1 00:00:00,330 --> 00:00:02,969 Instructor: Welcome back. Time to gain access 2 00:00:02,969 --> 00:00:07,620 to our Windows 10 machine using the SMBGhost vulnerability. 3 00:00:07,620 --> 00:00:09,090 For now we manage to scan it, 4 00:00:09,090 --> 00:00:10,350 to see if it's vulnerable. 5 00:00:10,350 --> 00:00:12,780 And we also manage to find a tool 6 00:00:12,780 --> 00:00:16,170 that we can use to crash the target system. 7 00:00:16,170 --> 00:00:19,350 But ideally we don't want to crash it. 8 00:00:19,350 --> 00:00:23,760 Instead we want to gain shell on that target machine. 9 00:00:23,760 --> 00:00:27,690 Well with this vulnerability, it is not that easy. 10 00:00:27,690 --> 00:00:29,580 There are some things that we need to know 11 00:00:29,580 --> 00:00:32,610 in order to be able to remotely exploit it. 12 00:00:32,610 --> 00:00:34,020 Let's see what I mean. 13 00:00:34,020 --> 00:00:35,520 The first thing that we must do 14 00:00:35,520 --> 00:00:37,080 is we must download the tool, 15 00:00:37,080 --> 00:00:39,510 that we are going to use for the exploitation. 16 00:00:39,510 --> 00:00:41,670 And I will check a few of them out 17 00:00:41,670 --> 00:00:43,200 and found the best working one 18 00:00:43,200 --> 00:00:47,313 to be this ZecOps CVE vulnerability. 19 00:00:48,360 --> 00:00:49,620 If you just type the same thing 20 00:00:49,620 --> 00:00:51,510 that we type from the previous video, 21 00:00:51,510 --> 00:00:53,880 which is the vulnerability name and then GitHub. 22 00:00:53,880 --> 00:00:57,810 You should find this ZecOps link to be on the first page. 23 00:00:57,810 --> 00:01:01,500 Click on it and down here, we can see the files that we get. 24 00:01:01,500 --> 00:01:05,610 And right here we also see the usage of the tool itself. 25 00:01:05,610 --> 00:01:07,770 But before we get into all of this, 26 00:01:07,770 --> 00:01:10,800 let us first download the tool from GitHub. 27 00:01:10,800 --> 00:01:13,590 So let's copy the link right here. 
28 00:01:13,590 --> 00:01:16,830 Copy, go to our terminal, and type git clone, 29 00:01:16,830 --> 00:01:19,083 and then the tool link. 30 00:01:19,950 --> 00:01:22,080 Press enter and here it is. 31 00:01:22,080 --> 00:01:22,980 It finished downloading. 32 00:01:22,980 --> 00:01:24,180 Let us type ls. 33 00:01:24,180 --> 00:01:26,550 And we will see a bunch of these directories 34 00:01:26,550 --> 00:01:28,050 with the same name. 35 00:01:28,050 --> 00:01:32,760 This one however has this extension of RCE and then POC, 36 00:01:32,760 --> 00:01:36,690 which stands for remote code execution, proof of concept. 37 00:01:36,690 --> 00:01:39,273 Let's change the directory to that directory. 38 00:01:40,800 --> 00:01:43,110 And if I type ls right here, 39 00:01:43,110 --> 00:01:45,180 we're going to see a bunch of files. 40 00:01:45,180 --> 00:01:50,130 So we get this dot bat file, which runs on Windows. 41 00:01:50,130 --> 00:01:53,040 We get this SMBGhost assembly shellcode 42 00:01:53,040 --> 00:01:54,990 for the 64 bit version. 43 00:01:54,990 --> 00:01:58,260 And we get this Python SMBleedingGhost file, 44 00:01:58,260 --> 00:02:00,750 which is the exploit itself. 45 00:02:00,750 --> 00:02:02,880 But we don't really know how exactly 46 00:02:02,880 --> 00:02:04,920 do we combine all of these files. 47 00:02:04,920 --> 00:02:06,600 So let's go back to the page 48 00:02:06,600 --> 00:02:08,613 and check out the usage of the program. 49 00:02:09,479 --> 00:02:11,100 The first step right here tells us 50 00:02:11,100 --> 00:02:15,150 that make sure Python and ncat are installed. 51 00:02:15,150 --> 00:02:18,510 Then run this dot bat file on the target computer, 52 00:02:18,510 --> 00:02:20,880 and adjust the offsets at the top 53 00:02:20,880 --> 00:02:23,490 of the SMBleedingGhost dot py file 54 00:02:23,490 --> 00:02:26,280 according to the script output. 55 00:02:26,280 --> 00:02:28,800 Hmm, what does this mean? 
