[00:00:00] Hello and welcome back. Time to get our first exploit on the Windows machine. And we will go first with the famous EternalBlue exploit. It is the NSA exploit that got stolen and leaked, and that was used for the famous WannaCry ransomware attack in 2017. If you want to read more about it, you can google it right here, and it has a very interesting story. As we can see right here: you will undoubtedly recall the names Shadow Brokers, who back in 2017 were dumping software exploits widely believed to be stolen from the USA National Security Agency, and WannaCry, the notorious ransomware attack that struck only a few months later. You can also read some other information about the exploit, like what EternalBlue is, and we can see its vulnerability name, CVE-2017-0143 to 0148. And as it says, this is a family of critical vulnerabilities in the Microsoft SMB version one server used in Windows 7, Windows Server 2008, Windows XP, and even Windows 10, running on port 445.
[00:01:12] You can read some other information as well if you want to. And right here it also tells us that even after two years of this exploit being patched, there are millions of machines on the internet that are still vulnerable to this attack. And what this exploit does, basically, is it exploits a mathematical error inside the SMB. And luckily we got that exploit right here inside of our MSF console. So for now, what I got right here is the scan of my Windows 7 machine, and your scans should look similar to mine. Now these ports right here are not important. What is important is that you have these ports right here open: port 445 and port 139. Also make sure that your Windows machine is up and running, and if I open my MSF console right here, we're going to try to find that exploit and test it on our Windows 7 machine. One more thing is that besides this exploit that we have in our Metasploit framework, we also get the auxiliary module for this exploit. What does this mean?
[00:02:23] Well, it means that we can test the machine to see whether it is vulnerable before we actually exploit it. Let me show you what I mean. If I type right here search, and then EternalBlue, I will get six results: two auxiliary modules and four different exploits. This is the one that we're currently interested in: exploit/windows for the SMB, and it is called ms17_010_eternalblue. But before we use it, we can use the auxiliary scanner for the SMB, for the same vulnerability, as you can compare these names right here, to see whether our target is vulnerable. So let's test this auxiliary module first. If I type right here use, and then paste the auxiliary module, clear the screen and show my options. There are a few different things that we need to set up, but the only required thing is the RHOSTS. So let's set RHOSTS to be the IP address of our Windows 7 machine. In my case, it is this one, and if I type show info, we can also read what this module does.
[00:03:39] It uses information disclosure to determine whether EternalBlue has been patched or not. And here it describes to you how exactly it does it. So if I triple check our options, everything seems to be set. You don't want to change these named pipes, and you also do not want to change the RPORT. So the only thing you need to set up is this RHOSTS right here, and let us type run. It'll finish in just a few seconds and it'll tell me "Host is likely vulnerable" to the EternalBlue attack. It even gives us the version: Windows 7 Ultimate 7601, Service Pack 1, 64 bit. Great, our target seems to be vulnerable. Let us now perform the exploit, and you will see how easy it is. So if I search EternalBlue once again, I copy the exploit name, which is this one, clear the screen, type use. It will by default set the payload to be the Windows reverse meterpreter shell for the 64 bit machine.
[00:04:53] Now since it'll set this by default, you must consider changing this in case your Windows 7 machine is a 32 bit machine. If it is 64 bit, you can simply just leave this to be the Windows 64 bit meterpreter reverse_tcp. If it is not, then you want to set payload to be equal to windows/meterpreter/reverse_tcp, and you will notice the only difference between this payload and this payload right here is this 64. So this just indicates that this is a 64 bit payload. Now I will not run this command, because my Windows 7 machine is 64 bit. I will just type show info, and here we can see the exact definition and description of the exploit. This module is a part of the Equation Group EternalBlue exploit, part of this toolkit right here released by Shadow Brokers. There is a buffer overflow operation in this function right here. The size is calculated in this.
