1
00:00:00,680 --> 00:00:01,400
Welcome back.

2
00:00:01,580 --> 00:00:07,940
And in this video, I want to talk about a few more useful commands and post exploitation modules.

3
00:00:08,480 --> 00:00:14,170
So what we got right here, I established a Meterpreter session with my Windows 10 main machine.

4
00:00:14,630 --> 00:00:19,500
And now let's see what else we could find useful after exploiting the target.

5
00:00:19,970 --> 00:00:26,480
Well, in the help command somewhere around here, I believe there should be an option called search.

6
00:00:27,500 --> 00:00:33,410
And what search allows us to do is to, for example, search for specific file types on the target

7
00:00:33,410 --> 00:00:33,800
system.

8
00:00:34,280 --> 00:00:40,670
So if we type search -h, this will give me the options that I can use with this command.

9
00:00:41,120 --> 00:00:47,510
For example, if I wanted to find all the JPEG pictures on the target system, what I could do is I

10
00:00:47,510 --> 00:00:54,760
could type search -f and then *.jpeg, press enter.

11
00:00:55,070 --> 00:01:01,490
And what this is going to do is it will manage to extract all the JPEG images that are located on the

12
00:01:01,490 --> 00:01:02,240
target system.

13
00:01:02,840 --> 00:01:08,870
Now you can also do this for any other file type that you want and you can also mix it with one of these

14
00:01:08,870 --> 00:01:10,300
options right here.

15
00:01:11,150 --> 00:01:12,530
And here are the results.

16
00:01:12,770 --> 00:01:14,570
We can see there are a lot of them.

17
00:01:14,930 --> 00:01:18,360
All of these are JPEG files, as we can see right here.

18
00:01:18,500 --> 00:01:22,310
Now, if you scroll all the way up, we can see that the list goes on and on.

19
00:01:22,730 --> 00:01:27,430
So maybe we would want to narrow it down if we were searching for something specific.

20
00:01:27,560 --> 00:01:32,290
But right now, we got all of the JPEG files on the target system.

21
00:01:33,200 --> 00:01:39,320
OK, another thing that I want to show you is the usage of post exploitation modules. How can we do

22
00:01:39,320 --> 00:01:39,660
that?

23
00:01:39,680 --> 00:01:45,710
Well, if I go and put my session in the background, clear the screen, and since we are on a Windows

24
00:01:45,710 --> 00:01:51,290
machine, what we can do to search for the post exploitation modules is we can type search and then

25
00:01:51,470 --> 00:02:01,310
post windows, press enter, and this will list out all 191 post exploitation modules and you can

26
00:02:01,310 --> 00:02:04,940
scroll through them and see which ones you would find useful.

27
00:02:05,600 --> 00:02:12,770
For example, if your target has a wireless card and it connects to a wireless access point, you can use this module.

28
00:02:13,240 --> 00:02:17,240
I type use and then the module name, show options.

29
00:02:17,240 --> 00:02:22,590
And usually these modules will only want the session ID, so they are very easy to run.

30
00:02:22,940 --> 00:02:25,640
You can see, we just set the session ID.

31
00:02:26,120 --> 00:02:32,870
First of all, let's check out what session I have, and it is 1. Set session ID to 1, then run the

32
00:02:32,870 --> 00:02:39,500
program and this will list out all of the wireless interfaces and possibly the passwords of the connected

33
00:02:39,500 --> 00:02:40,770
wireless access points.

34
00:02:40,970 --> 00:02:47,300
Now since my machine doesn't have a wireless interface, it simply just prints out no wireless interfaces.

35
00:02:47,600 --> 00:02:51,760
So these post exploitation modules depend on what you're looking for.

36
00:02:52,040 --> 00:02:56,620
So let's scroll a little bit up and see which type of modules we have.

37
00:02:57,260 --> 00:03:03,440
So we got a bunch of enumeration modules. You can enumerate Chrome to extract all the Chrome data you can

38
00:03:03,440 --> 00:03:06,890
find inside that browser in case the target is using Chrome.

39
00:03:08,040 --> 00:03:13,080
Check for VM, so you can use this module, for example, to check out whether the target that you managed

40
00:03:13,080 --> 00:03:17,660
to hack is a virtual machine or if it's a physical machine.

41
00:03:17,970 --> 00:03:19,710
So let's see how that would work.

42
00:03:19,920 --> 00:03:26,880
We know that my Windows 10 main machine is not a virtual machine, so it should give out false as a

43
00:03:26,880 --> 00:03:28,140
result of that. Set session

44
00:03:28,230 --> 00:03:35,370
1, run this, checking if my target machine is a virtual one, and it says it appears to be a physical

45
00:03:35,370 --> 00:03:36,840
machine, which is correct.

46
00:03:37,410 --> 00:03:42,210
We can also be more specific when searching for the post exploitation module, such as, for example,

47
00:03:42,210 --> 00:03:44,610
type search and then passwords.

48
00:03:45,480 --> 00:03:51,870
And we can see right here, we get some post exploitation modules for gathering passwords, credentials,

49
00:03:51,870 --> 00:03:54,270
Total Commander saved password extraction.

50
00:03:54,270 --> 00:03:56,880
Let's go a little bit up, see what else we have.

51
00:03:57,450 --> 00:03:58,820
Not really too interesting.

52
00:03:58,830 --> 00:04:04,500
However, one module that we can use to extract the cached versions of passwords on a Windows machine

53
00:04:04,860 --> 00:04:08,280
is, we can type search and then hashdump.

54
00:04:08,820 --> 00:04:16,110
Then we can scroll a little bit up and we got somewhere around here a module. Here it is, called post

55
00:04:16,110 --> 00:04:19,110
windows gather and then hashdump.

56
00:04:19,440 --> 00:04:28,770
So let's copy it, type use and then paste the module name. If I type show options, set the session to

57
00:04:28,770 --> 00:04:29,250
be 1.

58
00:04:29,640 --> 00:04:31,770
As you can see, they're very easy to run.

59
00:04:32,040 --> 00:04:35,160
Only one option is required and I type run.

60
00:04:35,790 --> 00:04:37,730
It will tell me access is denied.

61
00:04:37,920 --> 00:04:42,660
So this simply means that we're not a system level account, but we know how we can fix that.

62
00:04:42,660 --> 00:04:46,230
So I'm just going to do that real quick just to show you what this

63
00:04:46,230 --> 00:04:48,820
post exploitation module outputs once it works.

64
00:04:48,820 --> 00:04:53,700
So I'm going to real quick elevate privileges

65
00:04:56,370 --> 00:05:02,880
and here it is, the privilege escalation worked from the second try and I'm going to type getsystem,

66
00:05:03,570 --> 00:05:12,060
background this session and now use post windows gather and then hashdump, set session to be session

67
00:05:12,060 --> 00:05:16,590
2 because this session 2 in this case is the session with the system level account.

68
00:05:17,100 --> 00:05:23,940
And if I type run, this should give me the hashes of all the users on that Windows machine.

69
00:05:24,660 --> 00:05:30,750
And here they are, we got the administrator hash, we got the user hash and we got some other hashes

70
00:05:30,750 --> 00:05:34,650
as well, and we could use them to crack them with some other program.

71
00:05:34,650 --> 00:05:37,470
But more about password cracking later on in the course.

72
00:05:37,890 --> 00:05:40,410
For now, we just managed to extract the hashes.

73
00:05:40,950 --> 00:05:45,870
Another useful option that we have that requires system privileges inside of the

74
00:05:46,150 --> 00:05:52,560
Meterpreter shell: if I go inside of my system level session and I type the help menu, scroll a little

75
00:05:52,560 --> 00:05:53,040
bit up.

76
00:05:53,310 --> 00:05:59,010
I should see this option called clearev and this stands for clear the event log.

77
00:05:59,290 --> 00:06:00,140
What does this mean?

78
00:06:00,450 --> 00:06:06,120
Well, this command will clear application, system and security logs on a Windows system.

79
00:06:06,270 --> 00:06:10,110
So it is something similar to covering up our tracks.

80
00:06:10,590 --> 00:06:11,490
How can we run it?

81
00:06:11,610 --> 00:06:13,350
Well, it takes no other parameter.

82
00:06:13,360 --> 00:06:18,900
So all we need is a system privileged account and we can type clearev and we can see right here

83
00:06:19,200 --> 00:06:23,850
it is wiping out records from application, system and security.

84
00:06:24,360 --> 00:06:29,880
And another thing that I want to show you before I close off this video is that you can run post exploitation

85
00:06:29,880 --> 00:06:31,620
modules even from the Meterpreter.

86
00:06:32,190 --> 00:06:36,930
So you don't always need to put it in the background in order to run a post exploitation module.

87
00:06:37,260 --> 00:06:44,640
You can simply just type run and then the module name. For example, I will use this one: post windows

88
00:06:45,390 --> 00:06:53,280
gather and then enum_applications, and if I press enter, what this post module will do is it'll

89
00:06:53,280 --> 00:06:59,880
print out all of the installed applications on my Windows 10 machine and we can see them right here.

90
00:07:00,890 --> 00:07:06,860
So many different modules exist, there are hundreds of post exploitation modules. You run all of

91
00:07:06,860 --> 00:07:12,730
them the same way, so you can just go and search through them and find which one is useful for you

92
00:07:13,040 --> 00:07:15,380
and you can test them out and see how they work.

93
00:07:15,750 --> 00:07:21,020
Right, now that we covered all of this, you have a pretty good understanding of what post exploitation

94
00:07:21,020 --> 00:07:21,410
is.

95
00:07:21,590 --> 00:07:24,920
So let's just remind ourselves of the most important things that we do.

96
00:07:24,920 --> 00:07:28,400
After exploiting the target, we try to elevate our privileges.

97
00:07:28,670 --> 00:07:33,170
We create persistence in order to be able to enter that machine whenever we want.

98
00:07:33,950 --> 00:07:41,570
And we search for useful information on that target machine, such as password hashes, such as different

99
00:07:41,570 --> 00:07:43,490
files that we might find useful.

100
00:07:43,760 --> 00:07:46,360
And those are the main parts of the post exploitation module.

101
00:07:46,880 --> 00:07:52,640
Of course, you can then use commands like clearev and other commands that are used to cover

102
00:07:52,640 --> 00:07:58,160
up your tracks and delete the log files, which could be useful to cyber forensics in case they want

103
00:07:58,160 --> 00:08:01,320
to track back the person that was on that machine.

104
00:08:01,790 --> 00:08:05,330
So thank you for watching this video and I will see you in the next lecture.