1
00:00:00,570 --> 00:00:36,813
Instructor: Hello again and welcome to the exploitation section of the course. It is time we learn how to gain access to our target. What we managed to do so far is, with the help of our Kali Linux machine, identify our target and find out a lot of information about it. Remember, when we were starting we didn't know anything about it, but afterwards, with the help of different tools such as Nmap, Nessus, WhatWeb and others, we managed to gather enough information about our target to be able to exploit it.

2
00:00:37,710 --> 00:01:10,143
We have discovered open and closed ports. We also discovered services running on those ports, including their versions. We found out what operating system our target was running. And we have also tried finding vulnerabilities to see whether the target has some known issues or bugs. In other words, we performed information gathering, scanning, and vulnerability analysis. Right now, the next step is to use the information we have to gain access to our target.

3
00:01:11,070 --> 00:01:39,333
Here is how the process goes. Imagine this is our target and this is the information that we gathered for it. It is running Windows 10. We found out it has an older version of Windows 10 that hasn't been updated lately. We found three open ports and one filtered port, and we know for sure that one of those open ports has vulnerable software running on it, since we also performed vulnerability analysis.

4
00:01:40,200 --> 00:02:09,479
Once we found out this information, the next step is to extract useful information from it. So in this case, what we would find most interesting would be these two facts: an outdated Windows 10 operating system and vulnerable software on port 1234. This is what we will use to attack the target. We would then exploit the target's vulnerability and gain access to it.

5
00:02:09,479 --> 00:02:35,850
But wait, wait, wait a second. What do I mean we would exploit the target? How do we do it exactly? And what does "exploit the target" even mean? Well, exploiting the target, in other words, is using the vulnerability that we discovered to send something called a payload. What a payload is, is a program that we deliver to the target after the exploit.

6
00:02:35,850 --> 00:03:01,740
Usually this program is something that allows us to execute commands on the target system and navigate through its files and folders. Now I know what you're thinking: it is still a little unclear to you as to how this works exactly. Don't worry. In the next two videos we'll explain in detail what exactly happens once we exploit a vulnerability, what types of payloads exist, and which ones we will use the most.

7
00:03:01,740 --> 00:03:46,710
For now it is important to remember that a payload is a program that we drop after exploiting a target. And in 99.9% of cases this will be a program that allows us to execute commands on the target system, also known as a shell. The first step would be us exploiting the target and sending the shell, or payload, with it. That payload will then be on the target's machine and it'll execute. Once it executes, what it essentially does is tell the target machine, "Connect to that other machine and allow it to execute commands on your system." And that other machine would be our Kali Linux. And the third step is pretty easy.

8
00:03:46,710 --> 00:04:03,723
We just send the commands that we want our target to execute. We navigate through files, run other programs, and in return the target sends us the output of the command that we executed. Picture it like using the target's terminal from our Kali Linux machine.

9
00:04:04,590 --> 00:04:54,360
However, there is one problem with this. Imagine we have two different targets, target A and target B. And let's say target A has an unknown vulnerability. It is running some outdated software on port 5555, for example. And in that case we would do what we just explained, which is exploit the target through the vulnerability and deliver the payload that will allow us to control that target machine. Well, this scenario would only work if the target has a vulnerability, but what if it doesn't have a vulnerability? What if all of its software is fully updated and secured? What then? In that case, we would do something similar.

10
00:04:54,360 --> 00:05:57,960
We would deliver the payload to the target, just this time we cannot do it through an exploit, which also means we can't make the payload execute on the target, since once again there is no exploit that we can do. We must deliver the payload to the target a different way, and we must also make it execute a different way. Well, in this case, social engineering comes into play. We would try to trick the user into opening our payload by themselves. They must run it for us. How would we do that? Well, we could use different methods of delivering the payload. We could, for example, use an email containing our payload that we perhaps masked to look like an image or a different file type. We would also make sure that the email looks legit and the target doesn't think twice before trying to open that image. We could spoof our email address so it looks like someone that our target knows, so they would never think that the image we send could contain something malicious.

11
00:05:57,960 --> 00:06:30,090
Once they open that image, in the background our payload executes, and it grants us access to their machine without them even knowing it. This is just an example. There are multiple ways that we can do this. If you were, for example, physically close to the target, you could infect it over a USB drive: plug the USB drive into the target machine and execute the payload manually. But something like this you will almost never do, due to the higher risk of course, and that is if you were even able to come close to the target machine.

12
00:06:30,090 --> 00:07:07,563
Nonetheless, these are the two different possibilities. Either the target is vulnerable or it isn't. However, if it isn't, we don't just quit. We try different methods. Throughout this section we will cover another big tool that all hackers use, and that tool is called the Metasploit Framework. It contains thousands of exploits, and all of them are already in our Kali Linux machine. All we need to do is learn how to use them and how to run them. This is something we'll cover shortly in great detail. Let's start hacking.