[00:05:57] So I'm not going to read this, of course, with the mathematical error where a DWORD is subtracted into a WORD. Okay, so since our target is vulnerable, at least the auxiliary module told us so, let us check out the options and let's run the exploit. So here as well we've got a few things that we need to set up. My payload is automatically set right here to the IP address and the port. These two we do not want to change, the RPORT we do not want to change, and the RHOSTS we need to set to the IP address of the Windows 7 machine. Once everything is done, we can type run, and this will start our exploit. And in just a few seconds I should get the meterpreter reverse shell open on the Windows 7 machine. And here it is, down here. It'll print out this WIN, which means the exploit worked successfully, and I got my Windows 7 machine.
[00:07:03] If I type the command getuid, which stands for get user id, it'll tell me that I'm currently on that machine as the SYSTEM account. And this is the highest level account on a Windows machine. Great. We successfully exploited our first vulnerability inside of a Windows 7 machine. And by the way, since we haven't really covered the meterpreter yet, remember that we can run the help command, and here we can execute all of these commands that the meterpreter shell gives us. But for now, we are not going to do that. We're going to cover these commands, and a bunch of other commands that we don't have here, in the post exploitation module, which is coming soon. For now, we just want to gain access to the target, and in this video we successfully did it, but I want to show you one more thing. So don't worry. I know that you're impatiently waiting for us to actually do something on the target, but for now, the goal is to only gain access to it.
[00:08:02] If you want, you can test these commands by yourself. You can just simply type screenshot, for example, just to show you how it works, and it'll take a screenshot of the target's desktop. It'll save it in /home/mrhacker. So let's check out that directory. If I lower my terminal right here, go to /home/mrhacker and open the folder, here is the screenshot that we took of the target's desktop. It is saved on our machine, and that is just one of the cool commands that we can do with the meterpreter shell. Others we will cover later. For now, let me show you one more thing. If I exit out of the shell, I just want to show you, if I open the second Windows 7 machine that I got right here. And there is no difference between these two machines, just one is a 32 bit and the other one is a 64 bit machine. I just want to show you that on this one, which is the 32 bit one, the exploit will not work.
[00:09:09] Even though the auxiliary module will tell us that the machine is vulnerable. So I will just wait for this machine to open up. Matter of fact, if I remember correctly, the exploit will crash this Windows 7 machine. It will not manage to gain the meterpreter shell, but instead this Windows machine will get the blue screen of death, and then it will crash. Let's see what happens. So I will log in to this machine. I will check two things out. Once it opens up, I will check the IP address. So it is 192.168.1.13. And one more thing I will check is whether the firewall is disabled. So I'll go to Control Panel, System and Security, and then Windows Firewall. It is open. So I'll just close the Windows Firewall. And now if I perform the same exploit, just change the IP address to the IP address of this new Windows 7 machine, and I try to run it. It'll start the same, and just after a few seconds this machine right here should crash.
[00:10:28] It even tells us right here, "Host is likely vulnerable" to the ms17, which is the EternalBlue exploit. So let's see what happens. And here it is, you can see that the Windows machine crashed, and now it is restarting. Also, here we can see that the exploit failed. Remember that we got the WIN message once we exploited the previous Windows 7 target, but right now the exploit failed. Matter of fact, in the second attempt of it exploiting the Windows 7 machine, it crashed the machine. So this is just an example that sometimes an exploit will not work. In the first one, we managed to gain access to the Windows 7 machine with the meterpreter shell, but in the second one, we only managed to crash it. However, even if you manage to only crash it, this is something that you will 100% write on a report. This is a vulnerability. You should never be able to crash a target computer just like this.
[00:11:27] Imagine if this Windows 7 machine was doing something important, and just by us knowing its IP address and running this exploit, we managed to crash it. That could cause a lot of problems. Now, if you really want to get this exploit to work, you can try to find different Windows 7 files and try with them, to see if it might work on that one. I would also advise you that, if you can, you try to install the Windows 64 bit version. And in the next video we are going to see how we can perform a slightly different version of this exploit, using the EternalBlue DoublePulsar attack. In my personal experience, this one works a little bit better than the Metasploit version of EternalBlue. And another interesting thing is that we don't have it inside of our Metasploit framework. So what are we going to do?
[00:12:20] Well, not only are we going to run it in the next video, but I will also show you how we can add the EternalBlue DoublePulsar module to the Metasploit framework by ourselves. See you in the next video.