56 00:02:28,800 --> 00:02:31,470 Well, let's go to the Python file first. 57 00:02:31,470 --> 00:02:32,853 Let us nano it. 58 00:02:34,410 --> 00:02:36,840 To see what offsets do they mean. 59 00:02:36,840 --> 00:02:40,170 And I assume they mean these offsets right here. 60 00:02:40,170 --> 00:02:42,360 As we can see, there are five of them 61 00:02:42,360 --> 00:02:45,360 and they have different offsets. 62 00:02:45,360 --> 00:02:48,023 But you might be asking, well it tells us right here 63 00:02:48,023 --> 00:02:51,390 that we must run this on the target computer. 64 00:02:51,390 --> 00:02:54,990 And what's the point then of calling this an exploit 65 00:02:54,990 --> 00:02:56,490 if there is a file that we must run 66 00:02:56,490 --> 00:02:58,440 on the target computer first? 67 00:02:58,440 --> 00:03:01,080 Well, let's go to the note down here. 68 00:03:01,080 --> 00:03:04,350 As it says you might be wondering why it is necessary 69 00:03:04,350 --> 00:03:07,800 to run the dot bat file script on the target computer. 70 00:03:07,800 --> 00:03:10,500 And doesn't it defeat the whole point 71 00:03:10,500 --> 00:03:13,560 of the remote code execution being remote? 72 00:03:13,560 --> 00:03:15,600 Well, here is the explanation. 73 00:03:15,600 --> 00:03:17,400 These offsets are not random 74 00:03:17,400 --> 00:03:20,310 and are the same on all Windows instances 75 00:03:20,310 --> 00:03:22,320 of the same Windows version. 76 00:03:22,320 --> 00:03:24,360 One could make the attack more universal, 77 00:03:24,360 --> 00:03:26,640 by detecting the target Windows version, 78 00:03:26,640 --> 00:03:29,610 and adjusting the offsets automatically. 79 00:03:29,610 --> 00:03:32,073 Or by not relying on them altogether. 80 00:03:33,270 --> 00:03:35,040 Hmm, what does this mean? 81 00:03:35,040 --> 00:03:37,680 Well, these offsets right here are the same 82 00:03:37,680 --> 00:03:39,870 for the same Windows version. 
83 00:03:39,870 --> 00:03:43,620 So for example, this Windows version that we got right here. 84 00:03:43,620 --> 00:03:45,810 If we had a thousand machines that were running 85 00:03:45,810 --> 00:03:47,310 the same Windows version, 86 00:03:47,310 --> 00:03:50,610 well it is enough that we run this dot bat file on this one 87 00:03:50,610 --> 00:03:52,020 to check out the offsets. 88 00:03:52,020 --> 00:03:56,010 Then we adjust the offsets right here inside of our exploit. 89 00:03:56,010 --> 00:03:59,160 And then we can attack all the thousand machines 90 00:03:59,160 --> 00:04:01,833 without having to run the dot bat file on them. 91 00:04:02,730 --> 00:04:05,130 But a different version of this Windows machine 92 00:04:05,130 --> 00:04:07,530 might have a different offset. 93 00:04:07,530 --> 00:04:10,230 Which will then make our exploit not work. 94 00:04:10,230 --> 00:04:12,420 So we must check the offsets first. 95 00:04:12,420 --> 00:04:14,130 How we're going to do that? 96 00:04:14,130 --> 00:04:15,780 Well, as it says right here, 97 00:04:15,780 --> 00:04:20,100 we're going to run the dot bat file on the target system. 98 00:04:20,100 --> 00:04:22,830 So I already downloaded the tool right here 99 00:04:22,830 --> 00:04:24,660 on my Windows machine. 100 00:04:24,660 --> 00:04:27,030 Here it is on the desktop. 101 00:04:27,030 --> 00:04:27,990 And what you can do 102 00:04:27,990 --> 00:04:29,910 is you can just open the Windows 10 machine. 103 00:04:29,910 --> 00:04:32,850 Open the Internet Explorer, type the vulnerability name, 104 00:04:32,850 --> 00:04:36,390 and then GitHub, navigate to the ZecOps tool. 105 00:04:36,390 --> 00:04:38,820 And then if you click on it. 106 00:04:38,820 --> 00:04:42,000 Click on this code error right here 107 00:04:42,000 --> 00:04:44,190 and click on download zip. 
