1
00:00:00,560 --> 00:00:07,340
Before going deep on exploitation frameworks, let's see how we can find and run an exploit manually.

2
00:00:08,220 --> 00:00:14,220
Because it's not the subject of the course, I'll not show you how to develop an exploit, but we are

3
00:00:14,220 --> 00:00:16,830
going to use the exploit from exploit databases.

4
00:00:18,090 --> 00:00:25,590
So in this demo, let's say that we think that the target system has the MS03_026 vulnerability.

5
00:00:26,400 --> 00:00:28,800
To exploit the vulnerability, we'll follow these steps.

6
00:00:29,320 --> 00:00:35,130
First, we'll search for the exploit MS03_026.

7
00:00:36,230 --> 00:00:43,190
Then compile the code. If there are errors in the code, we have to find and fix the errors or find

8
00:00:43,190 --> 00:00:43,870
another exploit.

9
00:00:45,200 --> 00:00:52,010
And finally we'll run the exploit. Now, if we're lucky enough, we can successfully exploit the target

10
00:00:52,010 --> 00:00:54,460
system and have a command shell on it.

11
00:00:56,280 --> 00:01:05,400
So go to Kali, open a web browser and type "exploit db" to search for the exploit database. I click

12
00:01:05,400 --> 00:01:08,160
the first link, which is exploit-db.com.

13
00:01:09,420 --> 00:01:11,910
Now click Search at the upper right-hand corner.

14
00:01:13,640 --> 00:01:14,850
Type MS

15
00:01:14,930 --> 00:01:22,610
03_026 in the search bar, prove that you are not a robot and click Search.

16
00:01:30,480 --> 00:01:36,780
We found three exploits in the database, so let's try the oldest one, which is developed by H.D. Moore,

17
00:01:37,290 --> 00:01:39,910
who is the developer of the Metasploit framework, by the way.

18
00:01:40,380 --> 00:01:41,280
So click the link.

19
00:01:42,810 --> 00:01:48,720
And here's the source code of the exploit, so let's download the code and save it to Kali.

20
00:01:50,360 --> 00:01:55,730
Now open a terminal screen and go to the folder where the exploit code is downloaded.

21
00:01:58,820 --> 00:02:07,340
And here's the source code, 66.c. It's source code in the C programming language, and we can compile

22
00:02:07,340 --> 00:02:11,990
it using GCC, the GNU Compiler Collection.

23
00:02:11,990 --> 00:02:18,800
GCC is a compiler system produced by the GNU Project supporting various programming languages.

24
00:02:19,580 --> 00:02:26,810
GCC is a key component of the GNU toolchain and the standard compiler for most Unix-like operating

25
00:02:26,810 --> 00:02:27,350
systems.

26
00:02:28,450 --> 00:02:34,000
Originally named the GNU C Compiler, when it only handled the C programming language in the first

27
00:02:34,000 --> 00:02:44,050
release, it was then extended to compile C++, Objective-C, Objective-C++, Fortran, Java, Ada and

28
00:02:44,260 --> 00:02:45,540
Go, among others.

29
00:02:46,420 --> 00:02:55,600
So anyway, type gcc, give the source file name and then the output file name with the -o parameter, and hit

30
00:02:55,600 --> 00:02:55,840
Enter.

31
00:02:57,220 --> 00:03:04,720
Use the ls command to see the file produced. Here it is: it compiled and produced an executable binary

32
00:03:04,720 --> 00:03:05,080
file.

33
00:03:06,130 --> 00:03:09,310
Type ./ followed by the file name to run the executable.

34
00:03:10,240 --> 00:03:11,950
And it shows the help by default.

35
00:03:12,490 --> 00:03:16,480
OK, good for us, because here we learn how to use the executable.

36
00:03:17,470 --> 00:03:22,180
The first parameter is the target ID, so we have to learn the target operating system.

37
00:03:23,140 --> 00:03:29,320
And we can use nmap, the Network Mapper tool, to interrogate the operating system of the target.

38
00:03:30,480 --> 00:03:36,420
Now, I'm not going to tell you more about nmap here, because it's a subject of the network scanning

39
00:03:36,420 --> 00:03:36,840
course.

40
00:03:37,590 --> 00:03:39,900
Well, let's create the nmap query.

41
00:03:41,070 --> 00:03:49,620
-sV for version detection, -O for operating system detection, now the target IP.

42
00:03:51,460 --> 00:03:53,380
And the top 10 ports to scan.

43
00:04:03,820 --> 00:04:09,460
Here are the results of our nmap query. It says that the target operating system is either Windows

44
00:04:09,460 --> 00:04:16,450
2000 with Service Pack 0 to 4 or Windows XP with Service Pack 0 or 1.

45
00:04:17,930 --> 00:04:23,960
We can try the result set one by one, but to keep it quick, let's look at the target system.

46
00:04:25,070 --> 00:04:33,020
So here's the target system. Right-click My Computer, select Properties: the system is Windows XP

47
00:04:33,020 --> 00:04:34,370
with Service Pack 1.

48
00:04:35,180 --> 00:04:36,560
OK, so back to Kali.

49
00:04:37,250 --> 00:04:39,410
Let's remember the usage of our exploit again.

50
00:04:43,360 --> 00:04:52,360
Now, the first parameter is the target ID, and it's 6. The second parameter is the target IP, which is

51
00:04:52,360 --> 00:04:56,380
172.16.99.207 for me.

52
00:04:59,500 --> 00:05:01,990
And yes, we got the shell from the target system.

53
00:05:03,120 --> 00:05:04,680
So let's look at the IP address.

54
00:05:06,730 --> 00:05:08,590
It says 207.

55
00:05:09,790 --> 00:05:12,220
So I go to the target system to check if it's true.

56
00:05:13,610 --> 00:05:21,540
So I'll open a command line, type ipconfig, and yes, the IP of the target is 207.

57
00:05:22,750 --> 00:05:26,120
Turn back to Kali and type exit to close the shell.

58
00:05:27,270 --> 00:05:33,930
Now, look at the target system. As you see, the system crashed. All the exploits may have some

59
00:05:33,930 --> 00:05:38,820
side effects, so you'd better test it before using it on live systems.

