Now let's start doing some actual medicine. Won't work, not without through some of the theory. So we're going to start with. The myth of counsel is going bear primary way of working with medicine, but it will also look at the command line interface briefly,
but I spend most of my time pen testing when I'm using medicine is again miss of Council on most of the other pen testers. I talked to do the same, so we will spend most of our time in the class with the mishap council hit the latest
module updates for medicine for you. You could do MSF update
on that will pull down the latest model. True
on other updates for the Medicis played a framework it those update fairly regularly, so I would encourage you to keep it up to date.
I have already updated mind. I'll start a nice of consul, but first we actually do want to start a couple of service is so we can start up the database. So it's service Post Crest sequel and then stirred
on dhe. Also service medicine. Lloyd Start
starts up some background processes for menace Would and Callie,
we do in this of console
and it will take a minute to start. It is loading up the model tree on the fly. If we write our own model, which we will in the exploit development section, it will be loaded as well,
Aunt. It also will put up some asking art for are so of yours
looks a little bit different than mine when mine actually lewd. Don't worry about that. There are a few different asking origin there, So each time you start up, you may get something different.
Now give it a minute to start. I don't know. We should be able to get started doing our in Minnesota It 67 exploit. We're going to exploit our Windows X P system.
So the only thing we need to know about it at this point is its i p address.
So again, Georgia's password is password
if we do, windows are or command are on the Mac.
We can get a run prompt. And if we do see m d on dirty, they're so cmd
who knows? Command line through an I p config,
as opposed to I s Conseco on
just about any other system you ever run into. We could get our I p address. 1 91 $681. 76. In my case, yours maybe different. Of course.
All right. If I come back over here to medicinally Sure enough, doing something else did. In fact, make it load
always likes to be slow. And I have a video on
ask your heart again If yours is different than mine worries
and we see it has a sea of this recording.
1357 exploit modules
829 auxiliary ZX. 231 post models, 340 payloads,
35 encoders and eight tops.
We will certainly not see every module. We will see examples as
exploits on Hilary's on payloads. In this
may even see some encoders.
And what We'll see post models one way. D'oh! Post exploitation.
We're not really going to work with knots in this class, so do not use those. But we will see examples of
exploits and auxiliaries throughout the class and was, well, some posts and certainly a lot of payloads and something coders
when we do exploit development. Those will definitely come into play as well. A ce maybe for avoiding anti virus. They may have
some usefulness. All right, so now we're in the hands of counsel, Prompt who always say help at any point
to get our basic commands. You can also say help about a specific command. So, for instance,
come up here. If your core commands
and database commands, how about help and then route? That'll give us more information about the route command.
So I was probably expected with the word route. It is used for routing routes, traffic destined to a given sub net through a supplied session.
use that in post exploitation will do something called pivoting that will come into play. But now we don't need that
So what we want to do is find a module far in associate of 67
We do have a couple of options.
We can also look at the online
database for modest split
YouTube by this point dot com
also has a database of menace. White modules.
dating one training. Now
we go to exploits here, just come. And actually, since it's too rapid. Seven dot coms was actually rapid seven dot com, but I was just getting the display dot com when put in our query strings. All this dude in this Oh, wait. 067
And it came up with three results.
Supposed to start with this 1st 1 here is an exploit
and has our exploit module actually has a model name appear in the your eye. So it's in modules exploit Windows s and B m s 0867 that a p i someone we saw the source could briefly in the previous video.
You can also do a search
inside of medicine. Moisture inside of them was of council would say search
on a string was right 0.67
and it comes up with that same exploit. So that is presumably the model we want to use if we want to exploit MSO 8067 I mean, in this case, the description pretty much says it all. We may run into some instances where there may be a few modules that
look like they might be the right one for particular vulnerability. So we may have to do some more investigations.
We use the invoke command for that. So I can say in so
so I can tap complete going, say, exploit
Windows s and B M s 08 underscore a 67 that a p i we can also the name of model drop off this first part exploiting the first slash if you want to you same thing with auxiliaries. Post said There you can just drop off the first folder basically in the module tree
on the slosh that goes with it. Keep in mind if you
do, you do that there, you won't be able to tap complete. So whatever works best for you, I kind of go back and forth as you'll see
so we can get information about a particular module.
So go. So it gives us the name of the module
platform. Of course, Windows. Is it privilege? Does it require or give system or
really high level privileges? Yes, it does. It will actually give us system privileges
menace. White license ranking is great.
The highest ranking you can have is excellent. You have to be a pretty super to get excellent. You could never bring the target down things like that. Lots of requirements. If you look at
manuals for med, exploited their get home page, you can find
explanations of all of that. Great is the 2nd 1 so great is in fact, pretty great.
So gives us an idea that this is
a model that pretty successful
people who wrote it. So if you write your own medicine, white module or contribute toe one and you, too can be Internet famous,
available targets will see automatic targeting. In many cases, menace will. It can decide with the correct target is a stone's a fingerprinting. The service, S and B is a good one for fingerprinting and pretty much writes back says hi. And when there's excuse for respect three. Would you like to exploit me today?
