1
00:00:00,840 --> 00:00:03,900
So now open your terminal and

2
00:00:05,370 --> 00:00:06,900
start the MSF console.

3
00:00:09,670 --> 00:00:12,220
The first command of this part is show.

4
00:00:13,320 --> 00:00:19,230
Now, when you work with a module, it helps you to display the variables and properties of that module.

5
00:00:20,180 --> 00:00:23,630
So the help screen is for showing us that.

6
00:00:25,310 --> 00:00:34,430
Type the show command and then the name of the object, so let's have a look at NOP generators by typing

7
00:00:34,430 --> 00:00:35,870
show nops.

8
00:00:37,010 --> 00:00:39,650
And as you see, the generators list

9
00:00:40,790 --> 00:00:47,900
appears. So there's no plugin for this phase, and here are the encoders.

10
00:00:49,380 --> 00:00:51,390
And also, the exploits.

11
00:00:53,020 --> 00:00:56,710
But it might take a little while to list all the exploits if you try to list them.

12
00:00:58,930 --> 00:01:02,920
And then here are all the exploits in Metasploit.

13
00:01:04,920 --> 00:01:13,800
Now, when you need to use an exploit, you can search these exploits, for example, if you want to

14
00:01:13,800 --> 00:01:16,890
exploit a Java RMI server code execution.

15
00:01:17,820 --> 00:01:25,820
You can search for terms like RMI, RMI registry, so, yeah, let's perform a search just like that:

16
00:01:26,310 --> 00:01:28,770
search RMI registry.

17
00:01:29,990 --> 00:01:33,260
And you see, it brings me the appropriate exploit.

18
00:01:34,410 --> 00:01:42,270
So I want to make an important point here, when you are conducting a test, you should perform an extensive

19
00:01:42,270 --> 00:01:45,900
enumeration on the target to choose the right exploit.

20
00:01:46,560 --> 00:01:49,050
That's how you know what to search for.

21
00:01:50,040 --> 00:01:55,860
Although Metasploit has many exploits, it doesn't mean that you can use every single one in every

22
00:01:55,860 --> 00:01:56,610
circumstance.

23
00:01:57,390 --> 00:02:00,060
First, you need to find the vulnerability.

24
00:02:00,750 --> 00:02:04,530
And then if Metasploit has a suitable exploit, you can use that.

25
00:02:05,430 --> 00:02:11,060
Otherwise, you may have a headache if you randomly run exploits and it's a waste of time.

26
00:02:12,200 --> 00:02:18,980
OK, so back to the RMI registry exploit, so now you have the name of the exploit.

27
00:02:19,900 --> 00:02:25,210
And if you recall from the previous videos, how do you use this exploit?

28
00:02:26,590 --> 00:02:29,740
Type use and then the name of the exploit.

29
00:02:31,450 --> 00:02:33,490
Now, you can work with that exploit.

30
00:02:35,280 --> 00:02:43,140
If you want to be sure about the exploit or if you want to configure the details, you can use the info

31
00:02:43,140 --> 00:02:47,700
command to get detailed information about what the exploit is going to do.

32
00:02:48,740 --> 00:02:49,580
And in this case.

33
00:02:50,820 --> 00:02:56,760
This is an exploit, but for sure it can be any other Metasploit module.

34
00:02:57,690 --> 00:03:04,500
So read the description, examine the variables, or follow the reference link to get additional information

35
00:03:04,500 --> 00:03:06,060
about that particular exploit.

36
00:03:08,080 --> 00:03:10,360
So, show options to view the variables.

37
00:03:11,480 --> 00:03:13,250
And these are the basic variables.

38
00:03:14,570 --> 00:03:21,750
And yes, you can set some advanced variables to have more control over the exploit code.

39
00:03:22,430 --> 00:03:24,800
How do you do that? show advanced.

40
00:03:26,800 --> 00:03:27,160
So.

41
00:03:27,980 --> 00:03:32,360
Here are the other variables of the exploit to make some of the advanced configurations.

42
00:03:33,520 --> 00:03:39,670
Some exploits only work with a specific operating system or software versions, whatever.

43
00:03:40,820 --> 00:03:47,510
Now, to send the target the right exploit code, you've got to know the version of what you're trying

44
00:03:47,510 --> 00:03:49,500
to exploit. Makes sense, right?

