00:04
Now let's start doing some actual Metasploit work, now that we're through some of the theory. So we're going to start with msfconsole. msfconsole is going to be our primary way of working with Metasploit, but we will also look at the command line interface briefly,
00:20
but most of my time pen testing, when I'm using Metasploit, is again msfconsole, and most of the other pen testers I talk to do the same, so we will spend most of our time in the class with msfconsole. To get the latest
00:34
module updates for Metasploit, you could do msfupdate
00:39
and that will pull down the latest module tree
00:43
and other updates for the Metasploit Framework. Those update fairly regularly, so I would encourage you to keep it up to date.
00:52
I have already updated mine. I'll start msfconsole, but first we actually do want to start a couple of services so we can start up the database. So it's service postgresql and then start,
01:07
and also service metasploit start.
01:14
That starts up some background processes for Metasploit, and in Kali,
01:18
we do msfconsole
01:21
and it will take a minute to start. It is loading up the module tree on the fly. If we write our own module, which we will in the exploit development section, it will be loaded as well,
01:34
and it also will put up some ASCII art for us, so if yours
01:38
looks a little bit different than mine when mine actually loads, don't worry about that. There are a few different pieces of ASCII art in there, so each time you start up, you may get something different.
01:51
Now give it a minute to start. I don't know. We should be able to get started doing our MS08-067 exploit. We're going to exploit our Windows XP system.
02:02
So the only thing we need to know about it at this point is its IP address.
02:08
So again, Georgia's password is password
02:15
If we do Windows-R, or Command-R on the Mac,
02:20
we can get a Run prompt. And if we do cmd in there, so cmd,
02:27
Windows command line, do an ipconfig,
02:30
as opposed to ifconfig on
02:34
just about any other system you ever run into. We could get our IP address: 192.168.1.76 in my case. Yours may be different, of course.
02:44
All right. If I come back over here to Metasploit, sure enough, doing something else did, in fact, make it load.
02:50
always likes to be slow. And I have a video on
02:55
ASCII art again. If yours is different than mine, no worries.
03:01
And we see it has, as of this recording,
03:07
1357 exploit modules,
03:09
829 auxiliaries, 231 post modules, 340 payloads,
03:17
35 encoders and eight nops.
03:22
We will certainly not see every module. We will see examples of
03:27
exploits and auxiliaries and payloads. In this
03:34
may even see some encoders.
03:38
And we'll see post modules when we do post exploitation.
03:43
We're not really going to work with nops in this class, so do not use those. But we will see examples of
03:50
exploits and auxiliaries throughout the class, as well as some posts and certainly a lot of payloads and some encoders
03:57
when we do exploit development. Those will definitely come into play, as well as maybe for avoiding antivirus. They may have
04:03
some usefulness. All right, so now we're in the msfconsole prompt. You can always say help at any point
04:12
to get our basic commands. You can also say help about a specific command. So, for instance,
04:20
come up here. If your core commands
04:28
and database commands, how about help and then route? That'll give us more information about the route command.
04:33
So as was probably expected with the word route, it is used for routing. It routes traffic destined to a given subnet through a supplied session.
04:46
use that in post exploitation. We'll do something called pivoting; that will come into play. But now we don't need that.
04:55
So what we want to do is find a module for MS08-067.
05:00
We do have a couple of options.
05:02
We can also look at the online
05:08
database for Metasploit.
05:11
YouTube by this point dot com
05:14
also has a database of Metasploit modules.
05:25
dating one training. Now
05:28
We go to exploits here. And actually, it sends us to rapid7.com, so it's actually rapid7.com, but I always just go to metasploit.com. We can put in our query string; I'll just do MS08-067.
05:45
And it came up with three results.
05:47
Supposed to start with this first one here, is an exploit
05:53
and has our exploit module. It actually has the module name up here in the URI. So it's in modules/exploit/windows/smb/ms08_067_netapi, the same one we saw the source code of briefly in the previous video.
06:08
You can also do a search
06:11
inside of Metasploit. So inside of msfconsole we'd say search
06:15
and a string, ms08-067,
06:21
and it comes up with that same exploit. So that is presumably the module we want to use if we want to exploit MS08-067. I mean, in this case, the description pretty much says it all. We may run into some instances where there may be a few modules that
06:38
look like they might be the right one for particular vulnerability. So we may have to do some more investigations.
