1
00:00:00,700 --> 00:00:04,360
So let's go get some hash dumps to use in the further hands-on experiments.

2
00:00:06,640 --> 00:00:10,510
Go to Kali, hack a Windows system and get a hash file.

3
00:00:10,990 --> 00:00:13,630
Keep it fast, because we've seen these steps several times.

4
00:00:14,550 --> 00:00:17,730
Open a terminal screen, start msfconsole.

5
00:00:19,640 --> 00:00:25,670
I'll use PsExec to open a Meterpreter session on the victim. Search for the exploit module.

6
00:00:27,360 --> 00:00:29,280
Now I'll set an appropriate payload.

7
00:00:33,050 --> 00:00:34,040
Show the options.

8
00:00:35,230 --> 00:00:42,340
Set RHOST as my Windows XP VM, .207, and LHOST as my Kali, .202.

9
00:00:45,150 --> 00:00:51,360
Remember, the user is the administrator and the password is 1234qqq with an uppercase

10
00:00:51,360 --> 00:00:54,300
Q. But please don't mind this.

11
00:00:54,300 --> 00:00:58,320
It's just an intermediate step that we need to retrieve the hash file.

12
00:01:01,820 --> 00:01:03,380
Now we're ready to run the exploit.

13
00:01:04,650 --> 00:01:10,510
The Meterpreter session is open. Use the hashdump command to get the hashes, and here they are.

14
00:01:10,680 --> 00:01:14,910
So let's copy them all and place them into a text file, which will be our hash file.

15
00:01:16,920 --> 00:01:19,630
I'll use the nano editor for this purpose.

16
00:01:20,340 --> 00:01:24,090
I'll open a new text file named hashxp.txt.

17
00:01:25,220 --> 00:01:26,750
Right-click and paste.

18
00:01:27,980 --> 00:01:33,920
Ctrl+X to exit, Y to save changes, and hit Enter to save the file that we named at the

19
00:01:33,920 --> 00:01:34,290
beginning.

20
00:01:35,540 --> 00:01:37,440
Now look at the upper left corner.

21
00:01:38,180 --> 00:01:40,070
Now we have a hash file on the desktop.

22
00:01:41,940 --> 00:01:45,710
So now I want to get the hash file of my Windows 8 VM as well.

23
00:01:46,760 --> 00:01:52,790
I send the current Meterpreter session to the background. I'll use PsExec once more for the Windows 8

24
00:01:52,790 --> 00:01:53,240
VM.

25
00:01:53,240 --> 00:01:56,120
This time RHOST is .203.

26
00:01:57,290 --> 00:02:05,450
Username is a Meydan; suppose that we collected this data in the exploitation phase, and run the exploit.

27
00:02:10,070 --> 00:02:17,480
Now I have a Meterpreter session on the Windows 8 VM, so run hashdump to collect the hashes. Huh?

28
00:02:17,510 --> 00:02:18,020
It failed.

29
00:02:18,590 --> 00:02:19,620
Will it stop us?

30
00:02:20,000 --> 00:02:21,600
I don't think so.

31
00:02:22,310 --> 00:02:24,410
Remember, we have another hashdump method.

32
00:02:25,190 --> 00:02:29,600
Run post/windows/gather/hashdump and hit Enter.

33
00:02:30,470 --> 00:02:34,070
This method runs in a different way from the previous hashdump method.

34
00:02:37,250 --> 00:02:43,460
And here's the hashdump for the Windows 8 VM. Again, open a text editor and create a new text file

35
00:02:43,460 --> 00:02:44,690
to keep these hashes.

36
00:02:51,490 --> 00:02:57,100
So, just for fun, let's have one more hashdump, this time from a Linux system.

37
00:02:58,170 --> 00:03:01,290
I send the second Meterpreter session to the background.

38
00:03:02,740 --> 00:03:10,300
Now, I remember that my Metasploitable Linux VM has the Java RMI server insecure default configuration vulnerability.

39
00:03:10,780 --> 00:03:14,430
So that's what I search for: Java RMI keywords.

40
00:03:14,680 --> 00:03:16,420
And let's pick this one.

41
00:03:17,870 --> 00:03:26,240
Show payloads to select an appropriate one. I'll set Java Meterpreter reverse TCP, show options, and

42
00:03:26,240 --> 00:03:26,890
set the options.

43
00:03:27,920 --> 00:03:35,720
RHOST as Metasploitable Linux, .206, LHOST as Kali, .202; leave the ports with the default

44
00:03:35,720 --> 00:03:37,880
values and run the exploit.

45
00:03:41,040 --> 00:03:48,690
More than one session is open, so I use sessions -i to interact with one of them, for example session

46
00:03:48,690 --> 00:03:53,280
3, and I have a session on the Metasploitable Linux VM.

47
00:03:54,700 --> 00:04:02,470
Meterpreter has no hashdump function for Linux systems by default, so I'll use a post module. Type run

48
00:04:02,470 --> 00:04:05,560
post/linux/gather/hashdump and hit Enter.

49
00:04:08,170 --> 00:04:14,230
And once again, we have dumped the password hashes of the victim, so let's create a third hash

50
00:04:14,230 --> 00:04:21,490
file for the Metasploitable 2 VM. Same method: copy the hashes, open a text editor, paste them, and

51
00:04:21,490 --> 00:04:22,330
save the file.

52
00:04:34,140 --> 00:04:39,360
So at the end, we have three hash files for three of our victims.

