00:00:00,570 --> 00:01:17,500 Welcome back. In the previous video, we talked about the Metasploit framework structure; we explained all of the modules and what they are for, but we haven't really run the framework itself. In this video, we're going to run it and cover some of the basic commands for it. OK, I already mentioned in the last video that to open this framework, what we must do is open up our terminal and type msfconsole, press enter, and keep in mind that it might take some time to open, especially if you're running it for the first time. And here it is, it already opened for me, and what we get right here is the banner of the Metasploit framework, which changes every time you start this program. And down here we get these seven modules that we talked about, and we also get the exact number of modules that we have available to us. So here we can see two thousand forty-three exploits, one thousand one hundred and five auxiliary modules, three hundred and forty-four post exploitation modules, over five hundred payloads, and a little bit of encoders, nops and evasion modules. As in every other tool that we covered, to see all the available commands we can use, we can run the help command.
00:01:18,520 --> 00:02:41,280 This will open the help menu, which will give us all the available options, as well as some examples of how we can use Metasploit, but for now this is not necessary, as I will show you a few of these commands that you will use every time. And by the way, before we get into those commands, what you can do inside the Metasploit framework is also run the normal commands such as ls, such as changing directories, such as, for example, running ifconfig. So if I type sudo ifconfig and type in my password, it will give me the output of ifconfig. So you can also run regular terminal commands from this. But as far as the Metasploit framework goes, let's start with listing some of the modules. For example, we can use the show command to list out any type of modules we want. So we know that there are over 500 payloads. We saw the number once we started Metasploit. In order to list all of those five hundred payloads, we can type show and then payloads. If I press enter, it will take just a few seconds and it will list out all of the available payloads that we have. Now, right here, this is not really that good of an output because I have my terminal a little bit more zoomed in than I should have. So I will just go to the preferences and lower the font of my letters. So I click on OK, apply.
00:02:41,740 --> 00:04:12,360 OK, clear the screen, and I will type show payloads once again. It's still not that good. Let me just go and lower it a little bit more, so I'll just go 30, apply, and we can clear the screen from the command again. And here it is. We get a better output. So let's explain what we see right here. If I scroll all the way up to the beginning, we can see this is the number of the payload. It goes from zero to over five hundred. And this right here is the name of the payload. So as we already know, there are bind shells and reverse shells. So we get different types of them. We can see the payloads for Android, the payloads for Apple iOS, we can see all types of payloads: command shells, we can see Java payloads, Linux payloads. If I go all the way down, OSX payloads, Python payloads, Ruby and a bunch of others as well. Here are also Windows payloads. So we get a lot of them. Under the rank, they're all manual because they have to get executed on the target machine. And in the description we can see what this is for. For example, if we check out this one, apple_ios meterpreter reverse_http, this is the Apple iOS Meterpreter Shell, Reverse HTTP Inline. So this means you would use this payload if you were, for example, attacking an Apple device.
00:04:13,190 --> 00:05:43,650 Now we can do the same thing with exploits. If we want to list all of the 2000 exploits, we can type show exploits. And this may take a little bit longer because there are a lot more exploits than there are payloads. And here they are, all 2041 exploits. You can see the output is pretty much the same as with the payloads: we get the number right here, we get the exploit name, and these exploit names are really well written. As we can see, the first part tells us what this exploit is for. Currently we are inside the Windows exploits. And if we scroll all the way up, we should see some other exploits as well. Let's go and scroll all the way up. Well, it seems that we can only go up to here because there are a lot of them, but nonetheless, we can see what the exploits are for. For example, this one is for Windows and for browser. And here it specifies exactly what it exploits. If I go down here and, for example, check out these ones here, we can see these are also Windows exploits for FTP. So they're very well organized. And this is the structure that we saw in the previous video. This is just how the Metasploit framework outputs it for us. These exploits that belong to Windows FTP are all located inside of the ftp directory of the windows exploits directory.
00:05:44,550 --> 00:07:17,460 Let's go all the way down. And what we can do right here is choose one of these exploits just to see how we can select them and run them. Of course, we are not going to be attacking any target. We just want to see how we can select one of these exploits. So let's go with this one. For example, windows/smb/ms06_040_netapi. And by the way, to check out more information about the exploits, we can go on to the right. So this exploit came out in 2006, and in the right column right here, it tells us what exactly this exploit does. So for this particular one, we get that it is an exploit for the Microsoft Server Service and it overflows this function. Now, the good part about this is that you don't really need to know how these work in order to be able to run them. Let me show you. If you copy this exploit name right here, so copy windows/smb/ms06_040_netapi, in order to select it, let us clear the screen. We can type the command use. And you type use and then the module name that you want to use. In our case, we want to use an exploit, and after it, all we have to do is paste the exploit. So use exploit/windows/smb and then the name of the exploit, press enter.
00:07:18,650 --> 00:08:49,580 And we will see that this exploit configured the payload windows/meterpreter/reverse_tcp, and we will talk about this in just a second. For now, we can see that it is currently using the module that we selected because it is printed out in red right here. And it also tells us that it is an exploit. So let's check out all the information that we can get for this exploit. The first thing that I always like to do is type the command show info. And this show info command tells us more about this particular exploit. If you go down here to the description, it will tell us this module exploits a stack buffer overflow. So this is a buffer overflow exploit in the NetApi32 CanonicalizePathName() function using this RPC, and you can read about any exploit you select. Another piece of information that we get right here is some of the references, so you can visit these links right here to read more about this particular exploit. Besides this, another command that we can use is show options. And this is the important part. Let me just clear the screen and type it once again just so we can see only the options part. Here is where you select your options for the exploit. The first thing we see is module options, and it asks us for three different things. And keep in mind, different exploits will want different things.
