1 00:00:00,810 --> 00:00:02,610 Hello and welcome back. 2 00:00:03,420 --> 00:00:11,460 Time to get our first exploit on the Windows machine, and we will go first with the famous EternalBlue. 3 00:00:12,840 --> 00:00:19,530 It is the NSA exploit that got stolen and leaked and that was used for the famous WannaCry ransomware 4 00:00:19,530 --> 00:00:21,650 attack in 2017. 5 00:00:22,440 --> 00:00:25,770 If you want to read more about it, you can Google it right here. 6 00:00:25,890 --> 00:00:28,050 And it has a very interesting story. 7 00:00:28,440 --> 00:00:29,700 As we can see right here. 8 00:00:29,850 --> 00:00:35,520 You will undoubtedly recall the name Shadow Brokers, who back in 2017 became known for dumping software 9 00:00:35,520 --> 00:00:42,300 exploits widely believed to be stolen from the US National Security Agency, and WannaCry, the notorious 10 00:00:42,300 --> 00:00:45,210 ransomware attack that struck only a few months later. 11 00:00:46,120 --> 00:00:51,460 You can also read some other information about the exploit, like what EternalBlue is, and we can see 12 00:00:51,460 --> 00:00:52,180 its vulnerability 13 00:00:52,180 --> 00:00:57,480 name, CVE-2017-0143 to 0148. 14 00:00:57,970 --> 00:01:01,600 And as it says, this is a family of critical vulnerabilities in the Microsoft 15 00:01:01,600 --> 00:01:09,820 SMB version 1 server used in Windows 7, Windows Server 2008, Windows XP and even Windows 10, 16 00:01:09,820 --> 00:01:11,440 running on port 445. 17 00:01:12,430 --> 00:01:17,800 You can read some other information as well if you want to, and right here it also tells us that 18 00:01:17,800 --> 00:01:24,520 even after two years of this flaw being patched, there are millions of machines on the Internet that are 19 00:01:24,520 --> 00:01:26,740 still vulnerable to this attack.
20 00:01:27,430 --> 00:01:34,090 And what this exploit does, basically, is it exploits a mathematical error inside the SMB. 21 00:01:34,900 --> 00:01:40,200 And luckily, we got that exploit right here inside the MSF console. 22 00:01:41,020 --> 00:01:44,920 So for now, what we've got right here is the scan of my Windows 7 machine. 23 00:01:45,100 --> 00:01:47,510 And your scans should look similar to mine. 24 00:01:47,890 --> 00:01:50,220 Now, these ports right here are not important. 25 00:01:50,230 --> 00:01:57,820 What is important is that you have these ports right here open: port 445 and port 26 00:01:57,820 --> 00:01:58,270 139. 27 00:01:59,110 --> 00:02:01,980 Also, make sure that your Windows machine is up and running. 28 00:02:02,530 --> 00:02:06,580 And if I open my msfconsole right here, 29 00:02:08,930 --> 00:02:13,610 we're going to try to find that exploit and test it on our Windows 7 machine. 30 00:02:14,330 --> 00:02:19,970 One more thing is that besides this exploit that we have in our Metasploit framework, we also get the 31 00:02:19,970 --> 00:02:22,030 auxiliary module for this exploit. 32 00:02:22,450 --> 00:02:23,240 What does this mean? 33 00:02:23,480 --> 00:02:29,240 Well, it means that we can test the machine to see whether it is vulnerable before we actually exploit 34 00:02:29,240 --> 00:02:29,360 it. 35 00:02:30,050 --> 00:02:31,190 Let me show you what I mean. 36 00:02:31,670 --> 00:02:40,700 If I type right here search and then eternalblue, I will get six results: two auxiliary modules and 37 00:02:40,700 --> 00:02:42,510 four different exploits. 38 00:02:43,220 --> 00:02:49,940 This is the one that we're currently interested in, exploit/windows/smb, and it is called 39 00:02:49,940 --> 00:02:52,160 ms17_010_eternalblue.
40 00:02:53,170 --> 00:02:59,590 But before we use it, we can use the auxiliary scanner for SMB, and for the same vulnerability, 41 00:02:59,740 --> 00:03:04,850 as you can compare these names right here, to see whether our target is vulnerable. 42 00:03:05,440 --> 00:03:08,650 So let's test this auxiliary module first. 43 00:03:09,550 --> 00:03:17,290 If I type right here use and then paste the auxiliary module, clear the screen and show my options. 44 00:03:18,920 --> 00:03:24,900 There are a few different things that we need to set up, but the only required thing is the RHOSTS. 45 00:03:25,670 --> 00:03:30,170 So let's set RHOSTS to be the IP address of our Windows 7 machine. 46 00:03:31,670 --> 00:03:33,340 In my case, it is this one. 47 00:03:34,220 --> 00:03:39,260 And if I type show info, we can also read what this module does. 48 00:03:39,440 --> 00:03:45,110 It uses information disclosure to determine whether EternalBlue has been patched or not. 49 00:03:45,650 --> 00:03:48,490 And here it describes how exactly it does it. 50 00:03:49,160 --> 00:03:54,280 So if I triple-check our options, everything seems to be set. 51 00:03:54,860 --> 00:04:00,170 You don't want to change these named pipes and you also do not want to change the output. 52 00:04:00,380 --> 00:04:06,890 So the only thing you need to set up is this RHOSTS right here, and let us run. 53 00:04:08,510 --> 00:04:14,810 It will finish in just a few seconds and it will tell me the host is likely vulnerable to the EternalBlue attack; 54 00:04:14,960 --> 00:04:21,980 it even gives us the version: Windows 7 Ultimate 7601 Service Pack 1, 64-bit. 55 00:04:22,640 --> 00:04:23,060 Great. 56 00:04:23,310 --> 00:04:25,400 Our target seems to be vulnerable. 57 00:04:26,000 --> 00:04:29,660 Let us now perform the exploit and you will see how easy it is.
58 00:04:29,690 --> 00:04:35,840 So if I search eternalblue once again, I copy the exploit name, which is this one. 59 00:04:38,110 --> 00:04:40,360 Clear the screen, type use. 60 00:04:44,910 --> 00:04:52,480 It will, by default, set the payload to be the Windows reverse Meterpreter shell for the 64-bit machine. 61 00:04:52,980 --> 00:04:59,310 Now, since it will set this by default, you must consider changing this in case your Windows 7 62 00:04:59,310 --> 00:05:01,140 machine is a 32-bit machine. 63 00:05:02,240 --> 00:05:07,770 If it is 64-bit, you can simply just leave this to be 64 00:05:07,790 --> 00:05:08,300 windows/x64/meterpreter/reverse_tcp. 65 00:05:08,930 --> 00:05:19,460 If it is not, then you want to set payload to be equal to windows/meterpreter/reverse_tcp. 66 00:05:19,820 --> 00:05:26,540 And you will notice the only difference between this payload and this payload right here is this 67 00:05:26,540 --> 00:05:26,870 x64. 68 00:05:27,530 --> 00:05:30,450 So this just indicates that this is a 64-bit payload. 69 00:05:31,220 --> 00:05:36,070 Now, I will not run this command because my Windows 7 machine is 64-bit, but I will just type 70 00:05:36,080 --> 00:05:42,560 show info, and here we can see the exact definition and description of the exploit. 71 00:05:43,010 --> 00:05:46,340 This module is a part of the Equation Group EternalBlue exploit, 72 00:05:46,850 --> 00:05:50,720 part of this toolkit right here released by Shadow Brokers. 73 00:05:51,200 --> 00:05:55,250 There is a buffer overflow operation in this function right here. 74 00:05:55,520 --> 00:05:57,410 The size is calculated in this. 75 00:05:57,410 --> 00:06:04,160 So I'm not going to read this, of course, with a mathematical error where a DWORD is subtracted into 76 00:06:04,160 --> 00:06:04,640 a WORD.
77 00:06:05,540 --> 00:06:11,960 OK, so since our target is vulnerable, at least the auxiliary module told us so, let's check out the 78 00:06:11,960 --> 00:06:14,410 options and let's run the exploit. 79 00:06:15,170 --> 00:06:18,170 So here it's probably got a few things that we need to set up. 80 00:06:18,890 --> 00:06:23,480 My payload is automatically set right here to the IP address and the port. 81 00:06:24,750 --> 00:06:31,110 These two we do not want to change, LPORT we do not want to change, and RHOSTS we need 82 00:06:31,110 --> 00:06:35,820 to set to the IP address of the Windows 7 machine. 83 00:06:36,720 --> 00:06:42,840 Once everything is done, we can type run and this will start our exploit. 84 00:06:44,030 --> 00:06:50,200 And in just a few seconds, I should get the Meterpreter reverse shell open on the Windows 7 machine, 85 00:06:50,840 --> 00:06:58,160 and here it is down here: it will print out this WIN, which means the exploit worked successfully. 86 00:06:58,730 --> 00:07:00,980 And I got my 87 00:07:02,590 --> 00:07:08,770 Windows 7 machine. If I type the command getuid, which stands for get user ID, it will 88 00:07:08,770 --> 00:07:13,180 tell me that I'm currently on that machine as the SYSTEM account. 89 00:07:13,360 --> 00:07:16,420 And this is the highest level account on a Windows machine. 90 00:07:17,470 --> 00:07:17,930 Great. 91 00:07:17,950 --> 00:07:22,720 We successfully exploited our first vulnerability inside the Windows 7 machine. 92 00:07:23,470 --> 00:07:28,690 And by the way, since we haven't really covered Meterpreter yet, remember that we can run the 93 00:07:28,690 --> 00:07:33,640 help command, and here we can execute all of these commands that Meterpreter gives us. 94 00:07:34,030 --> 00:07:36,280 But for now, we are not going to do that.
95 00:07:36,560 --> 00:07:41,740 We're going to cover these commands and a bunch of other commands that we don't have here in the post 96 00:07:41,740 --> 00:07:43,750 exploitation module, which is coming. 97 00:07:43,750 --> 00:07:47,200 So for now, we just want to gain access to the target. 98 00:07:47,200 --> 00:07:49,600 And in this video, we successfully did it. 99 00:07:50,140 --> 00:07:51,940 But I want to show you one more thing. 100 00:07:52,840 --> 00:07:58,260 So don't worry, I know that you're impatiently waiting for us to actually do something on the target, 101 00:07:58,270 --> 00:08:01,720 but for now, the goal is to only gain access to it. 102 00:08:02,750 --> 00:08:07,880 If you want, you can test these commands by yourself. You can just simply type screenshot, for example, 103 00:08:09,020 --> 00:08:14,010 just to show you how it works, and it will take a screenshot of the target's desktop. 104 00:08:14,300 --> 00:08:17,280 It will save it in this /home/mrhacker. 105 00:08:17,630 --> 00:08:25,640 So let's check out that directory. I'll go over to my terminal right here and go to /home/ 106 00:08:25,640 --> 00:08:27,650 mrhacker, open the folder. 107 00:08:28,780 --> 00:08:35,230 Here is the screenshot that we took of the target's desktop. It is saved on our machine, and that is 108 00:08:35,230 --> 00:08:38,800 just one of the cool commands that we can run with the Meterpreter shell. 109 00:08:39,610 --> 00:08:42,350 Others we will cover later. For now, 110 00:08:42,490 --> 00:08:43,780 let me show you one more thing. 111 00:08:43,790 --> 00:08:45,310 If I exit out of the shell, 112 00:08:46,960 --> 00:08:52,720 I just want to show you, if I open the second Windows 7 machine that I got right here. 113 00:08:53,800 --> 00:08:56,530 And there is no difference between these two machines. 114 00:08:57,100 --> 00:09:01,240 Just one is a 32-bit and the other one is a 64-bit machine.
