Greetings, and in this short video presentation, we're going to get a good look at the Nmap scripting engine. One of the first things we need to do when we start working on any of these labs is to ensure that we have network connectivity between each of the devices in the lab. So we're going to start by looking at my Kali machine. My Kali machine is up and I have done an IP or an IF config. And I can see that I have an Ethernet zero adapter, and I have a loopback adapter. I'm not concerned with the loopback adapter at this point.

I'm only concerned with the Ethernet zero adapter. And I see that I have an IP address assigned to this adapter of 192 dot 168 dot one four or five dot 132 the 192 dot 168 that 145 portion of the IP address is the network portion. The 132 is the host IP assigned to my Cali. So that will remain unique. But the first three octets of the IP address will remain the same if I'm going to have any chance of network connectivity between Kali and my Windows XP, or any other host on the network, so I'm going to go on over to my Windows XP target, and we're going to check the IP address over here. Now you'll notice that the network IP assigned to my Windows XP machine is also 192 dot 168 dot 145.

And the host is unique and it is 129. So these two machines will be able to see each other We're going to confirm this by doing a ping from my Kali over to the Windows XP. So I typed in the ping command, and I followed that up with the IP address of my Windows XP machine. And I'm going to go ahead and just hit Enter. And we see that I have replies coming back from my Windows XP machine telling me that it is responsive. So I know that the Kali and the Windows XP XP machine can see each other.

Now I can break this ping by just doing a Ctrl C. I'm out. All right, so now that we've confirmed that we have connectivity, we can proceed on with the lab. Now I recommend that you do this each time that you're thinking about starting a lab or working with tally and the Windows XP machine or Medicine portable to whatever the other host might be. I would confirm that you have network connectivity before you get too far along into it and then you start having issues with the lab failing. If your primary host is a Mac or an apple and you do not see an Ethernet Adapter present and all you see is the loopback then you do not have network connectivity. You need to have an Ethernet adapter, either emulated or installed onto your Mac or your Apple machine so that this lab can work.

Now if you have only a wireless adapter, that is to say all you have is the apple arrow net wireless adapter that's not going to work because that is proprietary and what that means Is that Kali and VMware and VirtualBox and Windows XP are not going to recognize the adapter because they don't have a driver for it. There's not a driver for proprietary hardware that is produced by Apple that is universal. So to overcome this, what you should do is go out to your local PC parts store, go to Best Buy or wherever you buy your computer stuff and purchase a USB to a rj 45 adapter and make sure that you have a network cable. When you plug this in your Apple machine or your Mac box will recognize it and you'll be able to then have an onboard Nic adapter that you can use for the labs then just take the cable, plug it in here, plug the other cable into your wireless router or your modem.

And you'll be working like you should be. Anytime we get into Kali and we start to use any of the tools on a regular basis, we want to make sure that those tools are updated. And they are the latest packages that are available for us. So that makes no exception within that. In this case, I've typed in app dash get space install and map I'm going to go ahead and hit Enter. And now I'm going to just type in Y and I'm gonna hit ENTER again and now the package, the latest package for n map will download and install.

From the terminal we can locate the location for in map scripts just by typing in locate space asterik period and S e. I'm gonna go ahead and just type in, Enter. And now I can see all the scripts that are currently available within map and if you need More scripts, you can go out to Dan Matt site and you can download custom made scripts by and map users. And we see that in other labs as we go through the course. So among the most useful scripts are the vulnerable vulnerability scanning scripts. And we can locate these easily by just typing in locate space asterik, typing in Vu, fel an Asterix, period, ns, E, someone locate all my vulnerabilities get scripts at this time. And here they are.

These can be very useful. These can help me find scripts that I can use to look for a Pacific vulnerability that may be relevant to my pen test or to the victim that I'm trying to hack into. We can also locate a Pacific script by typing in locate and we want to look inside the end map and now we're going to pipe off the results using a grep Command, and I'm looking for the MS 08. And I'm going to go ahead and I'm going to hit Enter. And it's going to come back and it's going to show me that yes, there is a script up inside of an Nmap in the Scripts folder, and it is called SMB dash v u n, v Vu LN dash m s 08 dash 067 dot an S II. Now that I have found the location of this particular vulnerability script for Ms yearly dash 067, I can tell and map to run it from that very location just by typing in map space.

Dash script equals, now I've got the path to where the script is located, and I've told it the script that I want to run. And we'll go ahead and do this real quick. Now before I do this, I'm going to have to tell it The IP address of the machine or the network that I want to scan. So for this target for this script, I have told it that I want you to scan the entire network and look for any IP address that it belongs to 192 dot 168 dot 145 dot zero. And I'm telling it to look in the last octet with this slash 24. I'm saying the first three octets of this IP address are taken up for the network.

So I want you to scan the last octet for any available hosts. I'm gonna go ahead and hit hit hit enter. Give us a minute it'll come back with the results. Now we see from the results that my Windows XP is showing up here and it is vulnerable for the SMB vulnerability script and We see that that is the case, by looking right here we see that Port 445 is available. In this example, we're going to scan a single host. And all I've done is type in the IP address for the machine that was identified in the network scan that I used previously, for in math.

Now I'm going to go ahead and just hit Enter. And it's going to come back up in just a second, it's going to give me the results. Now I've just confirmed that the one to nine machine is vulnerable on port 445, which is the Microsoft SMB vulnerability that was scanning for. So now that we have identified a victim, it's time to get busy trying to exploit that vulnerability. And we're going to do this using the MSF console, or the meta squid console, and I've typed in mini sploit at the Cali prompt, I'm just going to go ahead and hit hit enter and this will start your service or the application My MF console. So as you can see, once you start the MSF console, you have to be patient and allow it to load.

There's a lot of information, there's a lot of things going on here in the background. And you can see that there's a lot of exploits a lot of payloads. There's just a lot of stuff going on. Alright, so what we want to do now is we want to find that exploit that we can use against our target machine. So in our previous scan, we identified that the host 129 was vulnerable for the MS zero a dash 067 exploit. So what I'm going to do now is I'm going to search meta sploit and I want to find that particular exploit and then we're going to use that against the target.

So I'm going to use the search command up inside of Metasploit and I'm going to search for any package Any payload, any exploit that comes up with Ms 08. In its title, I'm just going to go ahead and hit enter now. And it's going to slowly check the database. And when it does, we'll come back and we'll see if it's found. So the search has concluded, and we do see that we have an exploit called SMB forward slash ms 08, underscore 067 underscore net API. So what I'm going to do now is I'm just going to go ahead and highlight that as I've done here, and I'm going to right click, I'm going to copy that.

I'm going to go down here to my prompt, and I'm going to type in the word use, like that. Now I'm going to place my mouse right after that with the space and I'm going to go to paste and now I can use this particular exploit or this attack on to the Windows XP Target, I'm going to go ahead and hit Enter. And notice my prompt changes to let me know that the exploit has been loaded. So what you're looking for when you look and you search for an exploit is this back up and just kind of cover over the fundamentals just a little bit here one more time. First off, we're looking for a port, a port runs a service. So when we scan for a victim, we're trying to see what ports are open.

And then we want to see if we can identify a possible exploit to run against a specific port. In this case, we weren't we wanted to run an exploit against Port 445 because we know that that's a very vulnerable port for Windows XP. And we found the exploit was available up inside of medicine by just doing the search for Ms. 08. Now, we got that information from em map right? When we chose to run the script for Ms. 08067. That's what we were doing.

We were trying to see if there was an exploit available on the network. And we found it. And it was available using the Windows XP target. Now take a look. Where we see the exploit that we're using here, take a look at this is available starting in 2008. And it has a ranking of great and you get some more information over here about how the service is exploitable using this exploit.

Now, if you want more information about Ms 08, underscore 067 or dash 067, just go to Google and type it in. That's a Microsoft security update. And you can go out there and you can find out just exactly how This SMTP service is being exploited and what happens when we run this exploit. Now the next thing we have to do is type in the show options command, so that we see exactly what is needed for us to run this exploit. So we type this and let's go over this real quick. You see that the remote host is yes required.

That's the target IP address. And in this case, it will be the IP address for my Windows XP victim. It's second thing that we need to have up and running on the victim is Port 445 is required. Yes, that is the SMB service port. Okay, so now we're ready to start setting these parameters. So the first option that we want to set is the remote host.

So I'm going to type in set our host 192 dot 168 dot 145 dot one to nine, I'll hit Enter. And that option has been set. Now another option that we can set is the IP address for the local host. In this case, that's going to be the IP address from my Cali. So I've gone ahead and I type in set L host 192 dot 168 dot 145 dot 132. I'm going to go ahead, hit Enter, and that option has been set.

So we've set the exploit. Now we have to look at what payloads are available inside of the exploit. So to do this, I'm going to do the show payloads. And we're going to hit Enter. And then we're going to pick the correct payload for this particular attack. So the results are pretty intimidating.

And we have to scroll through them until we find exactly what it is we're going to use for a payload so that we can exploit the target and this case we want the windows for slash meta predator For slash reverse underscore TCP payload. So I've gone ahead and highlighted that. Now I'm going to right click on it, and I'm going to go ahead and copy. So I'm going to use the set command. And this time, we're going to set the payload. So I'll type in set space payload.

And now I'm going to right click and I'm going to paste the payload that I want to use. Once I've done that, I'm going to go ahead and hit enter. We're now ready to send the payload over to Windows XP, and see if we can actually gain a reverse shell. So I typed in the command that we need to execute which is exploit. So I'm going to go ahead and hit Enter. And in just a second, we're going to come back and we should get a positive response saying that the meta predator session opened and we see that we get the meta predator prompt.

Once you see the meta predator prompt, that means that you are established on to the remote victim in this case, my Windows XP machine Okay. So just as if I was sitting physically at the Windows XP machine and I typed it typed in CMD at the run line, I would get a command prompt. Well for me to do this from my meta prayer session, all I have to do is type in Shell. I'm typing in Shell, I'm gonna hit Enter, and I will be given access to the command prompt onto my Windows XP machine. Now I can do IP config, which is the windows command for show me the TCP IP stack on your current network adapter. And it pops up and it shows me so I'm actually on on the victim.

And anything I want to do here, I can do it through the metal printer. Now this is how we gain access. This is one way we gain access, but it's also how we take over the machine and we gain access into the administrative areas of the machine, whether it's Windows XP Windows seven 2003 server whatever it is, it makes no difference. So as we go through the course and we go through more of these labs we will be looking a lot more at meta printer and all of the wonderful commands and things that we can do using a reverse shell. Okay, that's all I got for this short video presentation. And if you have any questions don't hesitate to contact your instructor and I hope to see you in my next video.