108 00:04:44,190 --> 00:04:46,110 This will download the tool for you, 109 00:04:46,110 --> 00:04:47,610 and you should have it right here 110 00:04:47,610 --> 00:04:49,950 on the desktop right after it. 111 00:04:49,950 --> 00:04:50,783 Great. 112 00:04:50,783 --> 00:04:51,720 Once you do that. 113 00:04:51,720 --> 00:04:54,580 What we can do is we can navigate using our terminal 114 00:04:56,190 --> 00:04:57,023 to that tool. 115 00:04:57,023 --> 00:05:01,260 So CD desktop, and then CD CVE. 116 00:05:01,260 --> 00:05:06,260 If I type DIR right here and I run the bat file. 117 00:05:06,810 --> 00:05:08,790 Of course you can run it using command prompt 118 00:05:08,790 --> 00:05:10,890 or you can just double click on this file. 119 00:05:12,120 --> 00:05:16,590 And double click on the calculate target offsets. 120 00:05:16,590 --> 00:05:18,990 As we can see, this will open another terminal, 121 00:05:18,990 --> 00:05:22,440 and this will give us those five offsets, 122 00:05:22,440 --> 00:05:25,560 for this particular Windows 10 version. 123 00:05:25,560 --> 00:05:27,000 What we must do right now 124 00:05:27,000 --> 00:05:29,520 is we must change these offsets to match 125 00:05:29,520 --> 00:05:32,940 inside of our Python file right here. 126 00:05:32,940 --> 00:05:35,190 So let's check it out. 127 00:05:35,190 --> 00:05:37,890 Here we got two D one seven zero. 128 00:05:37,890 --> 00:05:41,550 The first one is the same three two two one zero. 129 00:05:41,550 --> 00:05:43,290 The second one is also the same. 130 00:05:43,290 --> 00:05:46,200 The third one also appears to be the same. 131 00:05:46,200 --> 00:05:48,750 The fourth one is different. 132 00:05:48,750 --> 00:05:51,000 Here it ends with three seven zero 133 00:05:51,000 --> 00:05:53,910 and here it ends with four one zero. 134 00:05:53,910 --> 00:05:58,910 So let's change that first, let's type it three seven zero, 135 00:06:00,630 --> 00:06:04,620 and the last one is also different. 
136 00:06:04,620 --> 00:06:07,890 So here it is B A F A eight, 137 00:06:07,890 --> 00:06:12,120 and here if we change it B A F A eight. 138 00:06:12,120 --> 00:06:14,160 Now everything is good. 139 00:06:14,160 --> 00:06:16,830 So if we Control O to save this exploit. 140 00:06:16,830 --> 00:06:19,593 Now we should have a working exploit. 141 00:06:20,850 --> 00:06:23,040 We can close this. 142 00:06:23,040 --> 00:06:24,660 We don't need it anymore. 143 00:06:24,660 --> 00:06:26,130 We can also close this. 144 00:06:26,130 --> 00:06:29,610 And if I go back to the page to check out the next step. 145 00:06:29,610 --> 00:06:31,560 It tells us run ncat 146 00:06:31,560 --> 00:06:34,050 with the following command line arguments. 147 00:06:34,050 --> 00:06:35,790 So the purpose of running ncat is 148 00:06:35,790 --> 00:06:37,680 because once we exploit the target, 149 00:06:37,680 --> 00:06:40,890 and we run the payload, it must connect to somewhere. 150 00:06:40,890 --> 00:06:43,710 Now this listening for the incoming connection, 151 00:06:43,710 --> 00:06:46,530 Metasploit Framework did for us automatically. 152 00:06:46,530 --> 00:06:48,300 Right now we must do it ourselves, 153 00:06:48,300 --> 00:06:51,330 and we're going to do it with the help of ncat. 154 00:06:51,330 --> 00:06:53,220 So to listen for the incoming connection 155 00:06:53,220 --> 00:06:56,015 we can type nc and then dash lvp. 156 00:06:56,015 --> 00:06:58,440 And then the port number. 157 00:06:58,440 --> 00:07:03,440 In this case, let us listen on port 4444. 158 00:07:03,540 --> 00:07:05,730 This will listen for the incoming connections. 159 00:07:05,730 --> 00:07:07,590 And once we run the exploit, 160 00:07:07,590 --> 00:07:09,300 the target machine will try to connect 161 00:07:09,300 --> 00:07:13,410 back to this port number right here on our IP address. 
