Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 23 of this series, Metasploit framework and msfvenom.
00:09
My name is Alejandro Guinea, and I'll be the instructor for today's session.
00:13
The learning objectives of the session are to understand the concept behind this attack and identify the techniques to implement this attack. So let's get down to business, shall we?
00:23
First of all, uh, we already saw some
00:28
basics of the Metasploit framework, or the msfconsole. Ah, but let me go a little bit deeper into that knowledge by, you know, using the msfvenom module of the Metasploit framework.
00:45
Remember that in the previous video, for using public exploits,
00:50
remember that we saw a public exploit to actually exploit a vulnerability, a buffer overflow vulnerability,
00:58
in, ah, the SLMail server.
01:02
Let's use that just to see how quickly we can, you know, actually use msfvenom to get what we want.
01:10
So, uh,
01:12
let's use... Let me first...
01:17
I started this one just in another... here. Uh, just to remember, just to show you, so you can remember that exploit that we used before. Um,
01:27
I can't remember. Well, let's go to our
01:32
always useful
01:34
web page,
01:38
exploit-db,
01:41
and let's search for
01:46
SLMail. Remember that we actually did all of this in the previous video. So
01:56
638.
01:57
638, it should be there. Okay.
02:00
Okay.
02:02
And, you know, there it is. We called it exploit.py. And there you go. Remember that we changed the return address.
02:09
Uh, how about, remember that when we actually executed that,
02:15
we, uh, created a bind shell. Um,
02:21
with this exploit. And it was, you know, it created... it was
02:25
created, a bind shell on port 4444. How about if we actually want to create a reverse shell on port 1234? Well, we just need to change that.
02:38
And let me just
02:40
start with this.
02:44
We can, as you can... Well, in the previous video we used a public exploit, but we actually,
02:51
we can actually also use Metasploit to achieve the exact same thing. Let me just
02:58
give you, for example, we can just search slmail here,
03:01
and we quickly find an exploit. So just copy, use,
03:10
and show options,
03:14
and it just, you know, needs us to enter the remote host, and SLMail. It's actually prepared for all of this. If I go to show targets, it will just tell me the same thing.
03:25
The point is that if we actually go to this, um,
03:31
to what...
03:34
towards this is created. Remember, all of the exploits in the Metasploit framework are created in Perl. So this Perl script already has... I mean, it will first detect the operating system. And whatever the operating system is, it will change the return address.
03:51
So remember that this is all created in Perl. So
03:55
yeah, that's the thing, we just set the remote host.
04:00
Um, nope. Sorry,
04:03
to the Windows XP where the SLMail service runs. And we just hit run.
04:10
It will, you know, here you go, trying Windows SLMail, and it will detect the operating system and get us our shell.
04:19
So yeah, that easy, huh? Um,
04:23
yeah, I want to kill that.
04:25
Okay. Not that anymore. So yeah, but what about if you actually
04:30
want to modify the previous exploit we used in the public exploits session?
04:38
We could actually do that with msfvenom. msfvenom is a Metasploit framework tool that you can use to actually create your own exploits, or your own payloads to be more specific, not exploits but payloads, so you can achieve whatever you want
04:54
in your exploits. For example, you downloaded a public exploit, and you can,
04:59
as we're going to do in this video, and you don't actually want to execute the exact same payload. You want to create your own payload? You can do that with msfvenom. So let me just
05:10
type here msfvenom,
05:12
then the payload. Actually, the payload I want it to be. Remember that it was, ah, a bind shell. Now I want it to be a reverse shell.
05:24
And then the listening host, which will be my Kali machine, of course.
05:30
Then the listening port, which, let's change it to 1234, maybe, for some reason port 4444 wasn't working for us.
05:40
Exit function.
05:42
Um, we will call it thread. This is basically just to tell the exploit that whenever the service, or the thread we just created, or, you know, the one that we're actually attaching this payload to, is going to fail, it changes to the next one, or, um,
06:01
so we do not crash the service.
06:03
For example, if you don't put that, it's most likely that our SLMail server will... it will get us a reverse shell. But the SLMail service will not work, so that,
06:15
that could be a little bit noisy.
06:18
Then the format. I want it to be C because I want to actually just replace all of this with my payload.
06:27
So format C.
06:30
The architecture,
06:32
that's
06:35
x86, 32-bit.
06:38
That's nice. Platform,
06:40
Windows, of course.
06:42
Um,
06:44
then we can set some bad characters. All of this will make a little bit more sense when we see, um, the
06:55
buffer overflow module. But, you know, sometimes when you're creating that and you're actually executing the payload, if you're actually
07:02
using some bad characters, as, for example, the null character, which is represented by the hex code \x00, it can terminate your command or, you know, your steps. For example, if you're trying to get a reverse shell
07:18
and, you know, something is being executed, if it finds a null character or a carriage return character,
07:26
it could end execution, or it can, you know, mess up the execution process. So we need to avoid these characters. How to find them? We'll see that again in the... um,
07:38
I'm sorry, for all the buffer overflow modules.
07:41
\x0a,
07:44
\x0d.
07:45
Okay, we don't want to use these bad characters for one, creating an exploit, and encoding, we'll use shikata_ga_nai. I'm hoping that's the correct way to say it.
08:00
This is just an encoder that I know works on Windows. But that's it.
08:05
And we hit enter, and it's supposed to create our exploit from here.
08:11
And there you go. Ah, this is very important, remember that the bytes, the length in bytes. But I can just, you know,
08:20
copy all of this
08:26
and then modify
08:28
my exploit.
