1
00:00:02,667 --> 00:00:03,979
Welcome to the lab.

2
00:00:03,979 --> 00:00:05,755
So in this one, I have two machines.

3
00:00:05,755 --> 00:00:08,560
I have a Windows 7 64-bit operating system,

4
00:00:08,560 --> 00:00:10,779
and I'm gonna have a Kali Linux machine

5
00:00:10,779 --> 00:00:12,347
that we've been using all the time.

6
00:00:12,347 --> 00:00:14,704
Now my particular Kali Linux machine has been updated

7
00:00:14,704 --> 00:00:17,413
to the latest patches and the latest exploits,

8
00:00:17,413 --> 00:00:19,067
including the one we're gonna use today,

9
00:00:19,067 --> 00:00:20,571
which is called EternalBlue,

10
00:00:20,571 --> 00:00:22,704
because it was released just four days ago.

11
00:00:22,704 --> 00:00:24,123
Now the first thing we're gonna do

12
00:00:24,123 --> 00:00:25,659
is we're gonna go on our Kali Linux machine,

13
00:00:25,659 --> 00:00:26,779
just like we did before,

14
00:00:26,779 --> 00:00:28,400
and we're gonna go ahead and find out

15
00:00:28,400 --> 00:00:31,355
what our IP address is by using ifconfig.

16
00:00:31,355 --> 00:00:34,128
Now you'll see here that when we use ifconfig,

17
00:00:34,128 --> 00:00:35,211
our IP address,

18
00:00:35,211 --> 00:00:38,711
or my IP address is 192.168.56.102.

19
00:00:40,827 --> 00:00:43,269
Now that tells me that since its subnet mask

20
00:00:43,269 --> 00:00:47,360
is 255.255.255.0, that this is a slash 24 network.

21
00:00:47,360 --> 00:00:48,581
So I'm gonna open up Zenmap,

22
00:00:48,581 --> 00:00:51,568
and I'm gonna go do a search across this network.

23
00:00:51,568 --> 00:00:53,488
That way I can find the Windows machine

24
00:00:53,488 --> 00:00:55,829
that is on this network, and so I'll know where it is.
25
00:00:55,829 --> 00:00:57,333
Now if you've done your reconnaissance already,

26
00:00:57,333 --> 00:00:58,400
and you know the IP address,

27
00:00:58,400 --> 00:01:00,736
you can scan just for that one IP.

28
00:01:00,736 --> 00:01:03,381
So, as Zenmap goes, I'm gonna fast forward here

29
00:01:03,381 --> 00:01:04,747
so we don't have to sit here watching it

30
00:01:04,747 --> 00:01:06,352
as it's churning away on its scans.

31
00:01:06,352 --> 00:01:08,320
When it's done, you're gonna see the fact

32
00:01:08,320 --> 00:01:10,325
that it found the Windows 7 machine,

33
00:01:10,325 --> 00:01:11,867
and it did find three ports open.

34
00:01:11,867 --> 00:01:15,099
It found 135, 139, and 445.

35
00:01:15,099 --> 00:01:18,965
Now for EternalBlue, it does require port 445 to be open,

36
00:01:18,965 --> 00:01:20,704
and so that means that Windows 7 machine

37
00:01:20,704 --> 00:01:22,288
has to have file sharing enabled,

38
00:01:22,288 --> 00:01:23,675
otherwise we're not gonna be able

39
00:01:23,675 --> 00:01:25,227
to get to it with this exploit.

40
00:01:25,227 --> 00:01:26,779
So now that it's done finding it,

41
00:01:26,779 --> 00:01:28,133
we're gonna click on that Windows machine.

42
00:01:28,133 --> 00:01:30,181
Again, you're gonna see that this is a Windows machine.

43
00:01:30,181 --> 00:01:32,357
It thinks it's a Windows Server 2008.

44
00:01:32,357 --> 00:01:33,344
That's okay.

45
00:01:33,344 --> 00:01:34,880
Windows 7 and Windows Server 2008

46
00:01:34,880 --> 00:01:36,539
share a very common code base.

47
00:01:36,539 --> 00:01:37,840
But when I look at the ports and hosts,

48
00:01:37,840 --> 00:01:39,627
the way that it responded on 445,

49
00:01:39,627 --> 00:01:41,829
it tells me this is a Windows 7 machine.
50
00:01:41,829 --> 00:01:44,000
So I'm gonna open up my Metasploit framework

51
00:01:44,000 --> 00:01:47,989
using msfconsole, just like we did in the previous labs.

52
00:01:47,989 --> 00:01:50,448
Now, once Metasploit framework has loaded,

53
00:01:50,448 --> 00:01:51,419
what we're gonna do is

54
00:01:51,419 --> 00:01:54,560
we're gonna use the command use, and then the exploit.

55
00:01:54,560 --> 00:01:58,727
exploit/windows/smb/ms17_010_eternalblue,

56
00:02:02,576 --> 00:02:04,597
and then we're gonna hit Enter.

57
00:02:04,597 --> 00:02:06,288
Now, we're gonna show our options.

58
00:02:06,288 --> 00:02:08,944
And you'll see here that the only option that we have to do

59
00:02:08,944 --> 00:02:10,277
is set our remote host,

60
00:02:10,277 --> 00:02:15,104
so I'm gonna set our host as 192.168.56.101,

61
00:02:15,104 --> 00:02:19,877
the Windows 7 machine, and then I'm gonna type run.

62
00:02:19,877 --> 00:02:22,325
Now, from here it's gonna go into its exploit.

63
00:02:22,325 --> 00:02:24,725
We're using a standard shell response,

64
00:02:24,725 --> 00:02:25,973
not a Meterpreter payload,

65
00:02:25,973 --> 00:02:27,488
although we could have set that as well.

66
00:02:27,488 --> 00:02:31,733
So then I get back c:\Windows\system32,

67
00:02:31,733 --> 00:02:32,635
and I'm gonna go ahead

68
00:02:32,635 --> 00:02:34,459
and change myself to the root directory.

69
00:02:34,459 --> 00:02:36,528
Now, notice on my Windows 7 machine,

70
00:02:36,528 --> 00:02:37,877
there was no folder there.

71
00:02:37,877 --> 00:02:40,704
Now I'm gonna do make directory "You've Been Hacked",

72
00:02:40,704 --> 00:02:42,357
and when I do that, boom,

73
00:02:42,357 --> 00:02:44,192
it's on the Windows 7 machine instantly

74
00:02:44,192 --> 00:02:45,595
because I have root access

75
00:02:45,595 --> 00:02:47,851
to do whatever I want on this Windows machine.
76
00:02:47,851 --> 00:02:49,019
So now I'm gonna go ahead

77
00:02:49,019 --> 00:02:50,320
and I'm just gonna go into that directory,

78
00:02:50,320 --> 00:02:51,312
and I'm gonna create a file

79
00:02:51,312 --> 00:02:52,677
and leave a message to the person,

80
00:02:52,677 --> 00:02:54,667
because again, if I'm doing a penetration test,

81
00:02:54,667 --> 00:02:57,019
I wanna let them know how I got in and why I got in.

82
00:02:57,019 --> 00:02:58,576
And so I'm gonna do a quick echo command,

83
00:02:58,576 --> 00:02:59,515
and here I'm just gonna say,

84
00:02:59,515 --> 00:03:03,653
"This works on Windows 7 and Windows 2008 servers",

85
00:03:03,653 --> 00:03:05,557
and I'll put that into a file

86
00:03:05,557 --> 00:03:08,197
that is gonna be called hack.txt

87
00:03:08,197 --> 00:03:09,197
or work.txt.

88
00:03:14,624 --> 00:03:16,379
And now you'll see work.txt

89
00:03:16,379 --> 00:03:17,899
popped up in the Windows 7 machine.

