1
00:00:01,320 --> 00:00:03,340
<v Instructor>So far, in the server side attacks,</v>

2
00:00:03,340 --> 00:00:07,300
we've seen how we can use a default password

3
00:00:07,300 --> 00:00:10,290
or use a misconfigured service

4
00:00:10,290 --> 00:00:13,180
to gain access to the target computer.

5
00:00:13,180 --> 00:00:14,750
Today, we're gonna have an example

6
00:00:14,750 --> 00:00:18,350
on a very simple thing, which is a backdoor.

7
00:00:18,350 --> 00:00:21,380
So some programs or services were shipped

8
00:00:21,380 --> 00:00:24,860
or come in with backdoors embedded in them,

9
00:00:24,860 --> 00:00:27,060
so we're gonna exploit that today,

10
00:00:27,060 --> 00:00:29,430
and I chose this very simple exploit

11
00:00:29,430 --> 00:00:31,260
because I wanna introduce you

12
00:00:31,260 --> 00:00:33,660
to a framework called Metasploit.

13
00:00:33,660 --> 00:00:35,690
We're gonna be using that framework a lot,

14
00:00:35,690 --> 00:00:37,810
so I wanted something simple to start with

15
00:00:37,810 --> 00:00:40,600
and then, we're gonna go deeper into that framework.

16
00:00:40,600 --> 00:00:43,900
Now first, let me show you how we find that exploit.

17
00:00:43,900 --> 00:00:45,880
So again, using the same method

18
00:00:45,880 --> 00:00:49,550
that we've always been using, I have my Nmap scan,

19
00:00:49,550 --> 00:00:52,250
and as I said, we're gonna go on each port

20
00:00:52,250 --> 00:00:54,790
and Google them, looking for exploits.

21
00:00:54,790 --> 00:00:57,240
So I'm gonna Google the service name here

22
00:00:59,100 --> 00:01:04,100
and I'm gonna go to my browser, go to Google,

23
00:01:08,930 --> 00:01:11,160
and I'm gonna type in exploit,

24
00:01:11,160 --> 00:01:15,700
so the service name followed by exploit.

25
00:01:15,700 --> 00:01:17,410
As you can see, the first result

26
00:01:17,410 --> 00:01:20,800
comes in from a website called Rapid7.

27
00:01:20,800 --> 00:01:24,790
Now, Rapid7 is the company that makes the Metasploit framework,

28
00:01:24,790 --> 00:01:27,390
so that's why I chose this particular exploit

29
00:01:27,390 --> 00:01:28,780
to show you today.

30
00:01:28,780 --> 00:01:29,870
So let me go back

31
00:01:29,870 --> 00:01:31,830
and let's talk about Metasploit for a second.

32
00:01:31,830 --> 00:01:34,830
So we're gonna exploit this service,

33
00:01:34,830 --> 00:01:36,620
or this problem, using Metasploit.

34
00:01:36,620 --> 00:01:39,450
And as you can see here, Rapid7 is telling us

35
00:01:39,450 --> 00:01:44,190
that this version of FTP has a backdoor command execution,

36
00:01:44,190 --> 00:01:47,130
so it allows us to basically execute commands

37
00:01:47,130 --> 00:01:50,600
on the target computer if it has this program installed.

38
00:01:50,600 --> 00:01:53,300
And from Nmap, we know that this program is installed,

39
00:01:53,300 --> 00:01:55,260
which means that we can execute

40
00:01:55,260 --> 00:01:57,823
commands on the target machine.

41
00:01:58,860 --> 00:02:00,140
So I'm coming back here

42
00:02:00,140 --> 00:02:02,060
and I'm gonna go to the next slide,

43
00:02:02,060 --> 00:02:03,290
which talks about Metasploit.

44
00:02:03,290 --> 00:02:06,380
Now Metasploit, as I said, is made by Rapid7.

45
00:02:06,380 --> 00:02:09,740
It is a huge framework that contains a large number

46
00:02:09,740 --> 00:02:12,610
of exploits, so it allows you to exploit

47
00:02:12,610 --> 00:02:15,440
vulnerabilities or create your own exploits.

48
00:02:15,440 --> 00:02:17,450
If you are an expert and you know how to discover

49
00:02:17,450 --> 00:02:20,890
and make exploits, then Metasploit will help you do that.

50
00:02:20,890 --> 00:02:24,040
Now, for today, we're doing a very simple use

51
00:02:24,040 --> 00:02:25,823
of an existing vulnerability.

