[00:00:00] Hello everybody and welcome back. Right now what we want to do is basically just start with some of the auxiliary modules that are in the Metasploit framework. So we want to basically scan the machine with msfconsole. Let us first of all start msfconsole. Now, if you didn't start postgresql before this, start it so this can run faster. But while this is starting I also want to start my OWASP virtual machine.

[00:00:31] Now if you installed Metasploitable before, whether it is Metasploitable 1 or Metasploitable 2, you can also run that one as well. As I said before, I cannot get Metasploitable to run for some reason, so I am using OWASP. I will show you some of the attacks you can perform on Metasploitable as well, so those of you who are opening that machine right now can also do something. Some of the attacks are also similar for OWASP and for Metasploitable, so just start any of those two machines. I will make sure to mention when the attack is directed at Metasploitable and when the attack is directed at the OWASP virtual machine.

[00:01:13] So we wait for this to open. This shouldn't take too long; as we remember, this is a virtual machine.
[00:01:20] It will prompt us to enter our username and password, which I believe is username root and password owaspbwa. Let me just see if this has opened. OK, so this has opened. We get the standard command line tool, and we also get this banner right here. So let us first log in to OWASP. Hopefully it will prompt us for the username and password soon enough. Here it is. So the username is root and the password is owaspbwa. So, owaspbwa. And now we are good to go.

[00:02:01] Let us just first check the IP address of this so we know it. So the IP address of our OWASP virtual machine is 192.168.1.2. Good.

[00:02:11] Now, as I said before, you can run a bunch of different commands, or basically all the commands we run from our regular terminal, you can also run from the Metasploit framework command line. So what we want to do is first clear the screen, and then let's take a good scan of the OWASP virtual machine. We covered nmap before, so what we want to do right now is nmap -sV so we can get the version of the services running on certain ports, and then we specify the IP address of our OWASP virtual machine, or in your case, if you're using Metasploitable, of your Metasploitable machine.
[00:02:52] So execute this, and now we wait for this to finish. It should prompt us with all of the open ports. It should prompt us with the services running on the open ports. And it should prompt us with the version of those services running, which can be useful especially when you use the Metasploit framework. So what we will do is try some of the certain attacks on this.

[00:03:15] Now we can see that the scan has finished in 18.3 seconds. So we get the open ports, and let's start off with the SSH port. There are a bunch of these other ports here, such as 139 and 445 running Samba smbd versions 3 to 4, which is also vulnerable software. You also have it on Metasploitable, I believe, the same version. I will show you how you can exploit it later on.

[00:03:44] But for now, let us start off by trying to get in over SSH. So we can see that the service running is SSH on port 22, and the version is OpenSSH 5.3p1 Debian 3ubuntu4. So what we will do is use the auxiliary module that is in the Metasploit framework, and we will try to brute force the SSH on port 22 of our OWASP virtual machine. Or, if you're running Metasploitable, once again, from your Metasploitable the process is the same. So let us try searching SSH.
[00:04:22] Now this will print all of the available exploits, auxiliary modules, and post-exploitation modules for SSH. Let us scroll up a little bit, since we do not want post and we do not want exploit. We want some of these modules right here. So auxiliary/dos: we have the auxiliary/dos/windows/ssh... Not really sure what that is. It says multi-server key exchange denial of service. OK. But this is on Windows, so we do not really need it.

[00:04:53] What we are searching for is a scanner, and the scanner has to be the login one. So here it is: auxiliary/scanner/ssh/ssh_login. Now it does not have the date when it came out, it is ranked as normal, and it says SSH login check scanner, which basically means the SSH bruteforcer. You can also, for example, check the SSH version before you start that. So auxiliary/scanner/ssh/ssh_version, the SSH version scanner; let's first of all start with that one. I believe it will give us the same thing that nmap gave us, which is the version of SSH. Now you can use this instead of nmap, since sometimes nmap won't give you the version, and I believe this one is actually more detailed.

[00:05:43] So, as we saw in the previous videos, in order to pick any of these you just type use and then the name of the module itself.
[00:05:50] So use auxiliary/scanner/ssh/ssh_version. And what we want to do is show our available options. So we can see that we have four different options and they are all required. Most of them are already selected for us. So RPORT, for example, is selected as 22, which is good; SSH is most likely always, and also by default, running on port 22. If it is not, you would want to change this. THREADS is the number of threads basically running during this process. Now the more threads, the faster this process will go. So depending on the power of your virtual machine you can select, for example, let's set THREADS 3.

[00:06:39] Now we also covered the set command, so you set basically all of these options with just the set command, and then the name of the option you want, and then the number. So we want three threads. So if you were to, for example, type show options right now, you would see that the threads are now set to 3. The only thing that we need to set right now is RHOSTS. RHOSTS is basically the target address for our OWASP virtual machine. It is basically the IP address of your target. So set RHOSTS; we know it is 192.168.1.2, and now if we show our options again in order to check that everything is good, we will be able to run this.
[00:07:26] Now if you just run this, so just type in run, this will probably... here it is. This will print out the SSH version that is running on the target software, or on target port 22. As we can see, SSH version this one, and it gives a bunch of other options as well that could potentially be useful to you.

