1
00:00:00,300 --> 00:00:02,520
Hello everybody and welcome back.

2
00:00:02,520 --> 00:00:07,520
Now let us just perform the blind command injection.

3
00:00:07,650 --> 00:00:14,960
Or should I say, let me show you how to find out if a certain website is vulnerable to the blind command

4
00:00:14,960 --> 00:00:18,780
injection instead of just the command injection.

5
00:00:18,780 --> 00:00:25,680
So now, what I mean by blind command injection is basically, as you can see, if we go right here to the

6
00:00:25,770 --> 00:00:26,790
website once again.

7
00:00:26,940 --> 00:00:29,960
So let me just...

8
00:00:29,970 --> 00:00:32,180
It says that there is an error.

9
00:00:32,180 --> 00:00:38,790
These folks must send information that will repeat an extensive research, recent, whatever. I'm not

10
00:00:38,790 --> 00:00:43,040
really sure what the problem is. I basically just started recording.

11
00:00:43,100 --> 00:00:45,980
Let us just connect once again to the machine.

12
00:00:45,980 --> 00:00:52,910
So when I did it once upon funded six siblings believe was, and let us go to the what about web application

13
00:00:52,910 --> 00:00:57,840
once again. Come on, will you connect?

14
00:01:02,450 --> 00:01:09,650
So let's just let this connect, and let me just finish the blind... as in the part I mean, blind

15
00:01:09,650 --> 00:01:15,250
command injection is basically when you can't really see the output of your command.

16
00:01:15,860 --> 00:01:23,240
So in our previous example we actually were able to see the output of the ping command and also

17
00:01:23,240 --> 00:01:28,300
the output of the command that we specified after the ping command. Now,

18
00:01:28,340 --> 00:01:31,290
in some cases you won't be able to see the output.

19
00:01:31,310 --> 00:01:35,800
It could basically maybe just print to you that the server was pinged correctly or something like that.
20
00:01:35,840 --> 00:01:43,330
And even if it is vulnerable to the command execution it might not show it in the output.

21
00:01:43,340 --> 00:01:53,240
So the best way to do that is by pinging your own machine from that server and then opening and inspecting

22
00:01:53,240 --> 00:01:58,130
the packets in Wireshark in order to see if it pinged correctly.

23
00:01:58,160 --> 00:01:59,850
Now I'll show you what I mean.

24
00:01:59,870 --> 00:02:02,370
Let me just see why this isn't connecting.

25
00:02:02,370 --> 00:02:07,640
Let's see if we are just... Oh, maybe it's because we are still on the virtual machine.

26
00:02:07,640 --> 00:02:12,890
So in order to exit that virtual machine just click here, exit, and you basically stop the connection

27
00:02:12,890 --> 00:02:16,930
to the big machine now.

28
00:02:17,090 --> 00:02:21,890
Just ping our router to see if we are on the Internet, and we are.

29
00:02:21,890 --> 00:02:24,800
So the problem is not with this machine.

30
00:02:24,800 --> 00:02:27,260
The problem is with the vector machine.

31
00:02:27,290 --> 00:02:28,940
But as we can see, it's loaded.

32
00:02:28,940 --> 00:02:34,320
So let's go to the command execution once again, and let's pretend that once you type here one night,

33
00:02:34,380 --> 00:02:38,460
that once you get that one, the one, it doesn't give you any output.

34
00:02:38,540 --> 00:02:44,320
Now here it will give you, since we do not have an example of blind command injection right here.

35
00:02:44,530 --> 00:02:51,890
But let's pretend it didn't give us any output and it pinged our router. Now in order to check if this is

36
00:02:51,890 --> 00:02:55,100
vulnerable to the blind command execution,

37
00:02:55,100 --> 00:02:59,160
the most common method would be pinging two machines.

38
00:02:59,180 --> 00:03:06,650
So 192.168.1.1, which is a legit command, and it is made... and the server is made to

39
00:03:06,650 --> 00:03:08,360
ping one IP address.
40
00:03:08,420 --> 00:03:15,590
But if we specify another IP address in the next command, so ping and then the IP address of our Kali Linux

41
00:03:15,620 --> 00:03:22,090
machine, the server that isn't vulnerable shouldn't be executing this command.

