1
00:00:02,020  -->  00:00:04,360
So far we have seen how we can use a service

2
00:00:04,360  -->  00:00:05,890
with a default password

3
00:00:05,890  -->  00:00:08,940
or a service that has not been configured correctly

4
00:00:08,940  -->  00:00:11,730
or a service that came with a back door

5
00:00:11,730  -->  00:00:14,740
to gain full access to the target computer.

6
00:00:14,740  -->  00:00:18,550
We have also seen the basic use of Metasploit,

7
00:00:18,550  -->  00:00:21,770
using it to connect to a backdoor that was

8
00:00:21,770  -->  00:00:24,190
installed on the FTP service.

9
00:00:24,190  -->  00:00:26,510
Today we are going to have a more advanced look

10
00:00:26,510  -->  00:00:30,760
at Metasploit and we will see how we use it to run

11
00:00:30,760  -->  00:00:33,750
a vulnerability that exists in a certain service.

12
00:00:33,750  -->  00:00:36,930
It's a code execution vulnerability which will give us

13
00:00:36,930  -->  00:00:39,483
full access to the target computer as well.

14
00:00:40,820  -->  00:00:44,780
So back to our results here with Nmap and we're gonna do

15
00:00:44,780  -->  00:00:47,060
the same thing that we have been doing for a while,

16
00:00:47,060  -->  00:00:49,140
we copy the service name and see

17
00:00:49,140  -->  00:00:51,020
if it has any vulnerabilities.

18
00:00:51,020  -->  00:00:54,090
So for today we are having a look at this particular port,

19
00:00:54,090  -->  00:00:58,663
139, which has a Samba server version 3.X.

20
00:01:00,650  -->  00:01:02,780
So 3.anything, really.

21
00:01:02,780  -->  00:01:04,360
So we're going to go through Google just like

22
00:01:04,360  -->  00:01:06,080
we did in the previous videos

23
00:01:06,080  -->  00:01:09,070
and we're going to look for

24
00:01:09,070  -->  00:01:11,233
Samba 3.X exploit.

25
00:01:12,390  -->  00:01:14,770
Now as you can see there are a number of results.

26
00:01:14,770  -->  00:01:17,210
The ones that we are interested in are the ones that come

27
00:01:17,210  -->  00:01:20,310
from Rapid7 because as I said these are the people

28
00:01:20,310  -->  00:01:23,420
that make Metasploit, so the exploits that you see

29
00:01:23,420  -->  00:01:27,070
there can be used through Metasploit.

30
00:01:27,070  -->  00:01:28,440
So we have two examples here,

31
00:01:28,440  -->  00:01:30,050
now I have actually tried both.

32
00:01:30,050  -->  00:01:32,320
The first one doesn't work, so there is a bit

33
00:01:32,320  -->  00:01:35,310
of trial and error in this and the second one

34
00:01:35,310  -->  00:01:36,940
is the usermap_script.

35
00:01:36,940  -->  00:01:40,883
It's a command execution vulnerability, as you can see here.

36
00:01:42,140  -->  00:01:45,090
So the name of the vulnerability is this.

37
00:01:45,090  -->  00:01:47,640
So it's the same thing that we used before

38
00:01:47,640  -->  00:01:51,630
with the evil backdoor in the FTP service.

39
00:01:51,630  -->  00:01:54,573
This is just the different name that we are going to use.

40
00:01:55,550  -->  00:01:57,690
So I'm going to Metasploit

41
00:01:57,690  -->  00:01:59,830
and I have already run msfconsole,

42
00:01:59,830  -->  00:02:02,820
so you can see that the console is running here for me.

43
00:02:02,820  -->  00:02:05,300
So I'm going to do a use, like we did before,

44
00:02:05,300  -->  00:02:08,400
yesterday and then I'm gonna put the name of the exploit

45
00:02:08,400  -->  00:02:09,383
that I want to use.

46
00:02:11,190  -->  00:02:14,090
Then the next thing that we usually do is show options

47
00:02:14,090  -->  00:02:15,460
like we did yesterday.

48
00:02:15,460  -->  00:02:18,130
So I'm going to do show options.

49
00:02:18,130  -->  00:02:21,260
So using these exploits is always pretty much the same,

50
00:02:21,260  -->  00:02:24,320
the only difference is the options that you can set

51
00:02:24,320  -->  00:02:25,660
for each exploit.