06:44
We use the info command for that. So I can say info,
06:50
so I can tab complete going, say, exploit/
06:54
windows/smb/ms08_067_netapi. We can also, in the name of the module, drop off this first part, exploit and the first slash, if you want to. Same thing with auxiliaries, posts, etcetera. You can just drop off the first folder, basically, in the module tree
07:14
and the slash that goes with it. Keep in mind if you
07:16
do that there, you won't be able to tab complete. So whatever works best for you. I kind of go back and forth, as you'll see.
07:27
so we can get information about a particular module.
07:34
So go. So it gives us the name of the module
07:40
the platform, of course Windows. Is it privileged? Does it require or give system or
07:46
really high level privileges? Yes, it does. It will actually give us system privileges
07:51
Metasploit license. Ranking is great.
07:56
The highest ranking you can have is excellent. You have to be pretty super to get excellent. You can never bring the target down, things like that. Lots of requirements. If you look at
08:09
the manuals for Metasploit at their GitHub page, you can find
08:13
explanations of all of that. Great is the second one, so great is, in fact, pretty great.
08:18
So gives us an idea that this is
08:20
a module that's pretty successful.
08:24
The people who wrote it: so if you write your own Metasploit module or contribute to one, you too can be Internet famous.
08:31
Available targets: we'll see automatic targeting. In many cases, Metasploit can decide what the correct target is on its own by fingerprinting the service. SMB is a good one for fingerprinting; it pretty much writes back and says, hi, I'm Windows XP Service Pack 3. Would you like to exploit me today?
08:50
So we have the automatic targeting as well as several other targets. In fact, we have 67 available targets. Everything from 2000, XP all the way through Service Pack 3, Windows XP, Windows 2003 Service Pack
09:07
2. Going on here, different language packs. So, of course, everything on here has had a patch released. That said, people don't necessarily patch all their systems. If you do any pen testing, this is
09:22
one you may see from time to time. It's exciting as a pen tester to see it, because it is, as we'll see, an easy win. It's a pretty steady vulnerability. We do have the ability to exploit it. It does give us system level privileges. This is one we really like to see if we want to break in. It really is something that can be patched.
09:41
Quick fix: just apply the patch and it's gone.
09:43
So you see, recommendation for fixing.
09:48
We see some basic options. We will see those again. It has RHOST, RPORT and SMBPIPE. RPORT and SMBPIPE have a default setting
09:58
and they're all three required. And then they have a description.
10:03
We see some payload information.
10:05
Luckily, Metasploit will take care of all of this for us. But when we get into exploit development, these things will be of the essence: the amount of space we have for the payload, the amount of room we have in memory in bytes. So we have 400 bytes,
10:20
and it says there's eight characters we need to avoid. So there's eight bad characters. Bad characters will in some way break the exploit string, again, when we get into exploit development.
10:33
Metasploit doesn't even tell us what those eight characters are. Of course, we can get them in the source code if we go back to that module. But Metasploit will automatically get rid of any bad characters.
10:45
Then it has the description of the flaw.
10:48
Finally, some references. Again, there may be points during our pen test where there's a few different modules that look like they might be the right one, maybe comparing
10:58
our results in vulnerability analysis to these modules.
11:05
Open Source Vulnerability Database numbers, we have TechNet. In this case, it's pretty simple to see which one is the right one since it's MS08-067. But it may not always be named so easily.
11:16
You may have to look at, say, Open Source Vulnerability Database numbers to see which is the actual vulnerability that we found in our vulnerability analysis. You never know. Just maybe a hint for later.
11:28
All right, so this is indeed the module we want at this point. Again,
11:33
I'm just at this point telling you this is a vulnerability that's present. We will have
11:39
plenty of time to look at other vulnerabilities. All of our virtual machines have some sort of vulnerability we can exploit,
11:48
plenty of chances to find vulnerabilities on your own.
11:52
But for now, let's use this module. So use, and again, you could drop off exploit slash if you want to,
12:01
ms08_067_netapi.
12:05
That moves us into the context of that module. So now it says exploit and ms08_067_netapi.
