Hello everybody and welcome back. And right now let us see some of the post exploitation modules that you can run after you fully exploit the target. So in the previous videos we saw how we can gain access to system privileges on a Windows 10 machine, and we also saw how we can actually prevent anyone from doing that on our own machine. But right now let us see some of the post exploitation modules that we can use. So, right here if we type sessions, I have two sessions. One of them is the 4 and one of them is the 5. One has the system privileges. Well, not yet, but the getsystem command will work on the 5, since I used the fodhelper exploit. And the 4 one we can close since that is the first session that we have open, so sessions -i 4, and we can exit that. Now we clear and we enter sessions -i 5, getsystem. I already covered all of this. And right now if I type here getuid, we are the system privilege account. So, first of all, there is a module that is called sniffer which allows us to basically sniff packets from our target machine. The meterpreter has the capability of packet sniffing the remote host without, basically, touching the hard disk. And it is useful when we want to monitor what type of information is being sent. And even better, this is probably the start of multiple auxiliary modules that will ultimately look for sensitive data within the capture files.
Now the sniffer module can store up to 200,000 packets in our ring buffer and supports them in a standard pcap file format so you can process them using Wireshark later on, for example. So once we exploit the target, basically, what you want to just type here is use sniffer, and it will say loading extension sniffer...Success. So the thing we want to do right now is to check our available options with the help command. And right here at the bottom we will see that it added the sniffer commands, which are sniffer_dump, sniffer_interfaces, sniffer_release, start, stats and stop. Now before we begin the sniffing we actually want to see the available network interfaces on the target. So, if we just type here sniffer_interfaces... sniffer_interfaces. Let me just see why this is the incorrect function. Copy, sniffer_interfaces: Operation failed: Incorrect function. Let me just type here sniffer_dump...sniffer and then maybe this? So it doesn't want to work, not really sure why. Thought it would work. Let me just type help once again and type sniffer_interfaces. Okay, so this one doesn't work for some reason, but luckily we have an alternative for this. So the alternative is the packet recorder. So we will just type here run packetrecorder, and it will run a module packet recorder for us.
As we can see it basically even gives us our available options at the start of it. So, meterpreter scripts are deprecated. Tried post/windows...okay. So these are just some of the options that we can do. Now below we have the commands list. So, what we want to do is check the running interfaces, something that we tried with the sniffer command but it simply didn't work. So, let us try with this one. Maybe this one will work. So packetrecorder, I believe we should specify -li. Specify the alternative folder to save PCAP files and interface ID number where all packet captures will be done. So it will show us, I believe, our available interfaces right now. Meterpreter script starting on interface 1. Error starting packet capture: Operation failed: Incorrect function. Not really sure why it gives us these options... maybe I'm specifying something incorrectly? The -Li...oh, so it's the capital L. I remembered it to be the -Li. So the capital L is actually the listing of interfaces that can be used for capture. But it still says incorrect function. We can see right here it actually uses the sniffer interfaces function, that's why it doesn't work. That's why this one doesn't work as well. Now you can try on your own PC, maybe this will work for you.
Basically, what you want to do is select first the interface, and then start sniffing into the .cap file. Then you can see all of the packets that the target processed, in the current time, in the PCAP file, where you saved it, via Wireshark. But right now we won't really bother with this anymore. What we want to do is basically use a module that, for example, works, such as let's say we want to run an ARP scanner on the target. So run, the module is called post/windows/gather/arp_scanner. And then we want to select the RHOSTS which we want to scan. And let's say we want to scan 192.168.1.1/24, which, I believe, will basically scan all of the hosts and their MAC addresses. It will print us everything that is currently on our local network. As we can see, ARP scanning is running and it found these five devices. Now I believe there won't be really any more devices, these are all that are currently on my network. As we can see, the Huawei router right here, my laptop which is at 1.15, Windows 10 machine, this is the Kali Linux machine and this right here I have no idea what it is. Yeah, this is another interface for our Windows 10 machine. So this is the wireless interface for the Windows 10 machine. Good! So this is another useful thing if you want to see the devices on the target's network.
If you are not on the local network you won't be able to see other devices, in case you're doing this attack over the internet. So this is just a local attack for now, and I will show you later on how you can port forward and actually run this attack all over the world if you want to. In another continent, for example. Now let me just see if this is finished. We will close it since it doesn't seem to finish. Maybe it just takes a lot of time to scan all of the 255 hosts. But the next module I want to show you...let me just background this and clear this a little bit so you can see it a little bit better. So the next module I want to show you is an important one. It is used many times by hackers in malware where they want to check if the current malware, or current virus, is running in a virtual machine. Now why does this function exist? Well, basically the hackers want to run a function that will check if the virus has been opened in a virtual machine. That will probably mean that someone is trying to reverse engineer that virus, and uses a virtual machine to do that. So then the virus, for example, once it sees that it is actually running in a virtual machine, it just decides not to run anymore. And then the user that actually tries to reverse engineer the malware can't really see what the malware is doing, since it refuses to run, since it saw that it is in a virtual machine.
Now in order to check if your target is running on a virtual machine you can just run post/windows/gather/checkvm, which checks for a virtual machine. And this will check if our Windows 10 is a virtual machine, which it isn't, as it says right here. Desktop appears to be a physical machine. So this means that our target is not running Windows 10 on a virtual machine. Which is correct since we are not. The next one which could also be useful is the credential collector. It will basically give you the hashes of the accounts on the Windows machine. So the module is called run, so just type here run. Basically, the run command just runs the module that you specify after that. And then post/windows since we're on the Windows machine. Gather since we're gathering some credentials, so we specified credentials. And then credential_collector. And hopefully this will print out all the hashes for our accounts. So, running module...error accessing hashes. Did you migrate to a process that matched the target's architecture? What do you mean by that? Did you migrate the process...but we can try another one which is basically giving us the hashed password of the administrator, I believe. So it is called, let me just check, I believe it is called something like this.
So, post/windows/gather, now most of these post exploitation tools will start with post/windows/gather. And then what we want to do is hashdump. Let's see if this one will work. Obtaining the boot key...calculating the hboot key, obtaining the user list and keys. Okay, and this one did work. We were able to get the hashed passwords. Now for example, you can then copy some of these. You can, for example, copy the administrator, so just copy this one right here. And you would be able to use another module in Kali Linux called psexec, which is also in the Metasploit module, in order to set the SMBPass to be this hashed value right here. And you would be able to exploit over port 443 with the SMBPass. So you just set this hashed value as the SMBPass in that module, and you will be able to get another meterpreter shell with that. So that is also a useful thing to do. The next thing that you want to do is basically another module that we can run, which is basically the dumplinks module. It basically parses the .lnk files in recent documents, which could be useful for further information gathering, for example. So in order to do that you can just type here run post/windows, and then you can just type gather/dumplinks. I believe it is like this. So you just run this and it will give you all of the...
The specified script could not be found: post/windows/gather/dumplinks. Okay, so it doesn't matter, it is not that important of a module anyway. We will not be bothering ourselves to find it right now. What we can do is we can see all of the applications that are installed on a compromised host. So, you do that with this module, run post...yeah, and this is probably the reason why it didn't work. I specified the slash in the front which I shouldn't have, but it doesn't really matter at the moment. We'll just go to the next one. So post/windows/gather and then enum_applications, and this will print out all of the applications installed on the host that you have hacked. Which could be useful for you in order to see what the host has up and running, and what the host has installed. So we can see there are a bunch of these since this is a real machine that I used before. We can see WinPcap, WinRAR, a bunch of the Visual Studios, and so on and so on. Now I'm not really sure what these numbers right here are. Oh, this is the version. So it even gives you the version of the programs running. So we can see a bunch of Python versions, OpenOffice, Razer Cortex, and a bunch of these different applications.
Another post exploitation module that you can use is enum_logged_on_users, which returns the listing of current and recently logged on users along with their SIDs, which would be useful for you. So you just type here run post/windows/gather/enum_logged_on_users, and this should print out all the users that have recently logged in. So running against session 3 we can see right here that one of them is the system, and one of them is the user account. So, it even saves this into a file at this location right here. So root, and then the Metasploit 4, and then here. So you can delete it if you want to. It even saves the file right here at this location and this path. You can check it out in there if you want to, or you can delete it. So that would be about it for this module for now. Now in the next video I will show you how you can actually run the same attack that we did right now over the Internet. So this is only a local area attack. What you want to do is do a port forwarding on your router and actually perform the same attack. So I will show you how to do that in the next video and I hope I see you there.