00:08:50,130 --> 00:10:13,380 Usually they will all have these RHOSTS and RPORT, which are just the remote host and the remote port, or in our case, the target's IP address and the target's port that we are attacking. So we can see two of these are already automatically set. The RPORT is already set to be 445 and the SMBPIPE is already set to be BROWSER. All we are left to specify right here is the RHOSTS, or the IP address of the target machine. So if we were attacking a Windows server that was vulnerable to this attack, we would specify here the IP address of that Windows Server machine. And in this column right here, you will notice that some of these things will be required and some of these things will not be required. In our case, in this particular exploit, all of these three things are required to be specified in order for the exploit to work. In the description, it tells us exactly what it wants from us, so the RHOSTS is the target host or the target's IP address. The RPORT is the SMB service port on the target machine. And the SMBPIPE is the pipe name to use. So these are the exploit options, and down here we get payload options. What does this mean? Well, remember, after exploiting the target, we drop our payload.
00:10:13,780 --> 00:11:32,100 So by default, remember, once we ran the command to use this exploit, it gave us windows/meterpreter/reverse_tcp by default. This means that we were using a payload for Windows. It is a Meterpreter shell, which, remember, is the best shell that we can get, and it is a reverse shell over a TCP connection. You can change this if you want to. And down here, we get the options that we need to set for the payload. Remember, once using a reverse shell, we must listen on our Kali Linux machine for the incoming connection. And that's the information that it asks us for right here. The LHOST is our own IP address, the IP address of the Linux machine, or as it says right here, the listening address. We specify our IP address right here. So you just need to type sudo ifconfig and we can see 192.168.1.9. Usually the Metasploit framework will set it by default. So let me just clear the screen and type show options once again. And the LPORT is the listening port, or the Kali Linux port that we want to listen on for the incoming connections, and it is usually set by default to be 4444. And all of these options you can change.
00:11:32,550 --> 00:12:56,480 For example, if you notice that the Metasploit framework set the incorrect IP address for the Linux machine, you can type set and then the parameter name, in our case LHOST, to be a different IP address. For example, 192.168.1.15. And it will set the parameter to be a different IP address, as we can see right here. Inside of the RHOSTS, as we can see, this is also required; we would set the IP address of our target machine. So let's say we had the Windows Server and its IP address was 192.168.1.20, we would type it right here. So set RHOSTS 192.168.1.20. And if we type show options once again, now we got this set as well. Now, the payload is something that you can change, but usually you want to leave what the Metasploit framework already gave you, because the default one is usually the best one, but sometimes some of the payloads will not work and others will work. So in order to see all of the available payloads that you can use for this particular exploit, you can type show payloads once again. Just this time it will not list out all the 500 possible payloads. It will only list the possible payloads for this particular exploit. And this will be all the Windows payloads.
00:12:56,480 --> 00:14:13,930 Since we are attacking a Windows machine with this exploit, the Windows payloads will be something that we can use, so we can see some bind shells, reverse shells, we can see some Meterpreter shells. So, for example, let us say that you don't want to use a reverse shell. You want to use a bind shell. How would you change the payload? Well, you would copy the bind shell. Let's say we want to use the Meterpreter bind shell, so copy its name. And go all the way down and type set payload and then paste the payload name, paste selection, press enter, and it will tell us the payload has been changed. If we clear the screen and type show options, we will see a different payload. We no longer have the reverse_tcp. We now have the bind_tcp Meterpreter, and it will also ask us for different information about the payload. We no longer get the LHOST since, remember, with a bind shell it is not our Kali Linux machine that is listening for the connection. It is the target machine that is listening for the connection, and we are the ones that connect to it. So in this case it is asking us for RHOST, or the remote host, or as the description says, the target IP address.
00:14:14,810 --> 00:15:41,110 So we would select right here the same IP address that we selected right here, because it is the target that has to open the port, and the LPORT will be the local port on the target machine that will open for us to connect. And you would select here whatever you want. So what is important to get out of all of this is that we can change different options using the set command, so just type set and then, for example, if we want to change the RPORT, we type RPORT and then make it whatever we want. And if we type show options, it will be changed right here. And the last part that we see down here is the targets, and these targets right here are all of the vulnerable targets for this particular exploit. To list all of them out, we can type show and then targets. This will give us a list of all the targets that we can exploit using this attack. So we get Windows, and Windows XP, and now different versions of Windows XP and Windows 2003. So this is an older exploit that attacks Windows XP machines. Now, if you know exactly which version of Windows the target is running, you can select it right here by specifying set target and then the number. For example, let's say the target is using Windows XP SP1 English. You could type it like this or set target 3, because the ID for that particular version is 3.
00:15:42,700 --> 00:16:51,660 Or if you didn't know exactly which version, you would just leave it on automatic, which means that the framework will figure it out on its own. So we don't need to specify it. The only important thing is that it is one of these versions. If it is, for example, a Windows 7 machine, this exploit will not work. And once you set all of these options, the last thing you need to do is type exploit. In our case, this will not work because we don't really have a vulnerable Windows XP machine. So it will give us an exploit failed error. In this case, it is unreachable because this IP address right here on my local network is not even online. That's why this will not work. And this is pretty much it. Now, there are other commands as well that could be useful, but these are the main ones that we always use to choose exploits and payloads and to set their options. Finally, the time has come. In the next video, we're going to apply what we've learned so far to perform our first exploit on the Metasploitable machine. See you in the next video.