00:00:00,500 --> 00:01:37,090
Welcome back. Right now we have to cover another vulnerability for Windows. This vulnerability is called BlueKeep, and it came out in 2009. This is a Remote Desktop Protocol, or RDP, vulnerability, and what is so special about it? Well, as it says right here on this page, this latest RDP vulnerability could allow hackers to remotely run code at the SYSTEM level without even having to authenticate. In other words, any unpatched Windows system from XP to Windows 7, so these are our targets, with an exposed RDP is a potential target. So this is a serious vulnerability; as a matter of fact, many people rank it to be as high a vulnerability as EternalBlue, which we already covered and which came out in 2017. We can read more about it right here, but as usual, our most important thing is to see how we can exploit it. You can go to this page if you want to find out more about the BlueKeep vulnerability. It even gives some code examples as to what the vulnerability was and how it got patched. Down here we can see what systems are affected. We got Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows Vista and Windows XP. Exploit potential: it is a remote code execution, as EternalBlue was, and the number of potential victims is around one million.
00:01:37,900 --> 00:02:58,930
Now, for this attack to work, there is one thing that needs to be enabled on the target system, and that thing is port 3389. Now, this port 3389 is used for Remote Desktop Protocol, and it is often used inside of big and large companies. You will most likely never see it on home devices unless it is purposely enabled. But in order for us to be able to exploit it, we must enable it on our Windows 7 machine. So what I'm going to do is go to my Windows 7 machine and open the Linux as well in order to see whether it is enabled. We can use our regular good old Nmap, so we can type sudo nmap -sS 192.168.1... Let me check the IP address. ifconfig. Perform this scan against your Windows 7 machine, and in just a few seconds we should get results of which ports are open. And right here we do not see port 3389 being open. This means this target is not vulnerable, because that port is closed. In order to make it vulnerable, all we need to do is open this Remote Desktop Protocol. To do so, go to Control Panel, System and Security, then under System...
00:03:00,070 --> 00:04:31,410
On the side, you will see Remote settings. Click on it, and down here check "Allow connections from computers running any version of Remote Desktop". By default, it should be set to "Don't allow connections to this computer". And as I already mentioned, many large companies have this enabled. We just click on Apply, click on OK, and we can close this. And if we run this scan once again, right now we will have port 3389 open. Let us see whether it is vulnerable or has it been patched. If I open my msfconsole... The exploitation is similar to what we did before, but we got the auxiliary module that will tell us whether the target is vulnerable without exploiting it, and then we have an exploit that will gain access to the target and give us the Meterpreter. So what we can do is just type the vulnerability name. So search bluekeep, press Enter, and we will see the results right here. As I mentioned, the auxiliary module and the exploit. So let's go with the auxiliary module first; we copy its name. We type use and then paste the name of the auxiliary module, clear the screen, show info. This module checks a range of hosts for the BlueKeep vulnerability by binding this channel outside of its normal slot and sending non-DoS packets which respond differently on unpatched and vulnerable hosts.
00:04:31,430 --> 00:05:59,520
So this is the way that it will figure out whether the target is vulnerable or not. Let's see what options we need to set. So show options, and there seem to be a few of them. We got the RPORT, which is 3389; this is something we will not change. We got the RHOSTS, so let's set it to the IP address of the Windows 7 machine. We got these four options right here as well, but the only one that is required is the RDP_CLIENT_IP. And it says right here: the client IPv4 address to report during connect. And this pretty much doesn't matter; it can be any IP address. For example, I will just leave it to be this one, even though this is an IP address that I do not have on my local network. But I will just leave it on this. And if I go right here and type run, it will tell me the target is vulnerable: "The target attempted cleanup of the incorrectly-bound MS_T120 channel". This means it is vulnerable. Let's use the exploit to gain access. So use exploit/windows/rdp, and then let's check our possible options. We want to go with the CVE-2019-0708 BlueKeep remote code execution. If I show info, down here it will tell you how exactly to exploit the target, and if I show our available options...
00:06:02,140 --> 00:07:26,950
So we got pretty much the same options as with the auxiliary module. We got the RDP_CLIENT_IP, which is this one, and we are not going to change it. Once again, these options are not required, so we're not going to specify them anyway. RHOSTS we want to set to the IP address of the Windows 7 machine. The RPORT is set correctly. The payload is set to Windows x64 Meterpreter reverse TCP, and this is also something that we do not want to change. Is this the only payload that will work? Well, most likely, since if I go to show targets, you will see that this targets only 64-bit machines, so it will not be able to run on a 32-bit machine. So by this, it seems the 32-bit Windows 7 machines and Windows Server 2008 are not vulnerable, which we really don't care about, because 99 percent of machines are 64-bit. And these targets right here are something that we must choose from now. This is for default and normal Windows machines, and right here we have targets for the virtual machines. And this is something that we must set. If we leave it on Automatic, it should figure out on its own that we are running Windows 7 inside of a VirtualBox, and it will perform the exploit for the VirtualBox Windows 7 version. But if we, for example, set this one, the exploit should not work.
00:07:27,900 --> 00:08:56,850
So we must set the target to 2 in case we are running Windows 7 inside of our VirtualBox. If we were attacking a regular Windows machine that is vulnerable, we would set 1. If we were attacking a virtual machine from VMware Workstation, we would set one of these three, and we would set these two accordingly as well. So let's triple-check our options. Everything here is set: the payload is a 64-bit payload, which is good, and the target is Windows 7 inside of a VirtualBox. Great. Let us run the exploit. It tells us that the target is vulnerable, and in just a few seconds we should get Meterpreter opened on that Windows 7 machine. And after 30 to 40 seconds, here it is: we got a Meterpreter session 1 opened on the target machine. If I type getuid, it will tell me that we are SYSTEM, once again the highest-privilege account on the target machine. We can perform the commands as usual: enter the shell, type hostname, we are "testing PC"; ipconfig gives us the IP address of the target machine, and all of these things that we're already familiar with. Great. Another Windows 7 vulnerability covered. So what is the important thing that we learned from this video? The vulnerability is called BlueKeep.
00:08:57,030 --> 00:09:34,780
It is a critical RDP, or Remote Desktop Protocol, vulnerability. And in order to exploit the target, it must be an unpatched 64-bit Windows XP to Windows 7 machine, including Windows Server 2008. And it must have RDP already enabled and port 3389 open. Where are these machines most likely to be found? In large companies. So, once again, most likely we will not see these types of targets in home networks. OK, great. Now that we covered Windows 7 vulnerabilities, it's time to go on to exploit a Windows 10 machine. See you in the next video.