Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

In this lesson, Georgia revisits Metasploit and how it is used for vulnerability testing.

Video Transcription

00:04
All right. So let's take a look at Metasploit again. So what we should do... let me start
00:09
Metasploit. Well, I guess it's gonna start up the database first. I always don't do this, because I never really use the Metasploit database.
00:18
In fact, the image I used to use for classes, it was broken.
00:28
msfconsole, open up Metasploit. And look at some... I showed you an auxiliary module in the Metasploit section, but we certainly have many other auxiliary modules besides the example that we looked at about the named pipes, so we can use Metasploit to do some vulnerability scanning as well.
00:49
If it ever opens,
00:54
we're gonna take a look at another auxiliary module.
00:58
And we'll also look at something called the check function that we have on some, but not all, of the exploit modules, that will actually allow us to check whether a vulnerability exists
01:08
without actually running it. I mean, in some cases, there's really no way to do this. Exploiting it is really the only way
01:15
to verify. But
01:18
in some cases we will have
01:19
the check function.
01:22
Of course, as soon as I go do something else, this is actually going to pop up. I probably should have turned it on before I turned on the video.
01:30
This isn't always what happens. I end up here
01:32
chatting away
01:36
to that,
01:37
Marcie. Like I said, we were gonna do something else.
01:40
Here's Ubuntu. Don't really have anything to do. Honor bound to remind you
01:44
seven's off. There's extra
01:48
anonymous of counsel. You have no excuses.
01:53
There we go.
01:55
Finally.
01:56
It shouldn't be that slow. I guess I could give it more memory. I'm not sure how much it has, honestly, but if you have the memory to spare, you can certainly give your virtual machines more memory.
02:06
All right, so we've already seen how to use Metasploit. Go back to the Metasploit section. That's Module number three,
02:15
if you need to see it again. So we want to... I'll show you "use"
02:19
on the example, which is gonna be another auxiliary: auxiliary/scanner/ftp/anonymous.
02:28
Show options.
02:32
Oh, we could actually use this to test other credentials as well. So really, it should be ftp_login. And I guess, I don't know,
02:40
um,
02:42
does it? We could just change this to be real credentials, but
02:46
FTPUSER is anonymous, and then you're supposed to have your
02:50
password be your email address, or just use this mozilla@example.com. RPORT by default, 21.
02:58
That's gonna be correct. In some cases, you might find a thing like 2121, depending on the platform.
03:05
But we know how to change that: set RPORT 2121.
03:09
Threads,
03:10
at most. We're gonna run this against two systems, so one thread will be perfectly fine. Can, of course, make it multi-threaded.
03:17
We need to...
03:19
Oh! That is RHOSTS,
03:24
but
03:27
about a thought.
03:35
So
03:37
we have our output from Nmap. If we have one of the greppable ones... See what I've got here.
03:44
Like,
03:47
we have,
03:50
like, our classscan.gnmap. We cat that out.
03:54
This isn't really useful again for two hosts, but this is incredibly useful if you have a lot of them. And we learned how to do this pretty much earlier, if we went through the Linux section,
04:04
so what we can do. So here's the cat out of the .gnmap. This is why I like gnmap. Admittedly, it's not very nice to read, but, as the name implies, it's great for grepping.
04:15
So what we can do
04:17
is, look, cat out
04:19
classscan
04:21
.gnmap.
04:25
Well, let's see, let's
04:28
grep for the word Up. Every time a host is alive, we get this status Up here.
04:35
We got that again. In this case, there's only two, not that exciting, but could be much, much larger. I do regularly do pen tests that are 5, 10,000 hosts, even more.
04:47
Let's do that cut again. We learned cut
04:50
in our
04:51
Linux section. There are other ways of doing that. Look, I know people use awk to do this, or you can use sed. I like cut.
04:59
Easy from here. Remember the syntax for it.
05:01
I'm gonna make the delimiter a space. Then, I want field... I want just the IP address, so I want field two.
05:10
Like, it gives me just our IP addresses
05:12
and then,
05:14
again, not necessary in this case, but sort them uniquely. I mean, just in case, you never know where you're getting your output from. Always a good idea to sort uniquely.
05:25
All right, put that into a live_hosts.txt.
05:31
Well, then, what we can do here in Metasploit,
05:35
again, it would have been easier just to type in the two hosts. But when you're doing it against a lot of them, any command line kung fu you like is certainly worth it. Set RHOSTS to file, colon,
05:47
then this isn't the root directory,
05:50
/root
05:53
and live_hosts.txt, so it will pull the data from live_hosts.txt to do this scan.
06:06
All right, so we don't need a payload, since this is just an auxiliary. So go ahead and type run
06:15
or exploit. I usually just end up saying exploit
06:18
instead of run. It works everywhere.
06:21
So we do have anonymous read access.
06:27
So we saw that one of those
06:30
Windows systems, looks like that'll be pretty interesting. It has a file called passwords.txt,
06:36
might be worth grabbing.
06:39
So again, I encourage you to spend some time looking at different auxiliaries. If your Metasploit is still a bit shaky, go back and look at the Metasploit section. I definitely think there's really nothing you could learn that would benefit you more than Metasploit. Metasploit is really
06:57
the de facto for pen testing. It's definitely worth knowing.
07:02
All right, so let's look at one more thing with Metasploit, because again we can use
07:08
our auxiliaries for
07:10
vulnerability scanning. But we can also...
07:14
we go back to our exploit/windows/smb/ms08_067.
07:20
We saw that Nessus found that.
07:23
But I always, again, like to get at least two things saying that it's true. If exploitation is allowed, if you're doing a pen test, then you can certainly just exploit it to find out. But if you're just doing vulnerability work, you might just need to do a manual check, if possible. This is there,
07:42
some cases. There may be no manual check. It's exploit it or nothing, so I may not always be able to figure it out. But I always try and get at least two things saying that it's true.
07:53
So if we show our options, we should remember this. We want our RHOST to be
08:00
Windows XP
08:03
and SMBPIPE is correct as browser. Remember, there is an auxiliary for that. We saw that in our
08:09
Metasploit section.
08:11
We can do the automatic targeting. Instead of setting a payload
08:16
and doing exploit, what I'm gonna do is use the check function. Again, not all Metasploit exploit modules have this. In some cases, it's just not possible to check. And even if it is,
08:26
there's no requirement that the developer of the module implement the check function.
08:31
It says the target is vulnerable.
08:35
So that's cool.
08:37
That's something we can exploit. Of course, we already knew that. We already tried it
08:41
as our example exploit in a previous module.
08:46
But on our pen test, that would let us know that, yes, indeed, we have confirmation from two sources that this is
08:52
probably a good one to try and exploit, based on either previous knowledge or research we'll find. MS08-067
09:00
is a really good one to try and exploit. If it's available, it's pretty steady, unlikely to bring the service down. It does give you system-level access, and,
09:07
interestingly enough, you can exploit it over and over again, which makes it a really good one for class, where we might
09:13
do things wrong and kill our sessions.
09:16
So that's one we will
09:18
be able to exploit
09:22
again. Not everything's gonna have the check function.
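The gnmap-to-RHOSTS workflow walked through in the lesson (grep for live hosts, cut the IP field, sort uniquely, feed the list to Metasploit with `file:`), as an added shell example that is not part of the transcript or of Metasploit itself. The .gnmap content is constructed sample data, and the output directory and resource-script name are this example's own choices; it anchors on the full `Status: Up` token rather than the bare word Up so that nothing else in the file can match.

```shell
#!/bin/sh
# Added example: turn Nmap greppable output into a Metasploit RHOSTS file.
WORKDIR="$(mktemp -d)"

# Constructed stand-in for classscan.gnmap (a repeated Up line and a Down host
# are included so the sort -u and the Status filter have something to do).
cat > "$WORKDIR/classscan.gnmap" <<'EOF'
# Nmap scan initiated as: nmap -oG classscan.gnmap 192.168.20.0/24
Host: 192.168.20.10 ()	Status: Up
Host: 192.168.20.10 ()	Ports: 21/open/tcp//ftp///, 445/open/tcp//microsoft-ds///
Host: 192.168.20.11 ()	Status: Up
Host: 192.168.20.11 ()	Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///
Host: 192.168.20.12 ()	Status: Down
Host: 192.168.20.10 ()	Status: Up
# Nmap done -- 256 IP addresses (2 hosts up) scanned
EOF

# Print the unique IPs of hosts reported Up, one per line, sorted.
# "Host:" is field 1 with a space delimiter, so the IP is field 2.
live_hosts() {
    grep 'Status: Up' "$1" | cut -d ' ' -f 2 | sort -u
}

# Write live_hosts.txt plus a resource script that points the
# ftp/anonymous auxiliary at it (run with: msfconsole -r ftp_anon.rc).
write_msf_rc() {
    gnmap="$1"
    outdir="$2"
    live_hosts "$gnmap" > "$outdir/live_hosts.txt"
    cat > "$outdir/ftp_anon.rc" <<EOF
use auxiliary/scanner/ftp/anonymous
set RHOSTS file:$outdir/live_hosts.txt
set RPORT 21
set THREADS 1
run
EOF
}

write_msf_rc "$WORKDIR/classscan.gnmap" "$WORKDIR"
echo "live hosts:"; cat "$WORKDIR/live_hosts.txt"
echo "resource script: $WORKDIR/ftp_anon.rc"
```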

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor