Hello everybody, and welcome to this next section, which is the system hacking section.

Now, before we actually start hacking ourselves, let's familiarize ourselves with the Metasploit framework, so that when I, for example, use certain terms, we'll understand them to mean the same thing. Now the Metasploit framework is basically a tool, and it comes pre-installed in Kali Linux. It is used for exploitation most of the time. Sometimes you can use it for scanning. Now there are some of the modules, and payloads, and nops, and all the other stuff that we will talk about, that come already with the Metasploit framework. But before we begin actually using them, let's try to actually make them understandable. And after that we will execute our first exploit.

So as I said, the Metasploit framework is a tool for developing and executing code against a remote target machine. Basically, for Metasploit you actually have the MSF payload creator. We have the Metasploit framework, which is the tool that we will use. You can start it up with a simple command called msfconsole, but don't do it yet, since we have to start something else first. And there is also something called Armitage, which is basically a graphical user interface for the Metasploit framework.
Now the main two things that you will hear most of the time while we are in this section are exploits and payloads. Now I already believe that most of you know what those two are. But just in case, the exploit is the main action type of the attack. For example, if we have vulnerable software running on a target, we can take advantage of it and exploit it, and run our reverse shell or rootkit on it, for example. Now I'll explain what reverse shells and rootkits are.

But basically, for the exploitation process there is a term that you should know; it's called a zero day. Now a zero day for the exploitation is basically an exploit for a vulnerable system that hasn't been discovered previously. That's why it's called zero day: it hasn't been fixed yet. It's still vulnerable; there is still vulnerable software out there. Now those are types of attack that you will most likely not encounter, since discovering zero days only happens a few times during the year. There are different types of zero day. Some can be more dangerous than others. But the most recent one that I heard of was the zero day in 2017, an exploit that basically allowed anyone to access a Windows 7 machine, and I think also a Windows 8 machine, without the user clicking on anything.
So you could just connect to the same network and basically exploit the Windows 7 machine if it has a 445 open port, or SMB open port. It was discovered by some hackers; I believe it was an NSA exploit called EternalBlue. I will also show it to you in the Metasploit framework later on, but that is the basic meaning behind the zero day attack.

Now we will not be discovering zero day attacks, because most of those attacks, if even discovered, can be costly. They can cost upwards of $100,000. So if you were to, for example, discover a zero day, you could sell it for one hundred thousand dollars or more. I believe for the iPhone, if you were to find a zero day for the iPhone, you would get paid one million dollars by Apple! But I only heard that, I'm not really sure if that's true.

But we won't really be getting ourselves into that. We will be exploiting targets with already known exploits and with our reverse shells that we will run on the target. So there is something called a payload, which is basically the reverse shell. So that is something that, after we exploit the vulnerable software, we deliver as its payload. Now we can deliver it to the machine in order for it to give us success or some information back.
Now we will cover all of them in detail in the next lectures, but for now let us actually start up the Metasploit framework and see the environment. Now I would advise you, before you actually type msfconsole, which is the command for starting up the Metasploit framework, let's run service postgresql start. So: service postgresql start. This will make your Metasploit run faster, since it is using the database. Now you do not need to do this if you don't want to, but as I said, it will only make your Metasploit run faster.

So now that we ran this, we can finally open our Metasploit framework. In order to do that you just need to type msfconsole, press enter and wait for this to open. Now since this is a virtual machine, this might take a few seconds to open, depending on your PC speed. And once it does, we will actually cover some of the most basic commands that you will use in order to navigate the Metasploit framework. So let us wait for this to open first of all.

So here it is. The first thing you notice is this banner right here. I believe it is different every time, or something like that. The next thing you see is the available things on the Metasploit framework currently, at this time, which is March 2019. We have 1854 available exploits.
We have 1049 auxiliary modules, 325 post exploitation modules, 546 payloads, 44 encoders, 10 nops, 2 evasion. Now we will cover what all of these are in the next lecture, but for now let us actually see how we can navigate through this framework. Now as we can see, our command line is right here, msf5 >, and here we type our commands.

So the first logical thing that we should do is type help. Now help will give us the available commands that we can run right now. So we can see some of the useful ones would be the use command. You will use it a lot. It's basically: you just type here use, and then the name of the actual exploit that you want to use. So here it is: selects a module by name. But in order for you to select the module you need to know its name. So since we are beginners, we do not know the name of any module. So we can also use the search command in order to find out the modules; it searches module names and descriptions. If you just type here search, and let's say we want to find Windows exploits, so just type here search windows, it will give you all of the available Windows exploits on this Metasploit framework. So let me just zoom out a little bit so we have a better look at this. So these are all of the available modules available for Windows exploits.
As we can see, for example, exploit Windows is a PW3 query, and you can also select that and see more details about it. Now there are lots of them. As I said, there are over 1800 exploits in the Metasploit framework. We will cover only a few of them, since if we were to cover all of them we would make this course thousands of hours long.

