1
00:00:00,720 --> 00:00:03,870
-: Let's continue with our meterpreter commands.

2
00:00:03,870 --> 00:00:06,689
So we only covered navigating through file system

3
00:00:06,689 --> 00:00:08,280
and some essential commands

4
00:00:08,280 --> 00:00:11,370
between switching sessions inside of a meterpreter,

5
00:00:11,370 --> 00:00:14,370
but we didn't really touch on those interesting commands

6
00:00:14,370 --> 00:00:17,550
such as running a keylogger or snapping a screenshot

7
00:00:17,550 --> 00:00:20,250
or recording microphone.

8
00:00:20,250 --> 00:00:22,080
But before we get to them,

9
00:00:22,080 --> 00:00:24,180
there is one portion of the commands

10
00:00:24,180 --> 00:00:28,890
that we must go through first and those are system commands.

11
00:00:28,890 --> 00:00:33,180
Let us run the help manual to check them out.

12
00:00:33,180 --> 00:00:35,670
So, if I scroll all the way up,

13
00:00:35,670 --> 00:00:38,700
right after the networking commands,

14
00:00:38,700 --> 00:00:41,910
we should see the system commands.

15
00:00:41,910 --> 00:00:44,670
And here, there are a few interesting ones.

16
00:00:44,670 --> 00:00:45,660
For example,

17
00:00:45,660 --> 00:00:49,950
let's start with this execute command right here.

18
00:00:49,950 --> 00:00:53,190
So this command allows us to execute

19
00:00:53,190 --> 00:00:56,100
any type of the command that we would use inside of a shell.

20
00:00:56,100 --> 00:00:58,830
It'll most likely run this on a separate thread,

21
00:00:58,830 --> 00:01:01,410
so we'll be able to execute different commands,

22
00:01:01,410 --> 00:01:03,090
simultaneously.

23
00:01:03,090 --> 00:01:04,440
Let me show you what they mean.

24
00:01:04,440 --> 00:01:05,459
So for example,

25
00:01:05,459 --> 00:01:08,640
let's say that I want to start a calculator

26
00:01:08,640 --> 00:01:09,780
on the target machine.
27
00:01:09,780 --> 00:01:12,270
I can type execute calc,

28
00:01:12,270 --> 00:01:15,993
and here it'll tell me that I need to specify the -f option.

29
00:01:17,340 --> 00:01:22,260
Process 9096 is created and right here,

30
00:01:22,260 --> 00:01:24,213
I got my calculator opened.

31
00:01:25,200 --> 00:01:27,510
Now if I wanted to terminate this process

32
00:01:27,510 --> 00:01:29,280
or any other process,

33
00:01:29,280 --> 00:01:30,720
inside of the system commands,

34
00:01:30,720 --> 00:01:35,550
we also get this kill command that says terminate a process.

35
00:01:35,550 --> 00:01:40,140
But for this command, we need to know the process ID.

36
00:01:40,140 --> 00:01:42,780
So, here we got the process ID

37
00:01:42,780 --> 00:01:44,490
as soon as we started this process,

38
00:01:44,490 --> 00:01:47,820
but let's say we wanted to terminate a different process.

39
00:01:47,820 --> 00:01:50,520
How would we get its process ID?

40
00:01:50,520 --> 00:01:51,480
Well, remember,

41
00:01:51,480 --> 00:01:53,520
we can type the command ps

42
00:01:53,520 --> 00:01:56,220
to list out all of the files that are currently running

43
00:01:56,220 --> 00:01:57,660
on the target system.

44
00:01:57,660 --> 00:02:01,620
And this left column right here is the process ID.

45
00:02:01,620 --> 00:02:03,303
If I scroll all the way up,

46
00:02:04,170 --> 00:02:08,400
here we can see PID or Process ID,

47
00:02:08,400 --> 00:02:10,590
and I can scroll all the way down,

48
00:02:10,590 --> 00:02:13,050
and at the end, somewhere around here,

49
00:02:13,050 --> 00:02:16,140
we should see our calculator being open.

50
00:02:16,140 --> 00:02:17,490
Let's go and search it,

51
00:02:17,490 --> 00:02:20,940
so search for the calculator application

52
00:02:20,940 --> 00:02:23,220
and if I scroll a little bit up,

53
00:02:23,220 --> 00:02:27,030
we should be able to find it somewhere around here.

54
00:02:27,030 --> 00:02:30,600
And here it is, calculator.exe.
55
00:02:30,600 --> 00:02:34,233
So, we can see the process ID is 8412.

56
00:02:35,400 --> 00:02:37,050
Let's try to kill this process

57
00:02:37,050 --> 00:02:39,540
and see whether our calculator closes.

58
00:02:39,540 --> 00:02:44,077
So if I go and copy this process ID 8412

59
00:02:46,650 --> 00:02:51,033
and down here I type kill and then paste the process ID,

60
00:02:52,410 --> 00:02:55,140
here we can see the calculator is now gone.

61
00:02:55,140 --> 00:02:56,940
So we can start different programs

62
00:02:56,940 --> 00:03:00,300
and terminate different programs if we want to,

63
00:03:00,300 --> 00:03:01,683
using a meterpreter shell.

64
00:03:02,670 --> 00:03:05,340
A few more interesting commands from the system commands

65
00:03:05,340 --> 00:03:08,910
would be probably this reboot command

66
00:03:08,910 --> 00:03:10,890
that reboots the remote computer.

67
00:03:10,890 --> 00:03:14,220
Now I'm not going to test this because I am running my shell

68
00:03:14,220 --> 00:03:16,410
on the main Windows 10 operating system.

69
00:03:16,410 --> 00:03:19,950
So, rebooting that machine would be no good,

70
00:03:19,950 --> 00:03:22,590
since I'm also recording on it.

71
00:03:22,590 --> 00:03:23,820
Besides rebooting,

72
00:03:23,820 --> 00:03:26,070
we can also shut down the target machine

73
00:03:26,070 --> 00:03:27,990
just by specifying the command shutdown

74
00:03:27,990 --> 00:03:30,180
and you can test both of these commands

75
00:03:30,180 --> 00:03:32,010
on a virtual machine.

76
00:03:32,010 --> 00:03:34,950
And at the end, we also get the system information.

77
00:03:34,950 --> 00:03:38,250
So it gets information about the remote system such as OS,

78
00:03:38,250 --> 00:03:40,260
and that is always useful to know,

79
00:03:40,260 --> 00:03:43,260
some of the additional information about the target machine.
80
00:03:43,260 --> 00:03:46,260
Here we can see the computer, the OS, the architecture,

81
00:03:46,260 --> 00:03:49,500
the system language, and other options as well.

82
00:03:49,500 --> 00:03:51,330
But I said that we're going to cover

83
00:03:51,330 --> 00:03:53,490
some of the interesting commands right here

84
00:03:53,490 --> 00:03:56,400
in this video and let's get straight into them.

85
00:03:56,400 --> 00:03:58,110
So after the system commands,

86
00:03:58,110 --> 00:04:02,070
we get these user interface commands.

87
00:04:02,070 --> 00:04:04,920
And here we can control mouse, keyboard,

88
00:04:04,920 --> 00:04:07,110
record microphones, run screenshots,

89
00:04:07,110 --> 00:04:08,880
and a bunch of other cool options

90
00:04:08,880 --> 00:04:10,800
that we're going to cover right now.

91
00:04:10,800 --> 00:04:14,760
So let's start, for example, with this mouse option.

92
00:04:14,760 --> 00:04:17,160
Send mouse events.

93
00:04:17,160 --> 00:04:18,870
Let's see how that would work.

94
00:04:18,870 --> 00:04:21,870
If I just type mouse inside of the meterpreter,

95
00:04:21,870 --> 00:04:24,840
it gives us a small usage for this command.

96
00:04:24,840 --> 00:04:26,910
So mouse and then the action,

97
00:04:26,910 --> 00:04:29,340
we can type click, up, down, right click,

98
00:04:29,340 --> 00:04:33,270
right up, right down, double click and so on and so on.

99
00:04:33,270 --> 00:04:35,610
We can also move the mouse if we want to.

100
00:04:35,610 --> 00:04:37,740
So, let's try this command.

101
00:04:37,740 --> 00:04:42,740
If I copy mouse move and then paste right here.

102
00:04:42,750 --> 00:04:46,293
Let us put the mouse right here and if I press enter,

103
00:04:47,430 --> 00:04:50,400
here, the mouse moved on its own.

104
00:04:50,400 --> 00:04:51,693
Let's do it once again.

105
00:04:52,890 --> 00:04:53,850
Did you see it?
106
00:04:53,850 --> 00:04:55,020
It moves on its own,

107
00:04:55,020 --> 00:04:58,230
so we can control the mouse on the target machine.

108
00:04:58,230 --> 00:05:01,200
Now even though this is cool, it is not really that useful.

109
00:05:01,200 --> 00:05:02,730
However, there are other commands

110
00:05:02,730 --> 00:05:05,160
we would find a lot more useful than this,

111
00:05:05,160 --> 00:05:08,220
such as, for example, running a keylogger.

