1
00:00:04,850 --> 00:00:11,030
Now, I promise to get your hands dirty, and I don't want to bore you with too much theory, so let's

2
00:00:11,030 --> 00:00:12,560
compromise some systems.

3
00:00:13,880 --> 00:00:18,950
We performed a vulnerability scan, and you'll certainly remember that there was an exploitable

4
00:00:18,950 --> 00:00:23,060
vulnerability in the Java RMI service of the Metasploitable system.

5
00:00:23,270 --> 00:00:25,490
So let's exploit Metasploitable.

6
00:00:26,740 --> 00:00:32,920
Here we are in msfconsole, so you can use the search command to find the exploits for the Java RMI

7
00:00:32,920 --> 00:00:35,860
server insecure default configuration vulnerability.

8
00:00:37,190 --> 00:00:40,700
Here we find two auxiliaries and two exploits.

9
00:00:41,990 --> 00:00:46,520
To use the exploit, we use the use command of msfconsole.

10
00:00:47,660 --> 00:00:49,730
Give the full name of the exploit, you see.

11
00:00:51,690 --> 00:00:57,600
And you see the command prompt shows us which exploit or auxiliary we are using.

12
00:00:59,900 --> 00:01:01,970
Now we can select a payload.

13
00:01:03,800 --> 00:01:08,180
Type show payloads to see the payloads available with this exploit.

14
00:01:09,100 --> 00:01:12,880
You're going to see different payload lists for different exploits.

15
00:01:13,600 --> 00:01:15,700
But we have to choose one of these payloads.

16
00:01:17,900 --> 00:01:21,980
But you know, I'd like to pause here for a bit, for a little bit of definition.

17
00:01:22,250 --> 00:01:22,930
Sorry for that.

18
00:01:22,940 --> 00:01:27,860
I know you're chomping at the bit, but I'd like you to understand what it is that you're actually doing.

19
00:01:29,340 --> 00:01:34,260
So there are three different types of payload modules in the Metasploit Framework.

20
00:01:34,710 --> 00:01:38,400
Singles, stagers and stages.
21
00:01:39,670 --> 00:01:45,850
These different types allow for a great deal of versatility and can be useful across numerous types

22
00:01:45,850 --> 00:01:52,870
of scenarios. Whether or not a payload is staged is represented by a slash in the payload name.

23
00:01:53,290 --> 00:02:03,850
For example, windows/shell_bind_tcp is a single payload with no stage, whereas

24
00:02:04,510 --> 00:02:08,830
windows/shell/reverse_tcp_rc4 consists of

25
00:02:10,180 --> 00:02:16,240
a stager (reverse_tcp_rc4) and a stage (shell).

26
00:02:17,670 --> 00:02:24,450
So singles are payloads that are self-contained and completely standalone. A single payload can be

27
00:02:24,450 --> 00:02:29,790
something as simple as adding a user to the target system or running calc.exe.

28
00:02:30,740 --> 00:02:37,340
These kinds of payloads are self-contained, so they can be caught with non-Metasploit handlers such as

29
00:02:37,340 --> 00:02:37,970
netcat.

30
00:02:39,280 --> 00:02:45,610
Stagers set up a network connection between the attacker and victim and are designed to be small and

31
00:02:45,610 --> 00:02:46,240
reliable.

32
00:02:47,190 --> 00:02:53,250
It is difficult to always do both of these well, so the result is multiple similar stagers.

33
00:02:54,090 --> 00:02:59,010
Metasploit will use the best one when it can and fall back to a less preferred one

34
00:02:59,550 --> 00:03:00,570
if it's necessary.

35
00:03:01,930 --> 00:03:09,970
Stages are payload components that are downloaded by stager modules. The various payload stages provide

36
00:03:09,970 --> 00:03:16,300
advanced features with no size limits, such as Meterpreter, VNC injection and the iPhone ipwn

37
00:03:16,300 --> 00:03:16,690
shell.

38
00:03:18,690 --> 00:03:21,240
OK, so where were we, right?

39
00:03:21,720 --> 00:03:24,390
We were about to set the payload for our exploit.

40
00:03:25,780 --> 00:03:27,040
To use the payload we want,
41
00:03:27,310 --> 00:03:30,040
we use the set payload Metasploit command.

42
00:03:31,390 --> 00:03:36,100
And look at that, you'll see that there are two popular types of shells: bind

43
00:03:37,770 --> 00:03:44,640
and reverse. A bind shell is the kind that opens up a new service on the target machine and requires

44
00:03:44,640 --> 00:03:47,370
the attacker to connect to it in order to get a session.

45
00:03:48,090 --> 00:03:49,740
A reverse shell,

46
00:03:50,280 --> 00:03:53,640
also known as a connect-back, is the exact opposite.

47
00:03:53,910 --> 00:03:57,510
It requires the attacker to set up a listener first on his box.