42
00:03:22,120 --> 00:03:30,130
It should only execute this command, but if it is vulnerable it will execute both of these commands

43
00:03:31,610 --> 00:03:31,920
now.

44
00:03:31,940 --> 00:03:36,160
Be careful, since this is the... our OWASP machine is a Linux machine.

45
00:03:36,170 --> 00:03:40,880
And if you just run this command it will keep pinging your machine forever, so you will just basically have

46
00:03:40,880 --> 00:03:43,250
to restart it in order to stop pinging.

47
00:03:43,250 --> 00:03:48,020
So just type here -c, which stands for count, and three.

48
00:03:48,080 --> 00:03:56,910
So this basically means it will only send three ping packets, as in the output right here.

49
00:03:56,930 --> 00:03:58,170
So let me just show you.

50
00:03:58,310 --> 00:04:04,140
If we open our terminal and ping 192.168.1.1,

51
00:04:04,370 --> 00:04:07,020
it will ping forever until we stop this program.

52
00:04:07,310 --> 00:04:13,220
But if you type ping 192.168.1.1 -c 3 it will only ping it three

53
00:04:13,220 --> 00:04:15,420
times and it will stop.

54
00:04:15,440 --> 00:04:22,590
Now we want to run that on the target server so it does not ping ourselves forever, but before we run that we

55
00:04:22,600 --> 00:04:25,340
need to run a tool called Wireshark.

56
00:04:25,460 --> 00:04:28,550
So just type in your terminal wireshark.

57
00:04:28,550 --> 00:04:37,570
Wireshark is basically a tool that allows us to inspect our packets on a certain network interface. Now

58
00:04:38,350 --> 00:04:41,670
as soon as you open it you will see a bunch of packets flowing.

59
00:04:41,740 --> 00:04:42,410
Just click here.
60
00:04:42,460 --> 00:04:44,840
Forget this area, click here on OK.

61
00:04:45,160 --> 00:04:50,260
And let me just see, my interface is eth0.

62
00:04:50,380 --> 00:04:54,700
And once you open it you should be seeing some packets right here, finisher.

63
00:04:54,940 --> 00:04:55,210
Why?

64
00:04:55,230 --> 00:04:57,090
I don't see them.

65
00:04:57,090 --> 00:04:58,020
Let's just try.

66
00:04:58,020 --> 00:05:03,220
But why doesn't this want to move, right?

67
00:05:03,220 --> 00:05:04,260
What are you doing?

68
00:05:04,310 --> 00:05:05,470
Okay.

69
00:05:05,600 --> 00:05:08,470
And here we can see the packet.

70
00:05:08,470 --> 00:05:10,280
Why are there not other packets?

71
00:05:10,290 --> 00:05:15,000
So let me just try to think, when I see the posted up on that one.

72
00:05:16,250 --> 00:05:17,130
Oh yes, I am.

73
00:05:17,140 --> 00:05:19,560
This is the terminal that I ran my Wireshark in.

74
00:05:19,570 --> 00:05:27,430
So this won't work. I will just open another terminal and try to ping 192.168.1.1 on

75
00:05:27,430 --> 00:05:28,420
that one.

76
00:05:28,840 --> 00:05:32,250
And here we can see a bunch of ICMP packets floating around.

77
00:05:32,260 --> 00:05:33,300
So that is good.

78
00:05:33,310 --> 00:05:40,550
These are the ping packets, as we can see, echo ping requests and echo reply from our router.

79
00:05:40,660 --> 00:05:47,110
Now that you opened this and went on to your network interface, which for me was eth0,

80
00:05:47,130 --> 00:05:57,040
now you want to execute this command and basically click here, submit. Once this is finished,

81
00:06:00,000 --> 00:06:06,720
you won't see this output that we see since it is blind, but you will be able to see if someone pinged

82
00:06:06,720 --> 00:06:10,260
you in Wireshark.

83
00:06:10,260 --> 00:06:11,550
Now let's stop it.
84
00:06:11,570 --> 00:06:18,300
So you just stop the capturing of packets with this red button right here and you can then inspect all of

85
00:06:18,300 --> 00:06:21,510
the packets that you received in that certain amount of time.

