadmin and someone hacks into your system and wipes out all your records? I know you'll be saying, OK, this is,
14:52
this is unusual activity, so someone hacked me. But who? That's the point, and this is really scary, especially if you don't have a backup plan, if you don't have backups of those
15:03
traces. For example, you can, uh,
15:09
execute the commands download and upload, and just specify the path where you want to actually put that file. For example, I want to upload,
15:20
um,
15:22
root,
15:24
Um
15:26
Desktop.
15:28
Oh, but I'm actually
15:31
downloading,
15:31
and, you know, it goes to root. Sorry.
15:37
Root, home, I guess,
15:39
to the Desktop,
15:41
files. And, you know, you can do whatever you want here and upload and download whatever you want. It's kind of an FTP, but, you know, on the fly. And you can actually use migrate; you can migrate. Maybe you're actually attached to some service in Windows.
16:00
You can migrate to another process on the victim machine, because you know that maybe that process is not that reliable, or all
16:07
you can do. As simple as that. For example, this might not work sometimes, so don't worry about it. Sometimes it will take two or three tries. But, you know, it's worth trying, you know,
16:26
if you're actually,
16:27
um
16:30
okay.
16:30
really sure that the process you're in right now is not that reliable. So I migrated from one process to another process. You know, I
16:40
didn't get the results I was looking for. I migrated from a DLL, I'm sorry, to... no, but, you know, you get the point. That's the point. And you can actually search for files. Maybe you've already compromised the machine, so you actually want to
16:59
search for files,
17:00
for example, search for a specific file. For example, uh, I can tell you, uh, mona,
17:10
this is, sorry, -f,
17:12
mona, dot... I'm sorry, -f mona. That's it.
17:18
And it tells me that it is here. You will see what this is all about later, when we're discussing the buffer overflow vulnerability. You know, that's the point. Um,
17:32
you know, you can actually use post-exploitation modules.
17:38
Let me just type that right here,
17:45
for example. You can actually... this virtual machine doesn't have a webcam, but you can run webcam_snap,
17:53
snap,
17:56
which, you know, grabs a picture from the webcam. You know, the target doesn't have a webcam, but you can do that. So you can see how dangerous this can be, and you know how powerful and useful it can be if you're actually trying to pentest a server, you know, a server you actually have permission on.
18:12
but yeah, this is it, guys.
18:15
As simple as that.
18:21
Oops, sorry, I already
18:25
typed python3. This is embarrassing.
18:30
Okay,
18:33
What command do you have to use to select a module? Well, I already gave it to you: it's the command use. What command do you have to use to execute a module? Well, you actually can use the word execute. You know, I prefer to use the word run.
18:48
What is Meterpreter? Well, it's actually kind of a shell, but, you know, with a lot of extra muscle. It went to the gym and it got beefy. And you can actually execute several other commands. Like, as I showed you, you can dump hashes, you can actually take a snap from the webcam.
19:06
Whatever malicious thing you can think of
19:07
it is most likely that Meterpreter can actually do it.
19:11
Ah, we saw, you know, just in summary, we saw the most common Metasploit options to perform some hacking techniques. We executed some options over the server to see the functionalities and results.
19:25
Supplemental materials: the Metasploit Unleashed course. I do believe that this is the best material; you can actually go for it. It has the course, but it also has a lot of complementary material that you can go through and search.
19:38
Looking forward: in the next video we'll cover Google hacks. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor