So in the last lesson, we went and used a command shell, just a reverse TCP as our payload. I want to show you what happens if we use a different payload. So, what we are going to do here is use a different thing called Meterpreter. So, we are going to set our payload. And in this case, it's windows/meterpreter/reverse_tcp. And then we will show our options. You can see we have our same options as before. We have our same exploit set, our same vulnerable Windows machine, but now we have a different payload set up, even though it did carry over the fact that we are still going to listen on this particular Kali machine. So now we are ready to exploit. Notice it sent the stage and it actually got it. But, notice our command prompt is a little different. This time it says Meterpreter. Now the reason why is, we're not actually using the Windows command prompt. We're using Meterpreter as our shell. Now Meterpreter is great, it has a lot of capability. In fact, I'm going to go through a couple of them with you real quick.

We're going to start out with a question mark, which tells us all the things we can do. If we scroll up here to the top, you'll see the core commands. We can send things to the background, we can get timeouts, just some basic housekeeping type information here. But, what really gets fun is when we get down here: file system commands. If you're a Unix guy or a Linux guy, this is great because all of our standard Unix and Linux stuff will actually work. In addition to that, we can use our Windows stuff too. So, we still have dir, we still have cd, but we also have ls for listing our files. The other nice thing that I really like is the fact that we can upload or download files from our directory. This is going to be really useful as well. Now as we move further down, we'll show you some other things that we have here. We can display the ARP cache, we can do some proxy settings, we can see the interfaces they have and figure out, 'cause sometimes you'll get to a box that is used as a router, and we can pivot from one to the other.

We can also modify our routing tables. That's some good useful information as we get further into our hacking careers. The other nice thing we have is our system commands. And, there are some things that you can do that will help cover your tracks, but they are pretty blatantly obvious. For instance, you can clear the event log. If I clear the event log, the system administrator is going to know he got hacked. The good news is though, he won't know I'm the one who did it. There's a lot better ways of hiding yourself than just clearing the event log, but that's one way to do it. The other thing you can do is, you can execute commands, you can get environment variables, and you can actually grab tokens and steal tokens from another user. So, if there was a domain admin who ever logged into this box, I can steal their token and then use it across the domain. Other things I can do include rebooting the computer, or showing the process list, or killing processes.

If I want to get to that Windows command shell, I can do that too, just by typing shell. Now, some more fun is when you get down here towards the bottom. This is one of my favorite areas. It is the user interface commands. So, one of my favorite commands is actually here. It's called grab a screenshot. You just type in screenshot and it will steal a picture of the person's desktop. So if they are using their banking account information, for instance, now I can have their checking account information because I'll see it on their screen. The other thing I can do is I can start and stop key scanners. This will actually start capturing every keystroke that person makes and sending it back to me once I type in scan dump. As we move further down, these won't work with our virtual machine we're attacking, but if you had somebody's real machine, we can actually stream their webcam. So I can see what they are doing. I can take a snapshot of their webcam.

I can start a video chat with that person, or record their microphone and listen to what they are doing. Lots of different things we can do here. And then finally, as we get down here, we have things like getsystem. So, assuming I attack the person using a user-based exploit, not an administrator exploit, I want to elevate my permissions up to the domain admin and up to a system admin. By doing getsystem, I can get that system level access. Now, to get domain admin I'm going to have to get the dumps of the SAM database. If I hashdump it, I can steal those credentials and then crack their passwords. And then finally, we have timestomp, and what timestomp does is, this allows me to manipulate the time on files. So, if there is a log file, I might go in there and delete a single line or two and then timestomp it back to the time before I touched it. That will allow me to cover my tracks a little bit better. So, while we are here, I'm going to go ahead and hit ls and see where we are.

And in this case, I'm in a directory with a bunch of DLLs. Can you guess what directory that is? It's probably the System32, but to double check that, what we're going to do is type in pwd, and you'll see that I'm in the Windows 32 directory. Now I talked about screenshots. Let's go ahead and try that one. Screenshot. It saved it to the root file of my Kali box under this JPEG name. So, what I'm going to do is open that up, and you can see right there, that was that person's desktop. There is the hack file we made in the last lesson. So that's useful, because you can start stealing information they have on their screen. So what else might be good? Well, let's look at the hashdump. So if I type in hashdump, I get the hashes for all of those users. I have the administrator, he is a 500 level account. And here is the hash that's associated with him.

There are websites out there that you can plug that hash into that will come back and tell you what those passwords are. Because there is a way to break those passwords using LANMAN hashes. Same thing here with John Sim, if we wanted that user account, we could take his hash, pop that into that website and come back with the user name and the password. This is information that can be very useful to us as we move on. So, this was just to show you some of the capabilities that you have inside Meterpreter. We're going to play with Meterpreter a lot more as we go into our Linux machine and start going through those vulnerabilities. But, I just wanted to give you a quick introduction to show you that there is a lot of power if you use something like Meterpreter, versus using something like a reverse shell TCP.