Time
4 hours 21 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:00
Before I jump into the VMs, I do want to show you the Exploit Database and the Google Hacking Database. This is not a Cybrary product; it's actually maintained by Offensive Security. But the Exploit Database and the Google Hacking Database are just spectacular tools. And you can see here this is just a list of what they call dorks, or Google dorks.
00:18
Basically, what that is is it's a formatted Google search
00:21
you can use to find vulnerable systems. So, for example, I've got a search here for Apache, and you can see one of the most... Where is one of the most common?
00:29
Uh,
00:31
I can't even pull it over. Now, one of the most common Apache things you'll find is the phrase "It works," and the reason for that... here, I know how to get it. The reason for that is that "It works" is part of
00:43
the default page for an Apache server. So if someone has put up an Apache server that is web facing but hasn't actually, you know,
00:52
configured it with their website, hasn't configured it with an index, hasn't actually secured that server, this page is going to be exposed to the Internet, and you can use that to do a search and find it. And that search, as you see, is actually just typing in,
01:07
if I could get my Chrome to respond to me, intitle: ... There we go.
01:11
Now, in this particular case, because "It works" is such a famous search, you're gonna get some websites that come up first. But if you search through, you know, you're looking at, we've got, what,
01:22
two and a half million results. If you're going in, you know, page 15, page 20, you're gonna find servers that are actually exposed to the Internet that are just misconfigured Apache.
01:30
And it's a really fantastic tool, this Google Hacking Database, because what you're doing here, there's no actual... there's no testing happening. You're not performing any vulnerability analysis. You're not running any risks. You're very, very safe, sort of way back behind Google. It's a really useful initial reconnaissance tool, and you can use it to find information out about whatever you're targeting.
01:49
So there's that. Now we're gonna go ahead, we're actually gonna jump into these VMs, assuming that they work, because, of course, VMs on a live course will crash. It's a corollary of Murphy's law,
02:00
make sure my DVWA server's up and running. Same thing with tools on a pen test: right when you need them, they don't work. That is absolutely true. I, uh, yeah, I've managed to crash everything from bash all the way up through Wireshark with running completely normal commands.
02:15
So you see, here I have an Ubuntu VM. This may look a little bit weird; I'm using a program called Terminator.
02:22
It's just sort of a quality of life upgrade for the basic, you know, Ubuntu shell. Inside of that, I have just, I'm in a folder here and I've changed my prompt to "attacker", so that should explain all of the weird things that are happening.
02:34
So what we're gonna do now is we're gonna have a look at
02:37
the DVWA. I was testing it out before this video to make sure it would work, so DVWA, if you've never heard of it, is a really awesome tool. What it is is it's the Damn Vulnerable Web App, and it's published by the same... no longer published by the same people, but it's published by the group of people who are involved with OWASP.
02:55
So they talked about all the Top 10 vulnerabilities. This gives you the ability to kind of actually practice those.
03:00
So you see, you've got brute force, command execution, you've got cross-site request forgery, SQL injection, file inclusion, all that. Today, what we're actually gonna be doing, and I'll refresh this so it doesn't
03:09
give any spoilers. Today, what we're gonna be doing is a file upload vulnerability. So to talk about that very briefly, basically what happens with a file upload vulnerability is that a server somewhere is taking arbitrary file inputs. They let you upload, in this case it has "choose an image to upload", they let you upload some kind of arbitrary file,
03:30
and they're just storing it on their server for you to touch.
03:32
Now that's useful, because obviously there are executable files and you can upload those and use those to gain access to your target,
03:38
so, because of that, all we've got to do here is we're gonna create a PHP file that's going to execute when it's actually addressed. It's gonna execute, and it's gonna give us back a connection to our Meterpreter shell. Meterpreter, for those who don't know, is one of the most common tools; it's part of the Metasploit framework.
03:58
The Metasploit framework in general is probably the single most common
04:01
pen testing tool. It has a bunch of exploits, a bunch of different handlers, reverse shells, all sorts of just sort of exploit tools. I'm trying not to get too technical with it within an intro video. But it just has an incredible variety of tools you can implement and make use of to attack your target system. So what we're gonna do now,
04:19
I'm gonna write it out, and then I'm going to explain it.
04:24
Let's see if I can get it right on the first try
04:27
First, I've actually gotta check. So you're gonna need to know your own IP address for this, which in this case is gonna be 56 02
04:35
and then I'm gonna cheat very slightly
04:39
because I
04:40
have access to
04:42
the server over here.
