1
00:00:00,720 --> 00:00:01,859
Instructor: Welcome back.

2
00:00:01,859 --> 00:00:04,950
Let us talk about Metasploit Framework.

3
00:00:04,950 --> 00:00:08,010
We already mentioned that we will use this tool a lot to

4
00:00:08,010 --> 00:00:10,904
exploit different targets and their vulnerabilities,

5
00:00:10,904 --> 00:00:14,550
but there are a few things we need to learn first about it

6
00:00:14,550 --> 00:00:16,023
before we get to use it.

7
00:00:16,950 --> 00:00:17,970
Remember when I told you

8
00:00:17,970 --> 00:00:21,720
that Metasploit Framework offers us thousands of exploits

9
00:00:21,720 --> 00:00:25,053
that we can use for Windows, macOS or Linux?

10
00:00:25,920 --> 00:00:27,090
While that is true,

11
00:00:27,090 --> 00:00:29,943
Metasploit offers us a whole lot more things

12
00:00:29,943 --> 00:00:32,940
that we can use besides the exploits.

13
00:00:32,940 --> 00:00:36,360
Matter of fact, exploits are just one of seven modules

14
00:00:36,360 --> 00:00:38,520
that we can get with Metasploit.

15
00:00:38,520 --> 00:00:42,330
Besides them, we also get payloads, auxiliary modules,

16
00:00:42,330 --> 00:00:45,540
encoders, evasion modules, nops,

17
00:00:45,540 --> 00:00:48,210
and post exploitation modules.

18
00:00:48,210 --> 00:00:49,770
If you're new to all of this,

19
00:00:49,770 --> 00:00:53,340
you probably have no idea what each of them is.

20
00:00:53,340 --> 00:00:56,310
Don't worry. We will explain it right now.

21
00:00:56,310 --> 00:00:59,820
First, to navigate to the Metasploit Framework directory,

22
00:00:59,820 --> 00:01:04,819
we can type cd /usr/share

23
00:01:05,099 --> 00:01:08,490
and then metasploit-framework.

24
00:01:08,490 --> 00:01:12,330
You can just type meta and then tab it out to complete it.

25
00:01:12,330 --> 00:01:16,290
If I press enter here, and if I type ls right here

26
00:01:16,290 --> 00:01:18,240
in the Metasploit Framework directory,

27
00:01:18,240 --> 00:01:21,120
we are going to see quite a few things.

28
00:01:21,120 --> 00:01:23,340
One of the most important things right here

29
00:01:23,340 --> 00:01:27,030
is this msfconsole, and this is an executable file.

30
00:01:27,030 --> 00:01:28,800
This is our program.

31
00:01:28,800 --> 00:01:30,570
If we wanted to run Metasploit,

32
00:01:30,570 --> 00:01:33,300
we would just type msfconsole in the terminal,

33
00:01:33,300 --> 00:01:36,090
and it will open the Metasploit Framework.

34
00:01:36,090 --> 00:01:39,142
The msfvenom is also very important.

35
00:01:39,142 --> 00:01:42,390
This is a tool that we will use to generate a payload

36
00:01:42,390 --> 00:01:45,840
or a shell that we use to control the target machine with.

37
00:01:45,840 --> 00:01:47,130
But for this video,

38
00:01:47,130 --> 00:01:51,870
what we want to explain is this modules directory.

39
00:01:51,870 --> 00:01:54,963
If we change to that directory, so cd modules,

40
00:01:55,890 --> 00:01:57,933
and I type ls here,

41
00:01:58,920 --> 00:02:01,803
we will see those seven modules that I mentioned.

42
00:02:02,910 --> 00:02:05,970
Let's talk about each one of them a little bit.

43
00:02:05,970 --> 00:02:08,639
We're already familiar with exploits, right?

44
00:02:08,639 --> 00:02:10,590
Let's go to that directory first.

