1
00:00:00,730 --> 00:00:01,420
Welcome back.

2
00:00:01,810 --> 00:00:08,470
Let us talk about the Metasploit framework. We already mentioned that we will use this tool a lot to exploit

3
00:00:08,470 --> 00:00:10,600
different targets and their vulnerabilities.

4
00:00:11,380 --> 00:00:15,930
But there are a few things we need to learn first about it before we get to use it.

5
00:00:16,930 --> 00:00:22,540
Remember when I told you that the Metasploit framework offers us thousands of exploits that we can use

6
00:00:22,690 --> 00:00:24,940
for Windows, Mac OS or Linux?

7
00:00:25,900 --> 00:00:26,920
Well, that is true.

8
00:00:27,730 --> 00:00:34,600
It offers us a whole lot more things that we can use besides the exploits. As a matter of fact, exploits are

9
00:00:34,600 --> 00:00:39,290
just one of seven modules that we can get with Metasploit. Besides them,

10
00:00:39,310 --> 00:00:47,650
we also get payloads, auxiliary modules, encoders, evasion modules, NOPs and post-exploitation modules.

11
00:00:48,190 --> 00:00:52,540
If you are new to all of this, you probably have no idea what each of them is.

12
00:00:53,360 --> 00:00:55,870
Don't worry, we will explain it right now.

13
00:00:56,320 --> 00:01:07,960
First, to navigate to the framework directory, we can type cd /usr/share and then metasploit-framework.

14
00:01:08,440 --> 00:01:11,650
You can just type meta and then Tab to autocomplete it.

15
00:01:12,310 --> 00:01:19,660
If I press Enter here, and if I type ls here in the framework directory, we are going to see quite

16
00:01:19,660 --> 00:01:20,340
a few things.

17
00:01:21,100 --> 00:01:26,860
One of the most important things right here is this msfconsole, and this is an executable file.

18
00:01:27,010 --> 00:01:28,260
This is our program.

19
00:01:28,780 --> 00:01:33,850
If we wanted to run Metasploit, we would just type msfconsole in the terminal and it would

20
00:01:33,850 --> 00:01:35,320
open the Metasploit framework.

21
00:01:36,100 --> 00:01:39,050
The msfvenom is also very important.

22
00:01:39,580 --> 00:01:44,860
This is a tool that we will use to generate a payload or a shell that we use to control the target machine.

23
00:01:45,790 --> 00:01:51,040
But for this video, what we want to explain is this modules directory.

24
00:01:51,880 --> 00:01:53,710
If we change to that directory,

25
00:01:53,710 --> 00:01:54,790
so cd modules,

26
00:01:55,840 --> 00:02:01,750
and I type ls here, we will see those seven modules that I mentioned.

27
00:02:02,890 --> 00:02:05,390
Let's talk about each one of them a little bit.

28
00:02:05,980 --> 00:02:08,060
We are already familiar with exploits, right?

29
00:02:08,650 --> 00:02:12,490
Let's go to that directory first: cd exploits.

30
00:02:13,690 --> 00:02:20,050
And just to remind ourselves, an exploit module or program executes a sequence of commands to target

31
00:02:20,050 --> 00:02:25,270
a specific vulnerability in the system or application. It takes advantage of that vulnerability in

32
00:02:25,270 --> 00:02:28,060
order to provide us with access to that machine.

33
00:02:29,060 --> 00:02:34,460
There are a few different types of exploits, such as, for example, buffer overflow, code injection,

34
00:02:34,550 --> 00:02:35,900
web application exploits.

35
00:02:36,080 --> 00:02:42,550
But what is also important to mention right here regarding Metasploit is that once we type ls

36
00:02:42,740 --> 00:02:49,080
inside of this exploits directory, you will see these exploits are split into different groups.

37
00:02:49,730 --> 00:02:51,770
We got Windows exploits.

38
00:02:53,480 --> 00:02:54,650
OSX exploits.

39
00:02:55,960 --> 00:03:03,040
Linux exploits, Firefox exploits and many others as well, and if we go to any of them, for example,

40
00:03:03,040 --> 00:03:12,220
let's go to windows and type ls right here, we will get even more division of exploits.

41
00:03:12,820 --> 00:03:19,450
All of the Windows exploits that we have are divided into a bunch of other submodules such as FTP,

42
00:03:20,080 --> 00:03:23,260
Firewall, SMTP, SMB and others.

43
00:03:23,740 --> 00:03:28,090
And all of them contain exploits for those specific things.

44
00:03:28,780 --> 00:03:32,650
If we navigate to, for example, HTTP Windows exploits.

45
00:03:32,950 --> 00:03:33,880
So let's go there.

46
00:03:35,890 --> 00:03:45,340
And I clear the screen, type ls right here, we will see there is a lot of them for HTTP, and this .rb

47
00:03:45,370 --> 00:03:50,790
that all of these files have is just an extension for the Ruby language.

48
00:03:51,190 --> 00:03:55,410
All of the exploits in the Metasploit framework are coded in the Ruby language.

49
00:03:56,020 --> 00:04:00,640
And each one of these programs right here exploits a different vulnerability.

50
00:04:01,730 --> 00:04:07,250
If you were, for example, interested in how some of these work, you could open the code of an exploit

51
00:04:07,250 --> 00:04:11,570
using the nano editor. Let's see, for example, this one.

52
00:04:12,910 --> 00:04:13,810
If I nano it.

53
00:04:17,440 --> 00:04:22,990
It will open the code of this exploit, and if you know the Ruby language, you could figure out how this

54
00:04:22,990 --> 00:04:24,550
exploit works, right?

55
00:04:24,940 --> 00:04:26,900
It also gives us a description right here.

56
00:04:26,950 --> 00:04:31,990
So this exploits a stack buffer overflow in the Webster HTTP Server.

57
00:04:32,470 --> 00:04:37,720
The server and source code was released within an article from the Microsoft System Journal in February

58
00:04:37,720 --> 00:04:41,060
1996 titled Write a Simple HTTP.

59
00:04:41,830 --> 00:04:44,260
So this is an old, old exploit.

60
00:04:44,650 --> 00:04:47,920
But you can do this for any file that you want.

61
00:04:47,920 --> 00:04:52,090
You can just open it and see the code of that specific exploit.

62
00:04:53,010 --> 00:04:55,220
And that's how they're stored in Kali Linux.

63
00:04:55,890 --> 00:04:59,280
Let's also mention other modules that exist besides these.

64
00:04:59,290 --> 00:05:09,780
So if I go back to the modules directory and type ls, let's next talk about the auxiliary modules.

65
00:05:09,780 --> 00:05:17,280
So if we change directory to auxiliary and I type ls here, then we will see that auxiliary modules

66
00:05:17,280 --> 00:05:20,820
are also split into different categories, as we can see right here.

67
00:05:21,330 --> 00:05:28,290
And an auxiliary module does not execute a payload like an exploit module, but it is used to perform

68
00:05:28,500 --> 00:05:33,510
different actions, such as scanning, fuzzing or denial of service attacks.

69
00:05:34,350 --> 00:05:40,140
These modules can sometimes be used in the first two stages of a penetration test, as there are a lot of them

70
00:05:40,140 --> 00:05:43,160
that perform fingerprinting and vulnerability scanning.

71
00:05:43,800 --> 00:05:50,940
If we go to one of these submodules, for example, let's go to the sniffer submodule if I type cd sniffer.

72
00:05:52,180 --> 00:05:52,960
Type ls.

73
00:05:54,290 --> 00:06:01,820
Well, it seems that there is only one sniffer in Metasploit, and we can see again, it is also coded

74
00:06:01,820 --> 00:06:08,060
in the Ruby language because of the .rb extension. If we go to a different auxiliary submodule, for

75
00:06:08,060 --> 00:06:08,780
example.

76
00:06:09,230 --> 00:06:12,000
Let's go to this one, which is spoof.

77
00:06:12,020 --> 00:06:15,680
So let's go to the spoofers, clear the screen,

78
00:06:15,800 --> 00:06:23,360
type ls, we can see they're also divided into even more submodules based on what it is spoofing,

79
00:06:23,750 --> 00:06:31,570
so it can spoof ARP requests, it can spoof DNS, it can spoof mDNS and others as well.

80
00:06:32,120 --> 00:06:35,790
And all of these spoofers we can use for our attacks if we need to.

81
00:06:36,120 --> 00:06:36,430
Good.

82
00:06:36,800 --> 00:06:38,260
Those are the auxiliary modules.

83
00:06:38,660 --> 00:06:44,840
Now, you can always explore others as well if you want to check out what different files this module

84
00:06:44,840 --> 00:06:45,200
has.

85
00:06:45,860 --> 00:06:51,380
But we are going to continue and we are going to cover the next module from the Metasploit framework,

86
00:06:51,710 --> 00:06:54,410
which is the post-exploitation module.

87
00:06:55,100 --> 00:07:00,560
And if we change directory to the post-exploitation module, clear the screen and type ls.

