1
00:00:00,510 --> 00:00:01,410
Instructor: Welcome back,

2
00:00:01,410 --> 00:00:03,600
and we, right now, have to cover

3
00:00:03,600 --> 00:00:05,733
another vulnerability for Windows.

4
00:00:06,630 --> 00:00:09,720
This vulnerability is called BlueKeep,

5
00:00:09,720 --> 00:00:12,930
and it came out in 2019.

6
00:00:12,930 --> 00:00:16,920
This is a Remote Desktop Protocol or RDP vulnerability,

7
00:00:16,920 --> 00:00:19,020
and what is so special about it?

8
00:00:19,020 --> 00:00:21,330
Well, as it says right here on this page,

9
00:00:21,330 --> 00:00:24,567
this latest RDP vulnerability could allow hackers

10
00:00:24,567 --> 00:00:27,414
to remotely run code at the system level

11
00:00:27,414 --> 00:00:30,720
without even having to authenticate.

12
00:00:30,720 --> 00:00:33,990
In other words, any unpatched Windows system

13
00:00:33,990 --> 00:00:37,410
from XP to Windows 7, so these are our targets,

14
00:00:37,410 --> 00:00:41,613
with an exposed RDP port is a potential target.

15
00:00:42,480 --> 00:00:44,850
So, this is a serious vulnerability.

16
00:00:44,850 --> 00:00:47,100
Matter of fact, many people link it

17
00:00:47,100 --> 00:00:50,340
to be as high a vulnerability as the EternalBlue was,

18
00:00:50,340 --> 00:00:51,450
which we already covered

19
00:00:51,450 --> 00:00:54,003
and which came out in 2017.

20
00:00:54,930 --> 00:00:56,640
We can read more about it right here,

21
00:00:56,640 --> 00:00:59,700
but, as usual, our most important thing is

22
00:00:59,700 --> 00:01:01,920
to see how we can exploit it.

23
00:01:01,920 --> 00:01:03,390
You can go to this page

24
00:01:03,390 --> 00:01:04,860
if you want to find out more

25
00:01:04,860 --> 00:01:06,780
about the BlueKeep vulnerability.

26
00:01:06,780 --> 00:01:08,610
It even gives some code examples

27
00:01:08,610 --> 00:01:12,824
as to what the vulnerability was and how it got patched.

28
00:01:12,824 --> 00:01:16,890
Down here, we can see what systems are affected.
29
00:01:16,890 --> 00:01:20,250
We got Windows 7, Windows Server 2008,

30
00:01:20,250 --> 00:01:24,870
Windows Server 2008 R2, Windows Server 2003,

31
00:01:24,870 --> 00:01:28,440
Windows Vista, and Windows XP.

32
00:01:28,440 --> 00:01:31,020
Exploit potential, it is a Remote Code Execution,

33
00:01:31,020 --> 00:01:32,790
as the EternalBlue was,

34
00:01:32,790 --> 00:01:37,790
and the number of potential victims is around one million.

35
00:01:37,920 --> 00:01:39,660
Now, for this attack to work,

36
00:01:39,660 --> 00:01:42,030
there is one thing that needs to be enabled

37
00:01:42,030 --> 00:01:43,170
on the target system,

38
00:01:43,170 --> 00:01:45,693
and that thing is port 3389.

39
00:01:47,292 --> 00:01:52,290
Now, this port 3389 is used for Remote Desktop Protocol,

40
00:01:52,290 --> 00:01:56,310
and it is often used inside of big and large companies.

41
00:01:56,310 --> 00:01:59,220
You will most likely never see it on home devices

42
00:01:59,220 --> 00:02:02,070
unless it is purposely enabled,

43
00:02:02,070 --> 00:02:04,440
but in order for us to be able to exploit it,

44
00:02:04,440 --> 00:02:07,290
we must enable it on our Windows 7 machine.

45
00:02:07,290 --> 00:02:08,699
So, what I'm going to do is

46
00:02:08,699 --> 00:02:10,014
go to my Windows 7 machine

47
00:02:10,014 --> 00:02:13,230
and open the Kali Linux as well.

48
00:02:13,230 --> 00:02:14,909
In order to see whether it is enabled,

49
00:02:14,909 --> 00:02:17,700
we can use our regular good old Nmap,

50
00:02:17,700 --> 00:02:20,457
so we can type sudo nmap dash ss

51
00:02:20,457 --> 00:02:24,573
192.168.1, and let me check the IP address.

