1
00:00:00,800 --> 00:00:06,890
So the last step of our scenario is to find other systems which have NTLM or LanMan authentication

2
00:00:06,890 --> 00:00:08,330
mechanisms on the network.

3
00:00:08,990 --> 00:00:12,080
Well, that'll be all Windows systems in general.

4
00:00:13,100 --> 00:00:20,000
So as the first step, I'd like to run an Nmap query with OS detection to find the Windows devices on

5
00:00:20,000 --> 00:00:25,130
the network. The capital O parameter is for the OS detection.

6
00:00:26,400 --> 00:00:31,620
Top five ports to keep it fast, and the target is the entire IP block:

7
00:00:32,040 --> 00:00:36,060
172.16.99.0/24.

8
00:00:43,380 --> 00:00:45,810
And here are the systems on the network.

9
00:00:46,460 --> 00:00:48,240
158 is the Kali itself.

10
00:00:49,400 --> 00:00:54,920
Now, you see 223 is detected as a Windows system, according to the fingerprints, and Nmap

11
00:00:54,920 --> 00:00:59,720
says the system is Windows 7, 8, Vista or 2008.

12
00:01:00,080 --> 00:01:03,290
So, OK, 223 is our new target.

13
00:01:04,190 --> 00:01:08,750
So let's prepare another Nmap query for 223 to see the open ports.

14
00:01:16,050 --> 00:01:23,220
Port 445 is open, and we know that the port is used for SMB file sharing by default.

15
00:01:23,850 --> 00:01:29,040
And if you're not sure about the service running on port 445, you can run an Nmap

16
00:01:29,040 --> 00:01:34,350
query with the -sV parameter to run version detection as well.

17
00:01:34,860 --> 00:01:39,660
So I'll assume that the service is SMB file share and skip this step.

18
00:01:40,700 --> 00:01:46,700
Now here is a critical step: we need to have at least one file share on the target system.
19
00:01:47,180 --> 00:01:52,580
In general, you'll find that the administrative folders are shared, because the sharing of those folders

20
00:01:52,580 --> 00:01:53,900
is enabled by default.

21
00:01:54,450 --> 00:01:56,450
But let's make sure to find out.

22
00:01:56,450 --> 00:02:02,550
To find the shares of our new target we'll use Nmap once again, and Nmap has a script to find out

23
00:02:02,570 --> 00:02:03,680
SMB shares.

24
00:02:05,830 --> 00:02:08,230
Now, we don't need to memorize the names of the scripts.

25
00:02:08,590 --> 00:02:11,770
Let's just find the scripts which may help us find the shares.

26
00:02:12,740 --> 00:02:17,360
I'll use the locate Linux command to find the location of the Nmap scripts.

27
00:02:18,020 --> 00:02:24,380
Now I know the scripts end with .nse, which is the abbreviation of Nmap Scripting Engine.

28
00:02:24,800 --> 00:02:25,730
Now you know, too.

29
00:02:26,510 --> 00:02:29,690
So let's go to the scripts folder using the cd command.

30
00:02:32,850 --> 00:02:36,140
I want to list the scripts which are about SMB servers.

31
00:02:37,240 --> 00:02:42,280
ls -l to list files, pipe to send the output of the ls

32
00:02:42,280 --> 00:02:47,440
command to the next command, and grep smb to filter the scripts.

33
00:02:48,370 --> 00:02:56,650
So these are the Nmap scripts related to the SMB service, and this one, smb-enum-shares, is a script to find

34
00:02:56,650 --> 00:02:57,730
SMB shares.

35
00:02:58,660 --> 00:03:01,630
So now let's prepare the Nmap query.

36
00:03:03,240 --> 00:03:10,140
--script to use a script, and here is the script: smb-enum-shares.

37
00:03:19,940 --> 00:03:25,880
Now, even though the script couldn't get the details, it did find the shares ADMIN$, C$,

38
00:03:25,880 --> 00:03:29,120
IPC$ and Users.
39
00:03:30,260 --> 00:03:37,520
OK, so let's turn back to the msfconsole interface, the other terminal screen, to try to pass the hash

40
00:03:37,520 --> 00:03:39,410
on to our new target, 223.

41
00:03:40,390 --> 00:03:43,930
Now, the first thing is to search for psexec to find the exploit.

42
00:03:45,400 --> 00:03:50,290
So we'll use the exploit/windows/smb/psexec exploit module.