162 00:07:13,410 --> 00:07:14,760 Therefore, right after it, 163 00:07:14,760 --> 00:07:16,470 we should have a shell pop up right here, 164 00:07:16,470 --> 00:07:19,920 and we should be able to execute commands on target machine. 165 00:07:19,920 --> 00:07:20,753 Great. 166 00:07:20,753 --> 00:07:22,740 Let's check out the next step. 167 00:07:22,740 --> 00:07:25,470 The next step is to run the .py file, 168 00:07:25,470 --> 00:07:28,050 while following the command line arguments. 169 00:07:28,050 --> 00:07:30,870 So the command that we must run is the file name, 170 00:07:30,870 --> 00:07:35,040 then the target IP address, then the Kali Linux IP address, 171 00:07:35,040 --> 00:07:37,620 and then port that we're listening on. 172 00:07:37,620 --> 00:07:40,800 And this reverse shell IP is just the IP address 173 00:07:40,800 --> 00:07:42,690 of the machine that you're listening 174 00:07:42,690 --> 00:07:44,850 for the incoming connections. 175 00:07:44,850 --> 00:07:47,583 And you get the explanation right here as well. 176 00:07:48,450 --> 00:07:50,220 So let's try it out. 177 00:07:50,220 --> 00:07:52,050 We are listening right here already. 178 00:07:52,050 --> 00:07:54,510 And let us run the file right here. 179 00:07:54,510 --> 00:07:59,400 We're going to use Python three SMBleedingGhost.py. 180 00:07:59,400 --> 00:08:01,140 Then comes the target's IP address. 181 00:08:01,140 --> 00:08:06,140 Which is in my case, 192.168.1.5, as it says right here. 182 00:08:06,960 --> 00:08:09,150 Then comes the IP address on Kali Linux machine. 183 00:08:09,150 --> 00:08:11,250 And I'm going to check it out 184 00:08:11,250 --> 00:08:13,563 inside of a third terminal real quick. 185 00:08:14,430 --> 00:08:15,933 It is dot one dot 12. 186 00:08:18,690 --> 00:08:20,760 So let's type it right here. 187 00:08:20,760 --> 00:08:24,630 And the last step is to specify the port number 188 00:08:24,630 --> 00:08:25,710 that we're listening on. 
189 00:08:25,710 --> 00:08:29,433 And in our case that is the port four four four four. 190 00:08:30,720 --> 00:08:34,380 If I press enter, hmm. 191 00:08:34,380 --> 00:08:38,789 We get an error that says no attribute windll, 192 00:08:38,789 --> 00:08:41,909 and I knew this error will come up. 193 00:08:41,909 --> 00:08:45,330 The solution to this is to run the exploit 194 00:08:45,330 --> 00:08:47,280 from a Windows machine. 195 00:08:47,280 --> 00:08:48,796 So this file right here must be run 196 00:08:48,796 --> 00:08:50,910 from another Windows machine, 197 00:08:50,910 --> 00:08:53,430 and then we can redirect the connection 198 00:08:53,430 --> 00:08:56,283 to this Kali Linux machine to pop a shell. 199 00:08:57,390 --> 00:08:58,223 Why is that? 200 00:08:58,223 --> 00:09:01,530 Well, this ctypes library has no attribute in windll. 201 00:09:01,530 --> 00:09:04,380 Which is only to be run in a Windows environment, I believe. 202 00:09:04,380 --> 00:09:05,880 So let's test it out. 203 00:09:05,880 --> 00:09:09,210 For this, I'm going to use my main Windows 10 machine 204 00:09:09,210 --> 00:09:11,730 right here to run the exploit. 205 00:09:11,730 --> 00:09:15,210 And I will redirect the connection once exploited, 206 00:09:15,210 --> 00:09:17,970 to the Kali Linux machine that is already listening, 207 00:09:17,970 --> 00:09:19,830 for the incoming connections. 208 00:09:19,830 --> 00:09:21,870 Now, I know it sounds a little bit complicated, 209 00:09:21,870 --> 00:09:23,520 but let's give it a try. 210 00:09:23,520 --> 00:09:26,760 I already downloaded the exploit right here. 211 00:09:26,760 --> 00:09:30,030 Here is the file containing all of the other files. 212 00:09:30,030 --> 00:09:33,437 And if I open my command prompt, then I navigate 213 00:09:36,060 --> 00:09:38,763 to this directory right here containing the exploit. 
