Hello, I'm Ketron Evans and we're back again. What we're going to do in this particular course is almost a kind of get-you-up-to-speed, to show you how all the things that we covered in the intro actually apply to what we do in the real world. So what I'm going to do is walk through a penetration test scenario. We're pen testing a small network with some devices on it. We're going to go all the way from the reconnaissance, where we find things and we scan things, all the way to the point of actually breaking in to a device and taking information off that device. And then we'll talk about writing a report. And along the way, I'm going to stop to point out where the beginner things, like the commands I told you need to practice over and over and over again, apply once you make it to where you're doing something like a real engagement, in this case a pen test. So we're going to start off with this process, and I'm just going to pretend that our target is Mississippi State. So I'll just do a whois on Mississippi State's .edu domain. And what we see there is we get all this Mississippi State information back. Now, it really doesn't matter who the target is. The point we're making here is that all the beginner stuff we talked about applies, such as when I introduced you to the grep command. If I wanted to look for just email addresses, I could now pipe that through grep @ after we get the domain right here, and I get just that instead of all that other data. So one of the big parts of being a pen tester, and other things, is being able to take a lot of data really quickly and make decisions about what part of that data is relevant to what you're doing right then. Now in this particular case we have all this data, and we only care about email addresses. So I use the grep operation here to bring it down to just email addresses, because I know that the only strings in this text that have an @ symbol would be the actual email addresses, right?
So even with the basic recon there, the skills that you learned when we talked about the fundamentals of the Linux command line are already coming in right here. If you go back and review that course, you'll see it. So what we're going to do next is we're going to pretend that this little internal NATed network that I have is part of the public Mississippi State, or whoever the target is, network. So I'm going to say scan that entire network, do a ping scan or a discovery scan, and write the results to a greppable file named targets. Now, even though in the intro course I didn't really get into what nmap is (it's a port scanner), what I did teach you is how to teach yourself about these things. So for example, if you wanted to know, well, what is he entering -sn there for? Well, one of the things that I introduced you to in the intro course was man. So we could literally go to a terminal, do man nmap, and then search for that -sn. Now how do you search in the man page? It's going to be a forward slash and then your search string. So we're going to do /-sn. We put that in and it takes us right into the man page where that is, and it tells us this is a ping scan, it disables the port scan, right? So now if we wanted to do a ping scan, we know that we can add that flag. So yes, I want to ping scan every IP address in this range. Now, what is -oG, how would we find out what that is? Well, I can go back to my terminal, I can man nmap again, and I can simply search for -oG. And I can see that -oG means output greppable. So it means it's going to output the results in a format that's nicely greppable. What I'm trying to get at here is I don't have to tell you what these flags are. And you don't have to know them already when you're watching my videos or YouTube videos or anybody's videos where they're using these tools and they don't have time and they're not explaining to you what all these switches are.
You can look them up and figure it out on your own pretty quickly using just the man pages like we're showing here, and this is why in the intro part of this course I stressed using the man pages and using / to search. So we're outputting the results to a greppable file named targets, and we go ahead and run the scan. It comes back and tells us, hey, out of the 256 possibles, there's six devices that are up, or six devices that responded. Now remember we said -oG, or output greppable, to a file named targets. So if we look at the file named targets, again using a command that I introduced to you in the beginning of the course, more, we look at the targets file and you can see it's formatted, but not a lot better than what you have up here. Now what we're going to do next is use some basic commands that we showed you earlier to pull things out of it. Like, all I really need is just a list of IPs. Okay, so I'm going to take that and tell the Linux command line tools to clean this file up and give me just each IP address in the file. A quick way to do that is with something called cut, or awk, which I'll introduce here in a minute, but first we can grep for just the string Up, capital U, since Linux is case sensitive. And that cleans it up significantly, because now we don't have any of this stuff up here, any of the tool output, we just got the results. The last thing to do is clean it up to where we get just this field. So I'm going to introduce you to another basic command line tool called awk. So I'm going to say let's take this, do the same thing we just did, but pipe it out once more to awk and say print field 2. Because if we look at this, awk automatically assumes that a space is our field separator, which would make this field 1 and this would become field 2, and that's the only field that we want. So I'm going to tell awk to print for us field 2.
And if we do that operation strung together, now we get as our output just the list of IP addresses. Okay, so realistically, this is way faster and way better than trying to put it into an Excel document and create a pivot table and do all that other stuff that most people that are only using Windows would try to do. So I'm going to write that to a file. Now, how would you know how to write it to a file? In the Linux and Windows command line course we stressed that if you use the greater-than sign you can write it out to a file. We're just going to call it target list. Now if we go back and use more to read target list, you can see that we've got a file that's just a list of IPs. Well, why is that important? Because now we're going to use nmap again, and instead of having it scan all 256 possibles we're going to have it scan just these six devices. Now how do we give this list to nmap as input? Well, if you don't know how to do that you could always do man nmap, and then you can do your forward slash search and search for the string input. And right away you see it says, hey, if you give nmap the -iL flag and then give it a file name, it will take that file name and scan the devices on that list as long as they're in the proper format, which is a list of hosts, which loosely translates to a list of IP addresses or a list of networks. We have that in this file right here. So we can tell nmap, I'm going to give you an input list, -iL, and that list is named target list. I want you to do a full port scan of all those IPs and show me the results on the screen. So it's now trying to connect to the 1000 most common ports on each one of those IP addresses. Now again, I'm not trying to teach you nmap, I'm showing you that you can teach yourself as long as you kind of know where to start. So what it did is it went out and scanned each one of these devices and told us which ports are open on each device.
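The discovery-scan cleanup above, plus the "which host has the most services" call that comes next, as an added shell example that is not part of the original course: it parses nmap -oG (greppable) output, first into the plain host list the grep | awk pipeline produces, then into a per-host count of open ports. The sample scan lines and addresses are constructed for the example, not real scan output.

```shell
#!/bin/sh
# Added example (not from the course): working with nmap -oG (greppable) output.
# The -oG format puts one host per line, tab-separated: "Host: <ip> ()<TAB>Status: Up"
# for a ping scan, and "Host: <ip> ()<TAB>Ports: <port>/<state>/<proto>//<service>///, ..."
# for a port scan. All sample lines below are constructed, not real scan output.

# Constructed result of: nmap -sn -oG targets 192.168.1.0/24
sample_discovery() {
    printf '# Nmap 7.80 scan initiated as: nmap -sn -oG targets 192.168.1.0/24\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.198 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.251 ()\tStatus: Up\n'
    printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 2.35 seconds\n'
}

# Constructed result of: nmap -iL targetlist -oG - (top-1000 port scan of the list)
sample_portscan() {
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\n'
    printf 'Host: 192.168.1.198 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 8081/open/tcp//http///\n'
    printf 'Host: 192.168.1.251 ()\tPorts: 22/open/tcp//ssh///, 8080/filtered/tcp//http-proxy///\n'
}

# The walkthrough's pipeline: keep only "Up" lines (capital U, grep is case-sensitive),
# then print field 2, which awk splits out on whitespace as the IP address.
# Reads greppable output on stdin, writes one IP per line (ready for nmap -iL).
up_hosts() {
    grep 'Up' | awk '{print $2}'
}

# Going one step further than the course: count open ports per host so the
# "this one looks like a server" judgement is a number, not an eyeball check.
# Output: "<open-port-count> <ip>", busiest host first. Filtered/closed ports are
# not counted because only "/open/" entries match.
open_port_counts() {
    grep 'Ports:' | awk 'BEGIN { FS = "\t" }
        {
            split($1, h, " ")              # h[2] is the IP from "Host: <ip> ()"
            n = gsub("/open/", "&", $2)    # gsub returns how many matches it replaced
            print n, h[2]
        }' | sort -rn
}

# Stand-alone run: host list, then the open-port tally.
sample_discovery | up_hosts
sample_portscan | open_port_counts
```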
And what we can see here is clearly 198 seems to have a lot of ports open, or there's a lot of services running on it. And generally when you see that in a network, it means that device is probably what we call a server, which is running and holding a lot of services. So we're going to focus our attention on 198, because the more services there are, the more likely it is we're going to find one that's vulnerable. So we talked about risk management and that stuff previously, and this is where the terms vulnerability and vulnerable and threat and all that come in, because currently I'm acting as a threat agent. And what I'm looking for is a vulnerability that I as a threat agent can exploit to take control of this machine and cause loss to this organization, okay. So I'm going to go ahead and focus on 198. I'm going to scan all the ports that are open on it. Instead of a list we're going to focus on a single IP. We're going to tell it to do a version probe scan. And what this is doing is it's not only scanning and checking to see if the ports are open, but now it's going to interrogate each port to see essentially what actual service is running there. Because the truth of the matter is I could run something on port 80 and it be something other than a web server. Now, the reason I say that is generally web servers listen on port 80 or port 443, but you don't have to have them run on those designated ports. We can make anything run on any port that we want. So just because you find a device that has port 80 open, it doesn't guarantee you it's a web server, it could be anything. So the reason I'm doing this scan is to verify that. Now again, you know nothing about nmap really if you've only taken my intro course. But you can still teach yourself, because now what you should be asking is, well, he just threw a new flag at us that we didn't know, what is -sV, how would you find that out?
You can go right into man and do man nmap, and guess what, search with forward slash for sV, whoops, sV. And it takes you right to that and tells you what it is. -sV can be used to differentiate between two truly open ports. And if we search for that again, because it might show up more than once, you can see that -sV means version detection. Enables version detection, as discussed above. Alternately, you can use -A, which enables version detection among other things; -A means aggressive. So what I'm showing you here is, you see how we were looking for -sV and it told us what it means, but it also kind of dug us deeper into the rabbit hole, taking us further down, saying, hey, by the way, if you want to do -sV on steroids, you can do -A, and it does version detection plus some more stuff. But while we're doing that, let's go back and look at what's happening with our scan. Now because we're doing such an intensive scan, notice it's taking a little bit longer than the first scan did, because we're digging in to each of those services running on this device to see what those services actually are. And what I'm doing there is hitting enter to get it to tell me where it is, and of course then it finishes. So now not only do I know which ports are open, or which connections this device is taking, I also know essentially what those services are. Like I know this is running Microsoft IIS 8.5, which I might go out and look on the internet for vulnerabilities related to that service, because remember we're the threat agent, we're looking for vulnerabilities to exploit. Okay, these are all terms that we covered in risk management. Now, when I go down we can see there are several services here, but there's one particular service that I want to show you something with. So there's a service here named HttpFileServer httpd 2.3b. That's a service. I don't know what that service is. So guess what? I'm just going to copy it and paste it.
Now we've been using skills that you learned the first time you learned to use a computer, but it's still a valid skill; copy and paste is an underestimated, great technical skill to have. [LAUGH] All right, so we're going to open my browser here. I'm going to go out to Google and I'm going to search for vulnerabilities. I'm just going to paste that string and add the word vulnerability to it. And sure enough, there are vulnerabilities out in the public domain associated with that service, all right? There's some from 2020, 2019, all the way back to 2014, because this is a very popular service, it's been around for a long time. So now that I know it's there, and now I know it's related to this service called Rejetto, I'm going to go read up on it and see what there is to say about it. And of course, the write-up tells me that it's an exploitable service, you can do different things with it. There's the source code if you want that for the exploit. I'm just going to say, all right, well, I know there's a vulnerability now, let me see if I already have it. So I'm going to search my exploit framework here. Remember we talked about Linux distributions in the fundamentals of operating systems course. And this is a specific Linux distribution, Kali, that I'm using here, and it actually has on it some tools that allow us to search. I'm going to do searchsploit Rejetto and it comes back and says, yep, I've got something for that software, I've got an exploit for it. So now I, the threat agent, have identified a vulnerability, and now I've found an exploit to take advantage of that vulnerability, which will hopefully get me onto that machine, okay. So I'm going to go ahead and load my exploit framework tool, which in this case will just be Metasploit. The reason I'm using Metasploit in Kali is because if you go into this type of technical cybersecurity, you're probably going to be exposed to these tools more likely than you would others, okay.
So I'm just kind of trying to prepare you and get you up to speed on the things you'll be seeing. Now we're waiting for Metasploit to load. Remember we have a target, right? The target is this guy, and we looked at this port that was running this service. We found that that service is an HTTP service named Rejetto. So now I search in Metasploit for anything related to Rejetto exploits. And sure enough it's going to come back here with the result. And when it comes back, we're simply going to load that particular exploit. All right, so I'm going to say let's load that, and we're going to use the word use. Now watch this. Again I'm going to use a technique that I taught you in the intro course. Remember we talked about tab complete. I'm going to say use exploit/ and I'm going to say win TAB, because it knows windows is the next directory, and then I'm going to say http TAB, and I'm going to say rej TAB. See how smoothly that went. See how much time I saved myself. Because let me tell you a little secret, I guarantee you, if you asked me to type that entire string out fast, I would typo it nine times out of ten. But if I'm using tab complete, it autocompletes it and it takes away my brain. It takes away the weakest link, which, trust me, in any scenario the weakest link is probably my brain. But it takes that out of the equation and allows me to focus on what the task is. So again, your autocomplete is in clear use right here. Okay, so now I'm going to use it for other things. I'm going to set my payload, which is what I want this exploit to do for me. Guess what, I'm going to say windows/ TAB. The payload I want to use is something called meterpreter. I'm going to say that, TAB. I'm going to say reverse_tcp, and I'm tabbing through all that. Now I'm going to set my target, which is rhost. I'm going to set this machine as my lhost, which is where I want my connection to come back to, which is 251.
Now I'm going to set the target port that I'm going to be exploiting, which we know is 8081, because that's the port we were scanning and we found that service on. So watch closely, I'm just going to type the command exploit. And sure enough, we find that this exploit actually successfully exploits the vulnerability that exists on the system because of that software. And we're able to now exploit that as the threat agent and give ourselves a meterpreter session. Now watch this, once you get onto the machine, I'm going to drop into what we call a shell. And now I have Windows command line access to this Windows machine without ever logging into it, without knowing the user name and password. I own this machine because of that vulnerability. Now what do you think I have to do here? I have to know Windows commands, because now if I'm going to do anything with this machine that I've taken control of, I have to know how to navigate this machine, or this operating system, from the command line. So all that stuff that we talked about in the Windows foundations command line course, you're going to need to use that now, even at this advanced a level. So what I'm going to do is let's go back to the root. I'm going to create a user named davidd. And then I'm going to give that user a password and I'm going to add that user to this device. And when I do that, Windows says successful. Now I want to pause and reflect on something here. That step that I just did, this right here, creating a user for myself named davidd, that's not hacking. That's just Windows command line. So the fundamental Windows command line stuff is going to translate all the way to this level. Now if you haven't mastered the Windows command line and someone takes you right into cybersecurity, throws you into the deep end and starts you using Metasploit, well great, you learn how to use Metasploit. You learn those five commands to get you into a system.
But when you get there, what are you going to do from that point if you don't understand how to navigate the command line, right? So this is why you take this in steps. Well, now I want to elevate my privileges. So I'm going to try to do that. I'm going to drop to my shell again. And now I want to make my davidd account part of the administrators group. So I'm going to say net group "Domain Admins" davidd /ADD. Now here's something I didn't show you. I didn't show you how to create groups in Windows. But if you took any of the Active Directory courses or the Windows administration courses on this skills platform, you would have learned how to do things like create and add to groups from the command line. Again, this is not a hacking technique. This is just basic network administration, because as a hacker, once you get into a system, that's essentially what you become. You become a network admin or a network engineer. So you need those foundational things so that when you get into a system and when you do whatever your cyber task is, you have that skill set that you can pull out of your bucket and start using. Now the next thing I want to do here is I'm going to make my own group so that I can kind of hide in it. I'm going to do net group. We're going to create a group named FiveSix. We add it, and now on this machine, this Active Directory domain controller, we've created a group named FiveSix that we can control right there. And then we can start adding things into that group. This is a full Windows administrative group here that we can do things with. So now, let's go ahead and get out of that. Now we've found a vulnerability. We've exploited the system. We need to now get rid of evidence that we were there. So I'm going to do a command called clearev. And this wipes out the Windows event logs that would have any proof that I was ever there in the system.
So now if an investigator were to go look at the event logs on the system, evidence of me being there wouldn't be there. Now I'll get out of meterpreter, I'll go back, and at that point the attack is over. I've gotten in, and I got in because I discovered a vulnerability that I, the threat agent, was able to exploit to give myself control of this machine. But what you should have noticed there is, while you wouldn't have been familiar with everything that I did, some of those things should have jumped out at you, like more and cat, and using different Windows commands to do things in Windows. All those things should have been somewhat familiar, as well as the Linux commands that we ran here. And one of the things that I find over and over again when people are struggling going through these hacking exercises, it's never the exploit stuff that slows them down. It's the fundamental stuff like this. Once they get that command shell, how do they move a file from one place to the other? That's what tends to slow them down. That's what creates the problems. Now you just saw a real-life pen test situation where we found a machine, found vulnerabilities on that machine, exploited that machine, took control, created users, elevated privileges. And we did most of it using just regular Linux and Windows commands. I only used about two commands that were actually hacking commands. I entered a total of about 30 commands and most of them were just Windows or Linux commands wrapped around a hacking exercise. So this is what hackers mean when they tell you the first thing is learn the fundamentals. So hopefully this demonstration was a good primer to show you how we can take fundamental command line stuff and turn it into a specific hacking exercise like this. I look forward to more comments coming from you guys and I'm looking to produce more content for you. Hopefully you find some useful links in this and I look forward to seeing you in another course.