1
00:00:00,770 --> 00:00:04,850
OK, so let's see some of the basic Meterpreter commands with a Windows victim.

2
00:00:06,630 --> 00:00:12,390
Here I have a system running Windows XP Service Pack One, and its IP address is two zero seven.

3
00:00:13,260 --> 00:00:16,350
Now, I'm not sure if it's legitimate to share it with you.

4
00:00:16,680 --> 00:00:20,970
I'll search, and if it is legitimate, I'll somehow share the virtual machine with you.

5
00:00:22,520 --> 00:00:29,600
As we've seen in the beginning of the course, this system has the MS08-067 vulnerability.

6
00:00:30,810 --> 00:00:36,510
So now let's try to exploit the vulnerability and have a Meterpreter session on the Windows system.

7
00:00:37,860 --> 00:00:40,080
We're in the Metasploitable Meterpreter session.

8
00:00:40,830 --> 00:00:46,260
So send the Meterpreter session to the background to access the msfconsole shell.

9
00:00:47,600 --> 00:00:53,390
Now, let's find the exploit module written for the MS08-067 vulnerability.

10
00:00:54,590 --> 00:00:57,980
And we have one exploit with a great rank.

11
00:00:58,720 --> 00:01:00,130
That's good for us.

12
00:01:00,730 --> 00:01:04,150
So type use and the full module name to use it.

13
00:01:05,270 --> 00:01:08,270
So now let's look at the payloads we can use with this exploit.

14
00:01:11,310 --> 00:01:11,990
Wow.

15
00:01:12,360 --> 00:01:16,620
There are a lot of payloads, and let's choose this one.

16
00:01:17,490 --> 00:01:20,820
windows/meterpreter/reverse_tcp.

17
00:01:21,730 --> 00:01:29,800
And show the options. Now, we have already seen these steps before, so I'll keep it quick. Set the

18
00:01:29,800 --> 00:01:32,350
remote host, the IP address of the Windows machine.

19
00:01:35,160 --> 00:01:36,870
Listen host as our Kali.

20
00:01:39,860 --> 00:01:41,270
Remote port is correct.

21
00:01:41,300 --> 00:01:43,130
Listen port, it's OK for me.
22
00:01:43,670 --> 00:01:45,260
Ready to run the exploit.

23
00:01:47,920 --> 00:01:51,550
And yes, we have a Meterpreter session on the Windows system.

24
00:01:52,460 --> 00:01:56,600
And as the first command, sysinfo, since sysinfo was always my first command.

25
00:01:57,170 --> 00:01:57,920
And look at that.

26
00:01:58,370 --> 00:01:59,570
We are confirmed.

27
00:02:00,110 --> 00:02:02,930
We are on Windows XP Service Pack

28
00:02:02,930 --> 00:02:08,870
One. The help command is the second one, of course; it shows the commands available.

29
00:02:10,250 --> 00:02:15,260
OK, so now there were a few commands which I said that I will show you with a Meterpreter session

30
00:02:15,260 --> 00:02:16,370
on a Windows system.

31
00:02:17,590 --> 00:02:21,820
The hashdump command was not available when we were on Metasploitable.

32
00:02:22,880 --> 00:02:24,860
Now, Meterpreter has this command.

33
00:02:25,730 --> 00:02:29,630
Of course, we can also use the hashdump post module as well.

34
00:02:30,810 --> 00:02:35,970
The hashdump command is more important for Windows systems, and I'll tell you why. In a Linux system,

35
00:02:36,420 --> 00:02:40,830
looking at the shadow file is usually enough to see the password hashes.

36
00:02:41,310 --> 00:02:44,880
However, gathering hashes is a bit complicated for Windows systems.

37
00:02:45,570 --> 00:02:51,510
Password hashes are located in the SAM database, and you need to have the key of the SAM database,

38
00:02:51,510 --> 00:02:53,460
which is in the SYSTEM file.

39
00:02:54,630 --> 00:02:56,790
Thankfully, we have Meterpreter.

40
00:02:57,390 --> 00:03:01,740
We can dump password hashes of a Windows system with a single command now.

41
00:03:03,490 --> 00:03:08,950
You can use either the ifconfig or ipconfig command to learn the IP address of the victim machine.

42
00:03:09,550 --> 00:03:11,800
Same as a Meterpreter on Linux.
43
00:03:13,070 --> 00:03:17,840
Now you can use the pwd command to see your current location on the victim's system.

44
00:03:18,500 --> 00:03:23,300
There's no such command in modern systems, but hey, this is not the command shell.

45
00:03:23,330 --> 00:03:24,640
This is Meterpreter.

46
00:03:25,640 --> 00:03:29,060
And again, you can use the cd command to change the location.

47
00:03:30,890 --> 00:03:33,290
Now, the search function has the same functionality.

48
00:03:33,470 --> 00:03:36,730
So you can use it to find any file in the victim machine.

49
00:03:40,650 --> 00:03:47,580
You can use the cat command to see the contents of a file, and as you know, cat is a standard Linux command,

50
00:03:47,580 --> 00:03:50,130
but this cat is not that cat.

51
00:03:50,670 --> 00:03:51,690
If you know what I mean.

52
00:03:53,050 --> 00:03:57,010
So now I want to show you a Meterpreter command which is Windows specific.

53
00:03:58,570 --> 00:03:59,700
clearev.

54
00:04:00,970 --> 00:04:06,610
This command is used to clear the application, system and security logs on a Windows system.

55
00:04:07,420 --> 00:04:09,640
There are no options or arguments needed.

56
00:04:09,970 --> 00:04:14,410
Your activities on the system after the exploitation will leave some footprints.

57
00:04:14,860 --> 00:04:16,720
So you'd just better clean them up.

58
00:04:17,710 --> 00:04:21,340
Let's go to the Windows system and look at the Event Viewer.

59
00:04:22,650 --> 00:04:26,460
Well, I don't know its location, so I'll use the search option.

60
00:04:28,130 --> 00:04:28,850
And here it is.

61
00:04:29,930 --> 00:04:31,040
Here are the log files.

62
00:04:37,830 --> 00:04:42,270
And now let's run the clearev command, and it wiped the log files.

63
00:04:43,200 --> 00:04:50,010
So turn back to the Windows system, refresh the Event Viewer and see no logs remain.
64
00:04:50,850 --> 00:04:57,020
Well, I don't know if you see what I'm seeing, but there is a new record in the security log, you see.

65
00:04:58,170 --> 00:05:01,170
But I don't know what it is, but it doesn't look like a warning.

66
00:05:01,650 --> 00:05:05,850
Well, at least it doesn't contain any clue about who we are.

67
00:05:06,720 --> 00:05:10,860
Now, the shell command presents you with a standard shell on the target system.

68
00:05:11,730 --> 00:05:14,490
This time we have a command prompt as well.

69
00:05:15,360 --> 00:05:18,780
Now we can use the standard MS-DOS commands.

70
00:05:20,270 --> 00:05:26,480
dir to list the files and folders, ipconfig to see the internal IP, et cetera, et cetera.

71
00:05:33,720 --> 00:05:35,880
Use exit to exit the shell.

72
00:05:36,960 --> 00:05:38,110
Now, we couldn't run the

73
00:05:38,130 --> 00:05:42,000
idletime command on the Metasploitable Linux system, but now we can.

74
00:05:42,570 --> 00:05:48,750
And as I said before, it displays the number of seconds that the user at the remote machine has been

75
00:05:48,750 --> 00:05:49,080
idle.

76
00:05:49,830 --> 00:05:50,880
Very useful info.