1
00:00:00,180 --> 00:00:05,760
Hello everybody and welcome back to the next lecture in the Metasploit framework, or system hacking,

2
00:00:05,760 --> 00:00:06,390
section.

3
00:00:06,390 --> 00:00:13,380
So let us actually take a better look at the structure of the Metasploit framework itself.

4
00:00:13,440 --> 00:00:18,320
So in order to do that, let us first exit the command tool.

5
00:00:18,540 --> 00:00:20,060
Let me clear the screen.

6
00:00:20,070 --> 00:00:25,650
And the first thing you want to know is where all the modules, encoders, payloads, exploits are actually

7
00:00:25,710 --> 00:00:26,910
stored.

8
00:00:26,910 --> 00:00:29,920
So they are stored in /usr.

9
00:00:30,650 --> 00:00:39,860
Let me just cd /usr/share, and then you go to the metasploit-framework directory.

10
00:00:40,050 --> 00:00:44,850
Once you change directory to that, you can just type ls and you will see a bunch of these files,

11
00:00:45,330 --> 00:00:53,020
and I will show you which are the more important ones and the ones that we will use.

12
00:00:53,110 --> 00:00:54,760
Now, let's see, first of all.

13
00:00:54,760 --> 00:00:59,920
So the first one is msfconsole, let me just find it, which is right here.

14
00:00:59,920 --> 00:01:06,040
We used it in the previous video. It is the program used to run the console itself and actually perform

15
00:01:06,040 --> 00:01:07,570
the attacks.

16
00:01:07,570 --> 00:01:12,270
Now another important one is msfvenom.

17
00:01:12,280 --> 00:01:17,320
Now this program we will use in order to create our payloads,

18
00:01:17,590 --> 00:01:20,320
our meterpreter shells and backdoors.

19
00:01:20,530 --> 00:01:24,220
So we do that with this command line right here.

20
00:01:24,310 --> 00:01:29,480
And also you can update your Metasploit framework with the msfupdate command.

21
00:01:29,500 --> 00:01:33,550
Most of the others are not so important at the moment.
22
00:01:33,550 --> 00:01:34,540
Now if you want,

23
00:01:34,580 --> 00:01:39,730
it's good to know that the Metasploit framework and all of the exploits are written in Ruby, which is

24
00:01:39,730 --> 00:01:42,480
a programming language similar to Python.

25
00:01:42,670 --> 00:01:46,570
So if you know that language, it is also a plus.

26
00:01:46,570 --> 00:01:52,840
Now in order for you to find all of the exploits and payloads, you need to go to the modules directory.

27
00:01:53,380 --> 00:01:57,750
Everything is stored in there. So if you go into modules, and

28
00:01:57,820 --> 00:02:02,580
type ls here, you will see that we have all of the things that I talked about before.

29
00:02:02,590 --> 00:02:08,470
So we have auxiliary, encoders, evasion, exploits, nops, payloads, post.

30
00:02:08,500 --> 00:02:18,430
Now let us explain all of those in detail. So exploits, as we said before, are basically used to target

31
00:02:18,510 --> 00:02:22,540
vulnerable software running on a remote machine.

32
00:02:22,540 --> 00:02:32,020
So let's actually change our directory to exploits, cd exploits, and type ls, and you will

33
00:02:32,020 --> 00:02:37,480
notice that you have different exploits for different types of operating systems and different types

34
00:02:37,480 --> 00:02:38,940
of platforms.

35
00:02:38,940 --> 00:02:46,190
So for example you have Linux, Windows, Unix, Solaris, Android, Apple exploits.

36
00:02:46,660 --> 00:02:49,400
Also browser exploits, as we see Firefox.

37
00:02:49,630 --> 00:02:53,950
There are a bunch of these separate directories for different types of exploits.

