Video - Establishing A VNC Shell Using Meterpreter

17 minutes


Greetings. In this short video presentation, we're going to see how to go about establishing a VNC shell using Meterpreter. For this lab, I'll be using one virtual install of Kali Linux, and I will have a victim, or a target, of Windows XP. As with every cyber offense lab, we want to make sure that we confirm that we have network connectivity before starting the lab. To do this, I'm going to go to each one of my machines, I'm going to find the IP address, and then I'm going to do a ping from one machine to the other.

So I'm gonna start with Kali. Up on my Kali machine, I've opened up a terminal, I type in ifconfig, and I have located the eth0 adapter and the IP address that is assigned to it. I then go on over to my Windows XP machine. I type in ipconfig at the command prompt, and I check and find what IP address it has been assigned. Over here on my Windows XP machine, I want to ensure that my firewall is disabled, automatic updates are not going to happen, and there's no virus protection installed. Go ahead and close that out. The next thing we have to do is go over here and click on our Start button.

Let's go to My Computer, right-click, go to Properties. We're going to go to Remote, and we're going to allow users to connect remotely to this computer. We're going to say Apply, say OK. I've now returned back over to my Kali machine, where I'm going to run a ping from my Kali on over to my Windows XP machine to ensure that I have network connectivity. So I'm gonna go ahead and hit Enter, and you'll notice we start getting those good replies. To break the sequence, I'm just going to type in Ctrl-C, which brings me back to my command prompt. I can now go ahead and just type in clear; that clears the terminal.

Now we can conduct a scan, and we're going to treat this Windows XP box as if we know nothing about it. What we're going to do to help us discover what's going on with our XP target is run an nmap scan. We're going to look for services and ports that are going to help us determine what is vulnerable. So I've typed in nmap, space, dash, lowercase s followed by a capital letter, space, the IP address of the target, which in this case is my .131, my Windows XP machine. I'm going to go ahead and hit Enter.

In just a moment, it's going to come back up with those good results. So I see a couple of things that I'm interested in. The first thing is the SMB port that's open, that is port 445. Then we have 3389, which is for Remote Desktop. Now I can see both of these are available, and I know that both of these are pretty vulnerable. So we're going to go ahead and begin our exploitation of this machine.

Go ahead and clear the screen. Now what I need to establish here is a Meterpreter session between my Kali machine and the Windows XP target. To do this, I'm going to use a well-known exploit, which is the Microsoft Security Bulletin 08_067 netapi. Now this is located up inside of msfconsole. So let's go ahead and get busy. We're going to start by launching Metasploit.

So I cleared my terminal, and we're back up to the terminal prompt, where I've typed in msfconsole. This is going to launch Metasploit for us. So let's go ahead and hit Enter, and in just a moment Metasploit will open up. So Metasploit has completed loading up, and we're now at the Metasploit prompt. We're now ready to begin using that wonderful exploit for establishing our reverse shell and getting a Meterpreter session going with our Windows XP target. For this we're going to be using a well-known exploit, which is ms08_067_netapi.

This is a well-known exploit for exploiting a vulnerability with SMB on a Windows XP machine that has not been patched. So we're going to go ahead and type in the use command, followed up with the exploit that we want to use. This is a Windows exploit. It is for SMB. And this is the exploit that we want to use. So we're going to go ahead and hit Enter.

Notice that my prompt changes to let me know that we have loaded the correct exploit. So that the exploit knows where to attack, or where it needs to go, we need to configure some options. To know what options need to be configured for any exploit, we just type in show options. We see that what is required is that the remote host has to be set up, port 445 has to be established, and we need the SMB pipe, BROWSER. Now the only one we need to concern ourselves with is the remote host. So let's go ahead and set up the target IP address for the remote host. Real quick, I've now set the remote host option using the IP address of my Windows XP target.

This is why it's so important that we establish that we do have network connectivity before we start these labs. Because if it's going to fail, this is where it's going to happen. And normally, it just fails because there's a lack of connectivity between Kali and the target. So I'm gonna go ahead and hit Enter, and my remote host has been set. We're now ready to launch the payload for this exploit, which is the Meterpreter payload.