43
00:03:51,560 --> 00:03:53,570
And now we can set the payload.

44
00:03:54,180 --> 00:03:58,460
Don't forget that you can use Tab for command completion in the msfconsole interface.

45
00:03:58,940 --> 00:04:00,680
So set the payload: windows.

46
00:04:01,190 --> 00:04:06,080
Now I know it's a 64-bit system: meterpreter reverse TCP.

47
00:04:08,800 --> 00:04:09,620
Show options.

48
00:04:11,220 --> 00:04:14,400
I set remote host as the Windows 8 VM, 223.

49
00:04:16,820 --> 00:04:21,890
Also, the listen host as Kali, 158. You should be already familiar with all these options.

50
00:04:22,430 --> 00:04:25,280
So now we see the psexec-specific options.

51
00:04:25,670 --> 00:04:29,450
The SMBUser option is the login username.

52
00:04:30,080 --> 00:04:36,050
As I mentioned before, the options are case insensitive, so you can write SMBUser with all lowercase

53
00:04:36,050 --> 00:04:37,490
or however you want.

54
00:04:38,650 --> 00:04:42,670
So I want to try the administrator user and its password.

55
00:04:42,970 --> 00:04:46,450
So I set administrator as SMBUser.

56
00:04:47,050 --> 00:04:53,350
I copied the hash value of the administrator user that we gathered from the XP system and use it as

57
00:04:53,350 --> 00:04:55,840
the value of the SMBPass parameter.

58
00:04:57,000 --> 00:05:00,210
List the options again with the show options command.

59
00:05:03,660 --> 00:05:09,990
RPORT is 445 by default, and we know that the port is open on our target, so just leave

60
00:05:09,990 --> 00:05:10,500
it as it is.
61
00:05:11,430 --> 00:05:14,490
SHARE is ADMIN$.

62
00:05:15,180 --> 00:05:18,330
And we also know that ADMIN$ is shared on the target.

63
00:05:18,720 --> 00:05:21,090
So leave that as it is as well.

64
00:05:22,160 --> 00:05:25,190
OK, so SMBUser, SMBPass,

65
00:05:27,070 --> 00:05:31,900
listen host, listen port. OK, we are ready to run the exploit.

66
00:05:32,230 --> 00:05:32,770
Are you ready?

67
00:05:38,130 --> 00:05:40,230
Nope, no chance, the login failed.

68
00:05:40,980 --> 00:05:47,430
So we assume that there is not a user with the name administrator and with the password

69
00:05:47,640 --> 00:05:49,620
same as the admin password of the XP.

70
00:05:50,780 --> 00:05:53,180
But do you want to give up right now?

71
00:05:53,590 --> 00:05:54,590
No, of course not.

72
00:05:54,980 --> 00:06:00,800
As I mentioned several times, humans tend to use the same password on different platforms and systems.

73
00:06:01,980 --> 00:06:02,550
Now, come on.

74
00:06:02,820 --> 00:06:07,110
There are a lot of passwords we have to memorize, so it's just human.

75
00:06:07,110 --> 00:06:15,000
It's normal to use the same password on all kinds of different platforms, so always try the hash with

76
00:06:15,000 --> 00:06:16,150
different users

77
00:06:16,170 --> 00:06:19,110
if you cannot get the session with the default user.

78
00:06:20,050 --> 00:06:23,800
Now I'll try another username, admin, with the same hash.

79
00:06:24,190 --> 00:06:28,960
OK, so I cheated, I already know that the target system has a user with this name.

80
00:06:30,990 --> 00:06:37,230
I mean, you know, you get the idea. You don't want to sit here and watch me try a list of users just

81
00:06:37,230 --> 00:06:39,810
in the course; that's for you to come up with.

82
00:06:40,350 --> 00:06:41,190
So let's continue.

83
00:06:41,730 --> 00:06:46,890
The other options are the same, and run the exploit for the admin user.
84
00:06:47,890 --> 00:06:49,240
We got a Meterpreter session.

85
00:06:49,420 --> 00:06:51,190
But hold on, just wait a minute.

86
00:06:51,220 --> 00:06:53,680
This is not a session from the target system.

87
00:06:54,190 --> 00:07:01,240
Look at the messages: service timed out and couldn't start, and the exploit decides to send the stage

88
00:07:01,240 --> 00:07:04,150
to 207, which is my XP system.

89
00:07:04,630 --> 00:07:05,560
Now that's interesting.

90
00:07:06,250 --> 00:07:09,520
And the Meterpreter session is opened on 207,

91
00:07:09,520 --> 00:07:10,780
not on 223.

92
00:07:11,530 --> 00:07:14,800
This is the Windows XP, which we already exploited.

93
00:07:15,640 --> 00:07:21,250
So now I'll exit from the Meterpreter session and look at the options once again to see if I made a

94
00:07:21,250 --> 00:07:21,760
mistake.

95
00:07:29,600 --> 00:07:29,900
Huh.

96
00:07:30,230 --> 00:07:33,500
OK, so no mistake, everything's fine.

97
00:07:34,250 --> 00:07:37,280
So let's run the exploit once more.

98
00:07:37,310 --> 00:07:37,970
Are you with me?

99
00:07:38,940 --> 00:07:47,160
Look at the messages: it sent the stage to 02:58, which is the Windows 8 VM, our target, and the Meterpreter

100
00:07:47,460 --> 00:07:49,650
session is opened on 02:58.

101
00:07:50,400 --> 00:07:55,590
It seems we succeeded to exploit Windows 8 without using any vulnerability.

102
00:07:56,830 --> 00:08:02,110
So let's check the system info using the sysinfo Meterpreter command.

103
00:08:02,830 --> 00:08:07,330
And yes, we finally have a Meterpreter session on Windows 8.

104
00:08:08,110 --> 00:08:09,220
Not bad, though, is it?

105
00:08:09,940 --> 00:08:13,130
So let's have a look at the IP address.

106
00:08:13,210 --> 00:08:16,030
Well, it is 223, as expected.
107
00:08:16,870 --> 00:08:23,800
So now we can perform post-exploitation steps such as gathering password hashes using the hashdump

108
00:08:23,800 --> 00:08:24,310
command.

109
00:08:25,120 --> 00:08:31,150
From here, we can crack the hashes or use them to perform further pass-the-hash attacks, et cetera.

110
00:08:31,600 --> 00:08:36,230
But we'll see a lot of post-exploitation methods in detail later on.

111
00:08:36,250 --> 00:08:38,230
Right now, I think you get the point.

112
00:08:40,890 --> 00:08:46,080
So I'd like to tell you a few more things about the working principle of the pass-the-hash method.

113
00:08:46,920 --> 00:08:51,600
When you look at this slide, you will see two different runs of the psexec module.

114
00:08:52,110 --> 00:08:54,570
The first one is against a Windows XP target,

115
00:08:55,660 --> 00:08:58,270
while the second one is against a Windows 8 system.

116
00:08:58,990 --> 00:09:06,430
If the target is Windows XP, the psexec module creates an executable on the target, uses it to connect to

117
00:09:06,430 --> 00:09:09,670
the target, and then deletes the executable.

118
00:09:10,510 --> 00:09:14,370
If the target is a modern Windows system such as Windows 8, the

119
00:09:14,380 --> 00:09:18,610
psexec module checks if PowerShell is available on the target.

120
00:09:18,880 --> 00:09:20,230
If it is, the

121
00:09:20,230 --> 00:09:24,580
psexec module uses PowerShell to open the Meterpreter session.

122
00:09:25,800 --> 00:09:33,000
So if you set the target option of the psexec module to 2, which means native upload, the module

123
00:09:33,000 --> 00:09:37,530
will not use PowerShell even if it is present on the target.

124
00:09:38,160 --> 00:09:44,130
But my recommendation is to use the PowerShell of the target system to open a session if it's present.

125
00:09:46,220 --> 00:09:50,250
Well, you know what, I was assuming that you know what PowerShell is.
126
00:09:51,800 --> 00:09:55,370
I'll give you a very short definition for those of you who don't know what it is.

127
00:09:56,600 --> 00:10:01,580
To give you a better understanding of PowerShell, I should first define what a shell is in computer

128
00:10:01,580 --> 00:10:01,910
science.

129
00:10:01,910 --> 00:10:07,790
A shell is a user interface that gives you access to various services of an operating system.

130
00:10:08,880 --> 00:10:15,900
Windows PowerShell is a shell developed by Microsoft for purposes of task automation and configuration

131
00:10:15,900 --> 00:10:16,410
management.

132
00:10:17,160 --> 00:10:24,390
This powerful shell is based on the .NET Framework, and it includes a command-line shell and a scripting

133
00:10:24,390 --> 00:10:24,960
language.