1
00:00:00,430 --> 00:00:04,330
Hello again, and welcome to the exploitation section of the course.

2
00:00:05,290 --> 00:00:12,160
It is time we learn how to gain access to our target. What we managed to do for now is, with the help

3
00:00:12,160 --> 00:00:19,020
of our Linux machine, we managed to identify our target and find out a lot of information about it.

4
00:00:19,730 --> 00:00:23,950
Remember, when we were starting, we didn't know anything about it.

5
00:00:24,520 --> 00:00:32,080
But after, with the help of different tools such as Nmap, Nessus, WhatWeb and others, we managed

6
00:00:32,080 --> 00:00:36,760
to gather enough information about our target to be able to exploit it.

7
00:00:37,710 --> 00:00:40,230
We have discovered open and closed ports.

8
00:00:40,770 --> 00:00:45,040
We also discovered services running on those ports, including their versions.

9
00:00:45,740 --> 00:00:49,200
We found out what operating system our target was running.

10
00:00:49,650 --> 00:00:55,710
And we have also tried finding vulnerabilities to see whether the target has some known issues or bugs.

11
00:00:56,580 --> 00:01:03,160
In other words, we performed information gathering, scanning and vulnerability analysis.

12
00:01:03,960 --> 00:01:07,320
Right now, the next step is to use that information.

13
00:01:07,320 --> 00:01:10,080
We have to gain access to our target.

14
00:01:11,060 --> 00:01:12,500
Here is how the process goes.

15
00:01:13,160 --> 00:01:20,810
Imagine this is our target and this is the information that we gathered for it: it is running Windows

16
00:01:20,820 --> 00:01:21,100
10.

17
00:01:21,650 --> 00:01:26,430
We found out it has an older version of Windows 10 that hasn't been updated lately.

18
00:01:27,140 --> 00:01:30,950
We found three open ports and one filtered port.

19
00:01:31,130 --> 00:01:37,160
And we know for sure that one of those open ports has vulnerable software running on it, since we also

20
00:01:37,160 --> 00:01:39,200
performed vulnerability analysis.

21
00:01:40,150 --> 00:01:46,210
Once we found out this information, the next step is to extract useful information from this.

22
00:01:47,310 --> 00:01:54,210
So in this case, what we would find most interesting would be these two facts: an outdated Windows

23
00:01:54,420 --> 00:01:59,790
operating system and vulnerable software on port 1234.

24
00:02:00,480 --> 00:02:03,380
This is what we will use to attack the target.

25
00:02:04,170 --> 00:02:08,740
We would then exploit the target's vulnerability and gain access to it.

26
00:02:09,450 --> 00:02:11,690
But wait, wait, wait a second.

27
00:02:12,210 --> 00:02:13,080
What do I mean?

28
00:02:13,270 --> 00:02:14,750
We would exploit the target.

29
00:02:15,060 --> 00:02:16,470
How do we do it exactly?

30
00:02:17,070 --> 00:02:19,590
And what does exploiting a target even mean?

31
00:02:20,760 --> 00:02:26,940
Well, exploiting the target, in other words, is using its vulnerability that we discovered to send

32
00:02:26,940 --> 00:02:28,590
something called a payload.

33
00:02:29,700 --> 00:02:37,290
What a payload is, is a program that we deliver to the target after the exploit. Usually this program

34
00:02:37,290 --> 00:02:42,240
is something that allows us to execute commands on the target system and navigate through its files and

35
00:02:42,240 --> 00:02:42,720
folders.

36
00:02:43,470 --> 00:02:44,970
Now I know what you're thinking.

37
00:02:45,310 --> 00:02:48,630
It is still a little unclear to you as to how this works

38
00:02:48,630 --> 00:02:49,260
exactly.

39
00:02:49,800 --> 00:02:50,400
Don't worry.

40
00:02:50,550 --> 00:02:56,400
In the next two videos, we will explain in detail what exactly happens once we exploit the vulnerability

41
00:02:56,610 --> 00:03:01,050
and what types of payloads exist and which ones we will use the most.

42
00:03:01,710 --> 00:03:07,680
For now, it is important to remember that a payload is a program that we drop after exploiting a target,

43
00:03:08,280 --> 00:03:14,370
and in ninety-nine point nine percent of cases, this will be a program that allows us to execute

44
00:03:14,370 --> 00:03:17,880
commands on the target system, also known as a shell.

45
00:03:18,720 --> 00:03:24,600
The first step would be us exploiting the target and sending our payload with it.

46
00:03:25,440 --> 00:03:31,290
That payload will then be on the target's machine and it will execute. Once it executes,

47
00:03:31,530 --> 00:03:37,770
what it essentially does is it tells the target machine: connect to that other machine and allow it

48
00:03:37,770 --> 00:03:39,660
to execute commands on your system.