12:13
We do a show options
12:16
options may be different from module to module,
12:20
but all of our network based exploits like this are going to have RHOST, and it's not going to be set. That's going to be the remote host we want to send it to. We will look at some client side exploits where we don't directly send the exploit,
12:33
but this one and many of the other ones we'll look at are network based. They're going to send the crafted exploit string over the network to another system, and
12:43
hopefully you've lost control and allow us to our payload
12:50
Set RHOST to the correct value for our Windows XP machine.
12:56
Yeah, and that was over here.
12:58
Of course I've already forgotten what it was. 192.168.1.76 in my case. The easiest way to make your exploit not work is to just blindly follow me when your network is something else entirely.
13:13
So be sure and set your
13:16
IP address accordingly.
13:20
Make sure it is the IP address of your Windows XP machine and it's online.
13:26
The RHOST option, or your options in general, are actually not case sensitive. You can do them lower case. It is the best practice to do them in upper case, and I will try and remember throughout the class. But you may catch me doing it wrong at some point, and you can either use correct case or not. Again, I would encourage you to do so.
13:46
We have RPORT and SMBPIPE. They're both set to a default setting: 445 for RPORT, and SMBPIPE is set to BROWSER. The RPORT,
13:56
in fact, that seems like it would be correct. 445: I've never seen SMB anywhere else. If you wanted to make everybody in your IT staff miserable, then you could maybe recode everything. But every client has it hard coded in. I can't imagine it would be something that anybody would ever want to do.
14:13
So probably that RPORT is going to be correct. But if we really,
14:18
for some reason, needed to change RPORT. For my support, we could do the same thing with set: the option to set, and what we wanted to set it to. But again, this one is fine how it is. We could set any option that way, though. Just set, the option to set, and what we want to set it to.
14:35
Same thing with SMBPIPE. For now, I'm just going to tell you that the BROWSER pipe is correct how it is set now. We don't currently know what SMB named pipes are listening. We'll actually look at an auxiliary module that will tell us that a bit later on, for our auxiliary example. But again, for now, just go on faith that what I'm telling you is true.
14:56
We also see the exploit target is set by default to automatic targeting. We can see all our targets again with show targets. So we have show options, show targets, etcetera.
15:09
The syntax is pretty simple for Metasploit.
15:11
you see all those targets again. But we will just leave it as automatic targeting for now.
15:18
So it looks like everything is set. Now if we do show options, in fact, we now have RHOST, so everything should be good to go. We have forgotten one thing.
15:28
We have not set a payload.
15:30
Metasploit will, if you don't set a payload, choose a default payload for the module and do its best to run correctly.
15:37
But we should certainly know how to set a payload. That default may not always be what we want, so we should certainly at least learn how to set a payload.
15:46
So what we want to do is do a show payloads. Show options to see the options, show targets to see the targets, show payloads to see the payloads. You're probably catching on here.
15:58
If we do a show payloads, this is going to show us only the payloads that work for this module, so we're only gonna see Windows payloads here. Nothing for Linux, or iPhones or Androids.
16:08
We'll see pretty much all of our Windows payloads, though it does have to be able to fit in that 400 characters of space, but
16:18
that's a pretty good amount of space. We should see pretty much everything here,
16:23
and we'll learn more about the fitting in space. When we do our exploit development,
16:30
We see something called Meterpreter come up. That may not be familiar to you, but Meterpreter is Metasploit's special payload. We will see lots of Meterpreter, particularly in our post exploitation section.
16:45
And we also see some basic command shells. You see reverse shell, bind shell.
16:52
We went through that during our Kali Linux basics section, about our bind shell and reverse shell. Bind: it opens on one system and listens, and we connect to it. Reverse, on the other hand: it actively pushes the shell back to our listener on Kali. We did that with Netcat.
17:10
That's the same thing automatically in Metasploit.
17:15
So let's go ahead and set the payload to
17:21
windows/shell/bind_tcp.
17:27
That will make a bind shell. You will notice, if you go through that, there's actually one that's windows/shell_bind_tcp, whereas this one is windows/shell/bind_tcp. So they look like they are exactly the same. They're practically named the same. They just have
17:48
extra slashes. That is a staged payload versus an inline payload. The one that we've chosen, with the double slash, is staged, whereas the one with only one slash is inline. An inline payload puts the entire payload in the original attack string. It does take up more space,
18:06
whereas a staged payload just puts in enough
18:08
commands to call back and finish the payload, basically. So we'll have it set up something called a handler. It will do that automatically, which will know what it needs to do in order to finish up the payload.
