[00:00:00] In this demonstration, I've created a small lab environment with two machines to show you how I can conduct a privilege escalation against a victim. My attacking machine is the Kali Linux machine, shown here on the left. This is going to be used to simulate an attacker's machine for my example. Kali is a commonly used version of Linux that's focused on providing us with tools that we use as a penetration tester or a simulated attacker. My second machine, shown here on the right, is going to serve as my victim machine. This computer is running the Windows 7 64-bit operating system.

[00:00:31] For this demonstration, I'm going to do a quick walkthrough of how to find a target machine and attack it using a known exploit. In this case, the target is missing an important Windows update, which contained the patch for a vulnerability in the way Windows 7 conducts its file sharing over a network. This patch was named MS17-010 by Microsoft, meaning that it was the 10th patch released by Microsoft in the year 2017. This patch addresses a security flaw in the underlying Windows operating system, the same flaw that was used by the WannaCry ransomware, which was later codenamed EternalBlue.

[00:01:05] In order to get started, I'm going to need to find the IP address of my victim machine. If this was a normal attack and I was going over the internet, I would have to perform a lot of reconnaissance and research to figure out their IP. But since I know that these two machines are both on the same network, instead, I'm just going to identify what the IP range being used is on this network. Using the ifconfig command on my Kali machine, I'm able to see the IP address of my attack machine. And this is 192.168.56.102. Next, I'm going to look at the subnet mask, which is 255.255.255.0. This means we're dealing with a /24 network, which consists of up to 254 host IP addresses. We know this based on our experiences in Network+.

[00:01:52] So to perform my scan, I'm going to open up a program called Zenmap. And I'm going to do a search across this entire /24 network. This'll help me to identify what machines are on the network. And in this case, there are only two machines, my Kali machine and the victim Windows machine. Zenmap takes a few moments to scan every IP in the /24 network and their ports. So I'm going to pause the video here and come back when it's finished so we don't waste time sitting here and watching it churn away.

[00:02:20] Now that that's done, we can see the fact that it found the Windows 7 machine, which will be our victim for our attack. This machine has three open ports: port 135, 139, and 445. These three ports are used to allow file sharing in a Windows system. Based on my experience as an attacker, I know that the EternalBlue exploit requires port 445 to be open for my attack to work. This port is open by default if you have file and printer sharing enabled. If file and printer sharing aren't enabled, port 445 will be closed and this particular exploit won't be effective.

[00:02:55] Now that we've found a possible victim, let's look at what the target machine is a little bit closer. You can see that this is a Windows machine. Based on the scans, Zenmap believes this is a Windows Server 2008 machine, instead of a Windows 7 workstation, which it really is. This is because Windows Server 2008 and Windows 7 both share a very common code base in their operating system. As you can see, Zenmap is a little confused on what operating system it is. Under the host details, it showed it as Windows 2008, but here under the ports, it's responding as if it's Windows 7. Now, we know the truth because we can see the machine on the right side of the screen. It is a Windows 7 machine.

[00:03:32] So now that we've identified the target, we're going to go into our exploitation. First, I'm going to open up another terminal and I'm going to load the Metasploit framework. This is an attack program that has lots of preloaded exploits, including the one for the WannaCry ransomware. To get it loaded, I'm just going to type use, the exploit I want, which is exploit/windows/smb/ms17_010_eternalblue. From here, I'll set my options by saying show options. You can see, everything's pretty much already configured. All I need to do is set my remote host, which is the victim machine I'm going to attack. In this case, 192.168.56.101. And then type run. And at this point Metasploit is sending the exploit over to the Windows 7 machine. You can see that showing here in the logs. Once it's done, it will give me a command shell. And here I now have root access or administrative access over that Windows machine.

[00:04:30] I'm going to go to the root of the drive by changing my directory. And I'm going to create a directory called "You've Been Hacked." Notice, on the right side, "You've Been Hacked" now showed up on the Windows machine. I can do all sorts of things here because I now have root access. Here, I'm going to go and change directories into the You've Been Hacked directory. Notice, it's empty. Well, now I'm going to make a file by echoing some text. I'm going to echo "This works only on Windows 7 and 2008, 64-bit versions, of the OS," and I'm going to put that in a file called Works.txt. Now you can see, if I look at the directory, Works.txt is there. I can go to the Windows machine and I can see that Works.txt is there with the stuff that I just put in.

[00:05:11] Now, at this point I can do whatever I want to this machine. I have administrative rights. I can install programs, I could put in backdoors, I can make static connections. Whatever it is I want to do, I now have total power over this machine. Hopefully this example shows you just how easy it can be to do a privilege escalation and how much power that person could have over your machine. Now, to prevent this, we want to make sure that we patch and update our machines. If this Windows 7 machine had gotten the patch that it was supposed to from Microsoft, this exploit would not work.