[00:07:49] Now this is a simple scan that we did for the first one, but now let's actually try to brute force this SSH on port 22. So let us go to our available auxiliary modules, and what we want to use is the SSH login one. So just select auxiliary/scanner/ssh/ssh_login, copy it, let us go down here, and let's do use and then our module. So copy, paste it, and then we can see that it changed the module. So let's clear the screen so we can see stuff a little bit better, and let's show our options.

[00:08:30] Now you can see, unlike the last one, this one has a lot of different modules, not modules, a lot of different options that we need to specify. Some of them are required and some of them are not. For example, BLANK_PASSWORDS is not required. BRUTEFORCE_SPEED is required and we will actually set that to five. There's no need to actually make that more. I mean, we will first of all use our simple password lists, so we will not need a higher speed for this. The next things we need, these are all not required.
[00:09:12] Password to authenticate with, no. Well, basically you would use this if you already knew the password, so you see the point of this option right here. What we do want is RHOSTS, same as in the previous scan. So just type set RHOSTS and then the IP address of our target machine. So 192.168.1.2, I believe. Let me just check it once again. Yeah, it is .2.

[00:09:42] And also what you would want to set, basically let's set again threads to be 3. So set THREADS 3. RPORT is correct and it is 22. STOP_ON_SUCCESS is false: stop guessing when a credential works for a host. So you want to set this to true, since there is no real point in continuing the brute force, unless you want to on multiple accounts, after you find hosts that actually work, so credentials that are useful. So we type set STOP_ON_SUCCESS, and you can just press tab in order for it to fill in the rest of the name, and you can set this from false to true. And we can see that STOP_ON_SUCCESS is now set to true for both.

[00:10:30] You also want to set VERBOSE to true so you can see all of the attempts that are running. Now you do not need to; basically, I always set it to true so I can see the attempts of a brute force that we covered already. So just set VERBOSE.
[00:10:49] Again, you can press tab to finish, and then true. And now if I type show options once again, we should have all of our options set and ready to go. Now I believe there is something else we need to use, which is the... Yeah, of course, we are not set to go. We need to use a password list, since this doesn't have a password list pre-specified, I believe. So what we want to use is basically... let us try to find our simple password list.

[00:11:20] So let's open up a second terminal. So, new window, and we know that there are some passwords in /usr/share/wordlists. Now let me view this, or zoom this in. If I type ls here, you can see a bunch of these; of course we won't use something like rockyou.txt, it would take forever. These large password lists are most likely the best choice for Wi-Fi cracking. For brute forcing it's really not that good of a choice, since it's not as fast as Wi-Fi cracking. It's not nearly as fast.

[00:11:59] So what we want to do is go to the metasploit directory, type ls here, and we will see some of the password lists that are in Metasploit. So we can choose any, basically any we want. So we do not need to really crack the SSH, we just need to show you the process of cracking it, and we will choose any password list we want.
[00:12:18] So let's say we choose, for example, this one, mirai_user_pass.txt. Now what that means, I believe, is that it also has both user and password. Yeah, it has both user and password separated by a space. So we will use that, and we will see the available option for that right here, which would be the user pass file: file containing users and passwords separated by a space, one pair per line, which is exactly what we selected. So we need to set this option right here. So let us set that option: set USERPASS_FILE and then we specify the path to the wordlist. So it was /usr/share/wordlists/metasploit and then mirai_user_pass.txt. So we set the path to our brute force list, or basically password and username list.

[00:13:30] And now if we clear and show options once again, I believe now we should really be good to go. So let us run this. We press run here and it should start brute forcing the SSH on port 22. As we can see it is trying different types of usernames and passwords. It is going by that list that we specified. So these are all failed ones. And if it reaches one that actually exists, it will stop and it'll prompt us with a success.
[00:14:06] So here we can see root:admin, admin:admin, root:root, and some of the other passwords. Now I'm not really sure how many passwords are in this list, so we will not be waiting for this to finish. I just wanted to show you some of the different types of SSH auxiliary modules that you can use. So we saw how we can actually scan the version of SSH. We also saw how we can brute force the SSH.

[00:14:31] Now you can actually try this both on Metasploitable and on the OWASP machine. I'm not really sure if this password list has the username and password for those machines, but it doesn't really matter, since the process of attacking is the most important. So now you can use any password list you want and actually hope that you will brute force the SSH.

[00:14:58] So, that would be it for this tutorial. In the next tutorial we will cover another auxiliary module that we will use to attack another service running on our OWASP virtual machine. So that'll be it for this tutorial, and I hope I see you in the next one. Bye!