112
00:05:08,220 --> 00:05:10,863
Let's see how we can run a simple keylogger.

113
00:05:11,730 --> 00:05:13,680
So if I scroll all the way up,

114
00:05:13,680 --> 00:05:16,920
here we get the commands keyscan_start,

115
00:05:16,920 --> 00:05:20,400
keyscan_stop and keyscan_dump.

116
00:05:20,400 --> 00:05:22,800
Hmm, let's give them a try.

117
00:05:22,800 --> 00:05:26,913
If I copy this command that says start capturing keystrokes,

118
00:05:29,970 --> 00:05:33,060
input it inside of my meterpreter,

119
00:05:33,060 --> 00:05:35,670
it says starting the keystroke sniffer.

120
00:05:35,670 --> 00:05:38,580
Now let's go to this page and this is a PayPal page

121
00:05:38,580 --> 00:05:41,550
and now I'm just going to type something random right here.

122
00:05:41,550 --> 00:05:45,600
So let's say example@gmail.com

123
00:05:45,600 --> 00:05:49,530
and password will be test1234.

124
00:05:49,530 --> 00:05:53,580
If I click on login, of course, this account does not exist.

125
00:05:53,580 --> 00:05:54,840
But let's go right here

126
00:05:54,840 --> 00:05:58,680
and see whether our meterpreter shell managed to capture it.

127
00:05:58,680 --> 00:06:01,800
To print out the keystrokes that were captured,

128
00:06:01,800 --> 00:06:03,243
we can type keyscan_dump.

129
00:06:05,490 --> 00:06:07,740
Press enter and here it is,

130
00:06:07,740 --> 00:06:12,740
example@gmail.com and here is the password test1234.
131
00:06:14,790 --> 00:06:18,307
To stop a keylogger, we can type keyscan_stop,

132
00:06:20,610 --> 00:06:23,280
and this will stop capturing keystrokes.

133
00:06:23,280 --> 00:06:24,810
So this is really useful,

134
00:06:24,810 --> 00:06:26,730
if you want to capture the messages

135
00:06:26,730 --> 00:06:28,710
that they're sending online

136
00:06:28,710 --> 00:06:31,260
or basically whatever they type on their keyboard,

137
00:06:31,260 --> 00:06:33,760
you can capture it by typing keyscan_start

138
00:06:34,980 --> 00:06:37,770
and then you can type keyscan_dump

139
00:06:37,770 --> 00:06:40,200
to dump all of the keystrokes that it captured

140
00:06:40,200 --> 00:06:42,420
in that specific time lapse.

141
00:06:42,420 --> 00:06:45,870
Great. Let's check out more options as well.

142
00:06:45,870 --> 00:06:47,460
So, another interesting one

143
00:06:47,460 --> 00:06:49,140
is the one that we already covered,

144
00:06:49,140 --> 00:06:50,880
which is the screenshot option.

145
00:06:50,880 --> 00:06:54,120
As it says, grab a screenshot of the interactive desktop.

146
00:06:54,120 --> 00:06:56,643
If we run it real quick,

147
00:06:58,200 --> 00:06:59,670
this will save a screenshot

148
00:06:59,670 --> 00:07:02,760
inside of this /home/mrhacker directory.

149
00:07:02,760 --> 00:07:06,690
And we can visit it by clicking on this open folder

150
00:07:06,690 --> 00:07:08,430
and here is the screenshot.

151
00:07:08,430 --> 00:07:10,650
So it is the screenshot of our Kali Linux machine,

152
00:07:10,650 --> 00:07:13,200
because my Kali Linux machine is running

153
00:07:13,200 --> 00:07:14,823
on this Windows 10 machine.

154
00:07:15,690 --> 00:07:18,000
But what if I wanted to, for example,

155
00:07:18,000 --> 00:07:20,790
see what the target is doing

156
00:07:20,790 --> 00:07:25,230
or simply just record the screen at the live time.

157
00:07:25,230 --> 00:07:28,950
Well, there is a command called screenshare.
158
00:07:28,950 --> 00:07:32,640
And it says watch the remote user's desktop in real time.

159
00:07:32,640 --> 00:07:35,193
We can type it right here, screenshare,

160
00:07:36,900 --> 00:07:39,900
and this will start streaming the target's desktop

161
00:07:39,900 --> 00:07:41,343
to our Kali Linux machine.

162
00:07:43,650 --> 00:07:44,483
Here it is.

163
00:07:44,483 --> 00:07:47,580
Now, this command is known to be a little bit buggy,

164
00:07:47,580 --> 00:07:51,210
as it does require some of the power in order to run.