52
00:02:26,660 --> 00:02:29,600
So, the commands on Metasploit are very easy.

53
00:02:29,600 --> 00:02:31,230
They might seem a bit complicated now,

54
00:02:31,230 --> 00:02:34,000
but once you get used to it, it is very easy to use,

55
00:02:34,000 --> 00:02:36,080
and a lot of them are generic commands.

56
00:02:36,080 --> 00:02:38,300
So here, I'm showing you the basic generic commands

57
00:02:38,300 --> 00:02:39,570
and then, there are other commands

58
00:02:39,570 --> 00:02:41,253
that you get used to in time.

59
00:02:42,690 --> 00:02:45,270
So, the first command is msfconsole

60
00:02:45,270 --> 00:02:47,913
and this basically just launches the Metasploit program.

61
00:02:49,140 --> 00:02:51,540
You can always type in help at any stage,

62
00:02:51,540 --> 00:02:53,590
and you'll get help for the commands

63
00:02:53,590 --> 00:02:56,723
and the description on how you can use them.

64
00:02:57,900 --> 00:03:00,690
You can use the show command to show something,

65
00:03:00,690 --> 00:03:03,000
so you can show the available exploits,

66
00:03:03,000 --> 00:03:05,370
you can show the available auxiliaries,

67
00:03:05,370 --> 00:03:06,968
the available payloads,

68
00:03:06,968 --> 00:03:11,083
and we'll talk about what each of these means in the future.

69
00:03:12,690 --> 00:03:14,260
You can use the use command

70
00:03:14,260 --> 00:03:15,800
to use something that you've been shown.

71
00:03:15,800 --> 00:03:17,610
So for example, you showed the exploits

72
00:03:17,610 --> 00:03:20,460
and you picked a certain exploit that you want to use.

73
00:03:20,460 --> 00:03:21,900
Then, you use the use command

74
00:03:21,900 --> 00:03:24,793
and then, you type in the exploit name to run it.

75
00:03:25,930 --> 00:03:29,120
Then, you can use the set option, or the set command,

76
00:03:29,120 --> 00:03:31,340
to set specific options for the exploit.

77
00:03:31,340 --> 00:03:33,440
For example, if you wanted to set the IP address

78
00:03:33,440 --> 00:03:36,794
of your target, so you set the IP

79
00:03:36,794 --> 00:03:38,420
and then, you put the value of the IP

80
00:03:38,420 --> 00:03:39,763
that you wanna set it to.

81
00:03:40,630 --> 00:03:42,760
And then, at the end, once you finish configuring

82
00:03:42,760 --> 00:03:45,220
your exploit, you can type in exploit

83
00:03:45,220 --> 00:03:47,670
to execute that exploit.

84
00:03:47,670 --> 00:03:49,240
Now, I know this might look a bit vague,

85
00:03:49,240 --> 00:03:51,700
but once I use it, it's gonna become very clear to you

86
00:03:51,700 --> 00:03:53,540
and we're gonna be using these programs a lot

87
00:03:53,540 --> 00:03:55,640
and these commands a lot, so they're gonna become

88
00:03:55,640 --> 00:03:57,653
very easy and simple to use.

89
00:03:58,530 --> 00:04:00,950
So we're coming back here, so we went on Nmap,

90
00:04:00,950 --> 00:04:02,610
we Googled the name of the service,

91
00:04:02,610 --> 00:04:04,340
and the first thing that came up is that

92
00:04:04,340 --> 00:04:07,143
this service has a backdoor command execution.

93
00:04:08,810 --> 00:04:11,320
Because this is on Rapid7, the vulnerability

94
00:04:11,320 --> 00:04:12,993
is exploitable using Metasploit,

95
00:04:15,540 --> 00:04:19,140
and the module name we're gonna be using is this.

96
00:04:19,140 --> 00:04:22,090
So it made our life much easier with this,

97
00:04:22,090 --> 00:04:23,250
so I'm gonna copy the name.

98
00:04:23,250 --> 00:04:24,900
This is the name that I want to use

99
00:04:24,900 --> 00:04:27,020
to exploit this vulnerability.

100
00:04:27,020 --> 00:04:29,850
So, I'm gonna go to my console

101
00:04:29,850 --> 00:04:31,400
and I'm gonna launch Metasploit

102
00:04:36,650 --> 00:04:40,780
and we're going to do a use

103
00:04:40,780 --> 00:04:42,540
and then, put the name of the exploit

104
00:04:42,540 --> 00:04:45,380
that we just copied from Google or from Rapid7.

105
00:04:45,380 --> 00:04:47,120
So we're gonna use that certain exploit

106
00:04:47,120 --> 00:04:52,120
and as you can see, now the name here changed to exploit

107
00:04:52,900 --> 00:04:55,950
and then, the name of the exploit that we're using.

108
00:04:55,950 --> 00:04:57,990
Then, we're gonna use the show command.

109
00:04:57,990 --> 00:05:00,486
As I said, show is a generic command

110
00:05:00,486 --> 00:05:02,440
that you can use in a number of cases.

111
00:05:05,730 --> 00:05:08,610
So in this case, we're doing a show options

112
00:05:08,610 --> 00:05:11,807
for this particular exploit.

113
00:05:14,169 --> 00:05:17,540
And as you can see now, the second option is the port

114
00:05:17,540 --> 00:05:20,090
that the service is running on

115
00:05:20,090 --> 00:05:23,730
and it's already set to port 21, and this is correct.

116
00:05:23,730 --> 00:05:25,430
If we go back to Nmap, you will see

117
00:05:25,430 --> 00:05:30,430
that our target FTP client or server is running on port 21,

118
00:05:30,800 --> 00:05:31,633
so this is good.

119
00:05:31,633 --> 00:05:33,170
We don't need to change any of that.

120
00:05:33,170 --> 00:05:35,440
What we need to change is the RHOST,

121
00:05:35,440 --> 00:05:40,420
so the RHOST is the target IP address, as you can see here.

122
00:05:40,420 --> 00:05:43,390
And to change the value of this, as I explained before,

123
00:05:43,390 --> 00:05:47,280
we're gonna use the set option or the set command.

124
00:05:47,280 --> 00:05:52,280
So our command is gonna be set and we're gonna set the RHOST.

125
00:05:56,020 --> 00:05:57,490
And that's the IP address

126
00:05:57,490 --> 00:06:00,550
of my target Metasploitable machine.

127
00:06:00,550 --> 00:06:04,350
So, we use set and after set, you put the option name.

128
00:06:04,350 --> 00:06:05,700
So for example, if you wanted

129
00:06:05,700 --> 00:06:08,080
to change the port, you set RPORT.

130
00:06:08,080 --> 00:06:09,450
We are changing the host,

131
00:06:09,450 --> 00:06:14,450
so we set RHOST to 10.20.14.204, and I'm gonna hit Enter.

132
00:06:15,620 --> 00:06:17,630
And as you can see now, this is the RHOST.

133
00:06:17,630 --> 00:06:18,880
It's set to this.

134
00:06:18,880 --> 00:06:21,313
Now, what I wanna do is show the options again,

135
00:06:27,432 --> 00:06:28,381
and as you can see now,

136
00:06:28,381 --> 00:06:32,133
the RHOST has been changed to 10.20.14.204.

137
00:06:33,130 --> 00:06:34,350
So everything is ready now

138
00:06:34,350 --> 00:06:37,763
and to execute the exploit, we just type in exploit.

139
00:06:41,410 --> 00:06:45,070
So it seems like the exploit ran, but nothing has happened.

140
00:06:45,070 --> 00:06:46,360
We didn't gain anything,

141
00:06:46,360 --> 00:06:48,240
so what I'm gonna do is just run it again,

142
00:06:48,240 --> 00:06:49,663
and this happens sometimes.

143
00:06:51,510 --> 00:06:56,423
And as you can see now, the exploit was run successfully.

144
00:06:58,000 --> 00:07:00,840
And now, I have access to the target computer.

145
00:07:00,840 --> 00:07:05,380
If I do an id, you'll see that my ID is root.

146
00:07:05,380 --> 00:07:07,740
Now, basically, I'm running Linux commands here,

147
00:07:07,740 --> 00:07:11,330
so if you do a uname -a, you'll see that

148
00:07:11,330 --> 00:07:13,660
this is my Metasploitable machine,

149
00:07:13,660 --> 00:07:17,010
and if I do ls, then it'll list the files for me.

150
00:07:17,010 --> 00:07:19,450
If I do pwd, it'll show me where I am.

151
00:07:19,450 --> 00:07:21,640
And I can use Linux commands to do anything

152
00:07:21,640 --> 00:07:23,810
I want on the target machine.

153
00:07:23,810 --> 00:07:26,980
Now, this was a very simple use of Metasploit.

154
00:07:26,980 --> 00:07:30,623
In the future, we're gonna be using it for more advanced stuff.