At the prompt, I'm going to type in exploit, and if I hit Enter, it's now going to try to establish that connection with our Windows XP machine. We know we have a connection when it comes back and gives us the Meterpreter process. Now that we have this reverse shell established between Kali and our Windows XP target, we can go ahead and run some checks. So the first check we want to run is just a check for a virtual machine. It goes over to our target machine and it wants to know if it's a virtual machine: checking if target is a virtual machine. And this is a VMware virtual machine.

So we now know that this is not a physical machine, it is a virtual machine. We can also check to see if there are any countermeasures in place. This is going to tell us if there's anything that could be blocking, or in the way of, our attack on this Windows XP machine. So we'll go ahead and run this, looking at the firewall configuration.

It tells us that everything is disabled, which is cool, so we're ready to move on to our next step here, which is run get_local_subnets. We're going to take a look at that real quick. There's a lot of fun you can have with these Meterpreter commands, so get used to using them. They will give you a wealth of information. We see what subnet is available, and the only subnet that we have is the 145 subnet.

So that came back correct. Now we can do a get_application_list. This is going to show us what applications are actually installed and running on our Windows XP target. So if there's some type of exploit that might be available for a certain application, this might be a way to detect it. So when you need to establish a reverse shell and you just need to have it right now, you can use this exploit, if it is available on the target machine, to establish that reverse shell using Meterpreter. We've had some fun with Meterpreter, but now it's time to move on.

At the Meterpreter prompt, I'm going to go ahead and type in quit. That's going to take me back to my Metasploit console, where we're going to run another payload. This time we're going to try to establish a VNC connection. VNC is pretty much comparable to the Remote Desktop Protocol.

It's the same thing; it allows us to establish that remote desktop experience from our Kali machine. So I'm going to go ahead and just type in here, I'm gonna copy and paste this, set the payload, to establish the vncinject using reverse_tcp. So I'm going to go ahead and hit Enter, and it lets us know that the payload has been loaded. Of course, we haven't exploited yet, but we're getting ready to. The first thing we've got to do again is, do what? Show those options, right. So let's do show options.

Find out what we have to configure. The first thing we have to do is set the IP address for the VNC host, which is my Kali machine. So we're going to type in the word set, and we're going to follow that up with VNCHOST and the IP address of my Kali machine, which is 192... We're going to hit Enter. The local host is already set, but I do need to establish the remote host again.

So I'm going to type in set RHOST and the IP address of my remote target, which is 192.168.145.131, and I'm gonna hit Enter. Now I've established the remote host, and its IP address is .131. So that we have full control of the remote session using VNC, and not just the ability to view, we're going to set the ViewOnly option to false. So I've typed in set ViewOnly false, hit Enter.

We're now ready to see if we can establish a VNC remote desktop, and to do this, at the prompt I'm just going to type in exploit to launch the payload. Give it a second, and you'll see now that we do have access to the Windows XP desktop remotely from my Kali machine. So now you can have complete run of this Windows XP machine remotely. To show you how this works, I'm just going to go click on the Start button here on the Windows XP box. I'm doing this remotely from my Kali machine: right-click on My Computer, go to Manage, and that goes up into Computer Management.

From here I can go to Local Users and Groups, and for instance, I can right-click on the Administrator's password and I can set a new password if I so desire. Now it's up to you if you want to set the password; just remember what you set it to. Alright. Let's not forget that this is also great for troubleshooting if you're doing some type of helpdesk. So when you're all done playing around with your Windows XP and the remote desktop session using the VNC viewer, you can go up here to the top of your taskbar, where you have the VNC viewer present, hold down that arrow, and then you can click on Quit. That also closes out my Metasploit session; that's not a big deal. I go back to the prompt, and I relaunch Metasploit.

