Post Exploitation (part 2) Exploit Development

Video Activity

This lesson focuses on writing vulnerable software to develop exploits. Participants learn step-by-step instructions to drop into a shell and use net commands to develop exploits. This lesson also discusses how to use the impersonate_token command to impersonate other users and log into a system.


Time: 14 hours 26 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription
00:04 All right. The time we've got, sounds so cool. So I'm on XP and
00:10 I want to... I already installed it. So we're gonna install the newest version of WinSCP.
00:17 So
00:21 I'm just gonna do
00:23 WinSCP and tell it to talk to the Ubuntu system
00:28 and give it the correct credentials, which should be georgia and password for SSH.
00:34 And I tell it to
00:43 save, and click save password, and it just says not recommended. But,
00:48 you know, plenty of people do. So we save that. Now, if we do a login, we can prove that it works
00:56 in the typical way of doing
00:59 secure copy from Windows and, frankly, everywhere, because this entire thing is gonna be rather hard to remember.
01:11 All right, so that just gives us a... Just lost.
01:15 No session. Not cool. Um,
01:22 being h seven.
01:36 All right. Cool.
01:38 Got working sessions again.
01:42 All right, so I want to take a look.
01:46 We'll just jump back into that guy,
01:49 a little bit of, like, finding data. We're going to do a search.
01:53 Yeah, for instance, like passwords.
02:07 There's password.txt
02:09 in anonymous
02:13 for you.
02:22 Find credit cards.
02:32 We need to search for, like, files
02:35 or
02:37 to be a little bit more precise.
02:40 There's actually, if we take a look at
02:46 our post exploitation modules, if we go back to... kill this.
02:52 You see that? It's fully... does free work
02:57 modules and go into the post modules,
03:01 windows gather,
03:05 there's gather stuff. There is a whole
03:07 section for credentials.
03:10 So, different things that store credentials. So we did WinSCP,
03:15 so I can use post/windows/gather
03:21 there, then fills... credentials, so tab complete is nice. And WinSCP.
03:28 Since this is a post module, we just need a session. Session number
03:34 seven.
03:37 set session seven,
03:40 exploit.
03:45 Found that saved username and password, so we can use these
03:50 gather modules to help us
03:53 gather additional information, including, I mean, in this case, we found the login for a whole different system,
03:59 depending on what they have
04:02 installed, that could be potentially useful.
04:09 And also, we didn't look at this in previous... through again.
04:14 That's not his ball. This keyscan is doing, actually,
04:17 logging keystrokes.
04:20 We're currently
04:23 in... We may not actually see in here, you're just
04:30 ups and move into
04:34 hi
04:38 explorer.exe. Start menu.
04:43 You're more likely to see keystrokes there.
04:47 Started the keylogger, come over to XP and
04:55 hey!
04:57 Hi, you're here.
05:00 Well, you do keyscan_dump.
05:04 And now we get everything, including, like, our Windows key
05:09 and backspaces that pad
05:13 Hi, Georgia. So keyscan_stop. You can also, if you migrate into, like, the winlogon process, you could get specifically login information.
05:25 It does depend on what process you're in, what you'll see
05:29 with the keylogger. Certainly easier than
05:34 building your own keylogger, getting it past antivirus, all that.
05:41 Another thing you may notice when you do the...
05:45 Once we're on the system, we may actually find other ways in
05:51 we may not have noticed the first time through. It was really hard to find everything, certainly.
05:57 Like, for instance, on this one we actually have the 3Com TFTP service. When we get to exploit development we'll see that
06:05 we'll use that for exploit development, one of our examples, but it would be very hard to find this as a vulnerability. It doesn't really say "Hi, I'm 3Com TFTP" or anything like that.
06:17 So while we did find the UDP port to be
06:20 either open or filtered,
06:24 we didn't actually find this. But it actually is an exploitable way in. So
06:28 I guess if you want to
06:30 write vulnerable software, put it on UDP and it will be harder to find.
06:34 So you may find another way in.
06:38 Another thing, like if we look at bash history
06:43 or, of course, Windows logs as well. I mean, logs... is good.
06:47 More of a forensic side there. But,
06:50 hey,
06:50 I like to check the bash history.
07:00 So I kind of cheated here and made the first thing in here my password. His password's shown... the password was password.
07:09 So rather than having to do local privilege escalation, we just looked there
07:14 before doing our udev. Could actually save ourselves some trouble there.
07:21 Another thing I like to do: in this case we have the ability to hashdump, but a lot of times I find myself, like, with a Java Meterpreter, where I don't have... So I come in through, like, Tomcat or
07:34 a PHP Meterpreter, in this case where we did
07:39 our XAMPP.
07:41 So we got Meterpreter through some sort of web interface,
07:45 but we don't have the full Meterpreter. So what I like to do is drop into a shell and then just use net commands.
07:53 So I could do net user
07:56 john
07:58 password... john /add,
08:01 net localgroup
08:09 administrators.
08:13 Yeah,
08:18 there, now John is a local admin.
08:22 Exit here.
08:26 Well, that was background, so I could pretend this is, like, my Meterpreter PHP, Meterpreter Java, and I can use