49
00:03:40,780 --> 00:03:43,490
And that other machine would be our Linux.

50
00:03:44,550 --> 00:03:50,730
And the third step is pretty easy: we just send the commands that we want our target to execute.

51
00:03:50,930 --> 00:03:57,690
We navigate through files, run other programs, and in return, the target sends us the output of the command

52
00:03:57,690 --> 00:03:58,770
that we executed.

53
00:03:59,520 --> 00:04:03,600
Picture it like using the target's terminal from our Kali Linux machine.

54
00:04:04,580 --> 00:04:10,930
However, there is one problem with this. Imagine we have two different targets:

55
00:04:12,100 --> 00:04:14,210
Target A and Target B.

56
00:04:15,160 --> 00:04:22,600
And let's say Target A has a known vulnerability; it is running some outdated software on port

57
00:04:22,600 --> 00:04:28,360
5555, for example, and in that case, we would do what we just explained, which is exploit

58
00:04:28,360 --> 00:04:33,430
the target through the vulnerability and deliver the payload that will allow us to control that target

59
00:04:33,430 --> 00:04:33,850
machine.

60
00:04:34,770 --> 00:04:39,210
Well, this scenario would only work if the target has a vulnerability.

61
00:04:40,260 --> 00:04:43,290
But what if it doesn't have a vulnerability?

62
00:04:44,070 --> 00:04:49,410
What if all of its software is fully updated and secured? What then?

63
00:04:50,430 --> 00:04:53,650
In that case, we would do something similar.

64
00:04:54,330 --> 00:05:01,110
We would deliver the payload to the target, just this time we cannot do it through an exploit, which

65
00:05:01,110 --> 00:05:07,770
also means we can't make the payload execute on the target, since once again, there is no exploit

66
00:05:07,800 --> 00:05:08,660
that we can do.

67
00:05:09,360 --> 00:05:15,180
We must deliver the payload to the target using a different way, and also we must make it execute a different

68
00:05:15,180 --> 00:05:15,430
way.

69
00:05:16,230 --> 00:05:19,530
Well, in this case, social engineering comes into play.

70
00:05:20,400 --> 00:05:26,650
We would try to trick the user into opening our payload by themselves; they must run it for us.

71
00:05:27,450 --> 00:05:28,320
How would we do that?

72
00:05:28,740 --> 00:05:31,830
Well, we could use different methods of delivering the payload.

73
00:05:32,280 --> 00:05:39,090
We could, for example, use an email containing our payload that is perhaps masked to look like an image

74
00:05:39,240 --> 00:05:40,470
or a different file type.

75
00:05:41,190 --> 00:05:46,590
We would also make sure that the email looks legit and the target doesn't think twice before trying to open

76
00:05:46,590 --> 00:05:47,280
that image.

77
00:05:48,120 --> 00:05:49,860
We could spoof our email address

78
00:05:49,860 --> 00:05:52,350
so it looks like someone that our target knows,

79
00:05:52,480 --> 00:05:57,120
so they would never think that the image we sent could contain something malicious.

80
00:05:57,930 --> 00:06:03,930
Once they open that image, in the background our payload executes and it grants us access to their

81
00:06:03,930 --> 00:06:06,510
machine without them even knowing it.

82
00:06:07,550 --> 00:06:12,920
This is just an example; there are multiple ways that we can do this. If you were, for example,

83
00:06:12,920 --> 00:06:19,160
physically close to the target, you could infect a USB drive, plug the USB drive into the target

84
00:06:19,160 --> 00:06:21,410
machine and execute the payload manually.

85
00:06:22,040 --> 00:06:26,030
But something like this you will almost never do, due to a higher risk, of course,

86
00:06:26,300 --> 00:06:32,540
and if you were even able to come close to the target machine. Nonetheless, these are the two different

87
00:06:32,540 --> 00:06:33,320
possibilities.

88
00:06:33,920 --> 00:06:36,820
Either the target is vulnerable or it isn't.

89
00:06:37,580 --> 00:06:40,880
However, if it isn't, we don't just quit.

90
00:06:41,120 --> 00:06:44,390
We try different methods. Throughout this section,

91
00:06:44,600 --> 00:06:51,350
we will cover another big tool that all hackers use, and that tool is called the Metasploit Framework.

92
00:06:52,230 --> 00:06:57,570
It contains thousands of exploits and all of them are already in our Kali Linux machine.

93
00:06:58,760 --> 00:07:02,510
All we need to do is learn how to use them and how to run them.

94
00:07:02,990 --> 00:07:05,940
This is something we will cover shortly in great detail.

95
00:07:06,520 --> 00:07:07,490
Let's start hacking.