165
00:07:51,210 --> 00:07:53,610
As we can see right here, it can be buggy sometimes.

166
00:07:53,610 --> 00:07:57,990
But nonetheless, we can see the target's desktop.

167
00:07:57,990 --> 00:07:59,730
Let us close this real quick

168
00:07:59,730 --> 00:08:02,130
and another command that I wanted to show you

169
00:08:02,130 --> 00:08:06,360
that is really cool, is recording the target's desktop.

170
00:08:06,360 --> 00:08:10,503
How can we do that? If I type the help command, go up here,

171
00:08:11,730 --> 00:08:15,600
here, we can see these commands right here, record_mic,

172
00:08:15,600 --> 00:08:18,990
record audio from the default microphone for X seconds.

173
00:08:18,990 --> 00:08:22,290
We can also stream the webcam and take a snapshot

174
00:08:22,290 --> 00:08:26,220
from the specified webcam, using these commands right here.

175
00:08:26,220 --> 00:08:28,890
But since my Windows 10 machine doesn't have a webcam,

176
00:08:28,890 --> 00:08:30,330
I'm not going to be running this.

177
00:08:30,330 --> 00:08:32,190
Of course, you can test these commands out,

178
00:08:32,190 --> 00:08:34,620
if you've got a webcam, and see if they work.

179
00:08:34,620 --> 00:08:37,620
From now on, I am going to record the microphone

180
00:08:37,620 --> 00:08:40,289
on our Windows 10 target machine.

181
00:08:40,289 --> 00:08:42,659
Now this command requires a parameter.
182
00:08:42,659 --> 00:08:46,740
We can specify the number of seconds using the -d option,

183
00:08:46,740 --> 00:08:49,110
and I will specify 10 seconds.

184
00:08:49,110 --> 00:08:50,880
If I press enter,

185
00:08:50,880 --> 00:08:53,550
this will start recording and it should capture

186
00:08:53,550 --> 00:08:56,820
what I'm speaking at the moment into the microphone.

187
00:08:56,820 --> 00:09:00,780
So here the 10 seconds finished and it saved the file

188
00:09:00,780 --> 00:09:05,610
inside of the /home/mrhacker and this is the file name.

189
00:09:05,610 --> 00:09:07,050
You can listen to it, if you want to,

190
00:09:07,050 --> 00:09:10,140
but for now let us check out what other commands we have

191
00:09:10,140 --> 00:09:13,980
at the end of the help menu and we got these cool commands,

192
00:09:13,980 --> 00:09:15,993
such as getsystem and hashdump.

193
00:09:16,950 --> 00:09:18,330
And believe it or not,

194
00:09:18,330 --> 00:09:21,000
these commands could be the most useful

195
00:09:21,000 --> 00:09:23,130
out of all of the others that we covered.

196
00:09:23,130 --> 00:09:25,983
However, if I try to run the getsystem command,

197
00:09:27,030 --> 00:09:28,580
inside of my meterpreter shell,

198
00:09:30,000 --> 00:09:33,030
hmm, operation failed.

199
00:09:33,030 --> 00:09:34,740
It will not work.

200
00:09:34,740 --> 00:09:37,680
It seems we cannot get system privileges

201
00:09:37,680 --> 00:09:39,240
on the target machine.

202
00:09:39,240 --> 00:09:40,650
And just to remind you,

203
00:09:40,650 --> 00:09:42,930
system privileges are the highest privileges

204
00:09:42,930 --> 00:09:46,710
on the Windows machine, even higher than the administrator.

205
00:09:46,710 --> 00:09:48,600
Once we get a system-level account,

206
00:09:48,600 --> 00:09:52,080
we can say we fully hacked that box.

207
00:09:52,080 --> 00:09:54,240
So what are we going to do?
208
00:09:54,240 --> 00:09:57,120
Well, we are going to try to elevate our privileges

209
00:09:57,120 --> 00:10:01,020
in the next video by using post-exploitation modules.

210
00:10:01,020 --> 00:10:01,853
For now,

211
00:10:01,853 --> 00:10:03,630
we covered basic meterpreter commands

212
00:10:03,630 --> 00:10:05,490
and you saw how useful they are

213
00:10:05,490 --> 00:10:08,190
despite being so easy to run.

214
00:10:08,190 --> 00:10:11,640
We simply got a screenshot by running one command.

215
00:10:11,640 --> 00:10:14,670
We recorded the microphone by running one command.

216
00:10:14,670 --> 00:10:17,310
But it is time to get into more advanced things

217
00:10:17,310 --> 00:10:20,130
and running more advanced modules.

218
00:10:20,130 --> 00:10:21,430
See you in the next video.