1
00:00:01,041 --> 00:00:02,060
<v Instructor>Now that we understand</v>

2
00:00:02,060 --> 00:00:03,890
the concept of pivoting,

3
00:00:03,890 --> 00:00:06,510
it's really not that difficult to perform.

4
00:00:06,510 --> 00:00:09,790
All we need to do is upload any tool we need to use,

5
00:00:09,790 --> 00:00:12,040
for example, if you wanted to use Nmap

6
00:00:12,040 --> 00:00:14,590
or arpspoof or dsniff,

7
00:00:14,590 --> 00:00:16,370
you can upload any of these tools,

8
00:00:16,370 --> 00:00:17,800
run them on this computer

9
00:00:17,800 --> 00:00:20,180
which is connected to this big network

10
00:00:20,180 --> 00:00:23,070
and then you can run a port scanner on this,

11
00:00:23,070 --> 00:00:26,470
you can do ARP poisoning and do man-in-the-middle attacks

12
00:00:26,470 --> 00:00:29,410
like we learned before, it's very simple.

13
00:00:29,410 --> 00:00:31,820
All you have to do is use the upload command,

14
00:00:31,820 --> 00:00:34,540
upload it here and use it from the command line

15
00:00:34,540 --> 00:00:38,420
like we were using it anyway in the previous videos.

16
00:00:38,420 --> 00:00:39,640
What I'm gonna show you today

17
00:00:39,640 --> 00:00:41,920
is how to set up a route

18
00:00:41,920 --> 00:00:45,750
between the hacked computer and your computer

19
00:00:45,750 --> 00:00:48,710
so that you can use any Metasploit auxiliary

20
00:00:48,710 --> 00:00:52,600
or module against this big network.

21
00:00:52,600 --> 00:00:54,910
So we'll be able to use Metasploit exploits,

22
00:00:54,910 --> 00:00:57,030
we'll be able to use port scanners

23
00:00:57,030 --> 00:00:58,530
that come with Metasploit

24
00:00:58,530 --> 00:01:00,313
and other useful modules.

25
00:01:03,750 --> 00:01:06,290
So to do that, we're going to use a module

26
00:01:06,290 --> 00:01:10,290
called autoroute and let me show you first

27
00:01:10,290 --> 00:01:12,410
how, if I try to run an exploit

28
00:01:12,410 --> 00:01:15,630
on the target computer, the Metasploitable computer,

29
00:01:15,630 --> 00:01:18,950
it's not gonna work because it's not visible to me.

30
00:01:18,950 --> 00:01:22,060
So I'm gonna do a session list

31
00:01:22,060 --> 00:01:23,970
and you see that I already have a connection

32
00:01:23,970 --> 00:01:25,290
with the Windows computer here,

33
00:01:25,290 --> 00:01:27,250
so I've already hacked it.

34
00:01:27,250 --> 00:01:32,250
And I'm going to use exploit/multi/samba

35
00:01:35,650 --> 00:01:36,950
and usermap_script.

36
00:01:36,950 --> 00:01:38,760
Now, we already used this exploit

37
00:01:38,760 --> 00:01:40,560
against Metasploitable before.

38
00:01:40,560 --> 00:01:42,030
But it was on the same network

39
00:01:42,030 --> 00:01:43,640
so it was visible to us.

40
00:01:43,640 --> 00:01:47,120
What we're doing now is trying to attack a device

41
00:01:47,120 --> 00:01:49,130
that is not visible to us.

42
00:01:49,130 --> 00:01:50,880
And then I'm gonna do show options,

43
00:01:53,330 --> 00:01:58,330
I'm gonna set my RHOST to 10.20.15.4

44
00:01:58,430 --> 00:02:01,108
'cause that's the IP of the Metasploitable device.

45
00:02:01,108 --> 00:02:03,333
Then I'm gonna do show payloads.

46
00:02:07,587 --> 00:02:10,827
And I'm going to use this payload right here.

47
00:02:11,890 --> 00:02:16,273
So I'm gonna do set PAYLOAD to this.

48
00:02:17,330 --> 00:02:18,593
Show options.

49
00:02:20,300 --> 00:02:21,700
Everything's set up properly,

50
00:02:21,700 --> 00:02:23,153
so I'm gonna do exploit.

51
00:02:27,131 --> 00:02:29,360
And you'll see that this exploit will time out

52
00:02:29,360 --> 00:02:33,280
because if we go back to the diagram here,

53
00:02:33,280 --> 00:02:35,960
this device cannot see this device,

54
00:02:35,960 --> 00:02:38,020
so it's trying to run an exploit on this device,

55
00:02:38,020 --> 00:02:41,090
even though this device has that vulnerability,

56
00:02:41,090 --> 00:02:43,270
I won't be able to use it

57
00:02:43,270 --> 00:02:45,653
because I can't see that device.

58
00:02:49,720 --> 00:02:51,840
And as you can see now,

59
00:02:51,840 --> 00:02:53,980
the exploit failed, connection timeout,

60
00:02:53,980 --> 00:02:56,760
it just couldn't connect to the target computer.

61
00:02:56,760 --> 00:02:58,000
So what I'm going to do now,

62
00:02:58,000 --> 00:03:00,110
I'm gonna interact with my Meterpreter

63
00:03:00,110 --> 00:03:02,977
on ID 1, so sessions -i 1.

64
00:03:04,180 --> 00:03:05,660
So I'm in my Meterpreter.

65
00:03:05,660 --> 00:03:07,570
I'm gonna run ifconfig first

66
00:03:07,570 --> 00:03:10,030
to see what my network looks like

67
00:03:10,030 --> 00:03:12,933
or the networks that the target computer is connected to.

68
00:03:16,450 --> 00:03:18,827
So we can see all the interfaces connected

69
00:03:18,827 --> 00:03:20,070
to the target computer

70
00:03:20,070 --> 00:03:23,250
and I'm gonna look for interfaces with IP addresses.

71
00:03:23,250 --> 00:03:26,860
So this interface, number four, has an IP address

72
00:03:26,860 --> 00:03:28,890
and we can see that this IP address

73
00:03:28,890 --> 00:03:30,330
is on our network,

74
00:03:30,330 --> 00:03:32,570
so it's really not very useful.

75
00:03:32,570 --> 00:03:33,790
It's already on our network,

76
00:03:33,790 --> 00:03:37,400
we're on 10.20.14 anyway, on that subnet.

77
00:03:37,400 --> 00:03:40,250
So this one is not very useful for me.

78
00:03:40,250 --> 00:03:42,264
Another one that I can see is this

79
00:03:42,264 --> 00:03:47,020
which is connected to 10.20.15.5.

80
00:03:47,020 --> 00:03:49,530
So it's on a different subnet right here

81
00:03:49,530 --> 00:03:53,070
which I cannot see from my Kali Linux device.

82
00:03:53,070 --> 00:03:55,210
So I'm going to try to set a route

83
00:03:55,210 --> 00:03:58,273
between this subnet and my current subnet.

84
00:03:59,210 --> 00:04:01,200
So I'm gonna copy this.

85
00:04:01,200 --> 00:04:04,400
And then I'm going to background my current session,

86
00:04:04,400 --> 00:04:05,650
so I'm back in Metasploit

87
00:04:06,720 --> 00:04:07,763
and I'll clear this.

88
00:04:08,630 --> 00:04:09,940
Then I'm going to use

89
00:04:13,150 --> 00:04:18,150
post/windows/manage/autoroute.

90
00:04:23,650 --> 00:04:25,880
Now, by the way, at any stage of this,

91
00:04:25,880 --> 00:04:27,970
if you wanted to see all of the manage modules,

92
00:04:27,970 --> 00:04:30,270
for example, you can just leave it at this

93
00:04:30,270 --> 00:04:33,200
and double tab and you'll see all

94
00:04:33,200 --> 00:04:35,460
the post Windows manage modules

95
00:04:35,460 --> 00:04:36,940
and you can try and use them

96
00:04:36,940 --> 00:04:39,150
and experiment with them.

97
00:04:39,150 --> 00:04:42,093
So the one that we want to use is autoroute.

98
00:04:44,110 --> 00:04:46,460
And I'm gonna do show options

99
00:04:46,460 --> 00:04:48,700
to see the options that I can set.

100
00:04:48,700 --> 00:04:50,800
And we have two options that we need to set.

101
00:04:50,800 --> 00:04:52,370
We need to set the session

102
00:04:52,370 --> 00:04:53,800
that we have

103
00:04:53,800 --> 00:04:55,013
and the subnet.

104
00:04:55,910 --> 00:04:57,660
So I'm gonna set the session first.

105
00:04:59,430 --> 00:05:00,873
And it's session number one.

106
00:05:02,260 --> 00:05:04,760
And then I'm gonna set the subnet to what we've seen

107
00:05:04,760 --> 00:05:06,893
when we did the ifconfig command.

108
00:05:09,590 --> 00:05:12,430
So it was 10.20.15

109
00:05:12,430 --> 00:05:13,993
and I'm gonna put a zero on it.

110
00:05:14,920 --> 00:05:16,410
So again, we're using the set,

111
00:05:16,410 --> 00:05:18,420
very simple commands we already learned.

112
00:05:18,420 --> 00:05:20,370
We're setting the session to number one,

113
00:05:20,370 --> 00:05:23,430
that's the session that we hacked for the Windows

114
00:05:23,430 --> 00:05:27,260
and the subnet is the subnet which the Windows

115
00:05:27,260 --> 00:05:29,590
is connected to and we don't have access to,

116
00:05:29,590 --> 00:05:31,773
so it's 10.20.15.0.

