00:00:00,710 --> 00:01:30,570
Time to finally figure out our possibilities with the Meterpreter shell. In the last section, we focused so much on how to gain access in many different ways, and we popped a Meterpreter shell so many times. But we never got to see its true power and all of its commands. We only ran a few of them just to make sure the connection was successful. Now we are going to go real quick through the basic commands that we can do with the Meterpreter shell, and then after it we will see some of the post-exploitation modules and how we can run them. So for this, I already got the shell opened. As we can see right here, Meterpreter session one opened. I ran my file, you see, and by now all of us should know how to do this. Just send the payload to the target, execute it, and you should have a Meterpreter session on their machine. From here, we can run the help command to see all of the available commands within the Meterpreter shell. If I scroll all the way up, we are going to start from the beginning. The first section of the commands that we get are called core commands, and these commands we are going to brush through real quick. We are going to mention a few of them that we already know, such as, for example, this background or bg. If you type background in your Meterpreter shell, this will background your session and you will be able to use your Metasploit framework modules.
00:01:31,330 --> 00:02:46,140
When is this command useful? Well, if I type the command sessions, which we already know, we got one session currently, but you might have a session with multiple targets. And in order to navigate between each and every session, you can use the background command to put this Meterpreter session in the background and, for example, enter a different session with a different machine. So that command is useful in that sense. Of course, you don't need to type the background command. You can simply just type bg instead and it will do the same thing. So if I go back to my session and go back to my help command, we can scroll back to the commands and read some of them. And what do they do? So just go through this menu; most of them we're going to cover later on. For now, we are not going to touch them because most of these are not needed for us at the moment. For example, you know that you can exit the Meterpreter shell with this exit command, background, the background command here. We can see how we can switch between different sessions and you can get the user ID. I believe the get command is right here. Here it is. getsid, get the SID. So if I type that right here, it will tell me the SID.
00:02:46,380 --> 00:04:07,520
We also know the command getuid, and this will tell us which user we are on the target machine. OK, so these are just some of the commands and of course, you can experiment with others, but some of them we're going to cover later on. For now, you can just read through this menu and go to the filesystem commands. These filesystem commands, you can just picture them as commands that we use inside of a terminal, so we can change directories, we can print the current working directory, list all of the files on the target system. And let's see how that would work. So if I go down here, to see in which directory I am, I can type the command pwd, print working directory, and it will tell me that I'm currently in this Desktop directory on the target machine. Now, why am I here? Well, because the shell.exe is inside of that directory, and once the target executed it, our Meterpreter session will automatically be inside of the directory where the payload is. OK. If I wanted to list all of the files inside of here, I can type the command ls and I can also type the command dir. So it supports both the Linux command and the Windows command. dir is used to list files inside the Windows system. So we can see what files we have right here and maybe we could find something interesting right here.
00:04:07,590 --> 00:05:34,160
For example, we get this passwords.txt file, and of course, I created this on purpose just for this tutorial. But this is something that occurs quite often. Matter of fact, years ago, even I had this file where I'd written down all of the passwords that I couldn't remember for different websites. And to read the content of this passwords.txt file, we can use a familiar command for us, which is the cat command. If we type cat passwords.txt and press enter, this will print out all of the content inside of this file. We can see the router username and password, the Facebook username and password, and the PayPal email and password. So this is something that you could possibly find, and if you want to see the contents, just use the cat command. Of course, we don't need to be inside this directory if we don't want to. We can use our regular cd command to go one directory back. And if we type pwd, we are no longer in this Desktop directory here. We can type dir once again to list out all of the files inside of this directory. If we wanted to choose one of these directories, we can go back to them. But for now, let's just go back to the Desktop directory. Great, if I type dir, here are our Desktop files, and if we wanted to, we could also download the file from the target machine.
00:05:34,750 --> 00:07:08,300
So how can we do that? Well, it is as simple as just typing download and then the file name. In this case, let us say we want to download, for example, passwords.txt. I press enter and here it is, it will download it for us. Now, I'm not sure where by default Meterpreter saves these files, but it could be right here on the desktop, and here it is, here is the passwords.txt, you see. And you can also upload files if you want to. For example, let's say we want to upload this reverse backdoor .exe from one of the previous videos to the target machine. We can see right now we don't have it on the desktop on the target machine. But if I type upload and then the reverse backdoor .exe, press enter, go back to the desktop just to check it out, and here is our file. We successfully uploaded another executable to the target system. Then we could use something like the shell command to execute that file. OK, but we are not going to do that right now. Let us exit out of the shell and run the help command once again just to see what else we can do. Inside of the filesystem commands, we also get the commands for how we can create and remove files, so we can use rmdir to remove a folder, we can use rm to delete the specified files. So, for example, we want to delete the file on their desktop.
00:07:08,310 --> 00:08:26,830
We can do that using the regular rm command. We can also create a directory and create files if we want to. So let's see, for example, if we manage to delete the reverse backdoor that we just uploaded; we don't want it there. So let's just delete it real quick. The rm command, and it is no longer here. And let's say we want to create the test directory. And we want to copy passwords.txt into the test directory, hmm? Access is denied, it says. Just check out right here. We got the test directory, but for some reason, we can't seem to copy this file. And this could be due to many different reasons. But the main reason will probably be because we are not an administrator on the target machine. And we're going to check out in some future video how we can become an administrator and system-level account just by getting the Meterpreter shell as a regular user. Remember, if I run getuid, we're just a regular user. We are not the system-level account, but more about that later on. For now, let us run the help command once again. And you can play with these filesystem commands that we have right here, but they are just regular commands that we can run inside of a Linux terminal.
00:08:26,980 --> 00:09:51,350
Just this time, you're running it on the target machine. Inside of the network commands, we only have a few of them. So let's just test two or three of them. For example, this arp command will display the host ARP cache. So with this, we should be able to see the IP addresses and their corresponding MAC addresses. These are all of the IP addresses that are inside the ARP tables on the Windows machine. So we have our Linux IP address, because we are currently communicating with our target machine from our IP address. Therefore, it must have our Linux IP address in the ARP tables. We also get the router's IP address, the broadcast IP address, and all of these down here are not that important. If I run the ifconfig command, of course, I will be able to see all the networking interfaces on the target system as well as the IP address that the target currently has. If I run the command, for example, netstat, this will print out all of the connections that our target machine currently has. So we can see right here the connections, the IP addresses, which protocol they are using; in this case these are using TCP, and down here we have the UDP protocol. If I go up here, we should be able to find our shell.exe that established the connection with our IP address.
00:09:52,010 --> 00:11:02,560
So we know that 192.168.1.4 is the IP address of my Windows 10 target machine. And here, if I go and find the IP address of the Linux machine, and here it is, we can see it is running on port 5555. The connection is established and the process that is causing this connection is shell.exe, our payload. Great, now, if you want to, you can go up here and experiment with the other commands as well, but these are not that interesting or important for us at the moment. What is important, and what we will cover in the next video, are these system commands and user interface commands. We want to see some of the cool stuff, such as capturing keystrokes or running a keylogger, running a screenshot on the target desktop, maybe, for example, recording the microphone, recording the webcam, all of that. We want to check out and see how we can run them, and we will do that in the next video. So experiment with the commands that we covered a little bit. Feel free to run the others as well if you want to check out what they do. And I will see you in the next lecture.