38
00:02:54,250 --> 00:02:59,440
So let's actually try to find the exploit that I talked about in the previous video. The one for the

39
00:02:59,530 --> 00:03:07,510
Windows 7 and Windows 8 machine, I believe, which is the EternalBlue exploit from 2017.

40
00:03:07,540 --> 00:03:09,100
It is a Windows exploit.
41
00:03:09,580 --> 00:03:16,810
So we go to windows, and we type in ls, and there is a further division between all of these exploits,

42
00:03:16,900 --> 00:03:24,970
as we can see right here. Some of them are mostly divided by the port number, or the servers that are

43
00:03:25,000 --> 00:03:26,320
running on a certain port.

44
00:03:26,320 --> 00:03:28,400
For example, we can see http,

45
00:03:28,600 --> 00:03:30,450
it is running on port 80.

46
00:03:30,490 --> 00:03:36,130
We can see ssh, port 22. ftp, port 21.

47
00:03:36,220 --> 00:03:42,190
We can see smb, port 445 I believe, or something like that.

48
00:03:42,310 --> 00:03:50,500
So let us go to smb, since that is where the EternalBlue exploit is. If I type ls here, you will see

49
00:03:50,530 --> 00:03:54,010
a bunch of these different exploits used for smb.

50
00:03:54,570 --> 00:03:59,110
Now here it is, the eternalblue_win8.rb exploit.

51
00:03:59,110 --> 00:04:06,610
We also have the regular EternalBlue exploit. And all of these are .rb, which basically means that

52
00:04:06,610 --> 00:04:12,040
they are Ruby files. And the Ruby exploits are just written in Ruby, as I said before.

53
00:04:12,130 --> 00:04:16,570
So if you wanted to, you could actually nano some of them in order to see what they look like.

54
00:04:16,630 --> 00:04:22,240
So ms17... let's see what EternalBlue looks like.

55
00:04:22,250 --> 00:04:28,760
So .rb, and we can see the code of the exploit itself.

56
00:04:28,870 --> 00:04:36,920
So it is written in Ruby, as I said. You can check out a bunch of these things right here.

57
00:04:36,930 --> 00:04:42,930
Now I do not know Ruby, so I will not actually be explaining what all of this does. It is similar to

58
00:04:42,930 --> 00:04:51,060
Python. You can actually understand it if you have learned some programming languages before. But

59
00:04:51,180 --> 00:04:56,430
for now, I just wanted to show you the simple code behind this exploit.
60
00:04:56,430 --> 00:05:04,710
So let's close this, and let's actually go back to the modules. So we change our directory back to

61
00:05:05,130 --> 00:05:11,540
modules, and let's talk about, for example, the payloads section.

62
00:05:11,540 --> 00:05:17,390
So for the payloads directory, let's first change the directory to payloads, and type ls in

63
00:05:17,390 --> 00:05:19,240
order to see what we have.

64
00:05:19,280 --> 00:05:22,720
And here we have different types of payloads.

65
00:05:22,760 --> 00:05:28,080
As I said before, those are files that we send to the victim. For example, backdoors.

66
00:05:28,160 --> 00:05:30,690
Now as we can see, there are three types right here:

67
00:05:30,690 --> 00:05:39,290
singles, stagers and stages. Now singles are basically smaller payloads, and they're

68
00:05:39,410 --> 00:05:43,850
used to actually perform only one action.

69
00:05:43,860 --> 00:05:45,920
Stagers right here,

70
00:05:46,010 --> 00:05:52,310
they can be used to deliver another payload. And these stages are some of the larger exploits, or not

71
00:05:52,310 --> 00:05:53,870
exploits, some of the larger payloads,

72
00:05:53,870 --> 00:05:59,360
pardon me. For example, the meterpreter shell that we will use in most of our attacks.

