Time
4 hours 21 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:00
Now, this server is very, very friendly and nice, and it shows us exactly where it got uploaded. And we're gonna use that in just one second. But first, we have to give it something to connect back to. Remember that I said that this is a reverse show. So we establish the shell, and then we're gonna give it something to reach back to on our side. And to do that, we're gonna run another commander called MSF Consul,
00:18
which is just opening up the medicine framework Counsel.
00:21
It's gonna take a little bit to run because it's a little bit slow to start it up.
00:25
It's got a nice little, pretty loading going for it. So what? We're doing this. We can talk a little bit about sort of what the day in the life looks like for hacking. Uh, you know, I talked about there's a ton of paperwork. You spend a lot of time on site talking to your clients once you've done that once. You actually started sort of this process. I'm doing this very, very quickly because this sort of, you know, just an intra video to show it to you.
00:45
But you're going to be exhaustively scanning every port on the target system. You're going to try and get information.
00:50
You'll query those ports. You'll see if you can send arbitrary data back and forth to them. You might pull down their entire Web server with a carefully crafted W get or a curl. Just to get access to all of the data you can and really spend some time examining and looking into how their systems configured how it's designed, you build you. I often will build my own network map in my office
01:08
to see what their entire enterprise system looks like.
01:11
I'm just sort of been a very, very
01:14
exhaustively find step by step, because a lot of what happens when you're looking for security flaws is that you're looking for something that there sis had been missed. You're looking for a mistake that was made that no one has thought to fix yet, which means that you have to know that system better than anyone who made it or anyone who's currently administering.
01:32
So what? That done, we've finally load up into our indoor framework. We're gonna use multi slash handler wrong thing
01:40
handler.
01:44
There you go, l host we said is
01:48
I gotta set l host
01:51
192.16856 dot one
01:57
to believe, because the other one's wanna want yet
02:00
I want to
02:00
set payload,
02:02
which is gonna be the same command we gave earlier with interpreter.
02:07
Uh,
02:07
hang on. It's hanging for a second.
02:10
One of the things that I will say is that if you're going to be using, I'm using medicine framework in a bun to VM right now. I do highly recommend pulling down the Cali VM if that's what you're actually gonna spend your time doing. I did it here for for reasons that aren't terribly important right now that involved having to rewrite a bunch of my server in Python because it wasn't working
02:30
PHP interpreter and then reverse
02:32
TCP.
02:35
That's gonna be our payload and said l port 12345
02:39
So with all of that, they're going to clear a screen up a little bit here and then we're just going to run
02:45
so you could see it started a reverse PCB handler on that address on that port. All that is that's that's an open port that is currently listening for a connection from our target. So I've uploaded a PHP to that. We've started our handler over here. We're gonna be able to look and see.
03:00
And what we're looking for here is just what is just
03:04
indication. Sorry I accidentally hit the wrong control sequence we're looking for is an indication
03:09
that we have reached back and we have connected to our TCP handler interpreters gonna spit up some messages for us. It'll say a session is created. If that happened, were successfully able to execute this PHP a notorious system. Now it may not always give you back a shell. In this particular case, I don't think it does because of some configurations I have up.
03:28
But the goal here is initially just to find out.
03:30
Can you get arbitrary PHP to execute once that's done, Really, all you're in stage you're in is just figuring out the puzzle of what configurations they have established and how you need to modify your shell code or how you need to modify your payload in order to establish your connection more fully and give you that sort of arbitrary command access. You're looking for
03:50
control, See, instead of commands, joke could USP and you throw it in the parking lot of a company?
03:58
Yes, actually, so So they're different names for that. Ah, lot of times you hear that called a road apple or a bad Apple attack. Basically, with the idea, there is just taking advantage of human curiosity. It's one of my absolute favorite attacks because
04:13
it has never
04:15
failed. I have never, ever attempted that without getting success. I drop USB sticks in the in the parking lots of buildings where people are not allowed to take US bees in. They're not allowed to use USB devices, and I can still guarantee you that at least one of those people will pick up the USB stick, plug it into their computer and try and find out whose it is.
04:32
That is a terrible, terrible thing to do.
04:35
If you're not aware of that already, never, ever plug in a USB stick to a computer directly to that. You don't know what the USB stick is. It is possible to construct files on those on those USB devices, such that they automatically execute as soon as it's plugged in.
04:51
So even though you may never see any virus you may never see any indication of a virus
04:56
as soon as you blood that USB in it can start executing malicious code. So yes, dropping us be dropping CDs. It's an old favorite. There are. There are pen testers who will tell you that. That's sort of ah,
05:08
kind of, ah, low attack or like a cheating attack, mostly because of the fact that it almost always works. It's such a ridiculously successful that it's kind of considered bad sportsmanship.
05:18
So here we've got our show. We're gonna run this, and you see this is gonna hang
05:24
what really matters to us right now. You can see it set the stage, and this session has been open, so we have a connection to our target system.
05:30
So again, if you've got your pH, be perfectly configured, it's gonna give you back a shell. Here you'll be able to start executing.
05:36
I have my Apache, currently configured with too short of a time out value on trying to reconfigure that with that particular Web server is a nightmare. So I just kind of left it there. What I really wanted you to see here is opening this interpreter session and gaining that access in that connection.
05:50
So once you once you're finished with something like that, once you've created your over shell and you've gotten your access to target system, your goal there is like I said before, gonna be the maintaining access and covering tracks. But what we've kind of run through here in a brief 15 20 minute example is sort of the steps of first initially deciding what your target's going to be, finding out what they have running.
06:09
You know, we saw that they had an HD piece of rope, And so even if we didn't already know
06:13
that D V W, a server was running a Web service right now, as soon as that end map returned. Oh, this has Port 80 open. All you want to do is just plug that I pee in your browser and see if you can connect to and see what Web servers being serviced. Ah, lot of times, you know, there are a lot of people who have servers up on their machine who are not at all qualified to do so.
06:31
They're people who are running a CZ. I am with this BM. They're people who are running
06:35
a Web server off of their personal laptop. Very commonly, people will use the python simple HDP module in order to share files out, get files back from co workers and just leave it up these air. You're slightly more technically apt users. But a lot of times that's gonna be where your access comes from because they have a little bit more comfort modifying a machine.
06:54
And because of the fact that they're you know, they're comfortable doing it, they may not necessarily think about security is much
07:00
again. That's what you're really looking for. Our cases where people have done something without really thinking through the security, implement implications of their actions
07:09
s Oh, yeah, in general, just you want to find what ports are open on your machine, gonna see you in a query that you want to see if you can get into them and then once that's done, you're generally that's gonna be where you break out your medicine framework. Start throwing river shells, start throwing exploits and see what works for you. Depending on the volume sort of the
07:26
wariness of your target system, you may want to be more careful. Use quieter attacks. You know, silent and map scams, scans. Rather you might want to construct your medicinally attacks, such They don't necessarily trip. You know, ideas is an I. P s is.
07:41
Like I said, this was not necessarily contrived example, but a very simple example that we can go through in an intro video in about 15 minutes.

Up Next

Introduction to IT & Cybersecurity

In this FREE IT and cybersecurity training for beginners, you will learn about the four primary disciplines of information technology (IT) and cybersecurity. This introduction to IT course is designed to help you decide which career path is right for you.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor
Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor