Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:01
Hello, everybody, and welcome to episode number 22 of the course: Public Exploits. My name is Alejandro and I'll be the instructor for today's session.
00:12
The learning objectives of this session are to understand the concepts behind this attack and apply techniques to actually implement this attack.
00:19
So let's get down to business, shall we?
00:24
First of all, let me give you a couple of clarifications about what a public exploit is. What we mean by public exploits is that somewhere there's a vulnerability out there, and we already know it exists.
00:38
And someone already
00:42
created an exploit for that. So we will use that exploit and not bother creating our own exploit. You know, we wouldn't want to go through all the hassle of creating our own code for that if someone else already did it. So
01:00
yeah, that's what public exploit means. Now, there are two problems with that. The first one is that it's not that easy. I mean, I know you're saying right now, okay, if someone already created an exploit, why is it not that easy? Well, first of all,
01:17
exploits behave differently for different operating systems,
01:21
maybe for different, I don't know, technologies. Several things can change from one system to the other. So you have to be familiar with the vulnerability. What is it trying to exploit? How is it exploiting it?
01:41
Is it supposed to get us remote control? Is it supposed to just perform a denial of service attack? Is it just supposed to change something on the system? I don't know. You have to be very familiar with the vulnerability so you can see if you actually only need to run the exploit,
02:00
or you need to actually modify something inside that exploit.
02:05
And the second part, I think the most dangerous part, is that some exploits are not really exploits. Some guys just upload exploits to the Internet, saying that they will exploit a certain vulnerability, but in reality they're just changing something on your local machine, the machine you're using to
02:24
actually execute that exploit.
02:27
I'm ashamed to admit that, but I learned that the hard way. I was starting my career in penetration testing many moons ago and
02:37
that happened to me. It erased the root folder, so yeah, my operating system was messed up. Thank God I was using a virtual machine with snapshots. But yeah, you can find all of that. You can even create backdoors on your own machine. So you have to be careful.
02:55
So to help you with the first problem, you just have to Google it.
03:00
You have to research every possible thing about the vulnerability. And to help you with the second problem, there are some trusted sites out there. The first one, let me just show you, is exploit-db.com.
03:15
I guess that's the most common one or the most trusted one. You can also use GitHub
03:22
and other pages that you may feel comfortable with. But I guess this is the most common one where you can actually look for safe exploits.
03:31
Okay, let me just
03:36
get started with the practice, then. First, well, I will be using the same machine for several videos, because otherwise I would have to change a configuration or install a new server or install other software. But, you know,
03:53
I'm separating this into different modules so it makes more sense to you.
03:59
So first I need to find out what operating system it is. Again, I need to perform, as before, more reconnaissance, my
04:08
port scanning and everything, so I can get familiar with the victim and see if the exploit will actually work on that system. And to get ahead, I will just perform a
04:20
port scan, so I can find out the versions. I know ports 25 and 110 are open.
04:32
So let me see the results. Okay, so SLMail, version 5.5. So the second thing, as you can see, I already have here all you need to do. By the way, you just enter something here, maybe an operating system, maybe
04:49
a software or something specific, or maybe a specific vulnerability.
04:59
So yeah, you can search, for example, SLMail. As we already know, here we have all of these exploits. Now you have to know the type. I mean, what do you want? Do you want to create a denial of service? Do you actually want to get remote control? So yeah,
05:17
in this case we'll choose this one, the first one. But, you know, this is, I guess, I believe it's in Python. Yeah, it's in Python.
05:24
Also, you will find several exploits in different languages. For example, this one is in C. So you have to maybe select the one that you're most comfortable with. For example, if you already know C, and you already know how it is compiled,
05:40
and you already have GCC, for example, for compiling your code on Linux,
05:45
you have to choose the code, the one that you feel most comfortable with.
05:50
But that's the thing. So we'll use this one. Let me just download it. Yeah, okay. This is a generic name, by the way, don't worry about it: the 638.py file. And let me just copy that to my
06:05
folder we're working on:
06:10
638, to
06:15
exploit.py.