So we have the automatic targeting as well as several other targets. In fact, we have 67 available targets. Everything from 2000 x p all the way through service back three. When does X P Windows 2003 of respect
to go on here? Different language packs. So, of course, everything on here has had a patch released said People don't necessarily patch all their systems. If you do any pin testing, Mrs
one, you may see from time to time exciting as a pen tester to see it. Because it is us. We'll see an easy win toe. Pretty steady vulnerability. We do have the ability to exploit. It does give a system level privileges this one we really like to see. If we want to break in, really do something that can be patched.
Quick fix just applied the patch and it's gone.
So you see, recommendation for fixing.
We see some basic options. Who will see those again? It says are most our port and S and B pipe. Our port and S and B pipe have a default setting
and they're all three required. And then they have a description.
We see some payload information.
Luckily, medicine. It will take care of all of this for us. But when we get into exploit development, these things will be of the essence, the amount of space we have for the payload of the amount of room we have in memory and bites. So we have 400 bytes,
and it says there's eight characters we need to avoid. So there's eight bad characters. Bad characters will in some way break the exploits String again when we get into exploit development.
medicine. It doesn't even tell us what those eight characters are. Course we can get them in the source code for Get back to that module. But medicine. It will automatically get rid of any bad characters
that has the description of the floor.
Finally, some references again. There may be points during our pin test where there's a few different models that look like they might be. The right 1 may be comparing
our results in vulnerability analysis to these models.
Open source. Vulnerability database numbers we have tech minute get. In this case, it's pretty simple to see which one is the right ones in miso Edo 67 But it may not always be named so easily.
You may have to look a stay open source vulnerability database numbers to see which is the actual vulnerability that we found her vulnerability analysis. You never know. Just maybe a hint for later.
All right, so this is indeed the model we want at this point again.
I'm just at this point telling you this is a vulnerability. That's president. We will have
plenty of time to look at other vulnerabilities. All of our virtual machines have some sort of vulnerability we can exploit,
plenty of chances to find vulnerabilities on your own.
But for now, let's use this model for use again. You could drop off exploits large if you want Thio,
in Mystery 8067 at a P I.
That moves us into the context of that module. Soon Alyssa's exploit an emissary 867 that a p I.
We do a show options
options may be different from module to module,
but all of our network based exploits like this we're going to have our host, and it's not going to be set. That's going to be the remote host we want to send it to. We will look at some client side exploits where we don't directly send the exploit,
but this one and many of the other ones will look at our network based. They're going to send the craft that exploit string over the network to another system, and
hopefully you've lost control and allow us to our payload
set our host to the correct value for our Windows X P machine.
Yeah, and that was over here.
Course has already forgotten what itwas 1 91 $681. 76. In my case, easiest way to make your exploit not work is to just blindly follow me when your network is something else entirely.
So you sure? I'm set your
i p address accordingly.
Make sure it is the I p address of your Windows expert machine and online.
The artist option or your options General are actually not case sensitive. You can do them lower case. It is the best practice to do them in the case. And I will try and remember throughout the class. But you may catch me doing it wrong at some point, and you can either use correct case or not again, I would encourage you to do show
we have our port and has to be pipe. They both set to default, setting for 45 for our port and s and B pipe. Is it the browser? The our port.
In fact, that seems like it would be correct for 45 I've never seen us and be anywhere else. You wanted to make everybody in your I t staff measurable. And you could maybe recode everything. But every client has a hard could. It ends. I can't imagine it would be something that anybody would ever want to do.
So probably that our port is going to be correct. But it's really,
for some reason, needed to change in our port. For my support, we could do the same thing with they set the option to set. How about we wanted to set it too. But again, this one is fine. How it is we could set in the option. That way, though. Just set the option to set. And what we want to set it to
something that s and B pipe for now. I'm just going to tell you that browser pipe is correct. How it is set now, we don't currently know what doesn't be named pipes. You're listening. Well, actually, look at an auxiliary module that will tell us that a bit later on for arm silvery example. But again, for now, just go on safe. But what I'm telling you is true.
We also see the exploit target you set by default automatic targeting. We can see all our targets again with show targets. Who we show options show targets, etcetera.
The syntax is pretty simple For most, boy,
you see all those targets again. But we will just leave it as automatic targeting for now.
So it looks like everything is shut. Now, would you show options? In fact, we now have our host, so everything should be good to go. We have forgotten one thing.
We have not said a payload
minister. Right. Well, if you don't set a payload cheese, it a fault payload for the model and do its best to run correctly.
But we should certainly know how to set up a load. That a fault may not always be what we walked, so we should certainly at least learn have a set of payload.
So what we want to do is to a show. Okay, Loads show options to see the options. Have targets to see the target's show pales. See the payloads probably catching on here.
If we do a show paillettes. This is going to show us only the payloads that work for this model that we're only gonna see Windows. Payloads here. Nothing for Lennox, for iPhones are Androids.