45
00:02:10,590 --> 00:02:15,590
So cd exploits, and just to remind ourselves

46
00:02:15,690 --> 00:02:18,990
that an exploit module or program executes a sequence

47
00:02:18,990 --> 00:02:21,150
of commands to target a specific vulnerability

48
00:02:21,150 --> 00:02:23,040
in a system or application.

49
00:02:23,040 --> 00:02:25,050
It takes advantage of that vulnerability

50
00:02:25,050 --> 00:02:28,203
in order to provide us access to that machine.

51
00:02:29,070 --> 00:02:31,980
There are a few different types of exploits, such as,

52
00:02:31,980 --> 00:02:34,560
for example, buffer overflow, code injection,

53
00:02:34,560 --> 00:02:36,090
web application exploits,

54
00:02:36,090 --> 00:02:39,000
but what is also important to mention right here

55
00:02:39,000 --> 00:02:43,200
regarding Metasploit is that once we type ls inside

56
00:02:43,200 --> 00:02:45,300
of this exploits directory,

57
00:02:45,300 --> 00:02:49,740
you will see these exploits are split into different groups.

58
00:02:49,740 --> 00:02:51,903
We've got Windows exploits,

59
00:02:53,520 --> 00:02:55,654
OSX exploits,

60
00:02:55,654 --> 00:03:00,654
Linux exploits, Firefox exploits, and many others as well.

61
00:03:00,840 --> 00:03:03,030
And if we go to any of them, for example,

62
00:03:03,030 --> 00:03:05,073
let's go to Windows exploits,

63
00:03:07,230 --> 00:03:09,330
and I type ls right here,

64
00:03:09,330 --> 00:03:12,870
we will get an even further division of exploits.

65
00:03:12,870 --> 00:03:15,840
All of the Windows exploits that we have are divided

66
00:03:15,840 --> 00:03:20,290
into a bunch of other submodules, such as FTP, firewall,

67
00:03:20,290 --> 00:03:23,790
SMTP, SMB, and others.

68
00:03:23,790 --> 00:03:28,790
And all of them contain exploits for those specific things.

69
00:03:28,800 --> 00:03:31,020
If we navigate to, for example,

70
00:03:31,020 --> 00:03:34,083
HTTP Windows exploits, so let's go there.

71
00:03:35,940 --> 00:03:39,630
And I clear the screen, type ls right here.

72
00:03:39,630 --> 00:03:43,740
We will see there are a lot of them for HTTP,

73
00:03:43,740 --> 00:03:48,720
and this dot rb that all of these files have

74
00:03:48,720 --> 00:03:51,210
is just the extension for the Ruby language.

75
00:03:51,210 --> 00:03:53,370
All of the exploits in Metasploit Framework

76
00:03:53,370 --> 00:03:56,070
are coded in the Ruby language.

77
00:03:56,070 --> 00:03:58,530
And each one of these programs right here

78
00:03:58,530 --> 00:04:00,753
exploits a different vulnerability.

79
00:04:01,770 --> 00:04:02,760
If you were, for example,

80
00:04:02,760 --> 00:04:05,280
interested in how some of these work,

81
00:04:05,280 --> 00:04:09,240
you could open the code of an exploit using the nano editor.

82
00:04:09,240 --> 00:04:11,673
Let's see, for example, this one.

83
00:04:12,930 --> 00:04:13,953
If I nano it,

84
00:04:17,382 --> 00:04:19,860
it will open the code of this exploit.

85
00:04:19,860 --> 00:04:21,420
And if you know the Ruby language,

86
00:04:21,420 --> 00:04:24,960
you could figure out how this exploit works, right?

87
00:04:24,960 --> 00:04:26,970
It also gives us a description right here.

88
00:04:26,970 --> 00:04:30,060
So this exploits a stack buffer overflow

89
00:04:30,060 --> 00:04:32,490
in the Webster HTTP server.

90
00:04:32,490 --> 00:04:35,160
The server and source code were released within an article

91
00:04:35,160 --> 00:04:38,910
from the Microsoft Systems Journal in February 1996,

92
00:04:38,910 --> 00:04:41,820
titled, "Write a Simple HTTP."

