1
00:00:03,340  -->  00:00:04,520
<v Instructor>In today's lecture,</v>

2
00:00:04,520  -->  00:00:06,780
we're going to learn some basics

3
00:00:06,780  -->  00:00:09,993
about how to interact with Metasploit's meterpreter.

4
00:00:11,910  -->  00:00:13,540
So I already have a session here,

5
00:00:13,540  -->  00:00:15,640
and as you can see it's just meterpreter.

6
00:00:16,910  -->  00:00:19,530
In Linux, in everything, in every command line,

7
00:00:19,530  -->  00:00:22,800
the help command is always the best command you can run.

8
00:00:22,800  -->  00:00:24,170
So the first thing we're going to do,

9
00:00:24,170  -->  00:00:25,383
we're gonna do a help.

10
00:00:28,410  -->  00:00:30,470
And as you can see we get a big list

11
00:00:30,470  -->  00:00:32,560
of all the commands that you can run,

12
00:00:32,560  -->  00:00:36,003
and a description of what each of these commands do.

13
00:00:40,520  -->  00:00:43,280
So, I'm gonna show you some basics right now,

14
00:00:43,280  -->  00:00:44,960
first thing that I want to show you

15
00:00:44,960  -->  00:00:47,060
is the background command.

16
00:00:47,060  -->  00:00:48,290
So background

17
00:00:50,000  -->  00:00:53,230
will basically background the current session,

18
00:00:53,230  -->  00:00:55,070
so in one terminator session,

19
00:00:55,070  -->  00:00:58,630
it will just, it's very similar to minimizing a window.

20
00:00:58,630  -->  00:01:01,060
So when I run background, I'll go back to Metasploit

21
00:01:01,060  -->  00:01:02,370
as you can see there,

22
00:01:02,370  -->  00:01:04,740
and I can run other Metasploit exploits

23
00:01:04,740  -->  00:01:07,030
to further exploit the target machine,

24
00:01:07,030  -->  00:01:09,100
or just to exploit other machines.

25
00:01:09,100  -->  00:01:11,280
While maintaining my connection

26
00:01:11,280  -->  00:01:13,113
to the computer that I just hacked.
27
00:01:14,394  -->  00:01:17,860
So, to see a list of all the computers

28
00:01:17,860  -->  00:01:19,470
or the sessions that we have,

29
00:01:19,470  -->  00:01:21,003
we can just run sessions,

30
00:01:23,010  -->  00:01:26,120
L, to list the current sessions,

31
00:01:26,120  -->  00:01:28,010
and as you can see we have a session here,

32
00:01:28,010  -->  00:01:30,350
meterpreter, so it's still there, we didn't lose it,

33
00:01:30,350  -->  00:01:33,410
and it's between our device and the target device,

34
00:01:33,410  -->  00:01:35,150
which is 206,

35
00:01:35,150  -->  00:01:37,670
now in order if I want to get back into that session,

36
00:01:37,670  -->  00:01:40,000
to interact with the meterpreter again,

37
00:01:40,000  -->  00:01:42,383
all I need to do is run sessions again,

38
00:01:44,920  -->  00:01:47,130
minus I for interact,

39
00:01:47,130  -->  00:01:49,150
and then I'm gonna put number two,

40
00:01:49,150  -->  00:01:51,033
which is the ID of the session.

41
00:01:53,900  -->  00:01:57,253
And as you can see I'm back in the meterpreter session.

42
00:02:00,230  -->  00:02:01,670
Another command that I wanna show you

43
00:02:01,670  -->  00:02:02,503
is the sysinfo,

44
00:02:03,730  -->  00:02:05,310
and you see me run this every time

45
00:02:05,310  -->  00:02:08,350
I hack into a system, and the reason for this command,

46
00:02:08,350  -->  00:02:11,360
it shows you information about the target computer,

47
00:02:11,360  -->  00:02:14,930
so it shows us the computer name, right here,

48
00:02:14,930  -->  00:02:19,330
we can see the operating system of the target computer,

49
00:02:19,330  -->  00:02:20,690
and it's running Windows 10,

50
00:02:20,690  -->  00:02:21,970
we can see the architecture,

51
00:02:21,970  -->  00:02:24,002
so it's a 64-bit computer,

52
00:02:24,002  -->  00:02:27,200
so in the future if you wanted to run

53
00:02:27,200  -->  00:02:29,400
some executables on that target,
54
00:02:29,400  -->  00:02:33,970
we know it's 64-bit and we create 64-bit executables,

55
00:02:33,970  -->  00:02:36,150
we can see that the language is English,

56
00:02:36,150  -->  00:02:38,490
the work group that it's working on,

57
00:02:38,490  -->  00:02:42,610
and the user ID that it's logged in,

58
00:02:42,610  -->  00:02:44,430
and then we can see the version of meterpreter

59
00:02:44,430  -->  00:02:45,890
that's running on the target machine,

60
00:02:45,890  -->  00:02:48,614
and it's actually a 32-bit version

61
00:02:48,614  -->  00:02:50,053
of meterpreter.