48
00:03:57,840 --> 00:04:01,140
The target machine acts as a client connecting to that listener.

49
00:04:01,380 --> 00:04:04,410
And then finally, the attacker receives the shell.

50
00:04:05,590 --> 00:04:11,770
So here I want to use the java/shell/reverse_tcp payload for this example.

51
00:04:13,620 --> 00:04:17,160
Type show options to see the parameters we have to configure.

52
00:04:17,850 --> 00:04:24,720
Now these are the parameters of the module, and these are the parameters of the selected payload. The Required

53
00:04:24,720 --> 00:04:31,500
field shows if you have to fill in the parameter or not; if the option is required, it cannot be empty.

54
00:04:32,220 --> 00:04:37,050
So let's set the options for this exploit, module options first.

55
00:04:37,860 --> 00:04:45,750
The first option is HTTPDELAY, which indicates the time that the HTTP server will wait for the payload

56
00:04:45,750 --> 00:04:46,350
request.

57
00:04:46,800 --> 00:04:47,940
It has a default value,

58
00:04:48,270 --> 00:04:48,630
10.

59
00:04:49,170 --> 00:04:50,430
Just leave it as it is.
60
00:04:51,580 --> 00:04:57,940
RHOST is the remote host, which means the target machine, and in this example we will set

61
00:04:57,940 --> 00:05:04,480
RHOST with the IP address of Metasploitable. RPORT is the target port.

62
00:05:05,200 --> 00:05:11,890
As we've seen before, the Java RMI service port of Metasploitable is 1099, which is the default value of

63
00:05:11,890 --> 00:05:12,490
the option.

64
00:05:14,400 --> 00:05:20,760
SRVHOST is another required field, which stands for the local host to listen on, Kali for us.

65
00:05:21,360 --> 00:05:24,480
So set SRVHOST with the IP address of Kali.

66
00:05:25,460 --> 00:05:28,250
SRVPORT is another required field,

67
00:05:28,580 --> 00:05:33,140
the local port to listen on, and that has a default value of 8080.

68
00:05:33,170 --> 00:05:35,060
No need to change the default here.

69
00:05:35,990 --> 00:05:41,480
So the last three options are not required, so I'll just let them be with the default values.

70
00:05:42,140 --> 00:05:47,960
Now let's set the payload options. Because it's a reverse shell payload,

71
00:05:48,260 --> 00:05:51,770
it asks for the listener host IP address and the port.

72
00:05:52,460 --> 00:05:54,590
Both of them are, of course, required.

73
00:05:55,640 --> 00:05:59,000
So set the LHOST, the listener address, as your Kali.

74
00:05:59,950 --> 00:06:05,500
And if you like, change the default value of the listen port; 4444 is fine for me.

75
00:06:07,200 --> 00:06:09,690
Now we are ready to run the exploit.

76
00:06:10,640 --> 00:06:14,570
And here you can use either the run or the exploit command to run the exploit.

77
00:06:18,820 --> 00:06:21,640
OK, so what the heck happened here?

78
00:06:22,720 --> 00:06:24,850
Let's look at the messages given by Metasploit.
79
00:06:25,950 --> 00:06:32,700
This module takes advantage of the default configuration of the RMI Registry and RMI Activation services,

80
00:06:33,120 --> 00:06:37,650
which allow loading classes from any remote HTTP URL.

81
00:06:38,620 --> 00:06:44,410
Here it tries to exploit the vulnerability, which is on the service running on port 1099 of Metasploitable,

82
00:06:45,100 --> 00:06:49,240
using the application running on port 8080 of our Kali.

83
00:06:50,260 --> 00:06:57,250
And finally, it says a command shell session opened, which means exploitation is successful. Now, because

84
00:06:57,250 --> 00:07:00,290
we don't need the HTTP server opened in Kali anymore,

85
00:07:00,700 --> 00:07:03,100
it's stopped at the end of the exploitation.

86
00:07:04,410 --> 00:07:08,370
The sessions command is used to see the sessions running in the background.

87
00:07:09,150 --> 00:07:18,090
We'll see the sessions command in detail. Type sessions -l to see the active sessions and sessions -i 1

88
00:07:18,480 --> 00:07:21,690
to interact with the session which has the ID number one.

89
00:07:23,110 --> 00:07:24,730
I think the interaction has started.

90
00:07:25,300 --> 00:07:26,290
So let's try it.

91
00:07:27,550 --> 00:07:28,570
I'll send the ls

92
00:07:28,570 --> 00:07:32,380
command, and yes, we now have the shell of Metasploitable.

93
00:07:33,310 --> 00:07:34,900
Print working directory.

94
00:07:35,230 --> 00:07:36,220
We are at the root.

95
00:07:37,220 --> 00:07:37,790
whoami.

96
00:07:39,010 --> 00:07:44,380
We are the root user. ifconfig to learn the IP address, etc.