90
00:03:17,899 --> 00:03:19,536
So at this point I can do whatever I want

91
00:03:19,536 --> 00:03:20,369
on this Windows machine.

92
00:03:20,369 --> 00:03:21,275
I can move files.

93
00:03:21,275 --> 00:03:22,213
I can remove files.

94
00:03:22,213 --> 00:03:23,147
I can delete files.

95
00:03:23,147 --> 00:03:24,219
I can create new files.

96
00:03:24,219 --> 00:03:26,117
I can grab system information.

97
00:03:26,117 --> 00:03:28,272
I can create users, pop holes in the firewall,

98
00:03:28,272 --> 00:03:30,664
and really just start expanding my access from here.

99
00:03:30,664 --> 00:03:32,499
This was just the initial way in.

100
00:03:32,499 --> 00:03:34,669
Now again, this is only gonna work

101
00:03:34,669 --> 00:03:36,995
on Windows 7 and Windows 2008 right now.
102
00:03:36,995 --> 00:03:38,227
There are people who are working on

103
00:03:38,227 --> 00:03:39,645
Windows 8 and Windows 10 exploits

104
00:03:39,645 --> 00:03:41,656
for this particular vulnerability as well.

105
00:03:41,656 --> 00:03:43,373
Microsoft has released a patch,

106
00:03:43,373 --> 00:03:45,779
but people are not patching quick enough on this one,

107
00:03:45,779 --> 00:03:47,565
so it's really been getting out of hand.

108
00:03:47,565 --> 00:03:50,168
Now the good thing is that a lot of people

109
00:03:50,168 --> 00:03:51,091
are starting to take notice

110
00:03:51,091 --> 00:03:53,379
because of the WannaCry ransomware,

111
00:03:53,379 --> 00:03:54,728
and they don't want their files to get hacked,

112
00:03:54,728 --> 00:03:56,387
so they have been updating their software.

113
00:03:56,387 --> 00:03:58,904
So your services and your systems in your companies

114
00:03:58,904 --> 00:04:00,653
are probably gonna be okay from this one,

115
00:04:00,653 --> 00:04:02,915
but it is one you wanna scan, and you wanna look for

116
00:04:02,915 --> 00:04:04,552
as you're going through your penetration tests.

117
00:04:04,552 --> 00:04:05,635
And this is just a simple example

118
00:04:05,635 --> 00:04:08,045
that these techniques that we went through in this class,

119
00:04:08,045 --> 00:04:09,197
they are timeless.

120
00:04:09,197 --> 00:04:10,632
It is the same stuff we've been doing

121
00:04:10,632 --> 00:04:12,072
for the last decade or two.

122
00:04:12,072 --> 00:04:14,973
The only difference is the particular exploit that we use.
123
00:04:14,973 --> 00:04:17,293
And as you go through and use a vulnerability scanner

124
00:04:17,293 --> 00:04:19,981
like Nessus, or any of the other products out there,

125
00:04:19,981 --> 00:04:20,936
OpenVAS,

126
00:04:20,936 --> 00:04:22,573
you can start learning which things

127
00:04:22,573 --> 00:04:24,163
are vulnerable on which networks,

128
00:04:24,163 --> 00:04:25,933
and start getting a better repertoire

129
00:04:25,933 --> 00:04:27,283
and be able to start attacking those things

130
00:04:27,283 --> 00:04:28,419
as you move forward.

131
00:04:28,419 --> 00:04:30,157
I hope you guys enjoyed this bonus lecture,

132
00:04:30,157 --> 00:04:31,725
as I updated this course just a little bit,

133
00:04:31,725 --> 00:04:33,496
and really show you some of the latest techniques,

134
00:04:33,496 --> 00:04:35,304
and what was being used in WannaCry

135
00:04:35,304 --> 00:04:37,615
to be able to get this ransomware out there.