1
00:00:00,210 --> 00:00:03,490
All right everybody, let's get started with spiking.

2
00:00:03,490 --> 00:00:07,280
So before we get started we're going to do a couple of housekeeping things.

3
00:00:07,280 --> 00:00:10,560
First, I want you to disable your Windows Defender

4
00:00:10,560 --> 00:00:13,440
real-time protection if you have that enabled.

5
00:00:13,440 --> 00:00:17,730
So it looks something like this, where you should turn off this button right here.

6
00:00:17,730 --> 00:00:23,490
We're doing that because vulnserver will actually be blocked by Windows Defender if you try to run

7
00:00:23,490 --> 00:00:25,710
it and then run anything malicious against it.

8
00:00:26,070 --> 00:00:28,080
So good on Windows Defender for picking this up.

9
00:00:28,080 --> 00:00:31,910
This is more recent, as I've taught this in the past and it never used to.

10
00:00:31,950 --> 00:00:33,370
But now it does.

11
00:00:33,390 --> 00:00:38,430
So we're gonna make sure that we turn off this real-time protection, and then we're gonna make sure that

12
00:00:38,430 --> 00:00:43,950
when we run our programs today, our Immunity Debugger, and we run our vulnserver, that we're running them

13
00:00:43,980 --> 00:00:45,430
as administrator.

14
00:00:45,540 --> 00:00:49,820
So let's go ahead and first get our vulnserver running.

15
00:00:49,920 --> 00:00:53,040
So remember I told you to extract that to a folder.

16
00:00:53,040 --> 00:00:55,260
Here's my vulnserver folder.

17
00:00:55,260 --> 00:01:01,500
I'm going to right click on this and I'm just gonna run it as administrator.

18
00:01:01,570 --> 00:01:04,740
So now that I've got that running, it should look something like this.

19
00:01:05,680 --> 00:01:08,900
And we're also going to run Immunity as administrator.

20
00:01:08,920 --> 00:01:13,780
So we're going to do that because if we don't, it's actually not going to see vulnserver running as

21
00:01:13,780 --> 00:01:16,550
administrator and be able to access it.

22
00:01:16,570 --> 00:01:23,140
So we need both running as admin, and the other reason, for vulnserver running as admin, is when we

23
00:01:23,140 --> 00:01:27,010
get the shell on this, we're actually gonna end up as root automatically.

24
00:01:27,010 --> 00:01:32,000
So we just want this in the most simple terms, so bring Immunity over here.

25
00:01:32,440 --> 00:01:39,000
And now what we're going to do is we're going to go over here to File and we're gonna say Attach, and

26
00:01:39,070 --> 00:01:46,400
if you scroll down you'll see vulnserver right here, and you go ahead and hit Attach on that. OK.

27
00:01:46,420 --> 00:01:51,340
In the bottom right corner you see that it says paused, so what we're gonna do is just hit start over here,

28
00:01:51,340 --> 00:01:55,180
this play button up top, and now it should say running.

29
00:01:55,180 --> 00:01:59,650
So if you're running then we are good to go.

30
00:01:59,650 --> 00:02:07,840
So now we're going to dive into our Kali Linux machine. So I'm in a command prompt in Kali Linux and

31
00:02:07,840 --> 00:02:12,670
the first thing I want to do is connect to vulnserver and see what it is.

32
00:02:12,670 --> 00:02:19,630
So by default vulnserver runs on port 9999, and you need to know the IP address of your

33
00:02:19,630 --> 00:02:22,120
Windows machine that it's running on.

34
00:02:22,180 --> 00:02:28,800
So once you know that, what we can do is use a tool called netcat; we'll use a switch of -nv.

35
00:02:28,800 --> 00:02:33,210
We're going to do a connection here and we're just going to say the IP address.

36
00:02:33,230 --> 00:02:42,340
So mine is 192.168.1.90, and then the port that you're going to connect on, which is 9999. OK.

