Try Hack Me : Metasploit: Meterpreter

Captions
What's up guys, so today we're covering Metasploit Meterpreter. This is a lot of fun, so let's go ahead and dive in. Hopefully you guys are enjoying the series, hopefully you guys are liking Metasploit specifically. I really like Metasploit, but I will tell you it's not going to be any use to you if you don't know what it's doing in the back end. It's more of an ease-of-use thing, not so much a one-stop shop. The reason I tell you that is because if you ever take the OSCP or anything like that, you cannot use Metasploit, so heads up for the future. It's a very good tool if you understand what it's trying to do on the back end, but it's not such a good tool if you're relying on it to do everything for you. So let's go ahead and dive in. This is going to be more post-exploitation, so let's go ahead and talk about it.

How does Meterpreter work? What's the difference between Metasploit and Meterpreter? Metasploit is the framework, meaning it's all the tools combined. Meterpreter is when you get the actual session: you have a Meterpreter session, meaning you have a shell that you can now access, but Meterpreter has special commands that you can use to kind of shortcut some things for you. So if you guys have ever used Cobalt Strike or anything like that, it's a very similar type of process where you can shortcut a lot of what you would normally do.

Here you can see getpid. They're going to cover some things and I'll talk more about them, but getpid gets the process ID. The reason you need your process ID, and ps is the command for processes, is because when you usually get a Meterpreter session it's not going to be stable. What I mean by that is you might come into a session, and whatever service you're running, if you're trying to do stuff with it, it could be that that service is not going to be stable, meaning it could crash and then you lose your session. It could also be caught very easily. Let's just say you migrate into a Notepad process, and all of a sudden you're running PowerShell commands from Notepad. Well, that's going to get caught pretty quick by everything, because Notepad doesn't run PowerShell commands or ask to. So things like that. I don't know if that makes sense to you guys, but when you take over a system you're taking control of a process, whether that be one of these or you start a new process like PowerShell or something like that. That will run on the system, and they will be able to see that, so keep that in mind.

Now you can take it a step further. If you actually do this and look at the task list, you can look at the DLL libraries. If you guys aren't familiar with what DLLs are, it's the configuration files. It's how a lot of the recent attacks have happened, such as Print Spooler, or PrintNightmare you might know it as. The other one that just happened was Log4j. Excuse me, these are taken over because of... well, Log4j was a logging thing, but that's not my point. The point is the DLLs are the configuration files that are going to load when a service runs, or when something runs. So this here will show you the DLLs. All they're trying to tell you guys is, if you look here, nothing jumps out of the page and says "oh, watch out, Metasploit's got a hold of you," even though they have a session right now. So that's what they're trying to show you: it's sneaky. The problem is most antivirus software is going to detect it very quickly because it does have a signature. What I mean by that is it does follow a pattern; it is going to do things that Meterpreter does, and most antivirus is going to catch it. So unless you have permission, you're going to get caught 90 percent of the time using Meterpreter or Metasploit, and the only reason for that is because it does have a signature, a pattern of how it traverses.

All right, so here you can see they've used msfvenom and they're actually just looking for Meterpreter payloads. This is just showing you that if you search them you're going to get Android, Apple, Java, Linux, Python, so on and so forth. Here you go: PHP, Python, all that. So what they're saying here is if you know what your target is and you know what you're trying to do, you can directly correlate the attack or the payload with what you're actually trying to do, or what the operating system is on your attack target. Now here you can see MS17 EternalBlue; that's the one we took over in the last box. You can see it defaults to the Windows x64 Meterpreter reverse shell, right? So it defaulted to what it knows, EternalBlue. What they're trying to show you here with that is simply that not every payload is going to work on every system. It's just not possible, right? If I run an Android payload on a Windows system, it doesn't know what to do; it doesn't even understand what I'm sending it, so it's not going to work. So you have to make sure you know what you're trying to do and make sure it's specific. Here you can see if you show the payloads it has these options, and you notice they're all pretty much Windows because it's a Windows box. So keep that in mind: you have to know what you're doing, otherwise if you see something cool, it may not work is what I'm saying.

So this is another example of that. These are the Meterpreter commands. These are some of the built-in commands that are a little bit more user-friendly rather than knowing how to do it differently, or taking the long route, or writing a script or something like that; these will do this for you. So if you type help in the Meterpreter session you'll get these commands. Some of the ones you're going to look at: this is a big one, migrate. It allows you to migrate Meterpreter to another process. We're going to cover that, but migrate's a big one because, like I said, when you take over a Meterpreter session, typically you want to migrate to a better service, because these are not going to be stable enough to run for extended periods. Now it might be you get one where you're in exactly what you want; that's possible. But you want to make sure you're taking over a service that is stable, trustworthy, and isn't going to get you busted in 10 seconds, right? You can see background, that'll just background the session. exit. These are very common. You can see these are normal file system commands, boom boom boom. But some of the bigger ones that I personally think are fun, because Meterpreter lets you have fun too, that's the other thing: you can see here some of them are really fun. If you take over your buddy's computer, let's say you have an old Windows laptop that you want to mess with or something, you can actually go ahead and use these and take screenshots of the interactive desktop. You can actually do screen share, which allows you to watch the remote, and we'll do the screen share today so that you guys can see it. It's really cool, it's just fun to do, and you can actually watch what someone's doing if they're on that machine.

All right, so these are just the help commands. I'm not going to cover them word for word because you guys can go ahead and go through them. One that you'll see a lot is keyscan_start. These are just adding a keylogger, basically. That's common if you want to see if someone will type in passwords. I did an exercise years ago that was nationwide; I'm not going to say which state I was against, but it was state versus state, and all we did was... we had one account because we took over one person's account, and he was an admin, so we just put a keylogger on his machine. This was a couple of weeks exercise, it wasn't overnight, so you had time to wait. We put a keylogger on his machine and we just waited until he logged in from server to server to server to server, because he's an admin working on things, and we got all the passwords for all of their admin accounts. Once we did that it's game over, because we could log into the domain controller and create our own accounts if we wanted to at that point. So keep in mind keyloggers are an old-school form of hacking, but they work really well. I also have physical keyloggers. I think that's what I'm going to do on my 500 sub giveaway: give away a keylogger to one of the subs, obviously. So that's just a thought, but keyloggers work really well, they're very hidden and they work extremely well. Like I said, physical keyloggers, I'll just tell you, are way better in my opinion because they don't get detected the way that software ones do. All right, enough with the keyloggers, I've gotten on a rant here.

All right, so here's the help commands, boom, you see it. So some of the commands you want to do: first one, getuid, because this shows you who you're logged in as. If you're NT AUTHORITY\SYSTEM on a Windows computer, you're root, you've got it, you're admin, right? The ps command, that's processes; you can see all the processes that are running. Now when you're going to migrate to one, you're actually going to look at the process ID number and that's what you'll put in, okay? I'll show you guys that here in a little bit; we're going to go through it. Here's the keylogger: keyscan_start, keyscan_stop, keyscan_dump. So you start it, whenever you stop it you dump it, and it'll give you all the different things it did. Here you go, migrate 716, so let's see which one he migrated to. He migrated to lsass, which is what we're going to do today. So he migrated to it, perfect, and it completed successfully. Sometimes it won't complete successfully and that's okay, just keep that in mind; sometimes it's not going to be perfect. hashdump, we've done that before, you're just going to dump the hashes. search. So keep in mind too, when you're a process... so the process that we're going to log into today is not going to allow us to do a hashdump because it doesn't have permissions to do that, so we have to migrate to lsass, which will give us permissions. So sometimes you'll run a command and it won't work and you don't know why; it's because whatever service you have is not capable of running that, okay? Now the search command, we've done that before, we did that last time, we're going to do that a couple of times today. And then the shell. So shell will create a physical shell on the box. What I mean by that is it's just going to dump you into a regular command line, not a Meterpreter session. So if you are a little bit more familiar with the shell itself... why can't I move? Now there we go, okay. So if you like the actual physical shell better than the Meterpreter session you can do that, that's all it is. Sometimes certain shells will allow you to do a couple of things; it's all preference.

All right, so now getsystem. getsystem is supposed to try and automatically escalate its privileges to admin. Now keep in mind this doesn't always work. I will say the majority of the time it's not going to work in a real scenario, but it might, and if it does, that's awesome: you didn't have to do anything to get escalated privileges, it just did it for you. hashdump again, perfect, because you can dump those hashes and start trying to break those passwords, which we're going to break one today. Here you can load python. This is just showing you that you can load different modules after you have a Meterpreter session, and it will load that so that you can then use their functions. So now you see they have an extra help menu, like kiwi_cmd, execute Mimikatz command, boom boom boom. If you guys aren't familiar with Mimikatz, kiwi, all that, it's just a post-exploitation tool. You can load those in and it gives you many more options, so keep that in mind.

All right, so here we go. "Use the credentials below to simulate an initial compromise over SMB." All right, so what does that mean? First things first, let's go ahead and get Metasploit open. All right, so it tells us right here, it already gives us what we're going to use: we're going to use exploit/windows/smb/psexec. Perfect. So what we're going to do is I'm just going to say use and follow exactly what they said: exploit/windows/smb/psexec, hit enter, boom, we're in there like swimwear. Now we just show options. Now you notice, all right, it didn't set them for me, so we have to set the options. We need to set our hosts like normal, and the RHOST here is 10.10.117.138, okay? Now you notice here there's also an option, it's not required, but it's an option right here for SMBPass and SMBUser. Well, they gave us the username and password, so we're going to go ahead and use that: SMBUser, and we'll say ballen. All right, now we're going to say... whoops, I didn't set it: set SMBUser ballen, set SMBPass as Password1. All right, so that should be good, and then we'll run it. Now I'll tell you it doesn't work every single time; you're going to notice that about Metasploit, sometimes it'll do this and it might not work. Now here we got it, we got the session, so we're in. So now watch this: if we want to have fun, we say screenshare, okay, and you can see... not going to work, you can see it doesn't work, okay, waiting, waiting, waiting. Perfect. So let's go ahead: the first thing we need to do, in my opinion, is we need to migrate to lsass. Now all we're going to do is ps, so we need to look at the processes, find lsass, there it is, 764.

Now again, we're only doing this because this one doesn't have permissions or can't open what we need it to do. So let's migrate to lsass, where we know we can have full access. Migration completed successfully. Now let's see if screenshare will work; it might not, and it does not. "Current session was spawned by service on Windows 8+, no desktops are available to screenshot." So okay, it doesn't have a desktop; that's why. It's just a strict server with no desktop, so you can't screenshot it. Perfect, okay, so we know that now. So now, what is the computer name? You can see we're just going to type sysinfo, system info, and you can see the computer name is ACME-TEST. Perfect, easy enough. Now this one might give you a little bit of a run, but all you've got to do... they're trying to get you to see how to background it. So Ctrl-Z, background the session. This is running really slow. There we go. All right, it didn't background it for some reason, or did it? Okay, it did, it just lagged for some reason and took two y's. Okay, so now here, if you look at the hint, it'll give you exactly which one you're looking for: post/windows/gather/enum_domain. So we're going to say use post/gather, I think it's windows post, but we'll see. All right, post/windows/gather/enum_domain, excuse me. So now when we use this, we have to look at our sessions, so sessions -i, which will give us information about it, and you can see we only have one, so the ID number is 1, which is what we need. So now we'll set SESSION, and if you guys don't understand what's going on here: what we did is we backgrounded our Meterpreter session and then we started using this post-exploitation module, which is enum_domain. We want the domain, so we're going to set the session to 1, which is the session ID right here, and when you do that, when we run this, all it's going to do is go into that session with that module for you and do the enumeration for the domain for you. You can see right there the domain is FLASH; it found it for us. Perfect.

All right, so "what is the name of the share likely created by the user?" Okay, so now we're going to do basically the same thing: use windows... this is a pain in my butt, so post/windows/gather, if I could type, but we want enum_smb_shares, or maybe it's just shares, enum_shares, okay. Now set SESSION to 1 and run it. You can see here it's asking us what is the name of the share likely created by the user. Well, we know system volumes is probably not created by the user because that's a default one; we know NETLOGON is probably not created by the user because it's a default one; so it's probably speedster. So speedster is the answer, it's the one that was probably created by the user. Now we can't prove that, we don't know that, but we're guessing, right? So now, what is the NTLM hash of the jchambers user? So now if you didn't migrate here... first things first, we're going to jump back into our sessions, so we go to sessions -i and hit 1 to interact with the first session. Okay, so now we're back in; you can see here we're right back in it. It's going to ask us for a hashdump, so we want to hashdump this, boom, and it's asking for jchambers. So jchambers, there's his hash right there. So now it's saying what is the hash; we got it. So now what's the clear text? We know this is an NTLM hash, so we go to crack hashes, we can do whatever you want; we'll just go online, and I'm pretty sure it's crack... yep, crackstation.net, and you just paste it in there, crack the hash, and boom, it's an NTLM hash. Now this only works, I'll tell you right now, if you use an online hash cracker like this: they only work for low-level encryption algorithms; they're not going to work for today's passwords typically. Sometimes they will, if you find some that are already found or whatever, because this is just a large database that has this information already. So if it's a password that hasn't been uploaded, it's not going to be in there, so hopefully that makes sense to you guys. So there's the answer: trust no one. All right, so we have the answer, "trust no one" is his clear text password. Really cool, we cracked it, we didn't have to do anything. Now you could keep going and try and crack all these if you wanted to, and I recommend doing stuff like that, because that's how you get better and learn things.

Now, where is the secret.txt file located? So search -f for file, and we're going to say secrets.txt, and this may take a second. The first time it got hung up on me; I had to Ctrl-C it and stop it and then run it again, and it worked in about 30 seconds or so. There you go, so there it is: C:\Program Files (x86)\Windows Multimedia Platform, and boom, you can see right there, that's our answer. I don't know if you guys can see it; if you guys can't, we'll do this for you so you can see right there, there's our answer, C:\Program Files, blah blah. All right, so now you can do multiple things: you can download the file or you can just open it, so you just cat it. I just do this to go to the home directory, so you can see if we go to where secrets.txt is located: we go to cd and we're going to go to Program Files. Now keep in mind, when you're doing this you'll have to do it in quotations. The only reason is because the files have spaces, and that is why Linux doesn't do spaces, because they're smart. So now you do present working directory, and you can see I'm in C:\Program Files (x86), but if you don't do quotations it's not going to understand what you want. So now we'll go to cd, and again quotations because there are spaces. Now keep in mind also that when there are spaces like that, you can't tab it because you have the quotations. It's frustrating, I know. Now if we cat, which is to open, secrets.txt: "My Twitter password is..." boom, so we get her Twitter password, boom boom boom, easy day.

All right, now it's asking where's the real secret. So now we need the real secret, so we're going to do the same search function and we're looking for realsecret.txt. When we get this, this is the type of stuff you would be doing post-exploitation, meaning you've already taken over the machine; you're not trying to take over the machine at this point, you're trying to gather information. So there's the real one: C:\inetpub\wwwroot. So let's go ahead and go to that. All right, so we're in inetpub\wwwroot, and then we'll go ahead and list them, and there it is, realsecret.txt. Now cat realsecret.txt, and boom, the real secret is "the flash is the fastest man alive". So there you go, guys. This box is a lot of fun, because they just give you the box and you get to have fun with it. You don't have to worry about breaking it, you don't have to worry about doing anything crazy. Try and migrate to other processes, try to crack all the hashes, try to have fun with it. This is a fun box, I really like this one. When I was going through it, tasks one through four just talked about it; I wasn't super thrilled about it because I thought, crap, they're just going to talk about it, nothing's going to happen. They did a great job of really showing you what to do here. Another thing I really recommend is loading kiwi. We'll go ahead and load it so that you guys can see it. All right, so now when we do help, you can see here creds_all, get all creds; these are kiwi commands. Keep that in mind, they're different from the regular commands. You can see "create a golden Kerberos ticket", that's huge. If you guys don't know what that is, it's outside the scope of this, but that's all right. List Wi-Fi profiles/creds for the current user. Now I don't think this server probably has any Wi-Fi lists, but we'll try it. Yep, it doesn't. We can try the list shared, but I don't think this server's probably ever been on Wi-Fi or even has a Wi-Fi interface. But you can change the password of a user; I mean, there's a lot that kiwi can do, a lot more than this even. So have fun with it, enjoy it, dive in, start messing with Metasploit, Google some stuff, have fun. I'm telling you, Metasploit is a lot of fun; just don't rely on it, that's my only suggestion. Don't rely on it, because real hackers may use Metasploit but they do not rely on it; they know how to do back-end stuff themselves. Also, they use Metasploit to save time. So hopefully you guys liked it. Again, we're reaching that 500 subs, so if you guys like the video please sub, because once we reach that 500 subs I'm going to do a giveaway, either a keylogger or a Wi-Fi Pineapple, something like that. So hopefully you guys enjoyed it, and I appreciate you guys, have a great day.
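The crackstation.net step in the walkthrough works because an NT hash (what hashdump prints) is an unsalted MD4 of the UTF-16LE password, so a precomputed table answers instantly for any password it already contains and has nothing to say about one it does not. The following is an added example, not code from the video or from the TryHackMe room; it goes a little beyond the walkthrough by checking a whole hashdump-style listing against a weak-password list, which is how a defender audits extracted hashes for known-weak passwords. MD4 is implemented in pure Python because hashlib's md4 is missing on many OpenSSL 3 builds; the wordlist, the hashdump lines, the RIDs and the usernames other than jchambers and ballen are constructed for the example.

```python
"""NT hash = MD4(UTF-16LE(password)), no salt: why a lookup table can 'crack' it.
Added example; pure-Python MD4 (RFC 1320) so it runs where hashlib lacks md4."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest of an arbitrary byte string (RFC 1320)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    padded = data + b"\x80"                                  # mandatory 1-bit
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)       # pad to 56 mod 64
    padded += struct.pack("<Q", bit_len)                     # length in bits, LE
    r2_idx = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3_idx = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                  # round 1, F
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl(a + f + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                  # round 2, G (majority)
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rotl(a + g + x[r2_idx[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                  # round 3, H (xor)
            h = b ^ c ^ d
            a, b, c, d = d, _rotl(a + h + x[r3_idx[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def ntlm_hash(password: str) -> str:
    """NT hash as printed by hashdump: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16le")).hex()


def build_lookup_table(wordlist):
    """Precompute hash -> password; the same idea as an online lookup database."""
    return {ntlm_hash(pw): pw for pw in wordlist}


def lookup(nt_hash: str, table):
    """Plaintext if the hash is in the table, else None (unknown, not 'uncrackable')."""
    return table.get(nt_hash.lower())


# Constructed stand-in for a lookup site's database. "trust no one" and
# "Password1" are the values from the walkthrough; the rest are filler.
SAMPLE_WORDLIST = ["password", "123456", "Password1", "trust no one", "letmein"]


def audit(hashdump_lines, wordlist=SAMPLE_WORDLIST):
    """Parse 'user:rid:lmhash:nthash:::' lines (hashdump format) and map each
    user to the matching weak password, or None when the hash is not in the list."""
    table = build_lookup_table(wordlist)
    results = {}
    for line in hashdump_lines:
        parts = line.strip().split(":")
        if len(parts) < 4:          # skip anything that is not a hashdump line
            continue
        results[parts[0]] = lookup(parts[3], table)
    return results


if __name__ == "__main__":
    # Constructed hashdump-style input; RIDs are placeholders and the LM field
    # is the standard "empty LM hash" value.
    EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
    sample = [
        f"jchambers:1001:{EMPTY_LM}:{ntlm_hash('trust no one')}:::",
        f"ballen:1002:{EMPTY_LM}:{ntlm_hash('Password1')}:::",
        f"svc_strong:1003:{EMPTY_LM}:{ntlm_hash('n0t-in-any-list-7Qx')}:::",
    ]
    for user, plain in audit(sample).items():
        print(f"{user}: {'WEAK -> ' + plain if plain else 'not in wordlist'}")
```

Running it reports jchambers and ballen as weak and svc_strong as "not in wordlist": the third hash is not harder, it simply was never precomputed, which is the limit the video describes for online crackers. The same `audit` function, pointed at a real weak-password list, is a quick policy check on hashes you are authorised to hold.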
Info
Channel: stuffy24
Views: 8,155
Keywords: pc, linux, windows, computer, hacker, try, hack, me, be, ne, tryhackeme, tryhackme, hacked, pawned, pwnd, hacking, burp, suite, pro, community, burpsuite, community editions, edition, passive, recon, reconnaissance, network, security, email, whois, dig, nslookup, dnsdumpster, shodan.io, nmap, nmap advanced, advanced, port, scans, scanner, n map, NMAP, scanning, ports, protocols, common, network ports, smtp, http, ftp, rdp, https, SSH, vulnerabilities, vulns, vulnerability, metasploit, framework, meta, sploit, exploit, exploitation, meterpreter
Id: vrIhvxkYvW4
Length: 24min 31sec (1471 seconds)
Published: Thu Feb 10 2022