115 00:09:02,140 --> 00:09:07,720 I just want to show you that on this one, which is the 32-bit one, the exploit will not work, 116 00:09:09,290 --> 00:09:15,500 even though the auxiliary module will tell us that the machine is vulnerable. So I will just wait for 117 00:09:15,500 --> 00:09:16,640 this machine to open up. 118 00:09:18,070 --> 00:09:25,150 Matter of fact, if I remember correctly, the exploit will crash this Windows 7 machine. It 119 00:09:25,150 --> 00:09:30,130 will not manage to gain the shell, but instead this Windows machine will get the blue screen of 120 00:09:30,130 --> 00:09:32,230 death and then it will crash. 121 00:09:33,580 --> 00:09:34,740 Let's see what happens. 122 00:09:35,260 --> 00:09:36,910 Log in to this machine. 123 00:09:39,040 --> 00:09:43,030 I will check two things out once it opens up. Double-check the IP address. 124 00:09:49,870 --> 00:09:52,570 So it is 192.168.1.13. 125 00:09:52,720 --> 00:09:56,650 And one more thing I will check is whether the firewall is disabled. 126 00:09:56,800 --> 00:10:01,060 So go to Control Panel, System and Security and then Windows Firewall. 127 00:10:01,550 --> 00:10:02,380 It is open. 128 00:10:02,390 --> 00:10:04,480 So just close the Windows Firewall. 129 00:10:08,130 --> 00:10:10,890 And now, if I perform the same exploit, 130 00:10:13,920 --> 00:10:19,710 just change the IP address to the IP address of this new Windows 7 machine and then try to run 131 00:10:19,710 --> 00:10:19,920 it. 132 00:10:21,950 --> 00:10:27,770 It will start the same; just after a few seconds, this machine right here should crash. 133 00:10:28,790 --> 00:10:35,460 It even tells us right here the host is likely vulnerable to MS17-010, which is the EternalBlue exploit. 134 00:10:36,320 --> 00:10:37,840 So let's see what happens. 135 00:10:39,310 --> 00:10:44,830 And here it is, you can see the Windows machine crashed and now it is restarting.
136 00:10:45,430 --> 00:10:48,100 Also, here we can see that the exploit failed. 137 00:10:48,520 --> 00:10:53,070 Remember that we got the WIN message once we exploited the previous Windows 7 target. 138 00:10:53,470 --> 00:10:55,490 But right now, the exploit failed. 139 00:10:55,750 --> 00:11:01,640 Matter of fact, in the second attempt at exploiting the Windows 7 machine, it crashed the machine. 140 00:11:02,440 --> 00:11:06,460 So this is just an example that sometimes an exploit will not work. 141 00:11:06,940 --> 00:11:11,660 In the first one, we managed to gain access to the Windows machine with Meterpreter. 142 00:11:12,220 --> 00:11:15,030 But in the second one, we only managed to crash it. 143 00:11:15,490 --> 00:11:17,690 However, even if you manage to only crash it, 144 00:11:17,800 --> 00:11:20,920 this is something that you will 100 percent write in the report. 145 00:11:21,250 --> 00:11:22,630 This is a vulnerability. 146 00:11:23,080 --> 00:11:26,920 You should never be able to crash a target computer just like this. 147 00:11:27,280 --> 00:11:33,070 Imagine if this Windows 7 machine was doing something important and, just by us knowing its IP address 148 00:11:33,070 --> 00:11:35,860 and running this exploit, we managed to crash it. 149 00:11:36,820 --> 00:11:38,500 That could cause a lot of problems. 150 00:11:39,130 --> 00:11:44,070 Now, if you really want to get this exploit to work, you can try to find a different Windows 7 ISO 151 00:11:44,110 --> 00:11:48,340 file and try with it to see if it might work on that one. 152 00:11:48,850 --> 00:11:54,310 I would also advise you that, if you can, you try to install the Windows 7 64-bit version. 153 00:11:54,820 --> 00:12:01,000 And in the next video, we are going to see how we can perform a slightly different version of this 154 00:12:01,050 --> 00:12:06,940 exploit using the EternalBlue DoublePulsar attack. In my personal experience,
155 00:12:07,150 --> 00:12:11,410 this one works a little bit better than the MSF version of EternalBlue. 156 00:12:11,860 --> 00:12:17,580 And another interesting thing is that we don't have it inside of our Metasploit framework. 157 00:12:18,550 --> 00:12:19,750 So what are we going to do? 158 00:12:20,730 --> 00:12:26,910 Well, not only are we going to run it in the next video, but I will also show you how we can add the EternalBlue 159 00:12:26,910 --> 00:12:31,170 DoublePulsar module to the Metasploit framework by ourselves. 160 00:12:31,560 --> 00:12:32,580 See you in the next video.