04:44
You can use nmap to do a full scan of the network and figure out what your target system is. That can take a little bit of time to run. We're not gonna worry about it. It's okay if you can't see the text on that screen; this is the last time we're gonna look at it. So 192.168.56.101. Cool.
04:58
So let's have a look at that nmap before I jump ahead and actually show you the exploit.
05:03
Here, you can see that they've got a few different services open because of the DVWA. They've got FTP, SSH, HTTP, SUVs and MySQL. So this is the scanning phase that I talked about a little bit ago, where you're just gonna examine your target system real quick. Sometimes for bigger networks you might spend a lot of time with nmap. You've got a bunch of different formatted nmap commands you could run,
05:23
because of the length of this video and the nature of it, we're not gonna dig too far into that.
05:27
It's not an nmap video, but we do have some of those on our site, so absolutely worth checking out. So back to what I was doing before I distracted myself: msfvenom -p php
05:38
I'm gonna be doing meterpreter and a reverse.
05:42
So this part of it is telling msfvenom, basically, create this payload for me that is a PHP reverse shell. A reverse shell is a program, an executable program, that you put on your target that will connect back to your machine and give you access to their system. So instead of trying, you know, if you may be familiar with SSH,
06:00
instead of SSHing into their machine,
06:01
they're actually gonna reach back to you and initiate the connection. That's done for a lot of reasons. The simplest is because a lot of systems are designed to prevent you from connecting in with a shell, but not necessarily designed to prevent connecting out,
06:15
particularly. One of the things you're gonna do when you're doing this, you're gonna create your own... you're gonna have your own host IP for it to reach out to; you're gonna pick your own port.
06:25
So if your target system has ports that are open,
06:29
you might want to use that. If your target system, you know, is secured so that only one or two ports are able to be accessed in or out, you're going to use that. It's one of those sorts of things where you can configure this so that the attack is gonna be sure to come back to you.
06:41
So 192.168.56.10... this is, so Joe, we're doing this, this is like in the Hollywood movies. I see the neon lights, I think this is exactly where people's computer screens are reflected on their face and they're typing very quickly with, like, five people on one keyboard,
06:59
which is easily the worst scene ever written in a television show.
07:02
For those who don't know what I'm referring to, there's a famous scene in NCIS called "two idiots, one keyboard". NCIS was, maybe, basically a Navy Law and Order show. So because I was in the Navy, I did watch it a lot. But yes, there are a lot of hacking scenes in that show that are
07:17
distressing. So our local port, we're gonna go and we're gonna put 12345,
07:23
and then we're going to say, give me just the raw dump of this exploit. So msfvenom is gonna work for a little bit. It's going to spit out, hopefully it's gonna spit out this PHP. Just in case it doesn't, because the Metasploit framework on this particular VM has been kind of weird, I did actually save a copy earlier, but it looks like we got execution here,
07:42
and you can see it just spit out a bunch of really strange looking PHP.
07:45
We're just gonna copy and paste that. So we've got the copy. You're gonna start right at the opening tag for PHP, and then you're going to stop where it says die.
07:53
And then we're gonna open gedit,
07:58
and we're gonna paste
08:01
that malicious PHP into it.
08:03
We're gonna go ahead and save this. We'll stick it
08:05
on our desktop.
08:07
Call it whatever you want, as long as it's .php. shell.php is a pretty simple standard,
08:13
so you create your shell.
08:16
Now again, I am aware that this code looks completely ridiculous and confusing. The reason for that is because it's being packaged in such a way that it can be delivered in this exploit. Exploit code doesn't generally look much like programming code. If you create a Python shell or a Python reverse shell in msfvenom, you'll see that it's just this string of characters. They're encoded.
08:35
It's gonna depend on the specific system you're targeting.
08:37
But msfvenom, or the Metasploit framework in general, is designed to give you exploits, give you reverse shell packages that are less likely to be caught by antiviruses.
08:50
So we've got that. We've got our shell. Now we're gonna go back to the web server that's actually up. By the way, we've got it right here. For those who have never used DVWA, you are going to, for the specific example I'm giving today, you're gonna want to set your security to low. The reason for that is just that there are different sort of stages of difficulty,
09:07
and the medium and high both require that we make use of Burp Suite,
09:11
Burp Suite, which is just one too many tools to use in this video. Right now
09:16
we're gonna browse to the shell that we just created, and it's just gonna be this PHP file that we have sitting on our desktop, shell.php,
09:22
and we're gonna upload it.


Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor
Ken Underhill
Master Instructor at Cybrary
Master Instructor