93
00:04:41,820 --> 00:04:44,670
So this is an old, old exploit,

94
00:04:44,670 --> 00:04:47,910
but you can do this for any file that you want.

95
00:04:47,910 --> 00:04:50,310
You can just open it and see the code

96
00:04:50,310 --> 00:04:52,173
of that specific exploit,

97
00:04:53,040 --> 00:04:55,890
and that's how they're stored in Kali Linux.

98
00:04:55,890 --> 00:04:59,310
Let's also mention other modules that exist besides these.

99
00:04:59,310 --> 00:05:03,183
So if I go back to the modules directory,

100
00:05:04,650 --> 00:05:09,650
and type ls, let's next talk about the auxiliary modules.

101
00:05:09,750 --> 00:05:13,020
So if we change directory to auxiliary,

102
00:05:13,020 --> 00:05:15,300
and I type ls right here,

103
00:05:15,300 --> 00:05:18,360
then we will see that auxiliary modules are also split

104
00:05:18,360 --> 00:05:21,360
into different categories, as we can see right here.

105
00:05:21,360 --> 00:05:24,840
And an auxiliary module does not execute a payload

106
00:05:24,840 --> 00:05:26,910
like an exploit module does.

107
00:05:26,910 --> 00:05:29,730
It is used to perform different actions,

108
00:05:29,730 --> 00:05:34,320
such as scanning, fuzzing, or denial of service attacks.

109
00:05:34,320 --> 00:05:37,530
These modules can sometimes be used in the first two stages

110
00:05:37,530 --> 00:05:40,140
of a penetration test, as there are a lot of them

111
00:05:40,140 --> 00:05:43,830
that perform fingerprinting and vulnerability scanning.

112
00:05:43,830 --> 00:05:46,560
If we go to one of these submodules, for example,

113
00:05:46,560 --> 00:05:48,900
let's go to the sniffer submodule.

114
00:05:48,900 --> 00:05:51,093
If I type cd sniffer,

115
00:05:52,380 --> 00:05:53,313
type ls,

116
00:05:54,300 --> 00:05:58,110
well, it seems that there is only one sniffer

117
00:05:58,110 --> 00:06:01,830
in Metasploit, and we can see again that it is also coded

118
00:06:01,830 --> 00:06:05,790
in the Ruby language, because of the dot rb extension.

119
00:06:05,790 --> 00:06:09,240
If we go to a different auxiliary submodule, for example,

120
00:06:09,240 --> 00:06:11,970
let's go to this one, which is spoofing.

121
00:06:11,970 --> 00:06:14,940
So let's go to these spoofers.

122
00:06:14,940 --> 00:06:17,070
Clear the screen. Type ls.

123
00:06:17,070 --> 00:06:21,720
We can see they're also divided into even more submodules

124
00:06:21,720 --> 00:06:23,760
based on what they are spoofing.

125
00:06:23,760 --> 00:06:28,140
So they can spoof ARP requests, they can spoof DNS,

126
00:06:28,140 --> 00:06:32,190
they can spoof mDNS, and others as well.

127
00:06:32,190 --> 00:06:34,200
And all of these spoofers we can use

128
00:06:34,200 --> 00:06:36,120
for our attacks if we need to.

129
00:06:36,120 --> 00:06:38,670
Good. Those are the auxiliary modules.

130
00:06:38,670 --> 00:06:42,150
Now, you can always explore the others as well if you want

131
00:06:42,150 --> 00:06:45,506
to check out what different files this module has,

132
00:06:45,506 --> 00:06:48,210
but we are going to continue, and we are going

133
00:06:48,210 --> 00:06:51,720
to cover the next module from the Metasploit Framework,

134
00:06:51,720 --> 00:06:55,170
which is the post exploitation module.

135
00:06:55,170 --> 00:06:58,680
And if we change directory to the post exploitation module,

136
00:06:58,680 --> 00:07:01,410
clear the screen, and type ls.