06:18
Okay. exploit.py, chmod,
06:25
python. Okay, now, no need to modify it.
06:31
Okay, let me just read. Let me read it first. Okay. Who discovered it? Coded by muts.
06:39
Now, this guy created a lot of exploits on Exploit-DB, by the way. So just read it. This is for your purpose. Okay, it says something important here. He says that
06:57
I have to start a listener on port 4444. So I assume this will be creating, or I would connect to port 4444, so I assume this is creating a bind shell on the victim.
07:10
Yeah, let me just read that.
07:16
And let me just go back here. Okay, it says tested on Windows 2K Service Pack 4. Let me see what operating system is running. It's not finished yet. Let me go ahead and, okay. He says change the return address if needed.
07:34
By the way, we'll see
07:36
all of the details to create our own buffer overflow exploit. I mean, we'll go from zero to, I don't want to say the other word that rhymes with it, but yeah, we'll go, you know, from scratch, and we'll create our own exploit to exploit our own buffer overflow vulnerability. So all of this will make more sense
07:57
after you actually go through the entire module
08:01
dedicated to buffer overflow. But for this part, what you need to understand is that it was tested on Windows 2K, and we might need to change the return address. So, as I told you at the beginning, some exploits might not be just downloaded and run;
08:16
you need to actually change something on that exploit. In this case, we might need to change the return address to something that actually matches Windows XP Service Pack 3, which is the one
08:33
the remote machine we're trying to attack is using.
08:39
So yeah, it's not that easy. Let me change the obvious ones, the IP, of course.
08:50
Let me see if I can actually run it.
08:52
python.
08:56
Oh yeah, I already gave it execute permission.
09:05
Okay, so it's supposed to be creating a bind shell.
09:11
So I need to just connect to that. Netcat, let me see, the IP, port 4444.
09:22
No, it's not connecting, so the exploit didn't work. And if I go to my
09:30
Windows XP machine,
09:31
I can just see that, if I
09:37
oops, okay, let me just filter for that,
09:46
it will not return. You know something? It did not create a bind shell. So that's expected, because the exploit was clearly telling us that this was actually tested on
10:01
Windows 2K. So we need to test it on Windows XP, so we need to change the return address. For the purpose of this course, of this module or this session, I will not show you how to actually get that. But again, I will definitely show you all the details
10:20
to actually perform this attack in the upcoming modules, which are for buffer overflow. So don't worry too much about it.
10:31
So let me just copy-paste here. The return address was supposed to be, which is right here.
10:39
Then change the return address for Windows XP Service Pack 3. Just right
10:46
there. And there was still one thing I needed to change. Let me just run it again,
10:54
and it's taking a while. That may be a good sign for us. Let me see, that actually worked.
11:03
And if we just go back here again to my Windows XP,
11:07
and let me see if, oh, okay, it created a bind shell. So if I go to a different
11:15
terminal here, if I use netcat
11:22
and I connect to my port 4444, I get our bind shell,
11:28
okay, I'm good.
11:33
Okay, that's how you would actually change public exploits. But you can go further.
11:41
You can actually create, for example,
11:45
we will see more details about this, but you can actually
11:52
create something about that. I mean, for example, you can say I don't want a bind shell, I want a reverse shell. We will see that in the next video, which is msfvenom, to create your own payloads. Because at the end, maybe you say, okay, I know the firewall is filtering
12:09
anything that is connecting to it, but it's not filtering anything that
12:13
the victim machine is connecting to on the Internet. So maybe you want to modify your exploit to get a reverse shell, and you need to modify all of this exploit. We'll see how to create that in the next video. For now, what about the operating system? We already know that there's a Windows XP here.
12:33
let me see. Okay.
12:35
So yeah, we can go to a database, for example. I know that Windows XP is vulnerable to EternalBlue. We researched that in previous videos. So let me just go here and change this and put "eternal",
12:52
and it's searching, you know, for exploits already created for Windows XP.