08:37 windows/smb/psexec.
08:41 This is going to authenticate over SMB
08:43 with the valid username and password so that we could get a regular Windows Meterpreter.
08:50 Also, if you have a valid set of credentials for one system, you could use this to try and get into additional systems that probably have the same credentials. I see the same local admin password on, like, probably 70% of the tests I do.
09:07 So they're just built from the same
09:09 image, or they just have the same local admin. So once you have credentials on one, you could just basically spin around all of them.
09:20 Show options, set RHOST to XP,
09:28 set SMBUser
09:31 john.
09:33 That should be SMBPass to john
09:37 and our SMBDomain.
09:41 We can leave it as WORKGROUP. We can also do dot to tell it localhost.
09:46 If you are working with a domain and you want it to just do the local host, you just do a dot.
09:52 I'll just let it default on the payload.
09:58 Well, failure. I just made John an admin.
10:07 Well, let's try georgia. Set
10:11 open the
10:13 either girl. You're
10:16 It is SMBPass.
10:26 I did not set these up right.
10:31 I told you to set them up, right? Maybe I didn't set them up right?
10:37 If I go to Control Panel on XP,
10:45 actually, no, Control Panel,
10:48 it's in
10:50 fall in the sea.
10:54 Um,
10:56 Local Policies, Security Options.
11:18 Yeah, on the end of this up. Great.
11:20 So basically making XP act as though it's part of the domain. But we have Windows 7 in a domain in my example, though I left that as optional for you.
11:33 So we made this change in the setup. I told you to. Anyways, I obviously did not.
11:39 Now we run this. It should work.
11:43 Sure enough, it does. So basically, it's making XP act like it's part of the domain, to allow users to log on over SMB. If you're not in a domain, it doesn't do this, but most of your clients will probably be in a domain.
11:56 All right, so we were able to get another session on this. It would give us
12:01 hashdump.
12:05 And it does. Oddly enough, you would think you'd be logged in as the user. But you actually get system-level access out of it
12:11 again. Once you have valid administrator, you have valid local admin credentials on one system, you can send this to all the other ones, and chances are at least some of them will have the same.
12:26 So we can also do something that's really cool for pass the hash.
12:31 The... grab the hash here.
12:33 We actually don't have to crack it in order to use this psexec. You can pass the hash. So basically what happens is, to avoid sending the password over the network,
12:43 the SMB server sends us a challenge, and we respond to it. And the way this is set up is that just the answer to the challenge is the hashed password,
12:54 that is a one-way hash, right? The only way we should have the hash is if we have the original password. Right,
13:01 well, as we see here, not always the case.
13:05 Copy this. And I set SMBPass,
13:09 the hash.
13:13 No. Much better.
13:16 That wasn't.
13:20 And paste that in.
13:22 Now you run it.
13:24 Well, actually. Still work
13:28 too, huh?
13:30 That's pass the hash
13:31 and could be very helpful if you
13:35 can't crack the password. I mean, in this case, it's got
13:37 LM hash on, so no worries. But if the LM hash was blank, you could do this.
13:46 You couldn't get your password cracked.
13:52 So we can do kind of the same thing with SSH on Linux, SSH exec.
13:56 I mean, I don't
13:58 use that as much. I mean, I'm always playing with Windows. That means
14:03 another thing I could do is token impersonation.
14:07 So we can use something called incognito. We load
14:11 incognito.
14:16 If we do help, we'll have more
14:18 incognito options.
14:20 So we list tokens.
14:24 You
14:28 currently just have BOOKXP\georgia,
14:31 system ones. But if I
14:37 log off here, switch users,
14:41 and log on as secret,
14:43 I know what secret's password is. 1000 1 day. Very.
14:48 Yeah, big piece.
14:54 So now if we do this here,
14:58 we pretend we don't know secret's password.
15:01 Now we see that secret's logged in,
15:07 so we can impersonate again.
15:16 Look at the
15:18 It's not BOOKXP.
15:20 Well, that's
15:24 secret with the double backslash.
15:31 Now I am
15:31 effectively secret. So if secret was, for instance, a domain admin,
15:37 we would
15:39 now be able to behave as a domain admin ourselves.
15:46 No,
15:46 I mean, secret doesn't really have any privileges that georgia doesn't. If you did set up a domain, and I'll show you a little bit about working with domains
15:58 in one of the later videos in the section. But if you didn't do this here, you can
16:04 impersonate other users that have logged into this system without knowing their credentials.
16:11 Another option we have is if we load mimikatz.
16:18 The help for this tool is written in French, so it's kind of difficult to figure out how to use it correctly.
16:30 But now we are in mimikatz.
16:33 So we just put in kerberos.
16:36 Not currently running as... right.
16:38 Um, would you be ready, so
16:42 let me put this back as system.
16:47 You can actually get plain text passwords of everybody who's logged in, so that it gives us secret and georgia's passwords. It can actually pull the passwords out of memory. So it's one step further than hashdump, but the users do need to be logged in for this.
17:02 But we can potentially get plain text passwords. So I mean, these are some pretty easy passwords to crack, but you could certainly get much more difficult ones.