73
00:05:59,510 --> 00:06:05,990
Now what is a meterpreter shell? That is basically a shell with a bunch of different options that we can use

74
00:06:06,420 --> 00:06:14,720
after we exploit the remote system. So we can actually screenshot the desktop, we can run a

75
00:06:14,720 --> 00:06:15,260
keylogger,

76
00:06:15,260 --> 00:06:21,560
we can bypass antivirus, and we can do a bunch of stuff like this with the meterpreter

77
00:06:21,560 --> 00:06:22,300
shell.

78
00:06:22,580 --> 00:06:25,070
So it gives us a bunch of options to use.

79
00:06:25,070 --> 00:06:28,630
We can upload other payloads as well with meterpreter.
80
00:06:28,640 --> 00:06:34,250
We can download files, upload files and do some other things that we will cover in the next tutorials.

81
00:06:34,250 --> 00:06:37,450
So that'll be about it for the payloads.

82
00:06:37,480 --> 00:06:39,300
Let us check what else we have.

83
00:06:39,710 --> 00:06:41,250
So we have auxiliary.

84
00:06:41,300 --> 00:06:47,570
So let us go to the auxiliary modules and just type ls here, and you will see that they're also divided

85
00:06:47,600 --> 00:06:54,330
into different types. So we have fuzzers, spoofers, sniffers, different types of auxiliary modules.

86
00:06:56,090 --> 00:07:00,620
But most likely auxiliary will only be scanners that you'll run on a target.

87
00:07:00,620 --> 00:07:06,320
So for example you can scan whether your target is vulnerable to some type of attack. And sometimes auxiliary

88
00:07:06,320 --> 00:07:08,360
modules are also used to brute force,

89
00:07:08,360 --> 00:07:14,240
for example, SSH, Tomcat, and other different stuff that we will also cover in the next video.

90
00:07:14,240 --> 00:07:16,720
So that'll be about it for auxiliary.

91
00:07:16,760 --> 00:07:23,510
You can check out all of these other subdirectories, if you want to, and see what they have in them.

92
00:07:23,510 --> 00:07:30,480
For example, go to fuzzers. In ssh you will also have some of the

93
00:07:30,830 --> 00:07:39,230
auxiliary modules written in the Ruby language. So that'll be about it for auxiliary.

94
00:07:39,260 --> 00:07:41,780
Now let's talk about the encoders.

95
00:07:41,780 --> 00:07:49,830
So if I type ls here, you will see the encoders. Let's go to that directory. Type ls here once again,

96
00:07:50,000 --> 00:07:56,420
and these are the encoders for different types of machines. So encoders are mostly used

97
00:07:56,420 --> 00:07:58,280
to bypass antiviruses.
98
00:07:58,340 --> 00:08:04,820
Now you can change how the code looks with the encoder, or you can scramble the code, and then the antivirus

99
00:08:04,820 --> 00:08:08,130
database can't recognize it.

100
00:08:08,140 --> 00:08:14,000
Now how the antivirus databases work, or basically how most antiviruses work, is they have a

101
00:08:14,000 --> 00:08:21,830
huge database where they have all of the known exploits. All of the known viruses,

102
00:08:21,860 --> 00:08:26,330
Trojans and malware, basically, that they have in their database.

103
00:08:26,360 --> 00:08:34,580
And once you run one of the programs on your PC which is malware, and it is also known

104
00:08:34,580 --> 00:08:38,840
to that database, your antivirus will prevent it from running and it will delete it.

105
00:08:39,230 --> 00:08:45,800
But if you, for example, change the code a little bit and scramble the code, or even better write the malware

106
00:08:45,860 --> 00:08:47,000
yourself,

107
00:08:47,000 --> 00:08:52,910
most likely most antiviruses won't be able to detect it, since it is the first time that they see

108
00:08:53,060 --> 00:08:58,760
code like that. And that code is not in their database, so therefore they cannot really detect that

109
00:08:58,760 --> 00:09:05,900
code. And then they run it as a normal program and not as malware. That's why,

110
00:09:05,940 --> 00:09:06,380
...