37
00:02:42,360 --> 00:02:46,380
So you should see the screen that says "Welcome to vulnerable server, type HELP for help."

38
00:02:46,980 --> 00:02:49,350
So it's saying HELP in all caps, so we're going to do that.

39
00:02:49,380 --> 00:02:57,330
All caps, and then we get this list of valid commands. So it looks like vulnserver takes commands based

40
00:02:57,330 --> 00:02:59,460
on what you enter, right.

41
00:02:59,460 --> 00:03:06,380
So there's the STATS command, RTIME, LTIME, etc. So the primary command that we have been focusing on

42
00:03:06,380 --> 00:03:08,730
is this TRUN command.

43
00:03:08,740 --> 00:03:12,570
Now when I've taught this in the past I've left out actually how to find this.

44
00:03:12,580 --> 00:03:18,380
So I wanted to teach in depth how we're going to find that TRUN itself is vulnerable.

45
00:03:18,490 --> 00:03:23,380
So we're going to do something called spiking. What spiking does is we're going to take these commands

46
00:03:23,890 --> 00:03:28,780
one at a time. We'll say, like, STATS: we're gonna say, "Hey STATS, I might throw a bunch of characters at

47
00:03:28,780 --> 00:03:32,440
you and see if I can overflow that buffer that we talked about in the previous video."

48
00:03:33,280 --> 00:03:36,360
So do we overflow the buffer? Does the program crash?

49
00:03:36,580 --> 00:03:40,240
If it does, then we know, hey, STATS is vulnerable. If it doesn't,

50
00:03:40,270 --> 00:03:40,560
OK.

51
00:03:40,590 --> 00:03:41,610
Maybe it's not vulnerable.

52
00:03:41,620 --> 00:03:43,300
We'll move on to the next one.

53
00:03:43,300 --> 00:03:47,880
So I'm gonna show you what a non-vulnerable one looks like and what a vulnerable one looks like.

54
00:03:47,890 --> 00:03:55,130
And we're gonna look at STATS and TRUN for that purpose. So when we spike, we're gonna use a tool called

55
00:03:55,130 --> 00:04:00,680
generic_send_tcp, and it's going to look something like this.

56
00:04:00,680 --> 00:04:06,320
Let's go ahead and Ctrl+C, or actually we'll just type EXIT out of this if we can,

57
00:04:09,330 --> 00:04:15,630
and then what we're gonna do is we're going to use what is called generic_send_tcp. Let's type that in real

58
00:04:15,630 --> 00:04:19,290
quick.

59
00:04:19,440 --> 00:04:22,320
OK, so here is the usage for this.

60
00:04:22,560 --> 00:04:23,740
You're going to need the host.

61
00:04:23,850 --> 00:04:24,090
OK.

62
00:04:24,090 --> 00:04:27,010
We know the host is 192.168.1.90.

63
00:04:27,010 --> 00:04:28,020
You're gonna need the port.

64
00:04:28,020 --> 00:04:34,620
We know that. You're gonna need a spike script, and then you're gonna need these script variables here,

65
00:04:34,620 --> 00:04:36,520
which we're just gonna leave at 0.

66
00:04:36,570 --> 00:04:41,040
So this is what the usage should look like, but we need this spike script.

67
00:04:41,040 --> 00:04:44,060
So let's go ahead and talk about that first.

68
00:04:44,070 --> 00:04:45,890
So I've already gone ahead and pre-written it.

69
00:04:45,930 --> 00:04:47,620
It's very, very simple.

70
00:04:47,620 --> 00:04:50,260
So let's take a look at it and get it.

71
00:04:51,000 --> 00:04:53,440
So first we're going to look at STATS.

72
00:04:53,640 --> 00:05:02,260
So we're gonna have stats.spk, for spike. So what we're gonna do is we're going to read the line, then

73
00:05:02,260 --> 00:05:06,070
we're going to take a string, and the string is STATS.