214 00:09:43,560 --> 00:09:44,700 What I'm going to do is 215 00:09:44,700 --> 00:09:45,960 I'm going to run the exact 216 00:09:45,960 --> 00:09:49,230 same command that I ran previously on my Kali Linux machine. 217 00:09:49,230 --> 00:09:51,600 Just this time I will be running it 218 00:09:51,600 --> 00:09:53,853 from my main Windows 10 machine. 219 00:09:54,690 --> 00:09:57,180 So the IP address of the target is first. 220 00:09:57,180 --> 00:09:59,070 Then comes the IP address of the machine 221 00:09:59,070 --> 00:10:01,440 that is listening for the incoming connections. 222 00:10:01,440 --> 00:10:02,910 And this might sound confusing, 223 00:10:02,910 --> 00:10:06,480 but this is still the IP address of our Kali Linux machine. 224 00:10:06,480 --> 00:10:07,410 If you want, however, 225 00:10:07,410 --> 00:10:10,170 you can also connect back to this Windows 10 machine, 226 00:10:10,170 --> 00:10:12,875 but in that case you must install Netcat for Windows, 227 00:10:12,875 --> 00:10:16,890 and listen using Netcat from a Windows machine. 228 00:10:16,890 --> 00:10:19,260 And then right here you would specify the IP address 229 00:10:19,260 --> 00:10:22,560 of the Windows 10 machine that is running the exploit. 230 00:10:22,560 --> 00:10:24,433 Since there is no need for me to do that. 231 00:10:24,433 --> 00:10:27,540 I will just specify the Kali Linux IP address 232 00:10:27,540 --> 00:10:30,750 and the port number is four four four four. 233 00:10:30,750 --> 00:10:31,680 Great. 234 00:10:31,680 --> 00:10:34,653 The command is here and if we execute it. 235 00:10:36,930 --> 00:10:38,550 It will start the exploit, 236 00:10:38,550 --> 00:10:41,700 and sometimes this exploit will crash the target. 237 00:10:41,700 --> 00:10:43,560 As we can see right here. 238 00:10:43,560 --> 00:10:45,870 The first try of running this exploit 239 00:10:45,870 --> 00:10:48,360 crashed our target machine. 
240 00:10:48,360 --> 00:10:50,700 And this is something that you must get used to 241 00:10:50,700 --> 00:10:53,070 once running these type of exploits. 242 00:10:53,070 --> 00:10:54,720 So what I'm going to do is 243 00:10:54,720 --> 00:10:58,773 I'm going to Control C to quit this exploit. 244 00:11:00,150 --> 00:11:01,770 And then what I'm going to do 245 00:11:01,770 --> 00:11:03,660 clear the screen using CLS command, 246 00:11:03,660 --> 00:11:06,420 and I will run this command once again. 247 00:11:06,420 --> 00:11:08,250 Just I will wait for this Windows 10 machine 248 00:11:08,250 --> 00:11:09,900 to boot up once again. 249 00:11:09,900 --> 00:11:12,840 And we are going to give it a second try. 250 00:11:12,840 --> 00:11:14,040 And now that we're logged in, 251 00:11:14,040 --> 00:11:16,530 I will run the command once again. 252 00:11:16,530 --> 00:11:18,930 Now there is a chance that it will crash once again, 253 00:11:18,930 --> 00:11:20,610 but hopefully it will not. 254 00:11:20,610 --> 00:11:21,510 And here it is. 255 00:11:21,510 --> 00:11:22,740 It crashed once again. 256 00:11:22,740 --> 00:11:25,830 So I'm just going to restart it again real quick, 257 00:11:25,830 --> 00:11:28,740 and then run the exploit for the third time. 258 00:11:28,740 --> 00:11:30,873 Hopefully the third time it'll work. 259 00:11:31,740 --> 00:11:32,670 Okay, here it is, 260 00:11:32,670 --> 00:11:35,550 and hopefully the third time will be our lucky run. 261 00:11:35,550 --> 00:11:37,143 Let's run the exploit. 262 00:11:39,450 --> 00:11:41,550 For now everything seems to be working. 263 00:11:41,550 --> 00:11:45,171 We haven't reached this point in the past two tries. 264 00:11:45,171 --> 00:11:47,490 So hopefully right now the target will not crash. 