111
00:09:06,380 --> 00:09:10,330
that's why coding your own malware is a big advantage.

112
00:09:12,550 --> 00:09:17,560
So that would be about it for the encoders. We will also show how to use them later on.

113
00:09:17,770 --> 00:09:20,220
But for now let's just explain all of this.

114
00:09:20,220 --> 00:09:27,280
So post right here is basically some of the tools or programs that you will use after you exploit

115
00:09:27,310 --> 00:09:28,570
the target.

116
00:09:28,570 --> 00:09:32,360
For example, you send meterpreter, which is a reverse shell that we will use.
117
00:09:32,430 --> 00:09:36,220
You can upload from the meterpreter other post-exploitation programs that

118
00:09:36,220 --> 00:09:41,560
you can use together, for example password gathering, or basically any other information gathering you

119
00:09:41,560 --> 00:09:47,930
want. You can gather, for example, cookies if you want to from a certain browser.

120
00:09:47,980 --> 00:09:56,600
The thing that you might not really know is nops. Well, basically, if you have ever encountered

121
00:09:56,620 --> 00:10:03,340
assembly code, or if you're an assembly programmer as well, you will most likely know what a

122
00:10:03,340 --> 00:10:04,270
NOP is.

123
00:10:04,540 --> 00:10:06,850
It is short for no operation.

124
00:10:06,880 --> 00:10:13,200
It is basically an instruction in assembly language, and it just performs no operation.

125
00:10:13,210 --> 00:10:20,510
Now this is most popularly known on x86 chips as the 0x90 byte.

126
00:10:20,510 --> 00:10:25,990
So this is the byte of the NOP instruction.

127
00:10:25,990 --> 00:10:30,860
When a processor loads this instruction, it simply doesn't do anything.

128
00:10:31,060 --> 00:10:35,620
It basically just skips the instructions until it comes to the next useful instruction.

129
00:10:35,740 --> 00:10:36,230
It doesn't,

130
00:10:36,230 --> 00:10:41,320
it just does nothing for one cycle, and then advances the register to the next instruction.

131
00:10:41,320 --> 00:10:44,710
Now why are these nops useful?

132
00:10:44,710 --> 00:10:48,620
Well, basically the nops keep the payload size consistent.

133
00:10:48,640 --> 00:10:53,520
The practical importance of this has to do with writing instruction jumps.

134
00:10:53,530 --> 00:10:59,530
Now if you do not know what instruction jumps are, it doesn't really matter that much. But jumps can either

135
00:10:59,530 --> 00:11:07,540
be relative or absolute. Basically, if you move data around at all with an absolute jump, you

136
00:11:07,540 --> 00:11:13,210
must recode an absolute jump to it. If you move one instruction around relative to another, you must also

137
00:11:13,210 --> 00:11:18,810
recode the relative jump. Putting in nops basically simplifies the problem, because a jump that

138
00:11:18,820 --> 00:11:24,400
lands anywhere in a series of nops will continue on to the first executable instruction, and prevent the

139
00:11:24,400 --> 00:11:30,010
processor from reading invalid code that could stop execution and crash the software.

140
00:11:31,630 --> 00:11:37,750
So basically, from all of this you just need to remember that a nop is an instruction which is referred

141
00:11:37,750 --> 00:11:44,110
to as the byte 0x90, and basically doesn't do anything.

142
00:11:44,170 --> 00:11:46,530
So, that's what you need to know.

143
00:11:46,630 --> 00:11:53,590
We will probably use it later on in some other section. But for now this would be enough for you to

144
00:11:53,590 --> 00:11:59,710
understand the basic structure of the Metasploit framework, and in the next lectures we will actually start

145
00:11:59,800 --> 00:12:05,170
covering some of these scanners and exploits that we can use on our vulnerable targets.

146
00:12:05,170 --> 00:12:11,020
So that would be it for this tutorial, and I hope I see you in the next one. Bye!