86
00:06:21,520 --> 00:06:26,850
Now these first ping requests are something we ran on our terminal, and we pinged the router there, but

87
00:06:27,060 --> 00:06:33,630
we can find out that that website, or the OWASP machine, is vulnerable to command execution by these ping

88
00:06:33,630 --> 00:06:35,840
requests right here.

89
00:06:35,850 --> 00:06:41,160
So as we can see there are three ping requests, as we specified in the server.

90
00:06:41,460 --> 00:06:49,470
We ran the -c 3 command and we got the reply from the OWASP machine, which IP address is

91
00:06:49,620 --> 00:06:51,440
192.168.1.6.

92
00:06:52,410 --> 00:06:59,820
So that means if we... if you got these ICMP packets right here, that means that the website is vulnerable to

93
00:06:59,820 --> 00:07:02,010
the command injection.

94
00:07:02,010 --> 00:07:07,390
Now another thing you might need is, for example, if you have a bunch of packets floating around, there's

95
00:07:07,440 --> 00:07:08,060
a lot of them.

96
00:07:08,100 --> 00:07:15,330
You can filter it out by typing ICMP right here and you will only see the ping packets that

97
00:07:15,340 --> 00:07:20,110
we just... as we can see, first four or five, four, three.

98
00:07:20,210 --> 00:07:25,770
Now the first four packets are basically the packets that we used to ping our router.

99
00:07:25,780 --> 00:07:31,250
And this is the output from our command injection.

100
00:07:31,270 --> 00:07:38,650
So by this we know that the machine is vulnerable and we can proceed with the same process as in the

101
00:07:38,650 --> 00:07:46,910
previous video in order for that vulnerable machine to connect to our own machine.
102
00:07:46,910 --> 00:07:52,970
Now I just want to show you that in the command injection you will most likely have the visible ones, since

103
00:07:53,180 --> 00:07:55,820
it must give some kind of output.

104
00:07:56,240 --> 00:08:02,940
But before I finish with the command injection I just want to tell you a few things, which is, the command

105
00:08:02,940 --> 00:08:08,620
injection, first of all, it can be done both over GET and POST requests.

106
00:08:08,840 --> 00:08:13,430
The example that we had right here was the POST request, I believe.

107
00:08:13,430 --> 00:08:16,720
Let me just check right here.

108
00:08:16,790 --> 00:08:23,810
Let me just check it right here by typing in the IP address of our router and then intercepting the

109
00:08:23,810 --> 00:08:24,320
packets.

110
00:08:24,320 --> 00:08:30,450
I believe this is a POST request. Open.

111
00:08:30,460 --> 00:08:35,650
So here we have, and we can see right here.

112
00:08:35,680 --> 00:08:38,200
Yes, it is a POST request.

113
00:08:38,260 --> 00:08:43,120
So this was an example of POST request command execution.

114
00:08:43,180 --> 00:08:50,920
You can also have it as a GET request, and also with the GET request the user input will be sent

115
00:08:50,950 --> 00:08:52,860
within the link.

116
00:08:52,930 --> 00:08:57,580
So that's how you can differentiate the POST from the GET request: if it was from the GET request,

117
00:08:57,580 --> 00:09:05,040
we would have this IP address at the top here, somewhere in the link right here, but since this is a

118
00:09:05,040 --> 00:09:07,570
POST request we do not have it now.

119
00:09:07,860 --> 00:09:14,100
As we saw in the POST request, the IP address was sent within the HTTP body.

120
00:09:14,110 --> 00:09:15,310
We can see right here.

121
00:09:15,330 --> 00:09:21,960
Here it is, and there are also some of the other values in HTTP headers that can be a potential threat for

122
00:09:21,960 --> 00:09:23,490
the command injection.
123
00:09:23,490 --> 00:09:32,220
Now some of them are, for example, cookies, user agent, as we can see this right here, referer can also be

124
00:09:32,730 --> 00:09:40,680
sometimes vulnerable to the command injection, and also, as we saw, the command injection can be either visible

125
00:09:40,710 --> 00:09:47,480
or invisible. We covered both of those, both visible and invisible.

126
00:09:47,490 --> 00:09:52,520
And I want to show you another very, very famous command

127
00:09:52,570 --> 00:09:59,240
injection vulnerability which is called Shellshock. Now Shellshock,

128
00:09:59,430 --> 00:10:04,650
if you were to boot your OWASP virtual machine into the live version, it would print out the current uptime

129
00:10:04,650 --> 00:10:11,440
of the server, which means it executes something similar to the uname -a command.