62
00:02:51,350  -->  00:02:53,610
Another useful command for gathering information

63
00:02:53,610  -->  00:02:57,210
is ipconfig, now ipconfig is very similar

64
00:02:57,210  -->  00:02:59,260
to the ipconfig that you get when

65
00:02:59,260  -->  00:03:02,900
you run on the Windows machine on the command prompt,

66
00:03:02,900  -->  00:03:04,607
and it'll show you all the interfaces

67
00:03:04,607  -->  00:03:08,500
that are connected to the target computer,

68
00:03:08,500  -->  00:03:09,570
we can see for example,

69
00:03:09,570  -->  00:03:11,510
here interface one,

70
00:03:11,510  -->  00:03:13,240
we can see the MAC address,

71
00:03:13,240  -->  00:03:15,298
we can see the IP address,

72
00:03:15,298  -->  00:03:18,780
and for example here, this is the interface

73
00:03:18,780  -->  00:03:20,540
that is connected to our network,

74
00:03:20,540  -->  00:03:22,850
and the one that we got the connection from,

75
00:03:22,850  -->  00:03:26,130
so if the device is connected to multiple networks,

76
00:03:26,130  -->  00:03:27,873
you'll be able to see all the interfaces

77
00:03:27,873  -->  00:03:29,913
and how to interact with them.

78
00:03:32,073  -->  00:03:35,460
Another useful information gathering command

79
00:03:35,460  -->  00:03:37,640
that you can run is ps,

80
00:03:37,640  -->  00:03:40,240
now ps will list all the processes

81
00:03:40,240  -->  00:03:43,363
that are running on the target computer.
82
00:03:43,363  -->  00:03:46,120
So these might be background processes

83
00:03:46,120  -->  00:03:48,780
or actual programs running in the foreground

84
00:03:48,780  -->  00:03:50,780
as Windows programs or GUIs.

85
00:03:51,886  -->  00:03:54,586
You can see each process here,

86
00:03:54,586  -->  00:03:56,174
the name of the process,

87
00:03:56,174  -->  00:03:58,430
and then you can see the ID, or the PID,

88
00:03:58,430  -->  00:03:59,603
in which it's running.

89
00:04:01,600  -->  00:04:05,220
An interesting process is the explorer.exe,

90
00:04:05,220  -->  00:04:10,210
and that's literally the graphical interface of Windows,

91
00:04:10,210  -->  00:04:14,660
and we can see that it's running on process ID 2116,

92
00:04:14,660  -->  00:04:17,530
now a very good idea once you hack into a system,

93
00:04:17,530  -->  00:04:20,290
is to migrate the process, the current process

94
00:04:20,290  -->  00:04:23,980
that you're running on into a process that is safer

95
00:04:23,980  -->  00:04:25,640
than your current process.

96
00:04:25,640  -->  00:04:29,360
For example, the explorer is the graphical interface

97
00:04:29,360  -->  00:04:31,210
of Windows, so it's always running

98
00:04:31,210  -->  00:04:33,890
as long as the person is using their device.

99
00:04:33,890  -->  00:04:37,103
So, it's much safer than the process

100
00:04:37,103  -->  00:04:39,710
that you gained your access to the computer through,

101
00:04:39,710  -->  00:04:41,210
for example, if you gained your access

102
00:04:41,210  -->  00:04:43,470
through an executable, or a program,

103
00:04:43,470  -->  00:04:45,350
you will lose your process as soon as

104
00:04:45,350  -->  00:04:47,630
the person closes that program,

105
00:04:47,630  -->  00:04:48,992
so a better way to do it is

106
00:04:48,992  -->  00:04:53,010
to migrate to a process that is less likely to be closed,

107
00:04:53,010  -->  00:04:55,660
or terminated, so what we're going to do,

108
00:04:55,660  -->  00:04:58,003
we're going to use a command called migrate,

109
00:04:59,790  -->  00:05:03,560
to move our current session into a different process,
110
00:05:03,560  -->  00:05:05,370
and we're gonna use the explorer process

111
00:05:05,370  -->  00:05:06,853
because it's very safe,

112
00:05:09,550  -->  00:05:10,713
Put 2115,

113
00:05:12,540  -->  00:05:14,420
and there's no such process obviously,

114
00:05:14,420  -->  00:05:16,253
so it should be 2116,

115
00:05:19,320  -->  00:05:21,200
and the migration's successful now,

116
00:05:21,200  -->  00:05:24,886
so the meterpreter at the moment is running from

117
00:05:24,886  -->  00:05:28,550
the explorer.exe, now if we go to the task manager

118
00:05:28,550  -->  00:05:29,793
on the target computer,

119
00:05:30,840  -->  00:05:33,693
and run my system monitor,

120
00:05:37,220  -->  00:05:38,733
or resource monitor, sorry.

121
00:05:41,550  -->  00:05:42,963
Now if we go on network,

122
00:05:44,150  -->  00:05:47,060
and go into TCP connections,

123
00:05:47,060  -->  00:05:50,250
you'll see that the connection here on port 8080,

124
00:05:50,250  -->  00:05:52,480
is coming from explorer.exe,

125
00:05:52,480  -->  00:05:54,910
so it's not coming from a malicious file,

126
00:05:54,910  -->  00:05:57,870
our payload or backdoor is actually running

127
00:05:57,870  -->  00:05:59,500
through the explorer,

128
00:05:59,500  -->  00:06:02,020
now if you see Firefox or Chrome,

129
00:06:02,020  -->  00:06:04,030
you can migrate to that process,

130
00:06:04,030  -->  00:06:05,890
and especially that you're connecting

131
00:06:05,890  -->  00:06:08,400
through port 8080, or you can use 80,

132
00:06:08,400  -->  00:06:11,040
then it's gonna look even less suspicious

133
00:06:11,040  -->  00:06:15,409
because 80 and 8080 are the ports used by web servers,

134
00:06:15,409  -->  00:06:17,940
so it's very natural or very normal

135
00:06:17,940  -->  00:06:20,863
to have a connection on port 80 or 8080.