13:01
Then you see each one.
13:05
Let's use this one. Seems like a good fit for us.
13:11
Oh, I see Python as well. Yeah, that looks like a good fit for us.
13:16
Oh, you can also search for, you know,
13:20
this exploit on the Internet, for example. I know there are others. Just
13:28
download it through the terminal. I can actually go directly here.
13:35
eternal.py. Eternal
13:39
is one I need to download. I know that because I already tested all of this. But you might need to be testing by hand or, you know, step by step, everything for, you know, the public exploit commands.
14:00
So yeah, that's it. I downloaded the exploit. So, actually,
14:03
run that and let me just see what I need to modify
14:13
in order to actually execute that.
14:16
So, now I know.
14:22
Okay, I need to read all of this. It was tested on Windows XP. That's fine. And username, for example. I came here. I know that I need to use the username guest,
14:37
for example. But the problem with that is that in that specific case I'm talking about,
14:46
I mean, let me just close that in here and execute it.
14:54
It will request the IP, I guess.
14:56
Okay. Yeah, IP, pipe name,
15:01
for example, browser.
15:05
It will not work, because it says, for example, status: logon type not granted. So the remote machine is not actually allowing me to use guest as the
15:20
user. So that's the other problem with public exploits. Sometimes you just need to
15:31
actually get something, you know.
15:33
You actually need to modify several things, and the exploit will still not work. And that's something you will face all the time, on a daily basis. So, for example, now that I know that it is actually vulnerable to this,
15:50
but I don't know the password, I could try other techniques to actually steal the password,
15:58
apart from this. So, for example, let's say that I stole it with a different technique.
16:07
And I need to, for example, modify
16:11
that, set
16:14
the password and username, and see if that actually works.
16:18
Okay, done,
16:21
and it works.
16:22
It actually worked. So you know, that's the problem with public exploits. Sometimes it will work, sometimes you need to modify something, and, you know, sometimes you
16:33
cannot go that way, and don't waste too much time on something that will not work. You don't want to go down the rabbit hole and, you know, spend hours trying to actually get things to work, or get this exploit to work,
16:49
because it will not work. So you would have to pursue other routes.
16:52
I wanted to exploit our operating system. You know, that's the problem.
17:00
Hey, I can just, for example, do something like this.
17:03
Let me just,
17:07
well, I didn't modify something in here because I didn't need to. You need to modify this specific exploit, you know, that will take a while, to actually do something with the operating system, maybe change or create a password or create a username or something like that.
17:26
That's something you'll have to do with this exploit. But, you know,
17:29
for the purpose of this example, you get the point.
17:36
What is the most common database we can use to find public exploits? Well, exploit-db.com. I guess that's the most common one, although you can also find useful exploits on GitHub and other pages. But I guess that this is the most common one. And be careful. I cannot stress this enough.
17:55
Be careful with what exploit you download and how you run it.
17:59
Can we actually gain remote control with this attack? Yeah, we can, of course. We're just using someone else's code to exploit vulnerabilities, which will lead us to have reverse shells or backdoors or remote control over a machine.
18:15
In this video we learned the concepts behind the public exploits attack, and we implemented the steps and techniques to execute some public exploits. And we saw how malicious that can be. Supplemental materials: The Hacker Playbook, again. There's no other, there's no wrong way with this book. You just need to,
18:34
you know, buy it and read it.
18:37
It will help you not only with penetration testing, but with understanding other stuff in the penetration testing process itself. And, you know, as always, every possible source on Google and YouTube, although in this case I would be careful
18:53
with Google and YouTube, because at the end, again, you might end up downloading something malicious
19:00
to your computer.
19:02
Looking forward, the next video will cover the Metasploit framework and msfvenom. I know that we already set some basics of Metasploit. We'll see how we can boost that knowledge with the msfvenom tool.
19:18
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor