In this lesson, I'll talk about exploitation. Exploitation is using a threat to take advantage of a vulnerability. It's going to be a very small part of the actual pen testing methodology: if we've done our homework and research, exploitation may be a streamlined process.

Now, in the previous lesson we talked about vulnerabilities and vulnerability scanning. We're going to take those vulnerabilities and identify how we can exploit them to our advantage to actually compromise a system. Exploitation allows us to reduce or eliminate false positives from our vulnerability scanning. Vulnerability scanning is just looking for vulnerabilities; it's not actually attacking or trying to compromise the system. So with vulnerability scanning alone we don't know if a finding actually works, if the system can actually be exploited. Exploitation also helps us understand risk: if we're able to compromise a system, how easy or how difficult it is, or maybe we can't even get into the system, which lowers our risk significantly. Exploitation also allows us to pivot to other parts of the network, which may have other vulnerabilities, because vulnerability scanning only scans the systems that we tell it to. When we're exploiting systems, it may allow us to jump to other parts of the network that we didn't scan during our vulnerability scanning process.

However, there are risks to exploitation. System crashes, service crashes, accessing content that you didn't mean to, and exposure of sensitive information are all risks that we have when we are exploiting systems. One common risk is accessing content that we didn't mean to: if we're able to pivot from system to system, maybe we accidentally touch a system that is not part of our penetration testing plan.

There are many different resources available for pen testing. There are many websites out there, such as Offensive Security and Exploit-db.com, which is a great website to look at actual code.
And actually process those services and applications that are vulnerable. Shodan allows us to see websites that could be vulnerable, perhaps our own, actually. There are distributions out there; I've been working off of Kali Linux for many years, and it used to be called BackTrack. There are also BackBox, Parrot Security and Samurai; Samurai is a web application vulnerability testing distribution. These are all Linux distributions that allow us to compromise or exploit systems.

There are also suites of hacking tools and exploitation tools out there. Burp Suite focuses on web applications. Metasploit focuses on nearly all kinds of vulnerabilities. Core Impact is around the same as Metasploit, but it is a paid-for, professional piece of software. Ophcrack and John the Ripper focus on password exploitation. w3af and Nikto also focus on web application exploitation.

One thing that isn't covered very often is physical exploitation. This is something that I always cover in any of my courses, because people forget this. If your systems are not locked down, in locked offices, somewhere where they're going to be protected, it's game over if they're not encrypted. And that's what I want to show you today as a demonstration: systems that are unencrypted are very vulnerable.

Let's switch over to my virtual machine here. You know what, for the life of me I have no idea what the password is. I built this computer probably four or five years ago and I can't get into it. But let's pretend that I'm an attacker and this system was a laptop that was just sitting around that I found and I need to get into. And let's say that the laptop belonged to some human resources employee and they had a bunch of documents, but the person was very conscientious and had strong passwords on everything. So what I'm going to do, because I don't know what this password is and I can't get to the files, is stick a CD-ROM in.
I put in a boot CD that contains some tools for booting hard drives, but it also contains an offline password changer. Now, if this were a real computer, like a laptop, as in the scenario, I'm going to be able to stick the CD in the CD-ROM drive and boot as normal. So I have this laptop that this HR employee left, and it has a whole bunch of sensitive files on it. And I just stuck in the boot disk, which is called Hiren's BootCD. It contains a lot of tools for booting or helping boot a system, but it also contains an offline password changer. So that's what I'm going to do.

As the attacker, I'm going to go down to Password Changer, and it's going to boot from the drive. Okay, for one, it's going to identify the hard drive, so I want to select the hard drive. Usually the defaults are okay. And I'm going to say I want to force looking at the hard drive. So it looks like it found System32/config. So I'm going to look at the password reset, the SAM file of Windows, and I'm going to edit the user. It looks like I have Administrator, Greg, Guest, and a couple of other accounts. I want to reset the Administrator account, so I'm going to select the first one, which is Administrator, and press number 1 for Clear the User Password. Okay, it's cleared and now I'm going to restart the system. Let's see if I can use the blank password to get into the system. I'm just going to hit the Enter button and see if I can get in. Looks like I can get in.

So, in conclusion, exploitation is not only about the tools that you use electronically, but also about the physical systems that you have. And you need to remember, when going through an analysis and a vulnerability scan, that it's not just about software compromising software. It can be about physical systems as well.
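The demonstration works because the OS volume is unencrypted, so a boot CD can rewrite the SAM. As an added defensive check that is not part of the original lesson, the PowerShell audit below reports whether a Windows host is exposed to that: every fixed volume should be fully BitLocker-encrypted with protection on, ideally with a PIN rather than a TPM-only protector, the TPM should be ready, and Secure Boot should be enabled. The function name and the wording of the findings are my own; the cmdlets are the built-in BitLocker, TPM and Secure Boot ones.

```powershell
# Added example: audit a Windows host for exposure to offline disk attacks
# such as the boot-CD SAM edit shown above. Assumes the built-in BitLocker
# module, Get-Tpm and Confirm-SecureBootUEFI are available (Windows 10/11
# or Server) and that it runs from an elevated prompt.
function Test-OfflineAttackExposure {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Every volume BitLocker knows about must be fully encrypted with
    #    protection ON. A decrypted OS volume is exactly what lets offline
    #    media open System32\config and rewrite the SAM.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("Volume $($vol.MountPoint): ProtectionStatus=$($vol.ProtectionStatus), VolumeStatus=$($vol.VolumeStatus)")
        }
        # A TPM-only protector unlocks the disk silently at boot; a PIN or
        # startup key adds a factor that a thief with the laptop lacks.
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if ($types -contains 'Tpm' -and -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
            $findings.Add("Volume $($vol.MountPoint): TPM-only protector, consider requiring a PIN")
        }
    }

    # 2. TPM present and ready, so BitLocker keys stay sealed to the platform.
    try {
        $tpm = Get-Tpm
        if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
            $findings.Add("TPM not present or not ready")
        }
    } catch {
        $findings.Add("Get-Tpm failed: $($_.Exception.Message)")
    }

    # 3. Secure Boot refuses unsigned boot media on UEFI systems; the cmdlet
    #    throws on legacy BIOS firmware, where any boot CD will load.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings.Add("Secure Boot is disabled") }
    } catch {
        $findings.Add("Secure Boot unsupported (legacy BIOS): any boot CD will load")
    }

    [PSCustomObject]@{
        Host     = $env:COMPUTERNAME
        Exposed  = ($findings.Count -gt 0)
        Findings = $findings
    }
}

Test-OfflineAttackExposure | Format-List
```

An empty Findings list with Exposed = False is the state the HR laptop in the scenario should have been in; any finding is a reason to treat the machine as readable by whoever picks it up.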