TryHackMe: Metasploit: Introduction

Captions
What's up guys, today we are starting the Metasploit series, and this is going to be a lot of fun, because Metasploit, if you guys aren't familiar, is a framework that really allows you to take advantage of a lot of vulnerabilities. It has a lot of pre-built ones in there for you that you can search, and it's updated consistently. But we're gonna dive into it and start talking about it, some of the ways to use it, and also some of the pros and cons to it, in a sense.

Okay, so here, it's just kind of like everything else: Metasploit has the Pro version and the Framework. The Pro version, again, the commercial version, facilitates automation and management. So what this lets you do is, number one, it gives you a GUI; number two, it automates and manages tasks for you. If you're doing a lot of pen tests, or you're doing consistent things over and over, you want to have the automation feature; it's very nice. The Framework is the open-source version. This comes with Kali, Parrot, most Linux distros that are used for pen testing. So here it's showing you it has a set of tools: the tools are the msfconsole, the modules, and the tools. So the msfconsole is the main thing that you're going to use. When you type in msfconsole on Parrot, Kali, et cetera, it will start loading up the framework for you, and then from there you can find whatever modules you're looking for, whether it's an exploit, auxiliary, scanners, payloads, etc., and you can actually import them, and it does all this for you. So it's really an all-in-one tool when it comes to exploits like this. So here, tools: standalone tools that will help for vulnerability research, blah blah. So you can import tools as well, such as scanners and things that will do things that maybe won't necessarily exploit something but will still do the scanning for you, just like nmap would. So you can use tools like that with it. So let's go ahead and dive into it.

So here it's kind of teaching you some of the basics. Again, it's saying here, before diving into modules, we have: what is an exploit? It's a piece of code that uses a vulnerability present on the target system. What's a vulnerability? A design flaw, coding flaw, logic flaw, etc., affecting the target system. So basically they want you to know the difference between the vulnerability, the exploit, and a payload. So really, the main difference: a vulnerability is something that exists out there, it's a flaw that you could exploit if you wanted to, right, you could do that; but just because it's vulnerable doesn't mean that it's necessarily been taken over, right? An exploit is the piece of code that takes advantage of the vulnerability. A payload, that is the actual code itself; it's the exploit that will actually take advantage of the vulnerability, so that would be me sending it to you: what I'm sending to you is the payload. So that kind of hopefully sums it up a little bit. They just want you to know the difference so that when you're searching for things you can find it.

So here you can see they're searching in the modules folder for the Metasploit Framework, and you can see they're looking at the auxiliary folder modules, and these are just screenshots of examples; these are not all-inclusive by any means, so don't worry. So you have auxiliary. Auxiliary is going to be like your scanners, your crawlers, your fuzzers, those types of things that you're going to use to not necessarily take advantage of anything but to try and gather some more information. It's an auxiliary tool; it's not the main purpose of Metasploit, but (my dogs are going crazy) it's used in Metasploit if you want it to be. Some people use nmap and things like that separately; some integrate their Metasploit and nmap and all that stuff into one type of format. Either way, you can do it all if you want to.

Now, encoders. Encoders will allow you to encode the exploit. All this is, is if you're sending an exploit to a host, right, the firewall, antivirus, intrusion detection system, intrusion prevention system, whatever the case, they have it, it may go by a signature base, meaning it may look for a specific file hash as it's coming in, or a specific way that it comes in, whatever the signature is, and it may say, hey (sorry if my lip's bleeding, guys), it may say, hey, we know based on the signature that this is a virus, right? So what you can do, you can encode that same payload that you're trying to send anyway, and it will just make it look as if it's just random letters and numbers to the computer, and if that's all it's searching for, it may get through. Now, I will tell you, nowadays it's not as easy as that. Just because you encode something doesn't guarantee that it's going to come through, which is what they're saying here: encoders will encode the payload; they should not be considered a direct attempt to evade, because of the fact that it's not necessarily going to work, and things get encoded for ease of use as well, not just for security. So a lot of stuff gets encoded, so it's not like this is gonna automatically beat any firewall-type thing or anything like that. Okay, on the other hand, evasion modules will try that with more or less success, blah blah. Okay, cool, so here's the evasion: if you actually search the evasion modules... Now you have the exploit modules, and you can see these are, again, just screenshots.

And then you have NOPs, no operations; they do nothing, literally. If you guys aren't familiar with NOPs, all it is, is literally it does nothing, okay? It's a buffer; it fills a gap. Now, the reason for this is, like it says here, to achieve consistent payload sizes. So let's say your payload is really small, but the target system is expecting a packet of X size, whatever; you could put a NOP in there that will fill that buffer. So let's say, this is an example of when it would come in handy: let's say there's a very well-known vulnerability out there, and the payload itself is known to be, you know, 1.3 megabytes in size, I'm just making this up, right? Well, if you add a NOP in there and you make it two megabytes, let's just say, right, then it's less likely to automatically assume, based on that specific size, that it is that specific payload. Now again, this is not a perfect system. It's going to help, but it's not going to beat everything. So keep in mind, you're noticing these are little tricks that you can do to evade, but at the same time a lot of people implement a lot of these to evade, so it's not just a one-thing, one-shot; you don't just click a button and boom, everything's safe. They try and implement a lot of different strategies to evade intrusion detection systems nowadays.

So now the actual payloads. Payloads are code that run on the target system, so this is what you're actually sending to it. So there's singles, stagers, and stages. So singles, this is a self-contained payload. This is what you're going to send, and it's going to launch on that system and give you a reverse shell or whatever it's going to do, and that's going to be it. It's going to completely control that system, or do what you want it to do, just by sending that, excuse me, that payload. That's all it does, right? A stager, now, it says here, is responsible for setting up a connection channel between Metasploit and the target. So this is exactly what it says: it stages the target, meaning it establishes that connection with the target. So now you have a connection, you guys can talk to each other, you have that connection, and then you would send the payload. So that way, at first it trusts you, and now you can communicate. That's what it is. Now, stages, downloaded by the stager: this will allow you larger-sized payloads. So it's just a different way to send larger payloads. It's downloaded by the stager, meaning the stager connects and then it's downloading more information for larger payloads. So basically, if you just set a single, meaning you set a single payload, and it was very large, the actual host might reject it, because they say, hey, that's too big, we don't know who you are, we don't have any sort of rapport with you, in a sense. Now granted, this is all in computer terms; I'm speaking in layman's terms. But the stages will actually allow you to have that established connection, that trust, if you will, and then go ahead and download a larger file. All right.

To do so, this is important: Metasploit has a subtle way to help you identify single (also called inline) payloads and staged payloads. So again, the single and the stages: there's a way to tell the difference, okay? So these look the same, right? generic/shell_reverse_tcp and then windows/shell/reverse_tcp; they look like the same thing. Now, if you see here, the former is an inline or single payload, as indicated by the underscore. So this here is inline, meaning it's a single (excuse me, not a stager, it's a single). So if I wanted shell_reverse_tcp, meaning I wanted to get a reverse shell using TCP, and I wanted it just to be a single, I didn't want to stage anything, this is what I would use. Now you can see here, what's separated with the actual forward slash shows me that it's actually a stager; it's actually distinguished with the different syntax. Now, I know this may be small to see, and you may not remember that, a forward slash versus an underscore, but just keep that in your mind that there are differences, because you may try to use this, it doesn't work, and you go "what the heck," and you're actually looking for this one. So just keep that in mind in the back of your head, to be able to find it again if you need to; that's the important thing.

All right, so: what is the name of the code taking advantage of a flaw in the system? So the name of the actual code is the exploit, okay? Now, the name of the code that runs on the target system to achieve the attacker's goal is the payload. So the code taking advantage of the flaw is the exploit; the payload is the code that runs on it to achieve the attacker's goal, meaning I could use an exploit to get a connection with you and never send a payload yet; the payload is the actual attack, if you will. All right, what are self-contained payloads? We just covered that: that's singles. And is windows/x64/pingback_reverse_tcp among singles or staged? Now, because it's got the underscore, we know it's singles, okay? Keep that in mind.

All right, so now we go on to msfconsole. So when you open Metasploit, you see this screen. This may look totally different to you; just keep that in mind. The screen may be different, but as long as it says msf5 or msf6, you're in the Metasploit Framework console. Now, once launched, you'll see msf5 or msf6. It runs exactly like Linux as far as commands go: you can ls, you can do pretty much anything, the same commands that a Linux machine can do. So if you're not familiar with Linux, you will need to know Linux to use Metasploit. Now you can see here they're showing that they can do a ping; all they're doing here is showing that you can run the same type of commands in the Metasploit Framework as you can on a Linux box. That's nothing new. All right, and you can see it'll support most Linux commands, boom boom. All right, so now you can see you can actually say help, just like in Linux, but you can say help with a specific command, so you're saying help set. So what it's saying is, here's how you set options, okay? Now, you'll have to set options when you're using an exploit; I'll show you guys. Let's see what else it's going to cover: history. This is just showing you what you've done in the last 10 commands you've run. Personally, you can do the same thing on Linux, so again, if you know Linux, you'll be fine with that.

All right, so now this here is the payload we're gonna use for this example, and I'm gonna go ahead, but I'm gonna show you guys how to search it first. I'll show you guys what we're actually looking for here, okay? So I think they show good screenshots, but I think there's a pattern that you need to go about using here. So all right, so here's the history, boom. All right, and here's the exploit that they want us to use. Now, you notice they just go straight to use. That's not what you do in a real environment, theoretically, right? So let's say we know MS17-010, EternalBlue; we know we're looking for the EternalBlue exploit, right? First thing I would do is search for eternalblue, and you see we have the match right there, and that's the actual exploit, the exact same one they're talking about. And you can see here we have multiple ones: we have the auxiliary, and it'll tell you what it's going to do, the description; then you have, let's see, another auxiliary scanner, so that's gonna scan and tell you if it has remote code execution detection on it, that's what it shows right here; and then you have this here, the exploit windows/smb, and that's the one we're gonna actually use today. Now, keep in mind there are extras. You can see here, this one's the psexec one; that's different, but we want the EternalBlue. And you can see here, this is important: you see the rank. There's normal, average, great; there's also poor, and it'll cover these here. Let's see if it shows where it shows them... it shows it here; I'll cover it here in a sec. But basically, that's how well the exploit is ranked, meaning: is it proven in the field, is it gonna work every time, the reliability, et cetera, et cetera. And it's gonna tell you if it's a good, average rank, whatever, normal. But keep in mind it's not perfect, meaning this could say great and it could still crash the machine, okay? Metasploit is not perfect. It will crash machines, especially depending on what services it takes over and stuff like that. But keep that in mind: if the machine stops responding, it could be broken, meaning it could have crashed and need to restart. This does happen. So keep that in mind if you're using Metasploit for, you know, a pen test or for whatever: make sure you're prepared to accept that it could crash the machine, okay? Because these are payloads that you didn't write, so you don't know every single thing it's doing. So if you don't really know what payload you're doing, then you maybe shouldn't do it unless you have permission and you're testing it or something like that.

So now we found the one we want, so now we just say use, and the nice thing here is we can actually tab out, just like Linux. We're gonna say windows/smb, and we're gonna say 17, and then we're gonna say eternalblue, and when you hit use, you notice it says no payload configured, but we do have now this right here; that's telling us that that's the module we've loaded now, and now we're in that one, okay? All right, so let's go here. So it's telling us to show options. So if we show the options, you can see here we don't have an RHOSTS, okay? So we need this host, and it says here it's the target host. So we need RHOSTS, which is the target host, and the LHOST; you notice, this is the nice thing, it already picked up our listening port and our IP address for us. We didn't have to put that in; sometimes you'll have to put that in, so keep that in mind. Let's say you want to change the listening port and you want to listen on a different port, so on and so forth; it can do that for you, because this exploit specifically actually sets up a listener for us, and so if you change the port, it will change that for you. So that's the nice thing: it's not like a script or a GitHub or something like that where you have to actually go in, edit the IP, edit the port. That's the nice thing about Metasploit: it has a lot of these features that can do a lot for you, and you'll see that here very quickly. So we showed the options.

So number one, first thing we're gonna have to do... and this is the option for post-exploitation, so let's go ahead and get it exploited first. So the first thing we have to do, no matter what, is we're going to have to set the target host. So all you do to set it: set, and then you have to do RHOSTS, and then it's just 10.10... what was the IP up here? 10.10.104.14. All right, so 10.10.104.14, hit enter. And then you don't have to do this every single time, but this is just good practice, I always do it: then I always show options to make sure that that actually set. And you can see that this is a required option; that's important, because if it's required, you have to input something; if it doesn't have it, it will not run, okay? So now you can see the exploit target; this is the targets that it's going to look for. All right, so now all you do to exploit is literally type exploit. Now, this is EternalBlue. EternalBlue is a known, long-time exploit; it's been around for a while, and everyone knows it works, okay? So keep in mind not all of them are going to be this easy. You can see "Meterpreter session 1 opened," boom, it's open. We have a reverse shell connection right now to the machine. If we hit ls, it's gonna take a second because we're in a Windows home directory, but you can see this is all Windows DLL files, so you can see this is all in the Windows box. Now the nice thing (nope, didn't type there), the nice thing is, you notice I'm on a Windows box, but I'm still able to use some Linux commands, like pwd, that's present working directory, and it tells me C:\Windows\System32, and it did not take whoami, which is a Linux command. So keep in mind it's not going to do everything, so you have to play with it a little bit, and I wanted you to see that it's not going to accept everything. So what can you do? Just like anything else, you can type help, and look at how fun this is, guys. So I like to do this just to show people: so you can getsystem, and this will attempt a privilege escalation. I'll tell you now, that doesn't work very often, and the reason for it is this just has a set thing, you know, a list of things it's gonna try; if it doesn't work, it doesn't work, whatever, right? So this is a really good one: watch the remote user's desktop in real time, so screen share. So we're on a Linux machine right now, and you can see, look at this, we are actually in here and we are logged in; we can watch them. You can do this in a real machine; you can watch the people, right? So keep that in mind. You can go here, see if it'll exit; I'll probably Ctrl+C it. All right, so I interrupted it. You can watch them, you can record their mic, you can start a video chat, list webcams, I mean, you can do a lot of this stuff. Keep that in mind that when you take over a box with Metasploit, you've got a lot of power. Now, keep in mind also, not all this is going to work, because these are post-exploitation, meaning these are things that it's going to do after.

The big ones, some of the ones that you're going to do a lot, and I'll show you this here: all right, so where are we at? Okay, so we're at the top now, so we're at the core commands, right? So this one, sleep, is a good one to know, I'll tell you that, because if you guys have never used Cobalt Strike, it's very similar: you set this and you tell it to just reconnect every, let's just say, 24 hours. The reason for that is, when someone's looking at logs and things, they're not going to see this constant connection with you that maybe doesn't make sense; they'd say, "I don't even know whose IP that is, that's not us," whatever. So it's important that you know what sleep does: it's going to just re-establish that connection every so often. It's very good to stay quiet, but it's very slow, right? If I say sleep for 24 hours, it's literally not gonna check back in with me for 24 hours, meaning if I type ls, I'm not going to get the results for 24 hours, okay? So keep that in mind; that's important to know. But there's that one; these are just your regular file system commands; then you're going to see system commands. So let's see, I'm just looking to see which ones you guys will use. Clear event logs, that's obviously important if you're worried about getting caught, which again depends on what you're doing and what type of pen test you're doing. getsystem, that's obviously a really important one. Another one, hashdump; I'll show you this, so you can see we have hashdump. Now we have John's hash and the admin hash. I could actually take these hashes, go offline now, and try and crack them, and then I would have unlimited access to this, because I have the admin and John's password, and that would be that. So there's a lot of really cool stuff you guys can do here in Metasploit; that's the whole point. You guys can check it out.

All right, so now the show command will show payloads. So that's actually before it's exploited, and it shows that you can change the payloads. Now keep in mind, when I didn't select a payload, it automatically accepted the reverse listener, which is what we got here to do, and the reverse listener is what set this up so that we could then have a full shell with it. And then info is just going to tell you more information about the exploit itself; here's the whole description. Search, we already showed how to search for things. All right, so they're just showing you can search for types of payloads. All right, so here's one of the questions: how would you search for modules related to Apache? And it's just search apache. Now, who provided the auxiliary scanner ssh? Okay, so this one we're going to have to actually open up another one, only because I don't want to lose this connection, because I think it asks questions about it, but don't quote me. All right, and then the summary; the summary is not going to tell us anything. So this is the last question. All right, so now it wants us to search for auxiliary, actually it wants us to search for ssh. Actually, we can just use it, because it just gave it to us, so we can just say use, auxiliary, ssh, ssh_login. All right, so we use that, and then we say info, and it wants us to see who it was provided by, which is todb. We hit enter, boom, we got that, okay.

Now we're gonna go with working with modules. All right, I'm not sure what's going on here; that machine stopped working for a second. All right, we can close that one. There we go. Okay, so now this one here, it's just showing us the show options; I already showed you guys that, I'm not going to cover that again. All right, so we've got the show options, we've got the EternalBlue, that's what it's showing us here; we've already done that, boom. Now it shows that we have the shell on the target system, C:\Windows\System32, and we know that because we did pwd, present working directory, and we're in C:\Windows\System32; we're in the same thing they are. All right, and then from here, as mentioned earlier, the show options command will list available parameters. Now, if you see here, it won't work here because we have the shell. They're showing it here... I don't like the way they do this sometimes, because it looks like they're talking about the shell, but they're not; you can tell here, because it's got the msf5 still, that they're talking about it before you actually exploit it. And you can see they don't have an RHOSTS setting in there, so they have to put that option; if they don't, it's not going to run, and that's what they're showing here: set RHOSTS, boom, now they have it, now it'll run. And then here they're showing how to flush all that data if you want to in the future. Like, let's say you go ahead and exit this; it exits it, and then we say show options; you can see we have RHOSTS now. We'll say unset all, and then show options, and you can see the host is gone. So that's important if you're doing this on multiple hosts or something like that, and all of a sudden you say, "oh crap, it's running on the same host," excuse me. All right, so if you've already set it, you'll have to go back and change that, okay?

Now, you can use the setg command to set values that will be used for all modules. This, to me, is a global command. So basically we set the RHOSTS using the setg command instead of the set command. What this does is it then sets it globally, so if that's your target, no matter what host you go to or no matter what module you go to, it will automatically add that to RHOSTS. That's where I like what they're saying; the problem I'll show you here in a second. Now keep in mind, you'll have to do unsetg, unset global, to get rid of it as well. Now here, exploit -z: what that's going to do is it's going to run the Meterpreter session in the background, so you could keep going, and you can see here session 2 created in the background. So then you have to go to sessions, and you'd have to actually go through and reconnect to it. So you can see sessions there: he's got multiple different systems that he's holding on to. And then here, to interact with a session, you can use sessions -i followed by the desired number, and then boom, you take over. Now here's where I have a problem with it: it says "how would you set the global value for RHOSTS," and it was not setg, which is set global, so I don't really know what they were looking for there, but it was just set. So keep that in mind, guys. I'm gonna go ahead and terminate this, and you'll see what I'm talking about. So here you can see set RHOSTS is the answer, even though it should be setg, so it's just a mistake. How would you set the LPORT value? It's just set LPORT 6666. Then what command would you use to clear a set payload? Just unset payload, that's all it is. Then what command do you use to proceed with the exploitation phase? Just exploit; you type exploit, boom, you have it.

So that's it, guys. Metasploit is a very useful tool. This is a very broad, easy way to learn it; this is very over the top, not very in-detail about it, but EternalBlue is one of the easiest ones to learn, and it feels really good taking over your first box. So this one is one of the ones where you're genuinely hacking into the box, meaning you're actually using an exploit; you're not just typing, like, a password in, an admin password, not breaking a password; you're genuinely breaking the system to get in. So this is a cool one, in my opinion. I'm pretty sure every hacker has done EternalBlue a million times at this point, to see it and understand it and things, so it's a really cool one to learn. I really like it. I think they did a good job showing that as their first Metasploit introduction, and I'm looking forward to actually doing the other two Metasploit boxes that are next, and hopefully they're also good. So if you guys like it, go ahead and sub, I really appreciate it, like the video, and then below I'm going to start linking the Discord in the descriptions; that way you guys can join the Discord and have conversations in there and ask me questions as well. Thanks, guys.
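The single-versus-staged naming rule the video walks through (an underscore fuses stage and transport, a slash leaves a bare stager name), as an added Python example that is not code from the video or from the Metasploit project; the stager and architecture name sets are a constructed subset, and `group_by_kind` is a hypothetical helper for bucketing a list of names such as the output of `show payloads`:

```python
"""Single (inline) vs staged Metasploit payload names.

Added example; not code from the video or from the Metasploit project.
It encodes the naming rule the video explains: a staged payload ends in
a bare stager name after a slash (windows/shell/reverse_tcp), while a
single payload fuses stage and transport with an underscore
(generic/shell_reverse_tcp). The stager and architecture sets below are
a constructed subset, so names outside them fall back to "single".
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed subset of stager (transport) names found under
# modules/payloads/stagers/; a real tree carries more.
STAGERS = {
    "reverse_tcp", "bind_tcp", "reverse_http", "reverse_https",
    "reverse_tcp_rc4", "reverse_tcp_uuid", "bind_tcp_uuid",
    "reverse_named_pipe", "bind_named_pipe", "reverse_winhttp",
    "reverse_winhttps", "reverse_ipv6_tcp", "bind_ipv6_tcp",
}
# Constructed subset of architecture path components.
ARCHS = {"x64", "x86", "aarch64", "armle", "armbe", "mipsle", "mipsbe", "ppc"}


@dataclass(frozen=True)
class PayloadName:
    name: str
    platform: str
    arch: Optional[str]
    stage: str                # shell, meterpreter, pingback, exec, ...
    transport: Optional[str]  # reverse_tcp, bind_tcp, ... or None
    kind: str                 # "single" or "staged"


def classify_payload(name: str) -> PayloadName:
    """Split a payload path and decide whether it is single or staged."""
    parts = name.strip().strip("/").split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a platform/... payload path: {name!r}")
    platform = parts[0]
    arch = parts[1] if len(parts) > 2 and parts[1] in ARCHS else None
    last = parts[-1]

    # Staged: the final component is a bare stager and the component
    # before it names the stage the stager will download.
    if len(parts) >= 3 and last in STAGERS and parts[-2] not in ARCHS:
        return PayloadName(name, platform, arch, parts[-2], last, "staged")

    # Single: stage and transport are fused by "_". Try the longest
    # transport first so reverse_tcp_rc4 is not read as reverse_tcp.
    for transport in sorted(STAGERS, key=len, reverse=True):
        if last.endswith("_" + transport):
            stage = last[: -len(transport) - 1]
            return PayloadName(name, platform, arch, stage, transport, "single")

    # No recognised transport (e.g. windows/exec): still an inline payload.
    return PayloadName(name, platform, arch, last, None, "single")


def is_single(name: str) -> bool:
    """True for inline payloads, which is what the room's pingback question asks."""
    return classify_payload(name).kind == "single"


def group_by_kind(names: Iterable[str]) -> Dict[str, List[str]]:
    """Hypothetical helper: bucket a list of payload names by kind."""
    groups: Dict[str, List[str]] = {"single": [], "staged": []}
    for n in names:
        groups[classify_payload(n).kind].append(n)
    return groups


if __name__ == "__main__":
    # Constructed sample, including the three names the video discusses.
    sample = [
        "generic/shell_reverse_tcp",
        "windows/shell/reverse_tcp",
        "windows/x64/pingback_reverse_tcp",
        "windows/x64/meterpreter/reverse_https",
        "windows/x64/meterpreter_reverse_https",
        "windows/exec",
    ]
    for n in sample:
        p = classify_payload(n)
        print(f"{p.kind:6} {n:40} stage={p.stage} transport={p.transport}")
```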
Info
Channel: stuffy24
Views: 5,600
Id: EK7vDlr9v5c
Length: 29min 3sec (1743 seconds)
Published: Fri Feb 04 2022