52
00:02:27,600 --> 00:02:29,763
Ipconfig.8.
53
00:02:30,600 --> 00:02:33,420
Perform the scan on your Windows 7 machine,

54
00:02:33,420 --> 00:02:35,070
and in just a few seconds,

55
00:02:35,070 --> 00:02:37,290
we should get results of which ports are open,

56
00:02:37,290 --> 00:02:42,290
and right here, we do not see port 3389 being open.

57
00:02:42,600 --> 00:02:45,600
This means this target is not vulnerable

58
00:02:45,600 --> 00:02:47,550
because that port is closed.

59
00:02:47,550 --> 00:02:49,105
In order to make it vulnerable,

60
00:02:49,105 --> 00:02:53,460
all we need to do is open the Remote Desktop Protocol.

61
00:02:53,460 --> 00:02:56,673
So, go to the Control Panel, System and Security,

62
00:02:57,540 --> 00:03:00,840
then under the System, on the side,

63
00:03:00,840 --> 00:03:03,930
you will see this Remote settings, click on it,

64
00:03:03,930 --> 00:03:07,200
and down here, check Allow connections

65
00:03:07,200 --> 00:03:10,830
from computers running any version of Remote Desktop.

66
00:03:10,830 --> 00:03:13,050
By default, it should be Don't allow connections

67
00:03:13,050 --> 00:03:15,990
to this computer, and, as I already mentioned,

68
00:03:15,990 --> 00:03:18,630
many large companies have this enabled.

69
00:03:18,630 --> 00:03:21,420
We just click on Apply, click on OK,

70
00:03:21,420 --> 00:03:24,993
we can close this, and if we run the scan once again,

71
00:03:26,010 --> 00:03:30,423
right now, we will have 3389 port open.

72
00:03:31,320 --> 00:03:34,680
Let us see whether it is vulnerable or has it been patched.

73
00:03:34,680 --> 00:03:39,330
If I open msfconsole, the exploitation is similar

74
00:03:39,330 --> 00:03:40,613
to how it was with the EternalBlue.
75
00:03:41,520 --> 00:03:43,590
We got the auxiliary module that will tell us

76
00:03:43,590 --> 00:03:46,110
whether the target is vulnerable without exploiting it,

77
00:03:46,110 --> 00:03:47,820
and then we have an exploit

78
00:03:47,820 --> 00:03:49,860
that will gain access to the target

79
00:03:49,860 --> 00:03:52,410
and give us the Meterpreter shell.

80
00:03:52,410 --> 00:03:53,550
So, what we can do is

81
00:03:53,550 --> 00:03:56,160
we can just type the vulnerability name,

82
00:03:56,160 --> 00:04:00,150
so search bluekeep, press Enter,

83
00:04:00,150 --> 00:04:02,400
and we will see two results right here,

84
00:04:02,400 --> 00:04:05,703
as I mentioned, the auxiliary module and the exploit.

85
00:04:06,600 --> 00:04:09,330
So, let's go with the auxiliary module first.

86
00:04:09,330 --> 00:04:10,503
We copy its name,

87
00:04:12,060 --> 00:04:15,663
we use and then paste the name of the auxiliary module,

88
00:04:16,620 --> 00:04:19,140
clear the screen, show information,

89
00:04:19,140 --> 00:04:21,029
this module checks a range of hosts

90
00:04:21,029 --> 00:04:23,310
for the BlueKeep vulnerability

91
00:04:23,310 --> 00:04:26,310
by binding this channel outside of its normal slot

92
00:04:26,310 --> 00:04:29,190
and sending non-DoS packets which respond differently

93
00:04:29,190 --> 00:04:31,470
on patched and vulnerable hosts.

94
00:04:31,470 --> 00:04:33,330
So, this is the way that it will figure out

95
00:04:33,330 --> 00:04:36,180
whether the target is vulnerable or not.

96
00:04:36,180 --> 00:04:38,220
Let's see what options we need to set.

97
00:04:38,220 --> 00:04:42,990
So, show options, and there seem to be a few of them.
98
00:04:42,990 --> 00:04:45,450
We got the RPort, which is 3389,

99
00:04:45,450 --> 00:04:47,460
this is something that we will not change,

100
00:04:47,460 --> 00:04:49,830
we got the RHost, so let's set it

101
00:04:49,830 --> 00:04:52,443
to the IP address of the Windows 7 machine,

102
00:04:54,900 --> 00:04:57,000
we got these four options right here as well,

103
00:04:57,000 --> 00:04:58,680
but the only one that is required is

104
00:04:58,680 --> 00:05:01,950
this RDP Client IP, and it says right here,

105
00:05:01,950 --> 00:05:06,120
The client IPv4 address to report during connect,

106
00:05:06,120 --> 00:05:08,880
and this pretty much doesn't matter,

107
00:05:08,880 --> 00:05:10,800
it can be any IP address.