08:31
Remember, I already modified, um, the return address. Let me just eliminate all of this so you could see how we can actually do:
08:41
shellcode equals,
08:45
parentheses,
08:46
and just copy... just paste, I'm sorry,
08:50
ah, whatever it was inside of our payload,
08:54
and there you go.
08:58
I'm sorry.
09:01
There you go.
09:03
And just... oops, just equal. Stupid. Okay, it's equals to. And, um, now we just need to save it.
09:11
And remember that we actually said that we'll be listening on port 1234.
09:18
So let's fire up a listener here.
09:22
I'm sorry. Well, let's fire up the listener, as
09:30
before, and we'll listen for connections. And then just remember that we modified this
09:35
and just execute the ex... actually, execute the exploit.
09:43
Oops. Sorry.
09:46
Oh, my gosh.
09:54
Sending evil buffer,
09:58
and, yeah, we got a reverse shell in here.
10:03
So this is how powerful msfvenom can be.
10:07
In the previous service, in the previous exploit, the service was crashing after the first successful attempt. However, you know, as I told you, we used the exit function to generate a more stable exploit. The service still works. If I, you know, kill this, start my listener again
10:26
and just perform this exact same thing,
10:28
it will get me a reverse shell once again. So, you know, the service continues being functional, so we can, you know, buy some time in there and maybe go unnoticed for the administration team.
10:45
So that's the beauty and the power of msfvenom. Um, msfvenom
10:50
too, we can send, act like, you know, we can send the link to our service to our victim, for example. What if you want to create... let me just exit here. Oh, my God. Um, what if you want to create an executable, for example?
11:07
So you can actually get the exact same command,
11:11
you know, exact same payload, listening host, listening port, let me just change that for the purpose of this exercise
11:20
to 4122, I don't know, something like that. Um, and, uh, actually, I don't want it to be in a
11:28
C format, but I want it to be in the exe format, executable format, and I just tell it -o, /root, for example, uh,
11:41
um, reverse
11:43
.exe,
11:46
and we save it to that. And by social engineering or something like that, we will send that to our victim.
11:58
Remember that we're in our Windows XP machine.
12:01
And here it is, uh, reverse.
12:05
The .txt... come on, sorry, that's the .exe,
12:09
and it downloaded that. And we can just, uh, let me just start, fire up a listener here.
12:16
What was the port? I think it was 4122.
12:22
And as soon as I just open up that,
12:28
yeah, run, it will get us a reverse shell back to us,
12:33
so yeah, you can see
12:33
again, we're in the Windows machine. So this is how powerful, uh, you know,
12:41
how neat, nice and cool, and whatever adjective you want to give it, msfvenom is. But yeah, you can do whatever you want. What if you don't want to... Maybe you're just messing with a buddy or something like that. Uh, you don't actually, you know, want to get a reverse shell.
13:01
All you want to do is, I don't know,
13:03
for example, something silly like that. Just change the payload in here.
13:09
Something silly like, um,
13:11
opening the calculator.
13:15
Something like that. I don't know, I'm just thinking out loud right now. So, windows/
13:20
um, exec, to execute, right, CMD equals calc.exe.
13:28
So I'm just creating a payload to pop up the calculator, and I'm leaving the same as it is. So
13:37
if I, um,
13:39
actually execute that,
13:43
and if I,
13:45
we just generate that. If I go to my Windows XP machine, just put it here, when you're... 60...
13:52
first,
13:54
.exe, you know, it says nothing. Yeah, you want to run it? And boom, our calculator was opened. So, you know, that's how you can modify exploits. You can create your own payload. Maybe you, as we did in this video, you already have a public exploit,
14:15
and we just needed to modify it. Um,
14:20
we can use all of that. We can use whatever exploit. Now, what exploits can you use? Well, you can quickly surf the internet for that. You can just
14:31
go to the msfconsole, so we can see how many payloads you can actually use, which is a lot. I mean, I just showed you three different payloads, and two different payloads to be more precise, reverse shells. But you can create bind shells, you can create,
14:48
um, Meterpreter reverse shells. So we can, you know, boost our
14:54
capabilities in the victim. Because at the end, the msfvenom... I'm sorry, the Meterpreter shell is way better than a normal shell, right? So let me just show payloads here,
15:11
and you can see there's a lot of payloads in there. Uh, all of these payloads can be used in msfvenom, and you can create your own payloads. Uh, the fun part of this is that maybe, you know, you have a payload, but you don't have an exploit on the msfconsole.
15:30
So the point is that you can actually, uh,
15:35
not use the msfconsole, because maybe there's not an exploit in there. So you found an exploit on, on,
15:43
I don't know, exploit-db, for example, that always... on, and you just need to modify the payload, or you just need to modify something else. So this is the beauty about msfvenom and the combination with the msfconsole. For example, if you want to create, again, a Meterpreter shell, um,
16:03
and you can actually start a Meterpreter listener on the msfconsole,
16:07
that will boost your knowledge and your capabilities on the victim machine.
16:15
Can you generate backdoors in an executable format with msfvenom? Um, yeah, you can. You definitely can. Can we actually get a remote control for this attack? Yeah, definitely, you can. Again, and you can actually start Calculator as well.
16:29
Um, uh, in this video we learned some concepts behind this attack, and we implemented some techniques to execute this attack, to create payloads basically,
16:37
and we saw how malicious this can be. Ah, supplemental materials: there's a new material here, you know. We have The Hacker Playbook, that's always, ah, a go-to. But now we have Metasploit Unleashed, the reference for the msfvenom module. You can find a lot of good information,
16:57
techniques, and how you actually use,
17:00
um, more capabilities from msfvenom. And, you know, uh, again, every possible source on Google and YouTube.
17:08
And looking forward, in the next video we'll cover tunneling. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor