Metasploit 101 with Mubix
Tuesday, October 27th, 2009. Running time: 36:41.
After much request we've dedicated an episode to Metasploit. Room362.com's very own Rob Fuller, aka Mubix, joins us in studio to show us the basics of exploiting and the power of auxiliary modules.
Put Mubix in a room with a whiteboard and prepare to take notes. Go grab yourself a copy of Metasploit, or build a BackTrack Virtual Machine and start playing. Mubix's complete show notes can be found at Room362.com. Mubix also recommends the free Offensive Security course Metasploit Unleashed - Mastering the Framework.
Highlights
operating system: 6:22
video game: 34:44
firewall: 26:01
payload: 5:13, 5:55, 9:33
Automatically Generated Transcript
May not be 100% accurate.
" Wow."
" This episode 35 is brought to -- go to assist express. Game fly at domain dot com. Got a great idea it all starts with a great domain."
" It as a welcome -- this episode of Hak5 nine Amos and -- And US have been lingering for some Metasploit so we're bringing you -- just that all episode dedicated to it. Olympics written or sixty tip comes down -- presence since -- misplaced it may or may not out. Stick around for that but first alert and response gets."
" The best way to provide technical support is to do online would go to assists express. You can help friends learn how to use -- software or fixed him with computer problems without being there in person good to -- express lets you easily view and control computer online seeking quickly resolve technical issues. Whether your customer support technical consulting or management or just a computer guru. Go to assists expressed hope to increase revenue reduce travel support time. And service more clients. Try go to assist express free for thirty days for this special offer you must visit go to assist dot com slash Hak5 that's good to assist dot com. Forward slash H a K 54 pretrial."
" So today we're gonna show you. Basic wanna one on Metasploit it's not that scary exportation to -- things we're gonna actually attic like big indeed with it. And kind of understand the total value of it. As more than just an exploitation for an hour and when I say framework. I wrote that that really defines best what -- which started in 2002. And has grown into the biggest ruby project in the world. And it has so many libraries -- so many other things and just exploitation easy because the libraries in the API call Rex. That it's. Personifies the word framework has some things. So we're actually some of the advanced features the little hocus pocus stuff that I've shown. Before. And then we're gonna get into some cool stuff that it can also do that isn't exploitation. Sort of start off with the export module. Section. And let me set that up a little bit before and but first a real quick public service announcement. Please -- yes -- copy you can find out how to do that at the bottom of the download page. It helps the -- in all the people on the -- willingness to answer questions because you're using the most updated version. Which probably has fixes for some of the stuff that you might be asking anyways. So just report that and we're gonna go over here. Actually what we're gonna be we're we're gonna be doing."
" So we have the hacker. Box out here now. And we have. Perimeter. And their defense in depth we have alleged Iraqi news. And ask counselor here. A domain. And a workstation."
" Yeah as a student who. Right. So we're gonna show you real quick how to. Getting to that set of systems. And start moving around with the exploit. Expert models. And to make a demo go a little bit easier we're not gonna actually use a real exploit has sometimes they FAO. He just after -- it. The right steps of demo fell gods can't give us what we're using. Standard username password. So let's start off with getting into. -- and test exports framework theory. And -- console. The second to -- The reason why it takes a second load is -- have both. Oh ruby one point 91 and -- one point eight. Compatibility what one point 91 if you get it working. Is so much faster and they're really trying to get people to move over to that today they can get it so that you can run -- Ten times faster and is closed because it looked illiterate loads all the modules up one's. So we it's loaded and we are gonna get into. Use. Does that tell you -- to mob rule. Windows. Assembly. Yes the exe. Now appears that yes exact model is exactly like since internals except for has one cool little feature that we'll talk about later. But what it does is runs a one's -- binder area or or payload and rationally you. On the target box. So we show the options. That has available and there's also show advanced. Where you have some of these advanced options including. Proxies. So you can actually send this through poor if you want. That should move options. So we set our our hosts. And I'll probably be do what dyslexic again. And get this wrong. We set our payload. Now let me show you before you -- in the setting payloads show payloads. That this thing has national foods. This thing hasn't Hun commencement project has a ton payloads and they're really well. Set up so that you can kind of you know the format you can understand exactly what it does so the first part of the payload name. Is the OS or operating system it's. It is run on her available for. The second part is kind of what it guys. 
There is shells. Upload XQ. The NC inject. My interpreter interprets the fund that's the real good but -- the time and you can look through it. Now if that portion of it is followed by an underscore. You know that it's an in line payload and what and in light payload is is means that the whole payload is sent over the wire -- the same time. Now this can be good for stability reasons but. What is most. Widely used as the stage one stranger is used when there's a slash right after the second portion of the payload. That's how you know at the stage or in the description. And state your payload is smaller -- who are quicker but come back and get the rest of it pulls him. This is good because some exploits have a very small buffer area that's very small amount of room. For an exploit happen and sometimes cannot take the hole in line. Injection because. The B and C inject one particularly is I think around seven megs when he goes over the wire so staging that is the best way to go. So we're gonna select. Windows router perverse and -- that means it's there -- TCV that means it's coming back to us from that box to. The system that we're running. Now the cool thing the other cool thing about Metasploit is that it tells you what variables are required. You have to actually you set. And the variable name or it doesn't work. So you as you can see now we have more options. Set L host that's our local host and and zero again I think I've been dyslexic on this. And for PS executive takes it SNB user and password. We're doing this again for demo purposes when using an actual exploit you won't need these you'll just use the exploit. -- And you know it it loads exactly same way this is. This exactly as an exploit model so you're doing everything exactly the same as you would a real export. Which has 400 -- and this. So SNB pass we are you know we're just using the password so we can get this demo done. Again you need to use set."
" And -- exploit but before we do. As in a lot of things in in the Metasploit framework you and to attack H and five all the cool help. Most people don't know about the help it's -- exploit. There's lot of cool features you can actually. I'd get to a point where you couldn't script this using something code resource file that we can talk about time. That's for the whole thing and get it in one line you can get all the options the payload. And and the background all in one line with with export -- exploit attacked -- tech Z. Now. -- Z well. Make sure that when the payload come back. The session isn't it immediately attacked this is. This is good when you're doing multiple exploits or multiple systems. You don't want it to automatically attached. To the session so they you have to background you can just. Exploit. Have it automatically background with -- they C and run the exploit again different box if you wanted to. Tactic accident job. Background units of disease actually so it doesn't act of right so that's what -- disease. And armor to recessions open. So. There are a ton of commands and here. Everything from upload to XQ 22. To reboot to do registry changes but your -- can do amazing things with little bit. Like with the least amount knowledge whereas if you're just had a command show. You have to know a lot of commands to -- a lot of stuff that we do here done. So what we're doing is pretending like we just actually of the web server out on the permanent. We have Richard recession going we got some kind of web exploit or some congrats to injection to get this going. And we have interpret. So if this if this is actually attached to -- domain name so we -- domain server over here ask your server here. And this is actually attached to a domain. Which happens all the time. Then we're gonna show you how we can take that and have it in through the insert internals part of the network. So. 
So one of the one of the modules that is automatically loaded when you have a we had a mature -- script. That is running as administrator or system. Like we are right now. Is -- Now there's a bunch of other other. Modules that are out there. Including card you go to going to next on the approval allows you do -- And has done allows you to do basically. Up PW dump without having the tools they get caught by. -- AV products. So. Passed a bizarre our printers automatically loaded. So you don't have to use or do anything to your router show and just you hashed out and there it is there's all the hashes that our -- system. And hopefully. People don't use different patterns -- different systems because. Patches in windows world are exactly the same on every other box so if Bob uses pastor. Password. On the web servers and users news password. Password on the domain controller the hash is going to be exactly thing. So. Instead of cracking passwords -- something called past the hash. Now remember that cool thing to say that PS exact doesn't. The modules for -- Metasploit. Does that that PS exact -- doesn't. That's passing the hat now and in Europe -- and Ochoa from course security actually -- this method and what it does is. Instead of well you know what -- money went -- it and show you exactly what's going on when you're doing past past. So. Win this windows workstation. Walk the talk to this domain controller and logging. It will take the password to the users. Has. Hash it with using and kill them. And then."
" Austin office and authentication -- two. The only controller. May control it then goes. Let me look at the -- that I have on file and compare it if it's good. Then you're authenticated. To -- no time does the clear text password go across the wire. Security right. Well that's good for us because we can take that -- without. Pre computing part. As we don't have to have it and do the exact same thing that the workstation it. So that's the basic things aren't past the hash."
" So what we're gonna do -- With this is we're gonna background. That much -- session using controls me."
" We're gonna copy of the administrator password. Her minister had some sorry."
" Show options."
" We're gonna pretend that we have a another system. And we've changed the our host we're gonna change it from the from the windows or other web server to be doing controller."
" Hopefully the ministry -- the same on both. So order set. SNB."
" And paste in our hatch. Now."
" so options. They can see in the options that instead of password we now have a hash as the SB. Now if we're running in an actual domain. In the show advanced portion. You can see that SNB domain is another variable there needs to be set. But we're not for this demo so well we'll just run. On the export. With a hash. Now we have our return procession open on arguing controller. He's is that we've just now use. Hash instead of password. That we obtained from a different system on another system. Virtually in our minds right. Two -- another system without using a password without cracking that actual past. Pretty cool. Well so that we really really Macy's the need to crack passage right. What oh. What if it's attached it to Maine but. All you give us the local. Local counts. Can't really use that well. Napster. Tokens are another. Method that are you. Another authentication method on windows that are used kind of like cookies. Now if you think about when web cookies they store your authentication so that you. When you go to a different portion of the site you don't have to think Ayers and -- imagine if you had to -- Are -- to log in every every time between -- Especially for people with like thousands and thousands of updates. So that's we're tokens coming. Let me show you on board again. If demanding a or Bob."
" Sites to log into. The workstation to help out. The user whatever problem. His poking instead of his username password. Or his his username past or cents a here authenticate the domain but once -- arm and starts doing things his cocaine. It actually stored on that change. Now there's a bunch of tokens that are loaded by default and used for services in and things like that. And if you're -- system level on the domain on the yeah. On the computer or workstation or server that your wrong you can see all of those tokens. Ministers can always end users can we see the ones that they have access to that system has axis -- So."
" Tokens. Have. A limited lifespan. Patches don't. So that the you know this -- is modest in both tokens you can use for domains and possibly. Period that way -- have. More lifespan. That can stay until this is is actually reboot. So we're show you how immature for -- we can use those tokens to add a user. And and essentially execute commands on a different system. Using. Using the tokens -- So I'm interpreter you actually have to load this module called calling card veto by saying use. In -- And this loads that -- into. The -- recession still are hitting disk at all. Now you have some extra commands available to you and me in -- incarnate -- commands to category. At group user at a local group user add user impersonate token -- list tokens -- star passes. Now this tokens as long wanna start off with. I so we ran this tokens we actually have to do attacked you do list all the user names. The user tokens at least. And let me."
" Let me go to the right word and show you. Let's let's Alter our little reality real quick. So. Say through the web server we got to the SQL server has a lot of corporations and people. Are not that bright and do the web and yes -- server inside the prayer so. Because the Webster has sparked this jewels -- So say we have our second interpret show here -- Coetzer. Now there's a possibility that sold with privileges is gonna be on the via secure ulcer or the tokens at least so we're gonna be logged --"
" Because that's a high maintenance. Type -- server. So. We're gonna use the tokens. That we see here and we're gonna pretend. That one of the domain tokens showed up just as if right here where it says. New PC administrator. We're gonna pretend that that says domain Bob with domain -- Bob -- And."
" Easy we just use add user."
" And it shows you some help if you just senator. Right here we do attack H if we're gonna add a user to the domain controller. And you can see that or you can you can. Like type in the IP address so the host name and at a user to domain using this token. But for our example right now we're gonna pretend that we're doing that or just gonna add user locally to the box -- right now. The reverend Bob. Admin. Password. Saying that we've been using. Candidates we've now added a username and password that we can use the -- expect module. Without an hashes to be done so we can if we had done this on and to make sure we can now use the PS exact module."
" And throw it at our domain controller and now have. Which her murder armed to make jokes we've officially activated. From web server to Eskew also over to domain controller and when your on the domain. --"
" So next. We're gonna go into some of the auxiliary modules. Oh. -- Real -- the other cool thing that. -- does that I'd like they're really point out is they. And in the not so distant past they. They added a key logger Alec -- August kind of cool because what you do is attach it to a specific process. And that's cool and the fact that you don't get all of the other. Depending on what processor attach if you -- attach it to win logon. You just hit log -- and log out. So guess what -- You names passwords. And that's it so you have. Haven't attest to log on when Lauren never stops. Because it's always running. You just get used and is the bastards you typed up -- Mikey he he don't. -- and don't -- it has been set so users pastors is only get which is X. And -- going to go through so next up we got the I'm doing."
" It's a free -- diet that's ridiculous. I did want to research so it turns out you can lose a lot early on as you can be. Points to break up --"
" I figured -- it hit me yet."
" Its -- anger actually the best. However I'm sure the world are registered pre op diet dot com. No I motorists are resolved I have come first and put -- picture -- moron. To say it's got. Pop up until May not cost domain registries and all all the yes."
" Her car or. We dot coms from less than ten bucks without -- up selling. Reseller dedicated servers received panel and killer DPS -- with root access domain dot com is the place to go next time you're looking to start a website. Or build your new massively multi skilled side business best of all there offering Hak5 -- sweet deals on domain names private registrations and web hosting. Just -- domain dot com and use coupon code Hak5 that's H a K five that check out to get 15% off your order. Got a great idea it all starts with a great domain domain dot com."
" So we've covered. -- what Metasploit is we've covered you know hocus -- part where you can. Do some cool stuff like past the hash and -- in stealing. And kind of contributing through the network to a game where where you want. But now. I want show you some of the -- features that I I really like about Metasploit. But first. Or show -- some of the other cool things that interpreter can do. -- inside of the Scripps directory under interpreter. There are host. Just a ton. Whichever Scripps that you. When you're in your root servers shell you'd think who attack our -- run space the name of the script minus the dot are being. And it will do like there's. Just go look at them you got stings from gig doing which is. Cool tool that will enable remote desktop. Adding user for years so the into the road desktop users. And basically you can. Then RDP into the system to a cool thing called get countermeasures what where it will. Stop the fire wall. Kill the ADB killed Windows Defender. And basically make it so that you can load anything any tool they wanted to on there after that you know afterward about your key logger. For not using the one built in the Metasploit. And interpreter. -- So let's get back into the exhilarated modules so inside. You know just Metasploit and his apostles. It. So auxiliary if I can -- right. And like I said earlier it's hotter ninety something. Different auxiliary modules they had and there are now. Everything from. Voice over IP. Telephony. Brute force or skating like. Where is where things things were dialing two. Just ask your -- Nixon's where you can connect to a secure server issues you commands. To cool thing called study map it's a set of modules. Scanners. Ask your injection in servers. Obvious. If you've ever heard of Karmetasploit. Karmetasploit actually uses. The servers inside of Metasploit in a RC or resource file to strip out this starting of all the servers you can grab credentials out of the air. But. I really employer -- into. 
And look at the modules in C. Just how many there are and how they can be used but. For just the time that we have when we go -- options one which is pretty cool. It shows you what options are available sometime he would locking out web dad or put. But I'm gonna I selected this one because. Later on we'll show you how to get into. And develop your -- Or export -- if you're so inclined. So in here we do use just like an export module. Scanner. It's the options so show options just like we would again. And now I have all the available options for that scanner the difference here if you've noticed is that you have and our hosts. Options our host. Our host has the ability if you're taking. Just like you would do with eight our host option you have. Either -- if they weren't IP. But with the Archos option you have the added ability view cider notation. And a little known fact that you can do file. On file is a line separated lists post -- you want to load and you're scanners so say you do a and maps scanned and you -- just the hosts to have. Port eighty open and you have no you have a list of posts that have that in. Just so you can run this module. You can do file coal in Hearst. News commissioner set. Our hosts file Cohen. -- Based TP servers dot text that's my head and right there it would then. -- to be our host variable and when it wrong it's an exploit causes on doing module. It would load that file and injury through each line and run the scanner against the but for. This demo we're gonna use Darren Kitchen dot net. Again you can use proxies so -- is your friend. It's real fast because we're just ring on one single. Single host and we got get head post option methods available to us. And that. It seems simple and it doesn't seem very powerful at all. But it's the little things that really gets you foreign and test and it's of little periods than -- holds that really make a difference. In the more information you have the better. So. 
We're gonna get we're gonna back out of this and out of the rest of consul in -- show how easy. The framework makes it to make something like this. So. If you go into. The directory form the framework and you go into modules."
" You can see that it's set up exactly like. It is inside the framework you go into -- exhilarating."
" In the scanner into its -- And there's all the eight. There's all the modules that are exactly the same as if they were in. The menu systems so. You connect so when you make in the module you put it in the same directory structure and I'll get loaded just the exact same Leo so show up in scanner based. -- It's the options or whatever you -- go back in here. And nano. I know -- whatever. Options. And we're gonna look at the options module so the first part you got the basics to load. A a very basic module you say include an -- hogs who -- scanning cruise Harrison port. All the stuff that you can kind of copy and paste. In -- all the modules you -- And in this lies is just there now."
" That is it. You see that we do -- again. That's all the lines of code needed to. Sending get send an options request."
" Parse it. And put it to the screen so the socket opening the the request getting them response back parson. And that's it. Even -- seeing the the file from our hosts this -- notation all that is handled by the framework. That's a powerful thing and most of this most of the stuff in there. Is just the incorporation of it into. The W mapped portion of the database. Section that we have actually covered. So I mean it gets down to. May be ten lines of code if you just look at the only things that are actual code that you have to think about right. So. That. I don't know how to say it any better that is the power of Metasploit framework that right there and I so I challenge you check out the SVN. I get the most of the copy and mic module for yourself most likely there's something similar to what you wanna do or so and he kind of know something about and can make it. My guess and -- a code to make this module plus the nationalization. So you can find out more at. Metasploit dot com download. Signaling version if you wanna run -- news check out how to check it out from via S here. You can also see. How to get involved via the -- what mailing list via higher C. And it's some the other three ventures -- wear hats. You can also of course you're on -- market right now. And the guys over -- actually have of course columnist -- unleashed. And offensive that security dot com slash Metasploit -- unleashed. It's it's the great course and it's completely free seeking go through and and step through all this by yourself pay your own pace. And me you can find it router solution to our com. And printers flash through our contest Lumix. And as always. Hak5 go to our we'll have all the shows notes and links and feedback I've got -- you have any questions -- it."
" I wanna let everybody knows that. Game -- this news service. They are the largest online video game rental service and offer a choice over 6000 new and classic titles across all councils and -- we plants are you 1595. -- game plan members can rent one to four games at a time and keep them for as long. Ads like you can also purchase a game if you fall in love with it feels into the box and manual. Pornography. And head over to gain slide dot com slash Hak5 to get. Two week free trial membership -- dot com slash act."
" I'd like to think they'll fix for coming onto the episode this week you can buy an all of his information chat room 362 dot com. And if you have any questions concerns or comments -- you should email us at feedback at Hak5 dot org. This we got Revision 3 any is reviewing a rock and iPhone application on app judgment is sure to check that out at revision3.com slash app that's. -- judgments is on Monday's Wednesday's and Friday's. Coming up next week we're going to have everything from deep in cracking to Linux device hacking. And all sorts other safety tips and tricks for you. But first. I'm just gonna remind you set -- last -- next week."
" Welcome model three what -- Today we don't know this and that and that -- view and."
" Wow."
" This episode 35 is brought to -- go to assist express. Game fly at domain dot com. Got a great idea it all starts with a great domain."
" It as a welcome -- this episode of Hak5 nine Amos and -- And US have been lingering for some Metasploit so we're bringing you -- just that all episode dedicated to it. Olympics written or sixty tip comes down -- presence since -- misplaced it may or may not out. Stick around for that but first alert and response gets."
" The best way to provide technical support is to do online would go to assists express. You can help friends learn how to use -- software or fixed him with computer problems without being there in person good to -- express lets you easily view and control computer online seeking quickly resolve technical issues. Whether your customer support technical consulting or management or just a computer guru. Go to assists expressed hope to increase revenue reduce travel support time. And service more clients. Try go to assist express free for thirty days for this special offer you must visit go to assist dot com slash Hak5 that's good to assist dot com. Forward slash H a K 54 pretrial."
" So today we're gonna show you. Basic wanna one on Metasploit it's not that scary exportation to -- things we're gonna actually attic like big indeed with it. And kind of understand the total value of it. As more than just an exploitation for an hour and when I say framework. I wrote that that really defines best what -- which started in 2002. And has grown into the biggest ruby project in the world. And it has so many libraries -- so many other things and just exploitation easy because the libraries in the API call Rex. That it's. Personifies the word framework has some things. So we're actually some of the advanced features the little hocus pocus stuff that I've shown. Before. And then we're gonna get into some cool stuff that it can also do that isn't exploitation. Sort of start off with the export module. Section. And let me set that up a little bit before and but first a real quick public service announcement. Please -- yes -- copy you can find out how to do that at the bottom of the download page. It helps the -- in all the people on the -- willingness to answer questions because you're using the most updated version. Which probably has fixes for some of the stuff that you might be asking anyways. So just report that and we're gonna go over here. Actually what we're gonna be we're we're gonna be doing."
" So we have the hacker. Box out here now. And we have. Perimeter. And their defense in depth we have alleged Iraqi news. And ask counselor here. A domain. And a workstation."
" Yeah as a student who. Right. So we're gonna show you real quick how to. Getting to that set of systems. And start moving around with the exploit. Expert models. And to make a demo go a little bit easier we're not gonna actually use a real exploit has sometimes they FAO. He just after -- it. The right steps of demo fell gods can't give us what we're using. Standard username password. So let's start off with getting into. -- and test exports framework theory. And -- console. The second to -- The reason why it takes a second load is -- have both. Oh ruby one point 91 and -- one point eight. Compatibility what one point 91 if you get it working. Is so much faster and they're really trying to get people to move over to that today they can get it so that you can run -- Ten times faster and is closed because it looked illiterate loads all the modules up one's. So we it's loaded and we are gonna get into. Use. Does that tell you -- to mob rule. Windows. Assembly. Yes the exe. Now appears that yes exact model is exactly like since internals except for has one cool little feature that we'll talk about later. But what it does is runs a one's -- binder area or or payload and rationally you. On the target box. So we show the options. That has available and there's also show advanced. Where you have some of these advanced options including. Proxies. So you can actually send this through poor if you want. That should move options. So we set our our hosts. And I'll probably be do what dyslexic again. And get this wrong. We set our payload. Now let me show you before you -- in the setting payloads show payloads. That this thing has national foods. This thing hasn't Hun commencement project has a ton payloads and they're really well. Set up so that you can kind of you know the format you can understand exactly what it does so the first part of the payload name. Is the OS or operating system it's. It is run on her available for. The second part is kind of what it guys. 
There is shells. Upload XQ. The NC inject. My interpreter interprets the fund that's the real good but -- the time and you can look through it. Now if that portion of it is followed by an underscore. You know that it's an in line payload and what and in light payload is is means that the whole payload is sent over the wire -- the same time. Now this can be good for stability reasons but. What is most. Widely used as the stage one stranger is used when there's a slash right after the second portion of the payload. That's how you know at the stage or in the description. And state your payload is smaller -- who are quicker but come back and get the rest of it pulls him. This is good because some exploits have a very small buffer area that's very small amount of room. For an exploit happen and sometimes cannot take the hole in line. Injection because. The B and C inject one particularly is I think around seven megs when he goes over the wire so staging that is the best way to go. So we're gonna select. Windows router perverse and -- that means it's there -- TCV that means it's coming back to us from that box to. The system that we're running. Now the cool thing the other cool thing about Metasploit is that it tells you what variables are required. You have to actually you set. And the variable name or it doesn't work. So you as you can see now we have more options. Set L host that's our local host and and zero again I think I've been dyslexic on this. And for PS executive takes it SNB user and password. We're doing this again for demo purposes when using an actual exploit you won't need these you'll just use the exploit. -- And you know it it loads exactly same way this is. This exactly as an exploit model so you're doing everything exactly the same as you would a real export. Which has 400 -- and this. So SNB pass we are you know we're just using the password so we can get this demo done. Again you need to use set."
" And -- exploit but before we do. As in a lot of things in in the Metasploit framework you and to attack H and five all the cool help. Most people don't know about the help it's -- exploit. There's lot of cool features you can actually. I'd get to a point where you couldn't script this using something code resource file that we can talk about time. That's for the whole thing and get it in one line you can get all the options the payload. And and the background all in one line with with export -- exploit attacked -- tech Z. Now. -- Z well. Make sure that when the payload come back. The session isn't it immediately attacked this is. This is good when you're doing multiple exploits or multiple systems. You don't want it to automatically attached. To the session so they you have to background you can just. Exploit. Have it automatically background with -- they C and run the exploit again different box if you wanted to. Tactic accident job. Background units of disease actually so it doesn't act of right so that's what -- disease. And armor to recessions open. So. There are a ton of commands and here. Everything from upload to XQ 22. To reboot to do registry changes but your -- can do amazing things with little bit. Like with the least amount knowledge whereas if you're just had a command show. You have to know a lot of commands to -- a lot of stuff that we do here done. So what we're doing is pretending like we just actually of the web server out on the permanent. We have Richard recession going we got some kind of web exploit or some congrats to injection to get this going. And we have interpret. So if this if this is actually attached to -- domain name so we -- domain server over here ask your server here. And this is actually attached to a domain. Which happens all the time. Then we're gonna show you how we can take that and have it in through the insert internals part of the network. So. 
So one of the one of the modules that is automatically loaded when you have a we had a meterpreter -- script. That is running as administrator or system. Like we are right now. Is -- Now there's a bunch of other other. Modules that are out there. Including incognito -- and priv, which allows you to do -- And hashdump allows you to do basically. A pwdump without having the tools that get caught by. -- AV products. So. Priv is -- automatically loaded. So you don't have to use or do anything in your meterpreter shell, just do hashdump and there it is there's all the hashes that are on our -- system. And hopefully. People don't use different passwords -- different systems because. Hashes in windows world are exactly the same on every other box so if Bob uses password. Password. On the web servers and uses password. Password on the domain controller the hash is going to be exactly the same. So. Instead of cracking passwords -- something called pass the hash. Now remember that cool thing I said that psexec does. The modules for -- Metasploit. Does that that psexec -- doesn't. That's passing the hash now and Hernan Ochoa from Core Security actually -- this method and what it does is. Instead of well you know what -- money went -- it and show you exactly what's going on when you're doing pass the hash. So. When this windows workstation. Wants to talk to this domain controller and log in. It will take the password of the user. Hash. Hash it using NTLM. And then."
" Austin office and authentication -- two. The only controller. May control it then goes. Let me look at the -- that I have on file and compare it if it's good. Then you're authenticated. To -- no time does the clear text password go across the wire. Security right. Well that's good for us because we can take that -- without. Pre computing part. As we don't have to have it and do the exact same thing that the workstation it. So that's the basic things aren't past the hash."
" So what we're gonna do -- With this is we're gonna background. That much -- session using controls me."
" We're gonna copy of the administrator password. Her minister had some sorry."
" Show options."
" We're gonna pretend that we have a another system. And we've changed the our host we're gonna change it from the from the windows or other web server to be doing controller."
" Hopefully the ministry -- the same on both. So order set. SNB."
" And paste in our hatch. Now."
" so options. They can see in the options that instead of password we now have a hash as the SB. Now if we're running in an actual domain. In the show advanced portion. You can see that SNB domain is another variable there needs to be set. But we're not for this demo so well we'll just run. On the export. With a hash. Now we have our return procession open on arguing controller. He's is that we've just now use. Hash instead of password. That we obtained from a different system on another system. Virtually in our minds right. Two -- another system without using a password without cracking that actual past. Pretty cool. Well so that we really really Macy's the need to crack passage right. What oh. What if it's attached it to Maine but. All you give us the local. Local counts. Can't really use that well. Napster. Tokens are another. Method that are you. Another authentication method on windows that are used kind of like cookies. Now if you think about when web cookies they store your authentication so that you. When you go to a different portion of the site you don't have to think Ayers and -- imagine if you had to -- Are -- to log in every every time between -- Especially for people with like thousands and thousands of updates. So that's we're tokens coming. Let me show you on board again. If demanding a or Bob."
" Sites to log into. The workstation to help out. The user whatever problem. His poking instead of his username password. Or his his username past or cents a here authenticate the domain but once -- arm and starts doing things his cocaine. It actually stored on that change. Now there's a bunch of tokens that are loaded by default and used for services in and things like that. And if you're -- system level on the domain on the yeah. On the computer or workstation or server that your wrong you can see all of those tokens. Ministers can always end users can we see the ones that they have access to that system has axis -- So."
" Tokens. Have. A limited lifespan. Patches don't. So that the you know this -- is modest in both tokens you can use for domains and possibly. Period that way -- have. More lifespan. That can stay until this is is actually reboot. So we're show you how immature for -- we can use those tokens to add a user. And and essentially execute commands on a different system. Using. Using the tokens -- So I'm interpreter you actually have to load this module called calling card veto by saying use. In -- And this loads that -- into. The -- recession still are hitting disk at all. Now you have some extra commands available to you and me in -- incarnate -- commands to category. At group user at a local group user add user impersonate token -- list tokens -- star passes. Now this tokens as long wanna start off with. I so we ran this tokens we actually have to do attacked you do list all the user names. The user tokens at least. And let me."
" Let me go to the right word and show you. Let's let's Alter our little reality real quick. So. Say through the web server we got to the SQL server has a lot of corporations and people. Are not that bright and do the web and yes -- server inside the prayer so. Because the Webster has sparked this jewels -- So say we have our second interpret show here -- Coetzer. Now there's a possibility that sold with privileges is gonna be on the via secure ulcer or the tokens at least so we're gonna be logged --"
" Because that's a high maintenance. Type -- server. So. We're gonna use the tokens. That we see here and we're gonna pretend. That one of the domain tokens showed up just as if right here where it says. New PC administrator. We're gonna pretend that that says domain Bob with domain -- Bob -- And."
" Easy we just use add user."
" And it shows you some help if you just senator. Right here we do attack H if we're gonna add a user to the domain controller. And you can see that or you can you can. Like type in the IP address so the host name and at a user to domain using this token. But for our example right now we're gonna pretend that we're doing that or just gonna add user locally to the box -- right now. The reverend Bob. Admin. Password. Saying that we've been using. Candidates we've now added a username and password that we can use the -- expect module. Without an hashes to be done so we can if we had done this on and to make sure we can now use the PS exact module."
" And throw it at our domain controller and now have. Which her murder armed to make jokes we've officially activated. From web server to Eskew also over to domain controller and when your on the domain. --"
" So next. We're gonna go into some of the auxiliary modules. Oh. -- Real -- the other cool thing that. -- does that I'd like they're really point out is they. And in the not so distant past they. They added a key logger Alec -- August kind of cool because what you do is attach it to a specific process. And that's cool and the fact that you don't get all of the other. Depending on what processor attach if you -- attach it to win logon. You just hit log -- and log out. So guess what -- You names passwords. And that's it so you have. Haven't attest to log on when Lauren never stops. Because it's always running. You just get used and is the bastards you typed up -- Mikey he he don't. -- and don't -- it has been set so users pastors is only get which is X. And -- going to go through so next up we got the I'm doing."
" It's a free -- diet that's ridiculous. I did want to research so it turns out you can lose a lot early on as you can be. Points to break up --"
" I figured -- it hit me yet."
" Its -- anger actually the best. However I'm sure the world are registered pre op diet dot com. No I motorists are resolved I have come first and put -- picture -- moron. To say it's got. Pop up until May not cost domain registries and all all the yes."
" Her car or. We dot coms from less than ten bucks without -- up selling. Reseller dedicated servers received panel and killer DPS -- with root access domain dot com is the place to go next time you're looking to start a website. Or build your new massively multi skilled side business best of all there offering Hak5 -- sweet deals on domain names private registrations and web hosting. Just -- domain dot com and use coupon code Hak5 that's H a K five that check out to get 15% off your order. Got a great idea it all starts with a great domain domain dot com."
" So we've covered. -- what Metasploit is we've covered you know hocus -- part where you can. Do some cool stuff like past the hash and -- in stealing. And kind of contributing through the network to a game where where you want. But now. I want show you some of the -- features that I I really like about Metasploit. But first. Or show -- some of the other cool things that interpreter can do. -- inside of the Scripps directory under interpreter. There are host. Just a ton. Whichever Scripps that you. When you're in your root servers shell you'd think who attack our -- run space the name of the script minus the dot are being. And it will do like there's. Just go look at them you got stings from gig doing which is. Cool tool that will enable remote desktop. Adding user for years so the into the road desktop users. And basically you can. Then RDP into the system to a cool thing called get countermeasures what where it will. Stop the fire wall. Kill the ADB killed Windows Defender. And basically make it so that you can load anything any tool they wanted to on there after that you know afterward about your key logger. For not using the one built in the Metasploit. And interpreter. -- So let's get back into the exhilarated modules so inside. You know just Metasploit and his apostles. It. So auxiliary if I can -- right. And like I said earlier it's hotter ninety something. Different auxiliary modules they had and there are now. Everything from. Voice over IP. Telephony. Brute force or skating like. Where is where things things were dialing two. Just ask your -- Nixon's where you can connect to a secure server issues you commands. To cool thing called study map it's a set of modules. Scanners. Ask your injection in servers. Obvious. If you've ever heard of Karmetasploit. Karmetasploit actually uses. The servers inside of Metasploit in a RC or resource file to strip out this starting of all the servers you can grab credentials out of the air. But. I really employer -- into. 
And look at the modules and see. Just how many there are and how they can be used but. For just the time that we have when we go -- options one which is pretty cool. It shows you what options are available sometimes you would locking out WebDAV or put. But I'm gonna I selected this one because. Later on we'll show you how to get into. And develop your -- Or exploit -- if you're so inclined. So in here we do use just like an exploit module. Scanner. HTTP options so show options just like we would again. And now I have all the available options for that scanner the difference here if you've noticed is that you have RHOSTS. Options RHOSTS. RHOSTS has the ability if you're taking. Just like you would do with a RHOST option you have. Either -- or an IP. But with the RHOSTS option you have the added ability to use CIDR notation. And a little known fact that you can do file. File: is a line separated list of hosts -- you want to load in your scanners so say you do an nmap scan and you -- just the hosts that have. Port eighty open and you have no you have a list of hosts that have that in. Just so you can run this module. You can do file colon hosts. So you just set. RHOSTS file colon. -- HTTP servers dot txt that's my head and right there it would then. -- to be the RHOSTS variable and when it runs as an exploit or as an auxiliary module. It would load that file and iterate through each line and run the scanner against them but for. This demo we're gonna use Darren Kitchen dot net. Again you can use proxies so -- is your friend. It's real fast because we're just running on one single. Single host and we got get head post option methods available to us. And that. It seems simple and it doesn't seem very powerful at all. But it's the little things that really get you far in a pen test and it's the little pieces than -- holds that really make a difference. In the more information you have the better. So. 
We're gonna get we're gonna back out of this and out of msfconsole and -- show how easy. The framework makes it to make something like this. So. If you go into. The directory for the framework and you go into modules."
" You can see that it's set up exactly like. It is inside the framework you go into -- exhilarating."
" In the scanner into its -- And there's all the eight. There's all the modules that are exactly the same as if they were in. The menu systems so. You connect so when you make in the module you put it in the same directory structure and I'll get loaded just the exact same Leo so show up in scanner based. -- It's the options or whatever you -- go back in here. And nano. I know -- whatever. Options. And we're gonna look at the options module so the first part you got the basics to load. A a very basic module you say include an -- hogs who -- scanning cruise Harrison port. All the stuff that you can kind of copy and paste. In -- all the modules you -- And in this lies is just there now."
" That is it. You see that we do -- again. That's all the lines of code needed to. Sending get send an options request."
" Parse it. And put it to the screen so the socket opening the the request getting them response back parson. And that's it. Even -- seeing the the file from our hosts this -- notation all that is handled by the framework. That's a powerful thing and most of this most of the stuff in there. Is just the incorporation of it into. The W mapped portion of the database. Section that we have actually covered. So I mean it gets down to. May be ten lines of code if you just look at the only things that are actual code that you have to think about right. So. That. I don't know how to say it any better that is the power of Metasploit framework that right there and I so I challenge you check out the SVN. I get the most of the copy and mic module for yourself most likely there's something similar to what you wanna do or so and he kind of know something about and can make it. My guess and -- a code to make this module plus the nationalization. So you can find out more at. Metasploit dot com download. Signaling version if you wanna run -- news check out how to check it out from via S here. You can also see. How to get involved via the -- what mailing list via higher C. And it's some the other three ventures -- wear hats. You can also of course you're on -- market right now. And the guys over -- actually have of course columnist -- unleashed. And offensive that security dot com slash Metasploit -- unleashed. It's it's the great course and it's completely free seeking go through and and step through all this by yourself pay your own pace. And me you can find it router solution to our com. And printers flash through our contest Lumix. And as always. Hak5 go to our we'll have all the shows notes and links and feedback I've got -- you have any questions -- it."
" I wanna let everybody knows that. Game -- this news service. They are the largest online video game rental service and offer a choice over 6000 new and classic titles across all councils and -- we plants are you 1595. -- game plan members can rent one to four games at a time and keep them for as long. Ads like you can also purchase a game if you fall in love with it feels into the box and manual. Pornography. And head over to gain slide dot com slash Hak5 to get. Two week free trial membership -- dot com slash act."
" I'd like to think they'll fix for coming onto the episode this week you can buy an all of his information chat room 362 dot com. And if you have any questions concerns or comments -- you should email us at feedback at Hak5 dot org. This we got Revision 3 any is reviewing a rock and iPhone application on app judgment is sure to check that out at revision3.com slash app that's. -- judgments is on Monday's Wednesday's and Friday's. Coming up next week we're going to have everything from deep in cracking to Linux device hacking. And all sorts other safety tips and tricks for you. But first. I'm just gonna remind you set -- last -- next week."
" Welcome model three what -- Today we don't know this and that and that -- view and."
mari1ee
Started discussion: October 28, 2009 @ 10:21am GMT
Episode 611 - Metasploit 101 with Mubix [Discussion]
computoman
about 23 days ago
Like the new page format I think.
ksboyintx
about 17 days ago