Now let's say we want to use, for example, I don't know, let's select a random exploit. Let's say this is auxiliary. Let's take this one. So, for example, exploit/multi/browser/java_rhino. You can select it, you can also see the date that it came out, so 2011, and its performance says Excellent. Now: Java Applet Rhino Script Engine Remote Code Execution. So in order to pick that exploit we simply just type use, and then paste the name of the exploit itself, and just press enter here. And you can see that you typed the correct name for the exploit once there are red letters in these brackets. So it means this exploit exists.

Now for this selected exploit we can see its options with the show command. So show options will give us all of the options for this exploit and what it requires in order to run. So we can see module options exploit/multi/browser/java_rhino. And then we can see server host 0.0.0.0. This is our required field, so you need to specify this if it is not specified.
The description for that field: the local host to listen on. This must be an address on the local machine or 0.0.0.0. Now server port is 8080, the current setting; it is also a required field, the local port to listen on. And other things such as SSL, SSL certificate, and URL path are not required. As we can see they're all under no; you do not need to specify them in order to run this attack.

Now down here we have the exploit target. So in order to check out your available targets you can just type show targets, and it will print out a list of all of the targets available for this exploit. So we can see this exploit: we can run Java payload, Windows universal, Apple OSX and Linux x86. So basically it can run on any platform.

For example, if you didn't know much about this exploit, you would want to find out more about it. You can do that with show info options. So this will print out what exactly this exploit is. So you just type here show info. Yeah, let's scroll up to the beginning. It will say name, module, platform. It will basically give us the output of the command before. So available targets, check supported: No, it doesn't have an auxiliary module that will check if this exploit exists.
Basic options are also something that we saw with the previous commands. Payload information and description. Now description is most likely something that you will search with this command. So: this module exploits a vulnerability in the Rhino script engine that can be used by a Java applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java, for example Firefox, Google Chrome and so on.

You can see some of the other references right here. So if you were to copy this link, let us copy the first link. Let's see, open link. Not really sure if it works like that. So, open link, it's ready. And it will lead you to a page where you can, for example, read more about this payload. Pardon me, about this exploit. So as soon as this loads you will be able to, I believe it is a Rapid7 website, not really sure where it is taking us, but it should take us to a page where this exploit is in greater detail. So vulnerability type: we can see that its score is 10.0. So this is a very serious exploit right here. And basically let's not just bother ourselves with all these options right here. You can read it if you want to.
You can also try to visit other sites as well that also explain this exploit in great detail. But we will not be doing that at the moment.

Now if you want to deliver, for example, a payload with this exploit, you would see your available payloads with show payload options. Show payloads. I believe it's spelled like that. So show payloads will give you your available payloads for this exploit. So for example you cannot use our reverse TCP exploit payload in here, since it is not specified in show payload options. You can only use all these other options available, or payloads available. Once you check out all of these payloads, and once you choose one, in order to set it you would have to type here set, and then payload, and then space, and then you basically just copy any payload you want. So let's copy this one, or the payload that you chose, and you set that payload. As we can see, we successfully set the payload with this command. If you were to mistype it, it would say no such payload available.

Now after we select a payload you want to show options once again, and you will see that we also have some of the additional options for our payload. Now most of the time you will see these two options: one of them is LHOST, and one of them is LPORT. Now the LHOST is basically, as it says over here, the listen address.
So it is basically your Kali Linux machine, since you are listening for the connection back from the target machine. The LPORT is the listening port on which you're listening, which by default on Metasploit is most likely 4444. So in order to run this you would set LHOST 192.168. Let me just first check my IP address, which is .1.7, and you would set LHOST to 192.168.1.7. Show options. And now we can see everything is set, and now you would be able to run this payload or exploit against your target, if you find a vulnerable one.

Now I will not be running this exploit, since I don't really have a vulnerable target, but I just wanted to show you some of the commands that you will use in order to select your exploits. And we will actually exploit and run some scanners in the next sections, right after we actually cover the basic structure of the Metasploit framework itself. I will explain what nops, encoders, payloads, exploits, and post exploitation tools are in the next video.

But before I finish this one, you might have noticed that I actually typed here ifconfig. Let me just type it once again, since I forgot the g. If it were to give me my command tool back. So ifconfig, and it actually outputted me my ifconfig command.
So you notice that you can actually run the system commands from this command tool. So you can run all of the commands that you can run from a simple terminal in the Metasploit framework command line. So you can also run nmap or netstat, and you can also run anything from this command tool as well. So you do not need to call Metasploit while performing the attack or any other scan that you want to perform.

So that would be about it for this introductory video. Now you might still be wondering about some of the things; don't worry, we will also cover them in greater detail in future videos. Right now I just wanted to show you the simple environment of the Metasploit framework itself, and some of the more important commands that you will be using. So I will explain the modules that we have in the Metasploit framework in the next lecture, and I hope you're there. Bye!