88
00:07:01,430 --> 00:07:05,480
This module is used, as its name says, after exploiting the target.

89
00:07:06,260 --> 00:07:10,130
Usually they're used to gather or steal information from the target's device.

90
00:07:10,850 --> 00:07:16,880
That information could be saved files, passwords, dumping hashes, enumerating other services and

91
00:07:16,880 --> 00:07:21,620
applications of the target and many other things we can do with post-exploitation modules.

92
00:07:22,310 --> 00:07:26,300
After typing ls, you will see that they are mostly placed the same as the exploits.

93
00:07:27,020 --> 00:07:35,120
If we go to Windows post-exploitation modules and type ls right here, we will see different post-exploitation

94
00:07:35,120 --> 00:07:39,770
submodules that have different purposes, such as gathering information.

95
00:07:40,980 --> 00:07:43,530
Such as escalating privileges.

96
00:07:44,550 --> 00:07:49,890
And escalating privileges simply means if we exploit the target as a regular user on that machine,

97
00:07:50,250 --> 00:07:55,560
we would always want to try to escalate our privilege to become an administrator or a root account.

98
00:07:56,590 --> 00:08:04,600
We can also see wlan post-exploitation modules, and I believe this would be used to steal saved files,

99
00:08:04,600 --> 00:08:09,670
passwords to the access points that the target was connected to, OK.

100
00:08:10,000 --> 00:08:12,450
You can explore the others as well if you want to.

101
00:08:12,730 --> 00:08:18,010
And let's talk about the others as well so we can go through all of them real fast so you can get a

102
00:08:18,010 --> 00:08:21,730
pretty good understanding of what all of these modules do.

103
00:08:22,600 --> 00:08:27,510
And the next one that people talk about is also really important, and that is payloads.

104
00:08:27,760 --> 00:08:33,390
If I change directory to payloads, clear the screen and type ls.

105
00:08:33,820 --> 00:08:38,830
And hopefully you remember that a payload is something we deliver to the target with an exploit in order

106
00:08:38,830 --> 00:08:40,060
to control that machine.

107
00:08:40,630 --> 00:08:49,270
And in this payloads directory, we can see it is split into three different subdirectories: singles, stagers

108
00:08:49,450 --> 00:08:50,620
and stages.

109
00:08:51,630 --> 00:08:53,100
What does this even mean?

110
00:08:53,910 --> 00:08:57,870
Well, singles are payloads that are completely standalone.

111
00:08:58,940 --> 00:09:05,090
A single payload can be something as simple as adding a user to the target system or running some other

112
00:09:05,090 --> 00:09:12,020
application. Stagers set up a network connection between the attacker and victim and are designed to

113
00:09:12,020 --> 00:09:13,370
be small and reliable.

114
00:09:13,920 --> 00:09:18,710
And lastly, stages are payload components that are downloaded by stager modules.

115
00:09:19,750 --> 00:09:26,530
These payload stages can provide us with advanced features with no size limits, such as, for example,

116
00:09:26,530 --> 00:09:32,620
different command shells or Meterpreter shells, and Meterpreter is something that we mentioned

117
00:09:32,620 --> 00:09:33,460
for the first time.

118
00:09:34,160 --> 00:09:37,360
Meterpreter shell is also something that people use a lot.

119
00:09:37,930 --> 00:09:41,700
It is similar to the conventional shell, but with a bunch of other options as well.

120
00:09:41,770 --> 00:09:49,060
Besides executing commands, we can download files, upload files, record microphone conversation,

121
00:09:49,060 --> 00:09:55,450
run webcams on the target machine, take screenshots of their desktop and many other things we can do with

122
00:09:55,450 --> 00:09:56,170
the Meterpreter.

123
00:09:57,040 --> 00:10:03,010
So once we are exploiting a target, Meterpreter is usually what we want to run on the target after

124
00:10:03,010 --> 00:10:03,730
an exploit.

125
00:10:04,270 --> 00:10:09,010
If I go to the stagers directory right here to see the stagers,

126
00:10:10,900 --> 00:10:19,420
clear the screen, type ls, and if I, for example, go to Windows stagers, type ls here, we

127
00:10:19,420 --> 00:10:22,670
can see different ways of establishing a connection.

128
00:10:23,440 --> 00:10:27,380
Remember when we talked about two different types of shells in the last video?

129
00:10:27,880 --> 00:10:29,040
Well, here they are.

130
00:10:29,410 --> 00:10:35,170
Here we can establish a connection either by binding to a port or by listening and creating a reverse

131
00:10:35,350 --> 00:10:35,840
connection.