45
00:03:50,540 --> 00:03:56,660
I'll assume here that you have done enumeration and you know your target well.

46
00:03:57,290 --> 00:03:59,480
So that's what you tell Metasploit.

47
00:04:00,480 --> 00:04:05,270
You specify the available targets by the show targets command.

48
00:04:06,500 --> 00:04:10,520
As I hope you see on the screen, there are only five types of target.

49
00:04:11,700 --> 00:04:18,000
So this means that this exploit can't be utilized on environments other than these particular five.

50
00:04:19,580 --> 00:04:20,480
For the most part.

51
00:04:22,930 --> 00:04:30,750
In a production environment, your exploit may fail due to IPS, IDS, or firewall rules.

52
00:04:31,390 --> 00:04:34,960
So I think it's good practice to evade the security measures.

53
00:04:36,150 --> 00:04:40,290
For each exploit, there are different evasion techniques in Metasploit.

54
00:04:41,410 --> 00:04:47,140
So let's use the show evasion command to display the available techniques.

55
00:04:48,640 --> 00:04:50,410
And if you want, you can choose these.

56
00:04:52,060 --> 00:04:58,000
And these are the payloads that I listed by the show payloads command.

57
00:05:00,550 --> 00:05:04,930
Now, like evasion, for each exploit there are different payloads.

58
00:05:06,270 --> 00:05:10,020
So this means you can't use a Linux payload for a Windows system.

59
00:05:11,140 --> 00:05:15,000
And for this exploit, there are these available payloads.

60
00:05:16,950 --> 00:05:21,180
Now, I'll show you these variables again and let's set them.

61
00:05:22,110 --> 00:05:28,770
You may remember from some of the previous videos how to set a variable, so we'll do that now. Use

62
00:05:28,950 --> 00:05:31,210
the set command just like that.

63
00:05:31,500 --> 00:05:33,030
That's why I like the Linux console.

64
00:05:34,020 --> 00:05:40,410
Setting the value of a variable means you can get the value of the same variable

65
00:05:41,450 --> 00:05:46,370
by simply typing get as a command and then the variable name.

66
00:05:47,590 --> 00:05:51,640
This is the Metasploitable 2 IP address in my lab environment.

67
00:05:52,840 --> 00:05:58,060
Now, you can also unset a variable value by using the unset command.

68
00:06:00,180 --> 00:06:03,660
And I just unset the RHOST value, as you see here.

69
00:06:04,820 --> 00:06:11,420
So you may come across a situation where you need to use the same value in every exploit.

70
00:06:12,630 --> 00:06:19,380
So you can just set the variable to the same value in each exploit again.

71
00:06:20,630 --> 00:06:27,290
If you use the setg command, you can globally set a variable value.

72
00:06:28,500 --> 00:06:36,030
And by using the getg command, you can get the global value of a variable.

73
00:06:37,290 --> 00:06:44,310
And then simply, you can unset a global variable by using the unsetg command.

74
00:06:45,520 --> 00:06:55,570
Now, after setting all the variables, you can get the exploit to execute by either using the run or

75
00:06:55,570 --> 00:06:57,160
the exploit commands.

76
00:06:58,260 --> 00:06:59,400
It actually doesn't matter.

77
00:07:00,120 --> 00:07:03,570
So these messages here show what's going on in the background.

78
00:07:04,410 --> 00:07:08,670
And you will also be informed by Metasploit if a session is open.

79
00:07:09,600 --> 00:07:16,770
So now I have this session, and by typing the sessions command, I will list my available sessions.

80
00:07:17,800 --> 00:07:26,380
And as expected, I have only this one. Now, to interact with that session, type sessions as your command

81
00:07:26,380 --> 00:07:29,920
with the -i parameter and then

82
00:07:30,960 --> 00:07:33,090
the index of this session.

83
00:07:34,360 --> 00:07:36,070
In my case, it's three.

84
00:07:37,110 --> 00:07:40,620
OK, so now I'm in the Meterpreter shell.

85
00:07:42,170 --> 00:07:45,810
Later, you're going to have your deep dive into Meterpreter, I promise.

86
00:07:46,520 --> 00:07:52,280
But for now, I'm going to only show you that I have exploited the Metasploitable 2.

87
00:07:53,250 --> 00:07:59,190
Then let's type background to return to the MSF console again.