108
00:05:10,800 --> 00:05:13,560
For example, I will just leave it to be this one,

109
00:05:13,560 --> 00:05:15,510
even though this is an IP address

110
00:05:15,510 --> 00:05:18,180
that I do not have on my local network,

111
00:05:18,180 --> 00:05:20,730
but I will just leave it on this.

112
00:05:20,730 --> 00:05:22,923
And if I go right here and type run,

113
00:05:24,810 --> 00:05:27,390
it will tell me, The target is vulnerable.

114
00:05:27,390 --> 00:05:29,070
The target attempted cleanup

115
00:05:29,070 --> 00:05:33,540
of the incorrectly-bound MS_T120 channel.

116
00:05:33,540 --> 00:05:35,760
This means it is vulnerable.

117
00:05:35,760 --> 00:05:38,790
Let's use the exploit to gain access,

118
00:05:38,790 --> 00:05:42,390
so use exploit/windows/rdp,

119
00:05:42,390 --> 00:05:45,300
and then let's check our possible options, we want to go

120
00:05:45,300 --> 00:05:50,300
with the CVE 2019 BlueKeep Remote Code Execution.
121
00:05:51,240 --> 00:05:54,750
If I show info, down here, it will tell you

122
00:05:54,750 --> 00:05:57,390
how exactly it exploits the target,

123
00:05:57,390 --> 00:05:59,703
and if I show our available options,

124
00:06:02,160 --> 00:06:03,930
so we got pretty much the same options

125
00:06:03,930 --> 00:06:05,190
as with the auxiliary module.

126
00:06:05,190 --> 00:06:07,770
We got the RDP Client IP, which is this one,

127
00:06:07,770 --> 00:06:10,200
and we are not going to change it once again.

128
00:06:10,200 --> 00:06:11,790
These options are not required,

129
00:06:11,790 --> 00:06:14,280
so we're not going to specify them anyway.

130
00:06:14,280 --> 00:06:16,140
The RHosts, we want to set

131
00:06:16,140 --> 00:06:19,920
to the IP address of the Windows 7 machine.

132
00:06:19,920 --> 00:06:22,140
The RPort is set correctly.

133
00:06:22,140 --> 00:06:23,700
The payload is set

134
00:06:23,700 --> 00:06:27,150
to windows/x64/meterpreter/reverse_tcp,

135
00:06:27,150 --> 00:06:30,600
and this is also something that we do not want to change.

136
00:06:30,600 --> 00:06:32,640
Is this the only payload that will work?

137
00:06:32,640 --> 00:06:35,613
Well, mostly since, if I go to show targets,

138
00:06:36,600 --> 00:06:39,180
you will see that this exploit targets

139
00:06:39,180 --> 00:06:41,070
only 64-bit machines,

140
00:06:41,070 --> 00:06:44,403
so it will not be able to run on a 32-bit machine.

141
00:06:45,300 --> 00:06:48,810
So, by this it seems the 32-bit Windows 7 machines

142
00:06:48,810 --> 00:06:53,070
and Windows Server 2008 are not vulnerable,

143
00:06:53,070 --> 00:06:54,840
which we really don't care about

144
00:06:54,840 --> 00:06:57,903
because 99% of machines are 64-bit,

145
00:06:58,980 --> 00:07:01,205
and these targets right here are something

146
00:07:01,205 --> 00:07:03,180
that we must choose from.
147
00:07:03,180 --> 00:07:07,020
Now, this is for the default and normal Windows machines,

148
00:07:07,020 --> 00:07:08,731
and right here, we have targets

149
00:07:08,731 --> 00:07:11,430
for the virtual machines,

150
00:07:11,430 --> 00:07:13,170
and this is something that we must set.

151
00:07:13,170 --> 00:07:14,370
If we leave it on automatic,

152
00:07:14,370 --> 00:07:15,870
it should figure out on its own

153
00:07:15,870 --> 00:07:18,930
that we are running Windows 7 inside of a VirtualBox,

154
00:07:18,930 --> 00:07:20,256
and it will perform the exploit

155
00:07:20,256 --> 00:07:22,890
for the VirtualBox Windows 7 version.