137
00:07:01,410 --> 00:07:03,900
This module is used, as its name says,

138
00:07:03,900 --> 00:07:08,100
after exploiting the target. Usually they're used to gather

139
00:07:08,100 --> 00:07:10,860
or steal information from the target's device.

140
00:07:10,860 --> 00:07:14,160
That information could be files, saved passwords,

141
00:07:14,160 --> 00:07:16,770
dumping hashes, and enumerating other services

142
00:07:16,770 --> 00:07:18,240
and applications on the target,

143
00:07:18,240 --> 00:07:20,070
and many other things we can do

144
00:07:20,070 --> 00:07:22,350
with post exploitation modules.

145
00:07:22,350 --> 00:07:24,600
After you type ls, you will see that they're mostly

146
00:07:24,600 --> 00:07:27,030
displayed the same as the exploits.

147
00:07:27,030 --> 00:07:30,450
If we go to Windows post exploitation modules,

148
00:07:30,450 --> 00:07:33,150
and type ls right here,

149
00:07:33,150 --> 00:07:35,730
we will see different post exploitation submodules

150
00:07:35,730 --> 00:07:39,933
that have different purposes, such as gathering information

151
00:07:41,010 --> 00:07:43,683
or escalating privileges.

152
00:07:44,580 --> 00:07:46,830
And escalating privileges simply means

153
00:07:46,830 --> 00:07:50,250
if we exploit the target as a regular user on that machine,

154
00:07:50,250 --> 00:07:53,040
we would always want to try to escalate our privileges

155
00:07:53,040 --> 00:07:55,683
to become an administrator or a root account.

156
00:07:56,610 --> 00:08:00,330
We can also see WLAN post exploitation modules,

157
00:08:00,330 --> 00:08:02,550
and I believe these would be used

158
00:08:02,550 --> 00:08:06,690
to steal saved wireless passwords for the access points

159
00:08:06,690 --> 00:08:08,553
that the target was connected to.

160
00:08:09,390 --> 00:08:12,750
Okay. You can explore the others as well if you want to,

161
00:08:12,750 --> 00:08:15,090
and let's talk about the other modules as well.

162
00:08:15,090 --> 00:08:17,070
So we can go through all of them real fast,

163
00:08:17,070 --> 00:08:19,200
so you can get a pretty good understanding

164
00:08:19,200 --> 00:08:21,843
of what all of these modules do.

165
00:08:22,680 --> 00:08:24,300
And the next one that we will talk about

166
00:08:24,300 --> 00:08:27,780
is also really important, and that is payloads.

167
00:08:27,780 --> 00:08:29,643
If I change directory to payloads,

168
00:08:30,990 --> 00:08:33,840
clear the screen, and type ls.

169
00:08:33,840 --> 00:08:35,220
And hopefully you remember

170
00:08:35,220 --> 00:08:37,500
that a payload is something we deliver to the target

171
00:08:37,500 --> 00:08:40,679
with an exploit in order to control that machine.

172
00:08:40,679 --> 00:08:42,870
And in this payloads directory,

173
00:08:42,870 --> 00:08:47,550
we can see it is split into three different subdirectories,

174
00:08:47,550 --> 00:08:50,763
singles, stagers, and stages.

175
00:08:51,630 --> 00:08:53,910
What does this even mean?

176
00:08:53,910 --> 00:08:58,023
Well, singles are payloads that are completely standalone.

177
00:08:58,950 --> 00:09:02,850
A single payload can be something as simple as adding a user

178
00:09:02,850 --> 00:09:06,630
to the target system or running some other application.

179
00:09:06,630 --> 00:09:09,930
Stagers set up a network connection between the attacker

180
00:09:09,930 --> 00:09:13,980
and victim, and are designed to be small and reliable.

181
00:09:13,980 --> 00:09:16,410
And lastly, stages are payload components

182
00:09:16,410 --> 00:09:18,873
that are downloaded by stager modules.

183
00:09:19,740 --> 00:09:23,790
These payload stages can provide us with advanced features

184
00:09:23,790 --> 00:09:26,490
with no size limits, such as, for example,

185
00:09:26,490 --> 00:09:29,760
different command shells or Meterpreter shells.

186
00:09:29,760 --> 00:09:32,610
And Meterpreter is something that we have mentioned

187
00:09:32,610 --> 00:09:34,080
for the first time.

188
00:09:34,080 --> 00:09:37,950
The Meterpreter shell is also something that we will use a lot.

189
00:09:37,950 --> 00:09:39,690
It is similar to the command shell

190
00:09:39,690 --> 00:09:41,790
but with a bunch of other options as well.

191
00:09:41,790 --> 00:09:45,690
Besides executing commands, we can download files,

192
00:09:45,690 --> 00:09:50,250
upload files, record microphone conversations, run webcams

193
00:09:50,250 --> 00:09:53,190
on the target machine, take screenshots of their desktop,

194
00:09:53,190 --> 00:09:57,060
and many other things we can do with Meterpreter.

195
00:09:57,060 --> 00:09:59,190
So once we are exploiting a target,

196
00:09:59,190 --> 00:10:01,470
Meterpreter is usually what we want to run

197
00:10:01,470 --> 00:10:04,260
on the target after an exploit.

198
00:10:04,260 --> 00:10:07,920
If I go to the stagers directory right here,

199
00:10:07,920 --> 00:10:09,153
so cd stagers,

200
00:10:10,860 --> 00:10:13,440
clear the screen, type ls,

201
00:10:13,440 --> 00:10:18,440
and if I, for example, go to Windows stagers, type ls.

202
00:10:18,990 --> 00:10:23,460
Here we can see different ways of establishing a connection.

203
00:10:23,460 --> 00:10:25,710
Remember when we talked about two different types

204
00:10:25,710 --> 00:10:27,900
of shells in the last video?

205
00:10:27,900 --> 00:10:29,430
Well, here they are.

206
00:10:29,430 --> 00:10:31,020
Here we can establish a connection

207
00:10:31,020 --> 00:10:34,110
either by binding to a port or by listening

208
00:10:34,110 --> 00:10:36,660
and creating a reverse shell connection.

209
00:10:36,660 --> 00:10:39,390
They are further divided into, for example,

210
00:10:39,390 --> 00:10:41,580
reverse HTTP,

211
00:10:41,580 --> 00:10:43,470
reverse UDP,

212
00:10:43,470 --> 00:10:46,170
and reverse TCP.

213
00:10:46,170 --> 00:10:48,780
And out of all of these that we have right here,

214
00:10:48,780 --> 00:10:52,650
we will almost always use reverse TCP.

215
00:10:52,650 --> 00:10:56,250
So for now, we know that the two main things we will combine

216
00:10:56,250 --> 00:10:59,508
in a payload are a reverse TCP connection

217
00:10:59,508 --> 00:11:02,940
and a Meterpreter shell,

218
00:11:02,940 --> 00:11:06,510
because those two combined give us many more options

219
00:11:06,510 --> 00:11:08,130
to do with the target.

220
00:11:08,130 --> 00:11:09,090
Okay, great.

221
00:11:09,090 --> 00:11:11,370
Now, if you don't understand some of this, don't worry.

222
00:11:11,370 --> 00:11:14,430
Once again, this is something that you will fully understand

223
00:11:14,430 --> 00:11:17,190
once we get into the practical examples.

224
00:11:17,190 --> 00:11:19,830
For now, we are left to explain three more modules,

225
00:11:19,830 --> 00:11:22,230
and we are going to go quickly through them

226
00:11:22,230 --> 00:11:24,570
since they're less important than the ones

227
00:11:24,570 --> 00:11:26,490
that we already covered.

228
00:11:26,490 --> 00:11:31,230
And those are the evasion modules, encoders, and nops.

229
00:11:31,230 --> 00:11:34,290
Now, let's go with encoders first.