74
00:05:06,070 --> 00:05:08,960
Remember, that's what we had here, the STATS command.

75
00:05:09,160 --> 00:05:11,550
And then we're just going to send a variable at it.

76
00:05:11,680 --> 00:05:12,040
Okay.

77
00:05:12,040 --> 00:05:16,680
And then when we spike this we're gonna send variables in all different forms and iterations.

78
00:05:16,870 --> 00:05:22,380
So it might send a thousand at a time, then twenty thousand at a time, then five at a time.

79
00:05:22,480 --> 00:05:24,940
It's just looking for something to break the program.

80
00:05:24,940 --> 00:05:26,050
So that's what spiking is.

81
00:05:26,050 --> 00:05:33,160
We're gonna send all kinds of different characters, randomly essentially, to try to break this part of

82
00:05:33,160 --> 00:05:34,290
the program.

83
00:05:34,300 --> 00:05:36,670
So now we're getting into specifics here.

84
00:05:36,670 --> 00:05:40,600
So if you can imagine, we've got the stats.spk.

85
00:05:40,600 --> 00:05:45,570
We're also gonna have the trun.spk, and the TRUN one is going to have this TRUN command here.

86
00:05:45,580 --> 00:05:50,800
So if you're following along, make sure that you type this out just how I have it, just these three simple

87
00:05:50,800 --> 00:06:00,460
lines. Go ahead and save it as stats.spk, and what we're gonna do is we're going to send this.

88
00:06:00,480 --> 00:06:10,540
So again we're going to say generic_send_tcp, and then we know the host is 192.168.1.90.

89
00:06:10,580 --> 00:06:13,220
The port is 9999.

90
00:06:13,220 --> 00:06:20,820
The spike script is stats.spk, and then we're going to say 0 space 0. Now we've got Immunity

91
00:06:20,820 --> 00:06:22,980
running right now over here.

92
00:06:23,010 --> 00:06:28,200
If you have multiple screens you can run it on multiple and kind of watch what happens.

93
00:06:28,200 --> 00:06:32,790
We hit Enter here, and it's going to just be running through this.

94
00:06:32,800 --> 00:06:38,680
This is running. You can see that it's taking commands, but nothing's really happening. We'll let it run

95
00:06:38,680 --> 00:06:40,420
through all the way just to make sure,

96
00:06:43,310 --> 00:06:49,090
and so you're going to see a little bit of a different action when we do have something vulnerable.

97
00:06:49,090 --> 00:06:51,250
So we're going through.

98
00:06:51,250 --> 00:06:53,140
Looks like we're connecting.

99
00:06:53,140 --> 00:06:58,150
If we look at vulnserver you can see that we're actually connecting to the client here and then

100
00:06:58,150 --> 00:07:03,180
disconnecting from the client as we send these commands over. So I'm going to go ahead and just kill

101
00:07:03,180 --> 00:07:04,130
this for now.

102
00:07:04,140 --> 00:07:10,070
We can hit Ctrl+C. Doesn't look like it's vulnerable. In a real test we'd let it run all the way through,

103
00:07:10,110 --> 00:07:13,800
but I'm telling you now it's not vulnerable, so we'll just save a little bit of time.

104
00:07:14,580 --> 00:07:22,910
So now let's take a look at the TRUN spiking. Again, it should look the same, but you should have a trun.spk

105
00:07:22,910 --> 00:07:24,340
that looks similar to this.

106
00:07:24,350 --> 00:07:31,470
So if you want to go ahead and type this out, we have this TRUN command here. So when we send this

107
00:07:31,470 --> 00:07:35,880
spike, I'm going to tab up twice and change this to trun,

108
00:07:38,720 --> 00:07:43,900
and then again we have to make sure Immunity is running. You see it's running in the corner.

109
00:07:44,080 --> 00:07:49,950
We're gonna go ahead and hit send on this, and immediately Immunity starts blinking.