156
00:07:22,890 --> 00:07:25,200
But if we, for example, set this one,

157
00:07:25,200 --> 00:07:27,900
the exploit should not work.

158
00:07:27,900 --> 00:07:32,010
So, we must set the target to two

159
00:07:32,010 --> 00:07:34,020
in case we are running the Windows 7

160
00:07:34,020 --> 00:07:35,520
inside of a VirtualBox.

161
00:07:35,520 --> 00:07:37,710
If we were attacking a regular Windows machine

162
00:07:37,710 --> 00:07:40,290
that is vulnerable, we would set one.

163
00:07:40,290 --> 00:07:42,180
If we were attacking a virtual machine

164
00:07:42,180 --> 00:07:43,950
from the VMware station,

165
00:07:43,950 --> 00:07:46,020
we would set one of these three,

166
00:07:46,020 --> 00:07:49,440
and we would set these two accordingly as well.

167
00:07:49,440 --> 00:07:51,783
So, let's triple-check our options.

168
00:07:53,250 --> 00:07:54,570
Everything here is set.

169
00:07:54,570 --> 00:07:57,480
The payload is a 64-bit payload, which is good,

170
00:07:57,480 --> 00:08:01,920
and the target is Windows 7 inside of a VirtualBox.

171
00:08:01,920 --> 00:08:04,473
Great, let us run the exploit.
172
00:08:07,440 --> 00:08:09,990
It tells us that the target is vulnerable,

173
00:08:09,990 --> 00:08:11,290
and in just a few seconds,

174
00:08:11,290 --> 00:08:13,558
we should get the Meterpreter shell opened

175
00:08:13,558 --> 00:08:15,423
on that Windows 7 machine.

176
00:08:18,570 --> 00:08:22,680
And after 30 to 40 seconds, here it is,

177
00:08:22,680 --> 00:08:25,110
we got Meterpreter session one opened

178
00:08:25,110 --> 00:08:26,730
on the target machine.

179
00:08:26,730 --> 00:08:28,563
If I type get user ID,

180
00:08:30,000 --> 00:08:31,680
it will tell me that we are system,

181
00:08:31,680 --> 00:08:33,659
once again, the highest privilege account

182
00:08:33,659 --> 00:08:35,370
on this target machine.

183
00:08:35,370 --> 00:08:37,323
We can perform the commands as usual,

184
00:08:38,580 --> 00:08:41,760
enter the shell, type hostname, we are Test2-PC,

185
00:08:41,760 --> 00:08:43,890
type ipconfig, which gives us the IP address

186
00:08:43,890 --> 00:08:45,090
of the target machine,

187
00:08:45,090 --> 00:08:48,510
and all of these things that we're already familiar with.

188
00:08:48,510 --> 00:08:52,020
Great, another Windows 7 vulnerability covered.

189
00:08:52,020 --> 00:08:53,640
So, what is the important thing

190
00:08:53,640 --> 00:08:55,080
that we learned from this video?

191
00:08:55,080 --> 00:08:57,030
The vulnerability's called BlueKeep.

192
00:08:57,030 --> 00:08:58,620
It is a critical RDP

193
00:08:58,620 --> 00:09:00,990
or Remote Desktop Protocol vulnerability,

194
00:09:00,990 --> 00:09:02,513
and in order to exploit the target,

195
00:09:02,513 --> 00:09:06,270
it must be an unpatched 64-bit Windows XP

196
00:09:06,270 --> 00:09:07,590
to Windows 7 machine,

197
00:09:07,590 --> 00:09:09,561
including Windows Server 2008,

198
00:09:09,561 --> 00:09:14,561
and it must have RDP enabled and port 3389 open.

199
00:09:15,810 --> 00:09:18,180
Where are these machines most likely to be found?
200
00:09:18,180 --> 00:09:20,010
In large companies.

201
00:09:20,010 --> 00:09:21,480
So, once again, most likely,

202
00:09:21,480 --> 00:09:25,263
we will not see these types of targets in home networks.

203
00:09:26,160 --> 00:09:27,630
OK, great.

204
00:09:27,630 --> 00:09:29,550
Now that we covered Windows 7 vulnerabilities,

205
00:09:29,550 --> 00:09:33,840
time to go on to exploit a Windows 10 machine.

206
00:09:33,840 --> 00:09:35,140
See you in the next video.