132
00:10:36,670 --> 00:10:45,370
They are further divided into, for example, reverse HTTP, reverse UDP and reverse TCP.

133
00:10:46,120 --> 00:10:52,070
And out of all of these that we have right here, we will almost always use reverse TCP.

134
00:10:52,600 --> 00:11:00,670
So for now, we know that the two main things we will combine in a payload are a reverse TCP connection and

135
00:11:00,790 --> 00:11:01,300
Meterpreter

136
00:11:01,300 --> 00:11:07,630
shell, because those two combined give us many more options to do with the target.

137
00:11:08,110 --> 00:11:08,830
OK, great.

138
00:11:09,070 --> 00:11:11,400
Now if you don't understand some of this, don't worry.

139
00:11:11,410 --> 00:11:16,450
Once again, this is something that you will fully understand once you get into the practical examples.

140
00:11:17,170 --> 00:11:22,690
For now, we are left to explain three more modules and we're going to go quickly through them since

141
00:11:22,690 --> 00:11:25,590
they are less important than the ones that we already covered.

142
00:11:26,440 --> 00:11:30,460
And those are the evasion modules, encoders and NOPs.

143
00:11:31,210 --> 00:11:37,910
Now let's go with encoders first. Encoders are something that helps us to evade antivirus detection.

144
00:11:38,740 --> 00:11:39,530
How exactly?

145
00:11:39,880 --> 00:11:46,180
Well, even though we call our payload a shell or a Meterpreter, to antivirus and other

146
00:11:46,180 --> 00:11:50,280
people it is just simple malware or a Trojan or a virus.

147
00:11:51,130 --> 00:11:57,730
That's why with the help of encoders, we can encode our payload and make it less detectable by some

148
00:11:57,730 --> 00:11:58,880
antivirus vendors.

149
00:11:59,440 --> 00:12:03,730
These are not that useful anymore, since they are known to almost all antiviruses.

150
00:12:04,010 --> 00:12:06,790
They can, however, help us bypass some of the.

151
00:12:07,650 --> 00:12:15,090
And evasion modules do pretty much the same thing, and if I change directory to them, so cd evasion,

152
00:12:15,630 --> 00:12:21,330
you will see that there are evasion modules only for Windows, and they are used to bypass Windows

153
00:12:21,330 --> 00:12:27,300
Defender. If I change my directory right here and type ls, we will see different Windows evasion files

154
00:12:27,300 --> 00:12:29,720
that we use in order to bypass Windows Defender.

155
00:12:30,480 --> 00:12:36,210
However, since Windows Defender recently got an update, I believe many of these don't work anymore.

156
00:12:36,680 --> 00:12:41,940
But don't worry, we'll see later in the course different techniques that we can use to bypass antivirus

157
00:12:41,940 --> 00:12:43,470
and execute our payload.

158
00:12:44,190 --> 00:12:48,750
And the last thing that we got are NOPs.

159
00:12:49,500 --> 00:12:52,350
NOPs can be a little bit hard to understand.

160
00:12:53,220 --> 00:12:58,560
What a NOP is, is an instruction for the processor to do nothing.

161
00:12:59,310 --> 00:13:03,660
Once a processor reads a NOP instruction, it does absolutely nothing.

162
00:13:04,080 --> 00:13:05,580
And I know what you're thinking.

163
00:13:05,820 --> 00:13:07,650
What is the purpose of this for us?

164
00:13:08,550 --> 00:13:15,180
Well, these NOPs are useful in buffer overflows to allocate a lot of space in memory before the payload

165
00:13:15,330 --> 00:13:16,020
executes.

166
00:13:16,650 --> 00:13:22,500
By the way, NOP stands for no operation, and if you have programmed in assembly before, you will

167
00:13:22,500 --> 00:13:23,850
be familiar with this.

168
00:13:24,850 --> 00:13:25,580
But don't worry.

169
00:13:25,630 --> 00:13:30,160
For now, NOPs are not that important for us, OK?

170
00:13:30,790 --> 00:13:33,330
That was a lot to take in for one single video.

171
00:13:33,670 --> 00:13:37,840
But all of this will be clearer once we start exploiting our target.

172
00:13:37,870 --> 00:13:40,590
And trust me, we are really close to that.

173
00:13:41,050 --> 00:13:44,710
We just need to explain the usage of it in the next video real quick.

174
00:13:44,860 --> 00:13:48,600
And after it, we will perform our first exploits.

175
00:13:49,060 --> 00:13:52,360
So get ready and I will see you in the next video.