117
00:05:33,160 --> 00:05:34,453
And I'm gonna do exploit.

118
00:05:38,120 --> 00:05:42,770
And this will create the connection

119
00:05:42,770 --> 00:05:45,360
or the route between my device

120
00:05:45,360 --> 00:05:47,140
and the Windows device.

121
00:05:47,140 --> 00:05:48,300
So what I'm going to do now,

122
00:05:48,300 --> 00:05:50,110
I'm gonna go back to the same exploit

123
00:05:50,110 --> 00:05:52,210
that I tried at the start of the video

124
00:05:52,210 --> 00:05:53,810
and you'll see that the exploit

125
00:05:53,810 --> 00:05:56,680
is going to work because the Windows device

126
00:05:56,680 --> 00:05:58,670
is visible to me now.

127
00:05:58,670 --> 00:06:00,350
So instead of using that exploit,

128
00:06:00,350 --> 00:06:02,810
you can use, as I said, port scanners

129
00:06:02,810 --> 00:06:05,520
or discovery modules

130
00:06:05,520 --> 00:06:06,970
that come with Metasploit

131
00:06:06,970 --> 00:06:08,280
or any other module

132
00:06:08,280 --> 00:06:09,490
that comes with Metasploit

133
00:06:09,490 --> 00:06:13,220
because my device can now see the target computer,

134
00:06:13,220 --> 00:06:16,360
it can see this Metasploitable device

135
00:06:16,360 --> 00:06:19,160
because it was not visible to me at the start,

136
00:06:19,160 --> 00:06:21,550
but now I have a connection to this computer

137
00:06:21,550 --> 00:06:23,920
and I set up a route between this network

138
00:06:23,920 --> 00:06:25,000
and my computer

139
00:06:25,000 --> 00:06:27,963
so I can actually see the Metasploitable device now.

140
00:06:29,270 --> 00:06:32,263
So I'm going to use the exploit I used before.

141
00:06:36,840 --> 00:06:40,560
And it was exploit/multi/samba/usermap_script.

142
00:06:40,560 --> 00:06:41,543
Just clear that.

143
00:06:42,490 --> 00:06:43,820
Now I'm gonna show the options

144
00:06:43,820 --> 00:06:44,960
and I'm gonna leave them the same

145
00:06:44,960 --> 00:06:47,363
because everything is actually set up correctly.

146
00:06:49,810 --> 00:06:51,403
So I'm just gonna do exploit.

147
00:06:54,203 --> 00:06:55,036
And as you can see,

148
00:06:55,036 --> 00:06:57,900
now a command shell was started properly

149
00:06:57,900 --> 00:07:00,840
and I actually have access to the Metasploitable device now

150
00:07:00,840 --> 00:07:03,330
so I can do id and I'm root.

151
00:07:03,330 --> 00:07:07,833
I can do a uname -a to just confirm that for you.

152
00:07:09,130 --> 00:07:11,580
And we can see that we're in the Metasploitable device

153
00:07:11,580 --> 00:07:14,070
and I can run any Linux command that I want

154
00:07:14,070 --> 00:07:15,633
so I can do ls,

155
00:07:17,627 --> 00:07:20,150
pwd and I should be in the root.

156
00:07:20,150 --> 00:07:21,370
And I can do cd.

157
00:07:21,370 --> 00:07:23,350
Go to var, for example.

158
00:07:23,350 --> 00:07:25,550
And do any Linux command that I want

159
00:07:25,550 --> 00:07:28,663
so I basically have full access to the target computer.

160
00:07:29,870 --> 00:07:32,190
Now again, as I said, you could upload stuff

161
00:07:32,190 --> 00:07:33,780
and run it from the target computer

162
00:07:33,780 --> 00:07:35,090
but it's not always a good idea

163
00:07:35,090 --> 00:07:37,330
to upload things to a hacked computer,

164
00:07:37,330 --> 00:07:39,330
so setting up the routes like this

165
00:07:39,330 --> 00:07:42,363
and using pivoting is a much safer choice.

166
00:07:44,180 --> 00:07:46,560
And I highly recommend that you go

167
00:07:46,560 --> 00:07:48,800
and have a look at other Metasploit modules

168
00:07:48,800 --> 00:07:51,490
'cause Metasploit is really, really big,

169
00:07:51,490 --> 00:07:53,050
it's hard for me to cover everything.

170
00:07:53,050 --> 00:07:55,150
I just covered the main basic stuff

171
00:07:55,150 --> 00:07:56,500
but you can always just go in

172
00:07:56,500 --> 00:07:59,060
and have a look at other modules and try them.

173
00:07:59,060 --> 00:08:01,141
Using the modules is usually the same.

174
00:08:01,141 --> 00:08:04,640
We had a look at a broad array of modules,

175
00:08:04,640 --> 00:08:07,930
so it should be easy to just configure options

176
00:08:07,930 --> 00:08:09,993
and run these modules the way you want.