130
00:10:11,460 --> 00:10:18,300
So we will not cover that right now since it is very similar to these two attacks, but if you were to

131
00:10:18,330 --> 00:10:25,050
boot this machine into the live version you would see, once you visit the IP address of that machine, it

132
00:10:25,050 --> 00:10:32,240
would print out the uptime of that machine, for example the machine is running for three hours now.

133
00:10:32,580 --> 00:10:38,760
That means that it executed some kind of a command in the terminal in order to show us that option, which

134
00:10:38,760 --> 00:10:42,510
means it could be potentially vulnerable to the command injection,

135
00:10:45,200 --> 00:10:51,950
but if you want to check out the Shellshock you can search it on the internet and

136
00:10:52,010 --> 00:11:00,380
read more about it, and you can also, if you're familiar with the MSF console, you can also use its module

137
00:11:00,500 --> 00:11:02,960
in the MSF, in the Metasploit framework.

138
00:11:02,960 --> 00:11:05,920
I believe it is called something like exploits.

139
00:11:05,960 --> 00:11:07,340
It should be Apache mod.
140
00:11:07,350 --> 00:11:08,100
I'm not really sure.

141
00:11:08,120 --> 00:11:09,490
Let me just check it out right here.

142
00:11:09,500 --> 00:11:11,780
Once the MSF console opens up,

143
00:11:15,040 --> 00:11:16,000
now I'll show you.

144
00:11:16,000 --> 00:11:22,360
Now we didn't cover the Metasploit yet, but just follow up with what I'm doing right now.

145
00:11:22,360 --> 00:11:30,040
It shouldn't be that hard to do. So, as we will not be exploiting, I will just show you some of the options

146
00:11:30,070 --> 00:11:32,970
that Shellshock has, or this module in the Metasploit.

147
00:11:33,460 --> 00:11:44,810
We want to use exploit multi HTTP, I believe, and then Apache mod, and then I just had to complete this.

148
00:11:44,860 --> 00:11:50,170
So once you use that you can type here show options and it will give you some of the options that you

149
00:11:50,170 --> 00:11:59,520
need to specify in order to use this vulnerability. As we can see, the vulnerability CVE-2014-6271.

150
00:11:59,530 --> 00:12:06,540
Now the... as I told you, the part of the header that it is attacking is the user agent part.

151
00:12:06,550 --> 00:12:13,030
So it will send the... let me close Wireshark since we don't need it anymore.

152
00:12:13,180 --> 00:12:20,690
It will send the... the vulnerable command to the user agent field in the HTTP header.

153
00:12:20,920 --> 00:12:24,700
The method that this uses is the GET method.

154
00:12:24,700 --> 00:12:32,360
We need to specify the RHOSTS, which is the victim machine, which is in our case our OWASP machine.

155
00:12:32,370 --> 00:12:39,690
You also need to specify the target URI, and you do that by basically just going to the

156
00:12:40,110 --> 00:12:44,610
target's IP address once it is booted into live mode.

157
00:12:44,970 --> 00:12:50,690
And after you do that you can also set the target, and you can just type here exploit and it should run.
158
00:12:50,730 --> 00:12:53,580
Now I didn't specify anything, so this one won't run for me.

159
00:12:53,580 --> 00:12:56,300
I will just close it right here on the close.

160
00:12:56,340 --> 00:12:56,900
Max.

161
00:12:56,910 --> 00:12:58,950
I just want to show you that it exists as well,

162
00:13:02,510 --> 00:13:08,990
and that would be basically about that, all about the command injection, and in the next video we'll start

163
00:13:08,990 --> 00:13:14,420
off with the SQL injection, which is the number one on websites.

164
00:13:14,480 --> 00:13:19,210
And if you encounter something it will probably be the SQL injection.

165
00:13:19,220 --> 00:13:25,310
It is very dangerous and very common, especially in these small websites, as they do not filter their

166
00:13:25,400 --> 00:13:28,110
user input that well.

167
00:13:28,190 --> 00:13:35,780
And we will do that, and I will show you all of the practical ways to attack that in the next few lectures,

168
00:13:36,470 --> 00:13:39,350
and I hope I see you there, and take care, bye.