We'll see all of pretty much all of our Windows payloads, though it does have to be able to spend it. Not 400 characters of space, but
that's a pretty good amount of space. We should probably see much everything here,
and we'll learn more about the fitting in space. When we do our exploit development,
we see something called Interpreter Come Up. That may not be familiar to you, but reporter is displayed special payload. We will see lots of motor Peter, particularly in our post exploitation section
on. We also see it's a basic command shells. You see reverse shell buying shell.
We go throughout that during our politics basic section about our fine shell on reverse shell bind. It opens on one system and listens, and we connect to it reverse. On the other hand, it actively pushes the shell back to our listener on Callie's. We did that with Net Cat.
That's the same thing automatically in medicine, boy.
So let's go ahead on and set the payload thio
a window shell find underscore TCP
that will make a buying shell. You will notice If you go through that, there's actually one. That's windows. Sliders, shell, underscore, Bind, underscore TCP. Whereas this one is windows, flies, show slides find TCP so they look like they are exactly the same. They're practically named the same. They just have
extra slashes. That is a staged payload versus inline payload. Just one that we've chosen with the double slash is staged wise, the one with only once lodges in line in line. Palin puts the entire payload in the original attacks during it does take up more space.
When I was a stage payload just puts it enough
commands to call back and finish the paler, basically, So we'll have it set up something called a handler. It will do that automatically, which will know what it needs to do in order to finish up the payload.
So in our case, either will work. They're both on our list, but it may come into play sometimes an exploit development that we may want to do a stage payload.
But again, neither will work here. But we chose the stage one, and it is bind underscore. TCP can do anything that's on this list. You encourage you to spend some time playing around with payloads at the end of this module Before we move on.
Maybe try out my interpreter.
But for now, let's do a show options again. We see our old options, like our hosts are poor. Listen, be pipe, but that we also see some payload options.
There have been tacked on, so we have exit function. As the name implies. That's how it's going to exit.
We have S C H for the structured exception handler. We'll talk about that. We get to exploit development. But that's how will those deals with exceptions
when something goes wrong?
Also, it's thread, which is the default. So it'll just killed a thread and also killed the process or do no exit
function at all. Threat is a good one.
Just exit the thread and continue on. Hopefully won't bring the server down.
L Port is going to be our
local port that it's going to open that bind shell on 04444 is the default. You can change that same way so we could do set
heliport thio 1234 for instance. But that's not strictly required.
Course some intrusion detection systems. If your client has them, may just automatically block everything on 44440 your medicine, please go away kind of thing when they're all signature based. So easy to get around that by this changing the port.
So, of course, in our lab, we don't need that. We don't have snore or anything listening at this point,
it also has our hostess. Well, I'm not required with us. The target address. We've already set that in the previous
section. When we did our host
appear That's already set for us. That's all we need. Here are options again, Will be based on this particular payload. If we had done a reverse shell, for example, it would have asked us for the i P address to call back to since we did a fine show. We don't need that here. Who is going to be different every time
Based on what you choose for your module and your payload, some of them may be the same, but there will be various so you can always do a show options to see what you need.
So now we should be really good to go, so we can say exploit to tell it to run, But this type exploit. And if we have indeed set everything up correctly, we should be good to go.
And sure enough, we now have a Windows Command prompt.
We are at sea Windows System 32. This does exploit the S and B server, which is a system service.
So first thing we did was open up a bind handler. So we chose a buying payloads that automatically sets up a handler to deal with it on, connect back and finish
the payload. Since it's stage, it automatically detects the target. We did tell it to automatically detect the target. So sure enough, it does figures out as Windows X p
service back three English selects the correct target,
and then it does send over the attack string. What does encode it?
I said we would kind of seon coders here. This is one of the encoder from medicine late 36 Chicago and I, that's Japanese for it can't be helped as well. See him are avoiding anti virus
phase actually can be helped and the virus will in fact pick up Chicago and I. But we will get other ways of getting around anti virus, primarily in coding, is really just to avoid our bad characters. We saw there were eight of them that needed to be avoided here, so it will
encode it sells to get rid of any bad characters.
pra penned a decoder basically at the top. So first thing it will do is decode itself back into its original form,
and then our payload will run.
And then we send over
our stage on dhe the handler deals with finishing at
our session medicine while it considers communication between our target and
in this case, Callie to be a session.
So this is session one on. Now we have again our command for arm silicon run
windows commands that we're interested in.
And when we're done with it, we can close it with a control. See, that will abort the session. But we have another option. Weaken background. The session with Control Z office. Do we want to background it? If we say yes, it will keep the session open, but then return us to the medicinally prompt.
And then if we do a sessions dash l for list we can see all of our open sessions. Currently, we only have one we want to interact with. The session that's in the background would say sessions, dash I and then the session number
and that will drop us back into the session so we can move from medicine boy out of sessions and back into them. We don't necessarily have to be done with them Before we put them in the background, we could always bring them back as long as there's still network communication between the two systems.