1 00:00:02,140 --> 00:00:06,250 OK, so let's see some of the basic Meterpreter commands with a Windows victim. 2 00:00:08,000 --> 00:00:13,790 Here I have a system running Windows XP Service Pack 1, and its IP address is 207. 3 00:00:14,510 --> 00:00:19,340 This system has the MS08-067 vulnerability. 4 00:00:20,510 --> 00:00:26,230 So now let's try to exploit the vulnerability and have a Meterpreter session on the Windows system. 5 00:00:27,560 --> 00:00:35,120 We were in the Metasploitable Meterpreter session, so send that session to the background to access the msfconsole 6 00:00:35,120 --> 00:00:36,020 shell. 7 00:00:37,330 --> 00:00:43,150 Now, let's find the exploit module written for the MS08-067 vulnerability. 8 00:00:44,310 --> 00:00:47,670 And we have one exploit with a "great" rank. 9 00:00:48,470 --> 00:00:53,900 That's good for us, so type use and the full module name to use it. 10 00:00:55,000 --> 00:00:58,030 So now let's look at the payloads we can use with this exploit. 11 00:01:01,030 --> 00:01:06,380 Wow, there are a lot of payloads, and let's choose this one: 12 00:01:07,240 --> 00:01:10,540 windows/meterpreter/reverse_tcp. 13 00:01:11,400 --> 00:01:19,920 And show the options now. We have already seen these steps before, so I'll keep it quick: set the remote 14 00:01:19,920 --> 00:01:22,110 host, the IP address of the Windows machine. 15 00:01:24,910 --> 00:01:26,590 The listen host is our Kali machine. 16 00:01:29,590 --> 00:01:31,040 The remote port is correct. 17 00:01:31,060 --> 00:01:32,860 The listen port, that's OK for me. 18 00:01:33,310 --> 00:01:35,020 Ready to run the exploit? 19 00:01:37,650 --> 00:01:41,300 And yes, we have a Meterpreter session on the Windows system.
20 00:01:42,160 --> 00:01:49,330 And what's the first command? sysinfo is always my first command, and look at that, we have confirmed 21 00:01:49,870 --> 00:01:58,060 we are on Windows XP Service Pack 1. The help command is the second one, of course; it shows the commands 22 00:01:58,060 --> 00:01:58,600 available. 23 00:01:59,950 --> 00:02:05,020 OK, so now there were a few commands which I said that I will show you with a Meterpreter session 24 00:02:05,020 --> 00:02:06,100 on a Windows system. 25 00:02:07,310 --> 00:02:11,570 The hashdump command was not available when we were on Metasploitable. 26 00:02:12,600 --> 00:02:14,610 Now Meterpreter has this command. 27 00:02:15,380 --> 00:02:19,400 Of course, we can also use the hashdump post module as well. 28 00:02:20,490 --> 00:02:25,700 The hashdump command is more important for Windows systems, and I'll tell you why: in a Linux system, 29 00:02:26,160 --> 00:02:30,570 looking at the shadow file is usually enough to see the password hashes. 30 00:02:31,020 --> 00:02:34,650 However, gathering hashes is a bit complicated for Windows systems. 31 00:02:35,280 --> 00:02:41,280 Password hashes are located in the SAM database, and you need to have the key of the SAM database, 32 00:02:41,280 --> 00:02:43,200 which is in the SYSTEM file. 33 00:02:44,350 --> 00:02:51,160 Thankfully, we have Meterpreter; we can dump the password hashes of a Windows system with a single command. 34 00:02:51,160 --> 00:02:51,430 Now, 35 00:02:53,210 --> 00:02:59,690 you can use either the ifconfig or the ipconfig command to learn the IP address of the victim machine, same 36 00:02:59,690 --> 00:03:01,580 as in Meterpreter on Linux. 37 00:03:02,770 --> 00:03:09,100 Now you can use the pwd command to see your current location on the victim's system. There's no such 38 00:03:09,100 --> 00:03:13,060 command in MS-DOS systems, but hey, this is not the command shell. 39 00:03:13,070 --> 00:03:14,400 This is Meterpreter.
40 00:03:15,340 --> 00:03:18,820 And again, you can use the cd command to change the location. 41 00:03:20,590 --> 00:03:26,110 Now, the search function has the same functionality, so you can use it to find any file on the victim 42 00:03:26,110 --> 00:03:26,500 machine. 43 00:03:30,340 --> 00:03:37,330 You can use the cat command to see the contents of a file, and as you know, cat is a standard Linux command, 44 00:03:37,330 --> 00:03:41,430 but this cat is not that cat, if you know what I mean. 45 00:03:42,740 --> 00:03:46,760 So now I want to show you a Meterpreter command which is Windows specific: 46 00:03:48,290 --> 00:03:49,700 clearev. 47 00:03:50,690 --> 00:03:57,380 This command is used to clear the application, system and security logs on a Windows system. There are 48 00:03:57,380 --> 00:03:59,390 no options or arguments needed. 49 00:03:59,690 --> 00:04:04,150 Your activities on the system after the exploitation will leave some footprints. 50 00:04:04,580 --> 00:04:06,470 So you'd just better clean them up. 51 00:04:07,430 --> 00:04:11,090 Let's go to the Windows system and look at the Event Viewer. 52 00:04:12,380 --> 00:04:16,220 Well, I don't know its location, so I'll use the search option. 53 00:04:17,830 --> 00:04:18,610 And here it is. 54 00:04:19,630 --> 00:04:20,770 Here are the log files. 55 00:04:27,540 --> 00:04:34,650 And now let's run the clearev command, and it wiped the log files. So turn back to the Windows system, 56 00:04:34,980 --> 00:04:39,750 refresh the Event Viewer and see that no logs remain. 57 00:04:40,590 --> 00:04:46,440 Well, I don't know if you see what I'm seeing, but there is a new record in the security log. 58 00:04:46,440 --> 00:04:46,890 You see it? 59 00:04:47,900 --> 00:04:50,930 I don't know what it is, but it doesn't look like a warning. 60 00:04:51,380 --> 00:04:55,540 Well, at least it doesn't contain any clue about who we are.
61 00:04:56,420 --> 00:05:02,870 Now, the shell command presents you with a standard shell on the target system. This time we have 62 00:05:02,870 --> 00:05:04,230 a command prompt as well. 63 00:05:05,090 --> 00:05:08,510 Now we can use the standard MS-DOS commands: 64 00:05:10,020 --> 00:05:16,190 dir to list the files and folders, ipconfig to see the internal IP, et cetera, et cetera. 65 00:05:23,420 --> 00:05:25,590 Use exit to exit the shell. 66 00:05:26,630 --> 00:05:31,760 Now, we couldn't run the idletime command on the Metasploitable Linux system, but now we can. 67 00:05:32,270 --> 00:05:38,510 And as I said before, it displays the number of seconds that the user at the remote machine has been 68 00:05:38,510 --> 00:05:38,810 idle. 69 00:05:39,560 --> 00:05:40,610 Very useful info.