I'll be back up inside of the same exploit in just a moment. Now we're going to use our up arrows, pull up our history, and show the exploit that we want to run here. We've got a lot of things to do here. So again, we're going to use the Windows SMB exploit; give it a moment, it's going to load it, and we use our up arrow, set the remote host, and we're ready to go ahead and run the exploit one more time. Again, I'm just using my up arrows. In just a moment we'll have that Meterpreter session re-established with our Windows XP target, and there it is.

We can see what processes are running on our target machine just by typing in ps at the Meterpreter prompt. It lets us know what the processes are and what the process IDs are. So now that we have established what processes are running on our Windows XP target, we want to disguise, or we want to take over, one of the processes that is running under the Administrator account, so that we get complete administrative access to the machine. To do this, we're going to migrate our Meterpreter session over to another process. We're going to swap processes; in this case, I'm going to swap processes with explorer.exe, and that process ID is 1576. So if I hit Enter, in just a moment Meterpreter is going to change processes from 1012 over to 1576.

So I was getting a timeout error when I tried to migrate from one process to the next for my Meterpreter. We know that the Administrator account is needed to run the process explorer.exe, and I would like to migrate this process ID on over to Meterpreter, so that it has full administrative access to Windows XP. I have confirmed that it is a problem with the particular build that you're using for Kali. So I'm on a different build that has not been updated recently, and I'm running the migrate command, and it works just fine. So we're going to go on and continue the lab from here.

We're now going to commence with launching a keylogger onto Windows XP. We're going to capture anything that gets typed into any program up on that Windows XP target, and we can monitor that from our Kali machine using this Meterpreter session. So I'm going to type in the command keyscan_start, hit Enter, and it's starting the keystroke sniffer. Now I'm going to go to my Windows XP machine, and I'm just going to open up Notepad.

If I type in anything up here inside of Notepad, I can capture this over on my Kali machine. So I'm going to type in my secret password, just like that. Now I can return on over to my Kali machine, and we can now capture this information. So at my Meterpreter prompt, I have typed in keyscan_dump. If I hit Enter, it's going to come up and it's going to tell me, or show me, everything that was typed into Notepad.

For this next step of the lab, I'm going to go to my Windows XP machine, close out this Notepad, and I'm going to log off, and then we're going to log on and capture the password that I used to log on with. So I'm now back over here on my Kali machine, and this time we're going to do the same thing that we did before. If you got kicked out after you logged off of the Windows XP machine, just go back to your Metasploit prompt and type in exploit, and you'll re-establish that Meterpreter session one more time. So again, we're going to change processes, and we're looking for winlogon.

So I'm going to scroll up here until I find winlogon. We're going to change our Meterpreter session over to the winlogon process, so that we can capture whatever is typed in for our password on our Windows XP machine. We see that the process ID is 624. So I'm gonna go down here, I'm gonna type in migrate 624, and hit Enter. It comes back and lets me know that the command completed successfully. So let me use my up arrows and try to get to that keyscan_start again.

So we're going to start the keyscan one more time. We're watching, we're listening, and we're waiting for somebody to try to log into that Windows XP machine. So I'm going to go over to my Windows XP machine. Now I'm going to type in the password, and it's going to log me on, and I'm going to go back on over here to my XP box.

We're going to do the dump, and you'll see that the password that I used to log into that Windows XP machine was captured. So even though it is recommended that we always update Kali and make sure that we have the latest and greatest files and fixes and patches for Metasploit, it's not always going to be that way. Sometimes the developers are going to skip over things, and they're not going to see that some of their commands get broken, as we witnessed with our Meterpreter prompt. So be aware of that when that happens.

You just have to go back to a previous version of Kali and see if it works with the older version. In this short video presentation, we got to see how we can use msfconsole to establish a Meterpreter session using a well-known exploit against an SMB vulnerability that has not been patched. Now a lot of these exploits will work across multiple operating systems, not just Windows XP. SMB is SMB; if it hasn't been patched, it'll work on Windows 2008, 2003, and it may even work on a newer operating system. If you have any questions or concerns about the contents of this video and/or the lab, please do not hesitate to reach out and contact your instructor, and I'll see you in my next video.
