So now open your terminal and start the MSF console. The first command of this part is show. When you work with a module, it helps you to display the variables and properties of that module; the help screen is for showing us that. Type the show command and then the name of the object, so let's have a look at NOP generators by typing show nops. And as you see, the generators list appears. There's no plugin for this phase, and here are the encoders, and also the exploits. But it might take a little while to list all the exploits if you try to list them. And then here are all the exploits in Metasploit.

Now, when you need to use an exploit, you can search these exploits. For example, if you want to exploit a Java RMI server code execution, you can search for terms like RMI, RMI registry. So, yeah, let's perform a search just like that: search RMI registry. And you see, it brings me the appropriate exploit.

So I want to make an important point here: when you are conducting a test, you should perform an extensive enumeration on the target to choose the right exploit. That's how you know what to search for. Although Metasploit has many exploits, it doesn't mean that you can use every single one in every circumstance. First, you need to find the vulnerability, and then if Metasploit has a suitable exploit, you can use that. Otherwise, you may have a headache if you randomly run exploits, and it's a waste of time.

OK, so back to the RMI registry exploit. So now you have the name of the exploit, and if you recall from the previous videos, how do you use this exploit? Type use and then the name of the exploit. Now you can work with that exploit. If you want to be sure about the exploit or if you want to configure the details, you can use the info command to get detailed information about what the exploit is going to do. In this case this is an exploit, but for sure it can be any other Metasploit module. So read the description, examine the variables, or follow the reference link to get additional information about that particular exploit.

So show options to view the variables. And these are the basic variables. And yes, you can set some advanced variables to have more control over the exploit code. How do you do that? show advanced. So here are the other variables of the exploit to make some of the advanced configurations.

Some exploits only work with a specific operating system or software version, whatever. Now, to send the target the right exploit code, you've got to know the version of what you're trying to exploit. Makes sense, right? I'll assume here that you have made enumeration and you know your target well. So that's what you tell Metasploit. You specify the available targets by the show targets command. As I hope you see on the screen, there are only five types of target. So this means that this exploit can't be utilized on environments other than these particular five, for the most part.

In a production environment, your exploit may fail due to IPS, IDS or firewall rules. So I think it's good practice to evade the security measures. For each exploit, there are different evasion techniques in Metasploit. So let's use the show evasion command to display the available techniques, and if you want, you can choose these. And these are the payloads that I listed by the show payloads command. Now, like evasion, for each exploit there are different payloads. So this means you can't use a Linux payload for a Windows system. And for this exploit, there are these available payloads.

Now, I'll show you these variables again and let's set them. You may remember from some of the previous videos how to set a variable, so we'll do that now: use the set command just like that. That's why I like the Linux console. Setting the value of a variable means you can get the value of the same variable by simply typing get as a command and then the variable name. This is the Metasploitable 2 IP address in my lab environment. Now, you can also unset a variable value by using the unset command. And I just unset our RHOST value, as you see here.

So you may come across a situation where you need to use the same value in every exploit. So you can just set the variable to the same value in each exploit again. If you use the setg command, you can globally set a variable value. And by using the getg command, you can get the global value of a variable. And then simply, you can unset a global variable by using the unsetg command.

Now, after setting all the variables, you can get the exploit to execute by either using the run or the exploit commands. It actually doesn't matter. So these messages here show what's going on in the background. And you will also be informed by Metasploit if a session is open. So now I have this session, and by typing the sessions command, I will list my available sessions. And as expected, I have only this one. Now, to interact with that session, type sessions as your command with the -i parameter and then an index of this session. In my case, it's three. OK, so now I'm in the Meterpreter shell. Later, you're going to have your deep dive in Meterpreter, I promise. But for now, I'm going to only show you that I have exploited the Metasploitable 2. Then let's type in background to turn back to the MSF console again.