18:22
So in our case, either will work. They're both on our list, but it may come into play sometimes in exploit development that we may want to do a staged payload.
18:34
But again, either will work here. But we chose the staged one, and it is bind_tcp. You can do anything that's on this list. I encourage you to spend some time playing around with payloads at the end of this module before we move on.
18:48
Maybe try out Meterpreter.
18:51
But for now, let's do a show options again. We see our old options, like RHOST, RPORT, SMBPIPE, but we also see some payload options
19:03
that have been tacked on. So we have exit function. As the name implies, that's how it's going to exit.
19:10
We have SEH for the structured exception handler. We'll talk about that when we get to exploit development, but that's how Windows deals with exceptions
19:18
when something goes wrong?
19:21
Also there's thread, which is the default, so it'll just kill the thread; and also kill the process, or do no exit
19:27
function at all. Thread is a good one.
19:30
Just exit the thread and continue on. Hopefully won't bring the server down.
19:37
LPORT is going to be our
19:41
local port that it's going to open that bind shell on. 4444 is the default. You can change that the same way, so we could do set
19:51
LPORT to 1234, for instance. But that's not strictly required.
19:56
Of course, some intrusion detection systems, if your client has them, may just automatically block everything on 4444. Oh, you're Metasploit, please go away, kind of thing. When they're all signature based, it's easy to get around that by just changing the port.
20:12
So, of course, in our lab, we don't need that. We don't have Snort or anything listening at this point.
20:18
It also has RHOST as well. Not required. That's the target address. We've already set that in the previous
20:26
section, when we did RHOST
20:30
up here. That's already set for us. That's all we need here. Our options, again, will be based on this particular payload. If we had done a reverse shell, for example, it would have asked us for the IP address to call back to. Since we did a bind shell, we don't need that here. It is going to be different every time
20:49
based on what you choose for your module and your payload. Some of them may be the same, but they will vary, so you can always do a show options to see what you need.
21:02
So now we should be really good to go, so we can say exploit to tell it to run. Just type exploit, and if we have indeed set everything up correctly, we should be good to go.
21:17
And sure enough, we now have a Windows Command prompt.
21:21
We are at C:\Windows\System32. This does exploit the SMB server, which is a system service.
21:29
So first thing we did was open up a bind handler. So we chose a bind payload, so that automatically sets up a handler to deal with it and connect back and finish
21:40
the payload, since it's staged. It automatically detects the target. We did tell it to automatically detect the target. So sure enough, it does. It figures out it's Windows XP
21:51
Service Pack 3 English, selects the correct target,
21:55
and then it does send over the attack string. It does encode it.
22:00
I said we would kind of see encoders here. This is one of the encoders from Metasploit, x86/shikata_ga_nai. That's Japanese for it can't be helped. As we'll see in our avoiding antivirus
22:14
phase, it actually can be helped, and antivirus will in fact pick up shikata ga nai. But we will get other ways of getting around antivirus. Primarily, encoding is really just to avoid our bad characters. We saw there were eight of them that needed to be avoided here, so it will
22:32
encode itself to get rid of any bad characters,
22:37
prepend a decoder, basically, at the top. So first thing it will do is decode itself back into its original form,
22:45
and then our payload will run.
22:48
And then we send over
22:51
our stage, and the handler deals with finishing it.
23:00
Our session: Metasploit considers communication between our target and,
23:07
in this case, Kali to be a session.
23:10
So this is session one, and now we have, again, our command prompt, so we can run
23:15
Windows commands that we're interested in.
23:21
And when we're done with it, we can close it with a Control-C. That will abort the session. But we have another option. We can background the session with Control-Z. It asks us, do we want to background it? If we say yes, it will keep the session open, but then return us to the Metasploit prompt.
23:40
And then if we do a sessions -l for list, we can see all of our open sessions. Currently, we only have one. If we want to interact with the session that's in the background, we'd say sessions -i and then the session number,
23:56
and that will drop us back into the session, so we can move from Metasploit out of sessions and back into them. We don't necessarily have to be done with them before we put them in the background. We could always bring them back as long as there's still network communication between the two systems.