1
00:00:00,580 --> 00:00:09,610
Metasploit and Meterpreter are both coded with and they stand over Ruby, so even Metasploit lets

2
00:00:09,610 --> 00:00:14,720
you run any Ruby code directly on the target without any installation.

3
00:00:15,580 --> 00:00:20,110
However, the community widens this feature further.

4
00:00:21,160 --> 00:00:27,520
So the Python and PowerShell extensions are a good example of how the community contributes to Metasploit.

5
00:00:28,460 --> 00:00:37,040
The Python extension gives you the ability to run Python code natively on a target machine without having

6
00:00:37,040 --> 00:00:38,360
the interpreter installed.

7
00:00:39,350 --> 00:00:42,560
Also, it lets you load your own Python scripts.

8
00:00:43,760 --> 00:00:48,230
And while Railgun gives us the ability to execute Win32 API calls,

9
00:00:49,150 --> 00:00:57,310
a completely in-memory Python interpreter is not a bad idea for Python lovers. It doesn't support all

10
00:00:57,310 --> 00:01:04,480
Python modules, but it is going to help you work with easier automation of Win32-related functions

11
00:01:04,480 --> 00:01:06,610
with libraries such as ctypes.

12
00:01:07,620 --> 00:01:12,090
And besides, no one can underestimate the power of PowerShell.

13
00:01:13,380 --> 00:01:20,640
Now, it also comes as an extension to Meterpreter and can greatly expand Meterpreter's capability on

14
00:01:20,640 --> 00:01:22,110
a compromised Windows target.

15
00:01:23,290 --> 00:01:31,510
So in this coming section, we're going to touch on the features of these extensions and I will show

16
00:01:31,510 --> 00:01:34,770
you how they can be used to your advantage.

17
00:01:36,520 --> 00:01:39,610
So, with an active Meterpreter shell running on the target machine,

18
00:01:40,780 --> 00:01:47,260
let's type in load python, and that's going to load the extension, giving us access to these new

19
00:01:47,260 --> 00:01:47,860
commands.
20
00:01:48,770 --> 00:01:53,720
And to get the new commands, just type in help python.

21
00:01:55,300 --> 00:01:58,210
All right, so three new commands are added to the session.

22
00:01:59,500 --> 00:02:05,200
python_execute executes Python command strings directly; python_import

23
00:02:06,110 --> 00:02:15,410
helps you to import your Python files directly into memory; python_reset restarts the Python interpreter

24
00:02:15,410 --> 00:02:17,140
that is loaded into memory.

25
00:02:18,350 --> 00:02:20,180
So why don't we start with the first one?

26
00:02:21,560 --> 00:02:24,620
Typing python_execute -h

27
00:02:25,710 --> 00:02:27,330
brings up the help menu.

28
00:02:28,460 --> 00:02:30,740
All right, so there's only one extra parameter.

29
00:02:32,050 --> 00:02:33,760
So let's type python_execute

30
00:02:34,720 --> 00:02:38,320
and then type your Python code between double quotes.

31
00:02:41,370 --> 00:02:48,120
All right, so I'm going to get the path variable's value and assign it to the x variable.

32
00:02:50,900 --> 00:02:52,910
Then, with -r,

33
00:02:54,270 --> 00:02:55,620
the value of this variable.

34
00:02:57,820 --> 00:03:02,500
And yes, you just executed the first Python code on the target.

35
00:03:04,230 --> 00:03:08,430
So, are you ready for another example? Type python_execute.

36
00:03:16,530 --> 00:03:20,760
Now, this time, let's get the path of the tomcat-users file.

37
00:03:23,580 --> 00:03:26,790
And -r to print the value of the variable.

38
00:03:29,970 --> 00:03:35,010
You can also import a file, so type python_import -h

39
00:03:36,580 --> 00:03:41,290
to display the help menu, and here are a few more parameters.

40
00:03:42,820 --> 00:03:43,900
python_import

41
00:03:44,780 --> 00:03:47,690
-f and the path to your file.

42
00:03:50,840 --> 00:03:54,020
Desktop tomcat-users

43
00:03:54,840 --> 00:03:56,460
is my Python file.
44
00:03:58,960 --> 00:04:04,210
And this will look at all the paths on the target and print the tomcat-users file path.

45
00:04:07,010 --> 00:04:11,320
Now, here's a place where you can really show your Python ability.

46
00:04:12,790 --> 00:04:17,890
So why don't we just jump into another extension, PowerShell?

47
00:04:18,840 --> 00:04:23,310
So type load powershell to load it onto the session.

48
00:04:26,450 --> 00:04:29,540
help powershell reveals three fresh commands.

49
00:04:31,510 --> 00:04:35,080
The first two commands work like the Python commands that I already showed you.

50
00:04:36,080 --> 00:04:39,140
But the third one is different, so let's have a look.

51
00:04:40,050 --> 00:04:43,620
It's going to provide a PowerShell shell over the session.

52
00:04:44,950 --> 00:04:48,430
So that's really perfect to run the PowerShell commands.

53
00:04:50,020 --> 00:04:51,550
powershell_execute.

54
00:04:54,450 --> 00:04:57,900
So, just one extra parameter, but you don't need it.

55
00:04:59,860 --> 00:05:02,530
Now, this also depends on your PowerShell ability.

56
00:05:04,920 --> 00:05:07,410
So let's write some basic commands.

57
00:05:09,150 --> 00:05:15,930
To view the PowerShell version table, type powershell_execute $PSVersionTable.

58
00:05:19,540 --> 00:05:21,040
powershell_execute

59
00:05:23,200 --> 00:05:25,750
Get-Service to list the services.

60
00:05:27,630 --> 00:05:30,300
And there are all the services listed below.

61
00:05:31,920 --> 00:05:38,340
So if you want to run a few commands with parameters, you have to put them between double quotes.

62
00:05:41,030 --> 00:05:45,190
So I'm only going to get the running services on the target with this one.

63
00:05:51,680 --> 00:05:52,640
And here it is.

64
00:05:53,600 --> 00:05:54,920
All running services.

65
00:05:57,280 --> 00:05:58,410
Ready for another example?

66
00:05:59,910 --> 00:06:04,590
So this time I will bring the 100 newest application logs
67
00:06:06,780 --> 00:06:08,100
with this line.

68
00:06:19,460 --> 00:06:20,770
I'll stop it here and let it go.

69
00:06:22,470 --> 00:06:26,160
And the second command, powershell_import.

70
00:06:27,160 --> 00:06:29,110
Type powershell_import

71
00:06:30,470 --> 00:06:33,410
and then the path to the file that you want to import.

72
00:06:34,850 --> 00:06:37,910
So I'm going to import the HostRecon file.

73
00:06:40,620 --> 00:06:42,750
And you can download it from these addresses.

74
00:06:45,080 --> 00:06:48,800
So after you import the file, then you need to run this file.

75
00:06:50,200 --> 00:06:56,680
To do so, just type powershell_execute Invoke-HostRecon.

76
00:07:00,230 --> 00:07:04,430
Now, it has a very long output and it takes a few more seconds.

77
00:07:05,920 --> 00:07:08,350
It enumerates the target system very well.

78
00:07:10,000 --> 00:07:21,820
IP information, user information, active connections, services and processes, shares and so much

79
00:07:21,820 --> 00:07:22,120
more.

80
00:07:24,640 --> 00:07:28,660
OK, so now I will import another PowerShell file.

81
00:07:29,800 --> 00:07:31,090
HostEnum.

82
00:07:33,240 --> 00:07:35,790
And you can download this file from that address.

83
00:07:37,620 --> 00:07:40,440
And type powershell_shell.

84
00:07:43,130 --> 00:07:45,770
So now you are in the PowerShell shell.

85
00:07:46,620 --> 00:07:52,440
And to run the script you imported, type Invoke-HostEnum -Local.

86
00:07:55,560 --> 00:08:02,160
And compared to HostRecon, this one brings much more information about the target.

87
00:08:03,280 --> 00:08:05,470
And that's it with all these extensions.