110
00:07:49,950 --> 00:07:50,600
What happened?

111
00:07:50,610 --> 00:07:52,660
We have paused over here.

112
00:07:52,740 --> 00:07:55,650
There's an access violation when executing.

113
00:07:55,660 --> 00:07:59,790
Okay, let's go ahead and just kill the process in Kali.

114
00:07:59,850 --> 00:08:02,020
We don't need to keep sending all these.

115
00:08:02,280 --> 00:08:04,980
So vulnserver has actually crashed.

116
00:08:05,040 --> 00:08:10,260
You're not seeing an error message because it's being held up by the Immunity Debugger. If we were

117
00:08:10,260 --> 00:08:15,170
to actually detach or unpause this, then vulnserver would crash.

118
00:08:15,210 --> 00:08:17,190
So we've hit a violation.

119
00:08:17,190 --> 00:08:18,210
This is really good.

120
00:08:18,210 --> 00:08:20,450
This says, hey, something's vulnerable here.

121
00:08:20,760 --> 00:08:24,520
And if we look at the registers we can kind of get some information.

122
00:08:24,570 --> 00:08:29,240
So one of the pieces of information that we're picking out is, OK, we're seeing this TRUN command sent, right,

123
00:08:30,230 --> 00:08:32,980
and we're sending this TRUN command in with a bunch of A's.

124
00:08:33,030 --> 00:08:36,290
So imagine this going into a buffer space, right,

125
00:08:36,290 --> 00:08:38,300
like we talked about before.

126
00:08:38,310 --> 00:08:47,330
OK, we're sending this command, and in a perfect world the TRUN command, or this, this all fills into a

127
00:08:47,330 --> 00:08:48,290
buffer space, right.

128
00:08:48,320 --> 00:08:49,610
All these A's.

129
00:08:49,730 --> 00:08:54,740
Well, what's happened here is that it's actually filled over.

130
00:08:54,740 --> 00:08:59,110
So if we look at the EBP, remember, the base register, right.

131
00:08:59,240 --> 00:09:02,460
You see 41414141.

132
00:09:02,510 --> 00:09:04,970
That's just hex code for four A's.

133
00:09:05,060 --> 00:09:08,320
So we've got these here, these four bytes, right.

134
00:09:08,390 --> 00:09:13,090
And we've gone actually over the ESP as well.

135
00:09:13,130 --> 00:09:19,710
Bunch of A's here, OK, and we've gone over the EIP.

136
00:09:19,710 --> 00:09:22,110
So now we've overwritten everything.

137
00:09:22,110 --> 00:09:26,850
Remember when we talked about, in the last video, the EIP is the important factor.

138
00:09:26,850 --> 00:09:30,990
If we can control this EIP we can get malicious and point it to something malicious.

139
00:09:30,990 --> 00:09:31,800
Right.

140
00:09:31,800 --> 00:09:34,130
So that's what we're going to do in the next couple of videos.

141
00:09:34,710 --> 00:09:40,830
So I've showed you how TRUN itself can be spiked and found. In the next video what we're gonna actually

142
00:09:40,830 --> 00:09:46,120
be covering is how to fuzz the TRUN command with a Python script.

143
00:09:46,230 --> 00:09:51,600
So that way you can kind of feel out how this process is done in another way, called fuzzing.

144
00:09:51,600 --> 00:09:55,680
So it's gonna be very, very similar when we send a bunch of A's in. It might feel like a little bit of

145
00:09:55,680 --> 00:09:59,330
a repeat lesson, but we're gonna build out a Python script to do that.

146
00:09:59,460 --> 00:10:04,320
And then once we do that we're going to work on finding this EIP location, because once we control that,

147
00:10:04,320 --> 00:10:06,930
again, we can inject malicious code.

148
00:10:06,930 --> 00:10:08,520
So step one done.

149
00:10:08,520 --> 00:10:10,800
I will see you in the next video for fuzzing.