52
00:02:25,660  -->  00:02:29,000
So you always do use and then you put the exploit name

53
00:02:29,000  -->  00:02:32,570
and then you do a show options to see what you can change

54
00:02:32,570  -->  00:02:34,200
to work with this exploit.

55
00:02:34,200  -->  00:02:37,820
So in the future, you probably will get different exploits

56
00:02:37,820  -->  00:02:39,210
than what I have.

57
00:02:39,210  -->  00:02:41,180
So every time you want to run an exploit,

58
00:02:41,180  -->  00:02:44,500
you do a use exploit name and then you do show options

59
00:02:44,500  -->  00:02:46,640
to see the options that you want to configure,

60
00:02:46,640  -->  00:02:49,140
but using the exploits and setting the options

61
00:02:49,140  -->  00:02:50,990
and running them is always the same.

62
00:02:50,990  -->  00:02:53,730
So I'm showing you a few examples that should cover

63
00:02:53,730  -->  00:02:57,110
pretty much everything that you wanna do in the future.

64
00:02:57,110  -->  00:03:01,430
So again, we need to set up the RHOST which is the IP

65
00:03:01,430  -->  00:03:04,920
of the target computer and we're gonna do it the same way

66
00:03:04,920  -->  00:03:05,753
that we did before.

67
00:03:05,753  -->  00:03:08,660
As I said, setting the options is always the same.

68
00:03:08,660  -->  00:03:11,140
So we're gonna do set

69
00:03:11,140  -->  00:03:14,150
RHOST and then we're gonna put the IP of the target

70
00:03:14,150  -->  00:03:18,973
computer which is 10.20.14.204.

71
00:03:20,290  -->  00:03:23,570
So exactly like we did before, we're using the set

72
00:03:23,570  -->  00:03:26,620
to set an option which is the RHOST.

73
00:03:26,620  -->  00:03:28,370
So we're gonna do our show options.

74
00:03:30,950  -->  00:03:34,240
And as you can see now the RHOST has been set correctly.

75
00:03:34,240  -->  00:03:37,950
What we need to do now is, here is where things differ

76
00:03:37,950  -->  00:03:39,933
from the previous lecture.

77
00:03:41,040  -->  00:03:45,160
In the previous lecture we used a backdoor that was already

78
00:03:45,160  -->  00:03:48,410
installed on the target computer so all we had to do

79
00:03:48,410  -->  00:03:50,820
was connect to the backdoor and then we could run

80
00:03:50,820  -->  00:03:55,300
any commands, any Linux commands on the target computer.

81
00:03:55,300  -->  00:03:58,520
In today's video, the target computer does not have

82
00:03:58,520  -->  00:04:02,570
a backdoor, it has a normal program that has a buffer

83
00:04:02,570  -->  00:04:05,760
overflow or a code execution vulnerability.

84
00:04:05,760  -->  00:04:10,000
So the program doesn't have any code that allows us to run

85
00:04:10,000  -->  00:04:14,320
Linux commands, it has a certain flaw that will let us run

86
00:04:14,320  -->  00:04:16,220
a small piece of code.

87
00:04:16,220  -->  00:04:19,643
These small pieces of code are called payloads.

88
00:04:21,240  -->  00:04:25,040
So what we need to do, we need to create a payload

89
00:04:25,040  -->  00:04:28,380
and then run it on the target computer using

90
00:04:28,380  -->  00:04:30,960
the vulnerability that we found.

91
00:04:30,960  -->  00:04:34,080
That piece of code will allow us to do different things.

92
00:04:34,080  -->  00:04:36,670
So the payload is what allows us to do things

93
00:04:36,670  -->  00:04:38,010
that are useful to us.

94
00:04:38,010  -->  00:04:41,140
Now the payload might let us do Linux commands

95
00:04:41,140  -->  00:04:43,510
and there are other types of payloads we'll look at

96
00:04:43,510  -->  00:04:44,343
in the future.

97
00:04:45,220  -->  00:04:48,090
So, to see the payloads that you can use

98
00:04:48,090  -->  00:04:51,090
with this particular exploit, all you have to do

99
00:04:51,090  -->  00:04:53,103
is run show payloads.

100
00:04:55,330  -->  00:04:58,620
And these are the different types of payload that you can use.

101
00:04:58,620  -->  00:05:02,150
Now I'm gonna talk about this again, so payloads are small

102
00:05:02,150  -->  00:05:06,570
pieces of code that will be executed on the target computer

103
00:05:06,570  -->  00:05:09,513
once the vulnerability has been exploited.

104
00:05:11,040  -->  00:05:14,040
So, when we exploit the vulnerability, the code that we're

105
00:05:14,040  -->  00:05:17,280
gonna pick here will be executed and depending on the type

106
00:05:17,280  -->  00:05:20,580
of payload we choose, that payload will do something

107
00:05:20,580  -->  00:05:22,113
that is useful to us.

108
00:05:22,980  -->  00:05:26,550
So, right now you can see that all the payloads are cmd

109
00:05:26,550  -->  00:05:29,890
so that's short for command, so they let you run commands

110
00:05:29,890  -->  00:05:34,100
on the target computer, just like Linux commands.

111
00:05:34,100  -->  00:05:37,350
And all of them only run on Unix and that's okay

112
00:05:37,350  -->  00:05:39,580
because our target is Linux.

113
00:05:39,580  -->  00:05:42,380
And there are two main types, there are bind payloads

114
00:05:42,380  -->  00:05:44,420
and there are reverse payloads.

115
00:05:44,420  -->  00:05:48,180
The bind payloads, all they do is they open a port

116
00:05:48,180  -->  00:05:51,903
on the target computer and then we connect to that port.

117
00:05:53,410  -->  00:05:55,820
The reverse ones do the opposite.

118
00:05:55,820  -->  00:05:59,350
So they open a port on my machine and then they connect

119
00:05:59,350  -->  00:06:02,410
from the target computer to my machine.

120
00:06:02,410  -->  00:06:06,480
This is useful because the reverse allows us to bypass

121
00:06:06,480  -->  00:06:10,750
firewalls, so the firewall will filter any connections

122
00:06:10,750  -->  00:06:13,670
going to the target machine but if the target machine

123
00:06:13,670  -->  00:06:16,300
connects to me and I don't have a firewall,

124
00:06:16,300  -->  00:06:18,653
then I'll be able to bypass the firewall.

125
00:06:20,070  -->  00:06:24,520
So I'm going to use the cmd/unix/reverse

126
00:06:25,480  -->  00:06:30,480
or actually I'll use the cmd/unix/reverse_netcat.

127
00:06:30,900  -->  00:06:34,540
The last part of these payloads is the program, language

128
00:06:34,540  -->  00:06:36,530
or tool that's going to be used

129
00:06:36,530  -->  00:06:38,210
to facilitate the connection.

130
00:06:38,210  -->  00:06:41,550
So for example we can see there are payloads written in Perl,

131
00:06:41,550  -->  00:06:46,060
in Ruby or in Python, PHP, or that use netcat

132
00:06:46,060  -->  00:06:50,150
which is a tool that allows connections between computers.

133
00:06:50,150  -->  00:06:52,550
So this is the one that I'm going to use

134
00:06:52,550  -->  00:06:54,830
and I'm gonna use it the same way you use an exploit.

135
00:06:54,830  -->  00:06:58,040
So I'm just gonna say, actually sorry, I'm gonna use it

136
00:06:58,040  -->  00:06:59,480
using the set command.

137
00:06:59,480  -->  00:07:01,770
So the same way you use set with an option,

138
00:07:01,770  -->  00:07:05,260
we're gonna set payload, so just like an option,

139
00:07:05,260  -->  00:07:07,363
to the payload name that we just picked.

140
00:07:08,320  -->  00:07:11,530
Now I'm gonna do a show options to see if there are any

141
00:07:11,530  -->  00:07:13,280
other options that I need to set.

142
00:07:13,280  -->  00:07:15,910
And yes, because we picked a payload now

143
00:07:15,910  -->  00:07:17,170
there are more options.

144
00:07:17,170  -->  00:07:19,390
So there is an option called LHOST

145
00:07:19,390  -->  00:07:22,743
and it's the listening address which is my own address.

146
00:07:23,800  -->  00:07:27,333
So I'm gonna get my own IP address using ifconfig.

147
00:07:30,650  -->  00:07:35,070
And my own address is 10.20.14.203.

148
00:07:35,070  -->  00:07:36,280
So I'm gonna close this

149
00:07:38,180  -->  00:07:39,688
and I'm gonna set the LHOST.

150
00:07:39,688  -->  00:07:42,540
So it's the same way that we set the RHOST before,

151
00:07:42,540  -->  00:07:44,230
we set the LHOST.

152
00:07:44,230  -->  00:07:45,083
Do 10.

153
00:07:46,780  -->  00:07:47,613
20.

154
00:07:48,660  -->  00:07:53,250
So, before we used to do set RHOST to set this option,

155
00:07:53,250  -->  00:07:57,160
now we're setting the LHOST to set this particular option.

156
00:07:57,160  -->  00:07:59,820
So set is really simple, set, you put the option name

157
00:07:59,820  -->  00:08:02,020
and then the value that you wanna set it to.

158
00:08:03,150  -->  00:08:05,450
Then I'm gonna do show options

159
00:08:05,450  -->  00:08:07,130
and now everything seems fine.

160
00:08:07,130  -->  00:08:11,400
So we're using this exploit, the RHOST is set to this,

161
00:08:11,400  -->  00:08:12,670
which is okay.

162
00:08:12,670  -->  00:08:15,720
And then the LHOST is set to this which is perfect.

163
00:08:15,720  -->  00:08:18,550
And then you can also set the port

164
00:08:18,550  -->  00:08:21,593
that you're gonna be listening on, on your current computer.

165
00:08:22,680  -->  00:08:25,030
You can actually set it to 80 if you wanted to,

166
00:08:25,030  -->  00:08:28,120
that's the port that is used by web browsers.

167
00:08:28,120  -->  00:08:31,550
So if you set the LPORT to 80, the target computer will try

168
00:08:31,550  -->  00:08:35,750
to connect to you using port 80 which is never filtered on

169
00:08:35,750  -->  00:08:38,910
firewalls because that's the port that web browsers

170
00:08:38,910  -->  00:08:40,440
or web servers use.

171
00:08:40,440  -->  00:08:43,680
So whenever you access a website you actually access port 80

172
00:08:43,680  -->  00:08:44,760
on that website.

173
00:08:44,760  -->  00:08:47,640
So if you open port 80 on your machine and the target

174
00:08:47,640  -->  00:08:50,350
connects to you on 80, then the firewall will think

175
00:08:50,350  -->  00:08:52,803
that the target is only browsing the internet.

176
00:08:53,920  -->  00:08:56,740
I'm not gonna do that now because I have a web server

177
00:08:56,740  -->  00:08:59,020
running on port 80 and that will conflict.

178
00:08:59,020  -->  00:09:00,690
So I'm just gonna set the LPORT

179
00:09:02,260  -->  00:09:05,970
to 555 just as an example for you, just to see that you can

180
00:09:05,970  -->  00:09:09,200
change any option using the same way which is set,

181
00:09:09,200  -->  00:09:11,800
the option name and then the value.

182
00:09:11,800  -->  00:09:13,550
So I'm gonna do show options again.

183
00:09:16,150  -->  00:09:20,050
And as you can see, this has been changed to 5555

184
00:09:20,050  -->  00:09:23,003
and I'm gonna do exploit to run the exploit.

185
00:09:25,280  -->  00:09:26,920
Now as you can see,

186
00:09:26,920  -->  00:09:30,203
it's telling me that session one has been opened.

187
00:09:31,390  -->  00:09:36,170
And the connection is between this device and this device.

188
00:09:36,170  -->  00:09:38,690
Which is the target and my device.

189
00:09:38,690  -->  00:09:40,880
So I'm gonna do a pwd

190
00:09:42,470  -->  00:09:44,513
and, or I do an id.

191
00:09:45,750  -->  00:09:49,463
You'll see that I'm root, therefore I do a uname -a.

192
00:09:52,150  -->  00:09:54,540
You'll see I'm in the Metasploitable machine

193
00:09:54,540  -->  00:09:58,020
and if I do an ls, I'll be able to list the files and so on.

194
00:09:58,020  -->  00:10:01,350
I can use any Linux command, just like we did before

195
00:10:01,350  -->  00:10:02,453
in the other videos.