[00:00:00] Welcome back everybody. And let's start off with command injection. Now, in the previous video I told you a little bit about command injection, but let us actually get to the practical method of using that attack.

[00:00:15] So, command injection: well, as I said, some web applications can use parts of their operating system to do something, and as I gave the example, for example pinging. Now usually the command injection itself will run the command on the same server, but depending on the architecture of the server itself it can also execute the command on another server as well. Now what I mean by that is, let's say the same example as before, which is pinging the machine. So you go to the website which basically pings the machine.

[00:00:54] Let me just actually try to find that website, so I will turn Burp Suite on, or open another terminal for me, and let us actually try to find a legit website that pings another machine or another website. I believe there are lots of them online, so we will just find one of them. So let me just turn on Burp, and while this is turning on, let me enlarge this terminal. OK. So, with this, let us just turn off the intercept, and once we turn off the intercept let us go to Firefox, so let us just try to search for a simple pinging website.
[00:01:43] Maybe that will work, maybe it won't. I just want to show you that those websites do exist. Now, our Firefox is a little bit slow because of Burp Suite, so let us just wait for it for a few seconds, or maybe it's better: "free ping test to ping your server or website". So we just click on the first link. And let us see what kind of website this is. As we can see, here is the web server name. So this is the type of website I was talking about. So basically here you just put your web server name and it will ping your server in order to check if it is online or not.

[00:02:33] Now what I was talking about is that if, for example, this website was vulnerable to command injection, we could possibly run any command that we can run in our own terminal also right here, and it will process the command in the server's terminal, but also it can send the command to another server and we could actually execute this command on another server as well. So let us start off with a website that we can actually test. You shouldn't be testing any of these websites you do not own. So even if this one is vulnerable, which I doubt since it's the first and probably one of the most famous ones, it probably isn't vulnerable to command injection.
[00:03:19] But we will use our website that is vulnerable to command injection. So actually I don't know why I closed Firefox. We need to go visit our virtual machine, which is our OWASP machine. Let me just check the IP address of it; it should be... not one, but nine? No, it's six. OK. Let us go to 192.168.1.6.

[00:03:47] Now, once you are here, what you want to do is go to the Damn Vulnerable Web Application. I believe we did not go here before, so just click on this. Now what this will ask you is the username and password. Now you can just type here the username and password, which is admin admin. But let us actually try to practice one of the attacks that we covered before, and one of those attacks is Hydra. So let us actually brute force this login page. It is good practice, as we did cover this before. So what we want to do is open our terminal, and we will do it fast. I won't cover any of the syntax since I covered it in previous videos. You can check that out if you want to.

[00:04:34] What we basically want to do is type hydra, and the syntax is similar as in the previous videos. So we type the IP address, we are posting the form so http-post-form, which... now, before I type this section,
let me just show you. I do have the same files as before, which are users.txt and passwords.txt. So we will use the same lists as in the previous video. So let us start again. We type here the IP address and then the platform, so http-post-form, and then we specify the link. Now in order for us to check out the link, let us go right here, and we can see that the link in the path is dvwa/login.php. So let us copy that and let us paste it right here.

[00:05:34] So once we do that we want to specify the username and password, and we want to say to click on the Submit button, and we want to specify a string that it will give for every incorrect login. Now in order for us to see what string it could give, let us just type here something random and see what it gives us as an error. So it gives us "Login failed". So we will use this string in order to separate the correct from the incorrect login credentials. So now, what we want to do right now is inspect element. So let us inspect the element in order to find out the name of the username and the name of the password in the login form. Now what I mean by that,
let me just show you. As we can see: form action login.php, method POST. We click here on the arrow, down to the fieldset, in order to find out... and here we can see a label for username; the name for this field is "username", which is most likely always going to be something like that, or "user", or something like that. So we will copy this, and we divide these two with a colon. So you type username=, the caret, then USER, then another caret sign.

[00:06:59] Let me make this larger so you can see the entire command. OK. So then after that we want to see what is the name of the password field, which is probably going to be "password". Name: password. So the name of the password field is password. So we specify right here password=^PASS^ again. And then we want to specify the login button, which is called Login, as we can see right here. So as we can see the submit, we should type here submit=Login or Login=submit, since the name of the button itself is Login and the action is submit. So let us just type that, Login=submit, and then we specify another colon, which means to divide these sections, and we specify the string that we get
once we provide a wrong username and password, which is "Login failed". So just copy it and paste it right here, close our apostrophe, and then specify the lists: the list of usernames and the list of passwords. So capital L users.txt and then capital P passwords.txt. So quickly, let this run; it should find the password and username, which is admin admin. Let us just see right here. And as we can see it finished and it found one valid username and one valid password. Now if you wanted to, you could just type here and skip this part. It is always good to have practice of something that you learned in the previous videos.

[00:08:49] So we do not want to save this; let's just close this. And once we are here, what we want to do is go to the Command Execution part. So click on the Command Execution part and you will see a similar website as the one we visited before, which is the ping-for-free one. So basically just type here, as it says, the IP address, and it will ping it. Now we can try it. Let us ping my router, since it is online; of course I wouldn't be able to access the Internet if it wasn't. And we can see the pinging results, so it performed three ping scans and we can see that it received three packets. So that's good. But let's say for example you were...
[00:09:37] You think that this is possibly vulnerable to command execution, and you try a simple command, which is 192.168.1.1, where we specify our router IP address, and we type here, let me just find where it is on my keyboard, the semicolon, in order to divide these two commands, and we type here, for example, whoami. And we did cover this command: it gives the current account on the terminal on this web server, if it is vulnerable to command execution. So we submit that, and we can see that it executed the ping scan, and it also gave us the output of who is running on that server, which basically tells us that this server is vulnerable to command injection. We were able to execute a command on the server that isn't only the pinging command.

[00:10:41] Now we will continue; I will continue to show you how to actually exploit this. For now we just ran a simple command in order to find out whether it's vulnerable or not, and in the next video I will show you how to exploit this and make that server connect to our own machine. So that's about it for this lecture. We'll continue in the next one and I hope I see you there. Bye.
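To show the defect the lecture demonstrates on DVWA's ping form from the defender's side, here is an added example (not the course's or DVWA's code): a Python ping handler in its vulnerable shape beside a hardened version that only accepts a literal IP address and never goes through a shell, plus the metacharacter check a log review or WAF could apply to the form parameter. The function names and the `ping -c 3` flag are assumptions; the sample inputs are constructed.

```python
import ipaddress
import re
import subprocess
from typing import Optional

# Constructed example of a ping form like DVWA's "Command Execution" page.
# The vulnerable handler concatenates user input into a shell command line,
# so a semicolon ends the ping and starts a second command (as in the lecture).
def vulnerable_ping_command(user_input: str) -> str:
    """Return the shell string the vulnerable handler would run (not executed here)."""
    return "ping -c 3 " + user_input

# Characters that let one shell command line turn into several; a useful
# detection rule for request logs or a WAF on the ping form's parameter.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")

def looks_like_injection(user_input: str) -> bool:
    """True if the input carries shell metacharacters a ping target never needs."""
    return bool(SHELL_METACHARS.search(user_input))

def validate_host(user_input: str) -> Optional[str]:
    """Accept only a literal IPv4/IPv6 address (allow-list); anything else is rejected."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None

def safe_ping_argv(user_input: str) -> Optional[list]:
    """Hardened handler: build an argv list (no shell) or None when the input is rejected."""
    host = validate_host(user_input)
    if host is None:
        return None
    return ["ping", "-c", "3", host]

def safe_ping(user_input: str) -> str:
    """Run the hardened ping; argv execution means metacharacters are never interpreted."""
    argv = safe_ping_argv(user_input)
    if argv is None:
        return "rejected: not an IP address"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return result.stdout or result.stderr

if __name__ == "__main__":
    for sample in ["192.168.1.1", "192.168.1.1; whoami"]:  # constructed inputs
        print(sample, "->", "flagged" if looks_like_injection(sample) else "clean",
              "| argv:", safe_ping_argv(sample))
```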