265 00:11:47,490 --> 00:11:49,710 And what we're looking for at the end of this, 266 00:11:49,710 --> 00:11:52,140 is after the exploit is done, 267 00:11:52,140 --> 00:11:54,780 we're looking to gain the shell right here, 268 00:11:54,780 --> 00:11:56,883 inside of our Kali Linux machine. 269 00:11:58,440 --> 00:12:00,693 So let's wait for this to finish. 270 00:12:01,800 --> 00:12:04,720 It tells us right here, wrote shellcode 271 00:12:05,730 --> 00:12:09,750 and if I go to my Kali Linux machine, here it is. 272 00:12:09,750 --> 00:12:13,170 We got the shell on our Windows 10 target machine. 273 00:12:13,170 --> 00:12:14,790 If I type whoami. 274 00:12:14,790 --> 00:12:16,200 We are the system level account. 275 00:12:16,200 --> 00:12:18,990 So we are the highest level account possible. 276 00:12:18,990 --> 00:12:21,780 If I type ipconfig just to check 277 00:12:21,780 --> 00:12:23,250 whether we have the same IP address, 278 00:12:23,250 --> 00:12:26,040 and that indeed is the same machine. 279 00:12:26,040 --> 00:12:30,120 So we successfully exploited the Windows 10 target machine. 280 00:12:30,120 --> 00:12:33,060 Just for this, we had to use a Windows machine 281 00:12:33,060 --> 00:12:34,200 to run the exploit. 282 00:12:34,200 --> 00:12:37,170 Because of some libraries inside of the Python file. 283 00:12:37,170 --> 00:12:38,610 And if you notice right here, 284 00:12:38,610 --> 00:12:40,920 it tells us that if we disconnect 285 00:12:40,920 --> 00:12:44,640 and if we exit this exploit, the target will probably crash. 286 00:12:44,640 --> 00:12:47,220 So what we would want to do is we would want to execute all 287 00:12:47,220 --> 00:12:48,960 of the commands that we want to execute. 288 00:12:48,960 --> 00:12:51,540 Do what we need to do on the target machine. 289 00:12:51,540 --> 00:12:54,626 And then after we've done and we've exited the shell. 290 00:12:54,626 --> 00:12:57,144 We can go right here, stop the exploit. 
291 00:12:57,144 --> 00:13:00,870 And once this exploit has been disrupted, 292 00:13:00,870 --> 00:13:03,270 that will again crash the target machine. 293 00:13:03,270 --> 00:13:04,650 As we can see right here. 294 00:13:04,650 --> 00:13:06,960 Just this time, we managed to run the shell. 295 00:13:06,960 --> 00:13:09,360 We managed to execute commands on the target machine, 296 00:13:09,360 --> 00:13:12,810 for as long as we wanted, before crashing the machine. 297 00:13:12,810 --> 00:13:15,570 So the goal right here is to first gain the shell, 298 00:13:15,570 --> 00:13:17,460 and then the machine will crash, 299 00:13:17,460 --> 00:13:20,580 and not crash the machine at the beginning of the exploit. 300 00:13:20,580 --> 00:13:23,010 But that is something that we do not have control of. 301 00:13:23,010 --> 00:13:24,750 So sometimes you will gain the shell, 302 00:13:24,750 --> 00:13:27,603 and sometimes you might crash the target machine. 303 00:13:29,130 --> 00:13:30,030 Okay, great. 304 00:13:30,030 --> 00:13:33,540 So we successfully exploited Windows 10 machine. 305 00:13:33,540 --> 00:13:34,950 We did it manually 306 00:13:34,950 --> 00:13:37,623 with the help of tools that we found online. 307 00:13:38,460 --> 00:13:40,410 We also set up our own listener 308 00:13:40,410 --> 00:13:43,170 that was waiting for the incoming connections. 309 00:13:43,170 --> 00:13:46,440 And right now that we covered all of these vulnerabilities. 310 00:13:46,440 --> 00:13:47,910 Starting from the next video, 311 00:13:47,910 --> 00:13:50,070 we're going to see how we can attack targets 312 00:13:50,070 --> 00:13:52,350 that do not have any vulnerability. 313 00:13:52,350 --> 00:13:55,170 So we are going to see how we can generate our own payloads, 314 00:13:55,170 --> 00:13:58,290 and how we can deliver them to the target machine. 315 00:13:58,290 --> 00:13:59,590 See you in the next video.