[00:00:00] Welcome back. In this video I want to talk about a few more useful commands and post exploitation modules. So, what I got right here: I established my Meterpreter session with my Windows 10 main machine. And now let's see what else we could find useful after exploiting the target. Well, if we take the help command, somewhere around here, I believe there should be an option called search. And what search allows us to do is, for example, to search for specific file types on the target system. So if we type search -h, this will give me the options that I can use with this command. For example, if I wanted to find all the JPEG pictures on the target system, what I could do is type search -f *.jpeg and press enter. And what this is going to do is extract all the JPEG images that are located on the target system. Now, you can also do this for any other file type that you want, and you can also mix it with one of these options right here. And here are the results. We can see there are a lot of them.

[00:01:14] All of these are JPEG files, as we can see right here. Now if I scroll all the way up, we can see that the list goes on and on. So maybe we would want to narrow it down if we were searching for something specific. But right now, we got all of the JPEG files on the target system. Okay, another thing that I want to show you is the usage of post exploitation modules. How can we do that? Well, if we go and put my session in the background, clear the screen, and, since we are on a Windows machine, what we can do to search for the post exploitation modules is type search post/windows and press enter. And this will list out all 191 post exploitation modules. And you can scroll through them and see which ones you would find useful. For example, if your target has a wireless card and it connects to a wireless access point, you can use this module: type use and then the module name, then show options. And usually these modules will only want the session ID, so they're very easy to run. You can simply just set the session ID. First of all, let's check out what session ID we have. And it is one, so set the session ID to one.

[00:02:32] Then run the program, and this will list out all of the wireless interfaces, and possibly the passwords of the connected wireless access points. Now since my machine doesn't have a wireless interface, it simply just prints out "no wireless interfaces". So these post exploitation modules depend on what you're looking for. So let's scroll a little bit up and see which type of modules we have. So we got a bunch of enumeration modules. You can enumerate Chrome, to extract all the Chrome data you can find inside of that browser, in case the target is using Chrome. Check for VM: so you can use this module, for example, to check out whether the target that you managed to hack uses a virtual machine, or if it is a virtual machine. So let's see how that would work. We know that my Windows 10 main machine is not a virtual machine, so it should give out false as a result. So set session one, run this, checking if my target machine is a virtual one. And it says it appears to be a physical machine, which is correct. You can also be more specific when searching for the post exploitation module.

[00:03:41] Such as, for example, type search passwords. And we can see right here we get some post exploitation modules for gathering passwords, credentials, Total Commander saved password extraction. Let's go a little bit up, see what else we have. Not really too interesting. However, one module that we can use to extract the hashed versions of passwords on a Windows machine: we can type search hashdump. Then we can scroll a little bit up and we got somewhere around here a module. Here it is, called post/windows/gather/hashdump. So let's copy it, type use, and then paste the module name. If I type show options, set the session to be one. As you can see, they're very easy to run. Only one option is required, and I type run. It will tell me access is denied. So this simply means I'm not a system level account. We know how we can fix that. So I'm just going to do that real quick, just to show you what this post exploitation module outputs once it works. So I'm going to, real quick, elevate privileges. And here it is, the privilege escalation worked from the second try.

[00:05:00] And I'm going to type getsystem, background this session, and now use post/windows/gather/hashdump, set session to be session two, because session two, in this case, is the session with the system level account. And if I type run, this should give me the hashes of all the users on that Windows machine. And here they are. We got the administrator hash, we got the user hash, and we got some other hashes as well. And we could use them, crack them with some other program. But more about password cracking later on in the course. For now, we just managed to extract the hashes. Another useful option that we have that requires system privileges is inside the Meterpreter shell. If I go inside of my system level account shell and I type the help menu, scroll a little bit up, I should see this option called clearev. And this stands for clear the event log. What does this mean? Well, this command will clear the Application, System and Security logs on a Windows system. So it is something similar to covering up our tracks. How can we run it?

[00:06:11] Well, it takes no other parameters. So all we need is a system privileged account, and we can type clearev. And we can see right here it is wiping out records from Application, System and Security. And another thing that I want to show you before I close off this video is that you can run post exploitation modules even from the Meterpreter shell. So you don't always need to put it inside of the background in order to run a post exploitation module. You can simply just type run and then the module name. For example, I will use this one: run post/windows/gather/enum_applications. And if I press enter, what this post module will do is print out all the installed applications on my Windows 10 machine. And we can see them right here. So many different modules exist. We saw there are hundreds of post exploitation modules. You run all of them the same way. So you can simply just go and search through them and find which one is useful for you. Then you can test them out and see how they work. Great!

[00:07:17] Now that we covered all of this, you have a pretty good understanding of what post exploitation is. So let's just remind ourselves of the most important things that we do. After exploiting the target, we try to elevate our privileges, create persistence in order to be able to enter that machine whenever we want. And we search for useful information on that target machine, such as password hashes, such as different files that we might find useful. And those are the main parts of post exploitation. Of course, you can then use commands like clearev and other commands that are used to cover up your tracks and delete the log files, which could be useful to cyber forensics in case they want to track back the person that was on that machine. So, thank you for watching this video, and I will see you in the next lecture.