230
00:11:34,290 --> 00:11:36,210
Encoders are something that help us

231
00:11:36,210 --> 00:11:38,730
to evade antivirus detection.

232
00:11:38,730 --> 00:11:39,900
How exactly?

233
00:11:39,900 --> 00:11:42,660
Well, even though we call our payload the shell

234
00:11:42,660 --> 00:11:46,920
or Meterpreter, what it is to antiviruses and other people

235
00:11:46,920 --> 00:11:51,150
is just simple malware, a Trojan, or a virus.

236
00:11:51,150 --> 00:11:53,610
That's why, with the help of encoders,

237
00:11:53,610 --> 00:11:57,270
we can encode our payload and make it less detectable

238
00:11:57,270 --> 00:11:59,400
by some antivirus vendors.

239
00:11:59,400 --> 00:12:00,930
These are not that useful anymore

240
00:12:00,930 --> 00:12:03,990
since they are known to almost all antiviruses.

241
00:12:03,990 --> 00:12:07,710
They can, however, help us bypass some of them.

242
00:12:07,710 --> 00:12:11,730
And evasion modules do pretty much the same thing.

243
00:12:11,730 --> 00:12:14,899
And if I change directory to them, so cd evasion,

244
00:12:14,899 --> 00:12:18,000
you will see that there are evasion modules only

245
00:12:18,000 --> 00:12:22,110
for Windows, and they're used to bypass Windows Defender.

246
00:12:22,110 --> 00:12:24,780
If I change my directory right here, type ls,

247
00:12:24,780 --> 00:12:27,810
we will see different Windows Defender files that we use

248
00:12:27,810 --> 00:12:30,510
in order to bypass Windows Defender.

249
00:12:30,510 --> 00:12:33,390
However, since Windows Defender recently got an update,

250
00:12:33,390 --> 00:12:36,690
I believe many of these don't work anymore.

251
00:12:36,690 --> 00:12:38,940
But don't worry, we will see later in the course

252
00:12:38,940 --> 00:12:40,500
different techniques that we can use

253
00:12:40,500 --> 00:12:44,220
to bypass antiviruses and execute our payload.

254
00:12:44,220 --> 00:12:49,220
And the last thing that we've got is nops.

255
00:12:49,710 --> 00:12:53,220
Nops can be a little bit hard to understand.

256
00:12:53,220 --> 00:12:57,180
What a nop is, is an instruction for the processor

257
00:12:57,180 --> 00:12:59,310
to do nothing.

258
00:12:59,310 --> 00:13:01,680
Once a processor reads a nop instruction,

259
00:13:01,680 --> 00:13:05,820
it does absolutely nothing, and I know what you're thinking.

260
00:13:05,820 --> 00:13:08,550
What is the purpose of this for us?

261
00:13:08,550 --> 00:13:10,680
Well, these nops are useful

262
00:13:10,680 --> 00:13:12,990
in buffer overflows to allocate a lot

263
00:13:12,990 --> 00:13:16,650
of space in memory before the payload executes.

264
00:13:16,650 --> 00:13:19,650
By the way, nop stands for no operation,

265
00:13:19,650 --> 00:13:22,200
and if you have programmed in assembly before,

266
00:13:22,200 --> 00:13:24,003
you will be familiar with this.

267
00:13:24,870 --> 00:13:29,730
But don't worry, for now nops are not that important for us.

268
00:13:29,730 --> 00:13:33,660
Okay. That was a lot to take in for one single video,

269
00:13:33,660 --> 00:13:35,850
but all of this will be clearer

270
00:13:35,850 --> 00:13:37,890
once we start exploiting our target,

271
00:13:37,890 --> 00:13:41,070
and trust me, we are really close to that.

272
00:13:41,070 --> 00:13:43,290
We just need to explain the usage of Metasploit

273
00:13:43,290 --> 00:13:44,910
in the next video real quick.

274
00:13:44,910 --> 00:13:49,080
And after it, we will perform our first exploits.

275
00:13:49,080 --> 00:13:52,473
So get ready, and I'll see you in the next video.