Skip to 0 minutes and 7 seconds Okay, so now that we’ve done the reconnaissance stage and figured out a particular exploit against a particular service that’s running on that victim machine, now we get to the fun part, the hacking part. So what we want to use for this is a particular tool that comes with Kali Linux. Now if we go down to exploitation tools,
Skip to 0 minutes and 26 seconds we should see it there: Metasploit. It’s the one I mentioned at the very start of the video. So we’ll just launch that up. Essentially what we’ve got here is a piece of software which has got a huge library of exploits in it. We’ve got to basically pick out the one that we found and target against that particular victim machine and exploit that weakness in vsftpd, which is the FTP server. From there we can hopefully break into the system and gain some information. Let’s give it a go. So we get into the Metasploit interface. We’ve got the command line here. So let’s do a little search and see if we can find that particular exploit in the database.
Skip to 1 minute and 12 seconds Yep, there it is there. So we’ll just go back to the website again.
Skip to 1 minute and 18 seconds Yeah, vsftpd version 2.34. That’s that one. So our next point is we want to– it’s in the library, so we need to actually go ahead and be able to use that. So we’ll just simply go ‘use exploit/unix/ftp/vsftpd_234_backdoor’.
Skip to 1 minute and 48 seconds So I’m basically taking this from here. I have to give it the name, use this particular name, which will use that particular exploit. So that’s good. Then we run a command called ‘show options’. And these are the parameters that we have to fill in before it will actually work. OK, so it’s asking us to put in– the only blank spot here is for the remote host, which is the victim machine that we want to attack. So if we go to ‘set RHOST 192.168.56.101’. So as we recall earlier, this was the IP address of the web server we’re trying to get access to. [Enters information, including Mossack Fonseca URL.]
Skip to 2 minutes and 49 seconds So as you can see it there, I’ll show you that again. So we’ll just set that as our remote host, or our target machine … 56.101, ‘Show options’ again. As you can see there, that’s been changed– the target’s address, the IP address or the port. Here we’re trying to attack port 21 because that’s what– as we saw earlier– that’s the port that the service is actually running on. And pretty much simply after that, we just run exploit and see what happens. That will start it off and target that particular machine with this particular exploit.
Skip to 3 minutes and 43 seconds It’s just going through the processes, or the steps, to see if it can actually use this exploit against that particular vulnerability. And as we see here, it’s got to a point at the very end where it said, ‘Command shell session 1 opened’. That means it’s actually successfully exploited that particular weakness in that particular FTP server. So this is good news. We’ve got access now. So it’s basically dropped us into that remote web server with a command line interface. So thanks for watching.
Skip to 4 minutes and 13 seconds Hopefully you gained some new skills and insights into seeing how a hacker actually operates, and where we used a mock scenario from the Panama Papers case, and it will give you a better insight to see how hackers operate and how they’re trying to break into your systems. Getting that kind of insight on how they operate can help you to think about how you’re going to defend your particular systems.
A cyber hacker's toolkit: exploitation
Once a weakness is found, it can be exploited.
In this video, Dr Nick Patterson continues to demonstrate the back-end mechanics of an attack such as the Panama Papers hack.
The simulation is set up in a mock environment to mimic what might have happened in this case, and it will show you what happens once hackers have found a vulnerability and how they can use that to access your information. The use of these tools and techniques to access web servers you do not control is, of course, illegal, and this video shows part of the process as an educational tool to help you think more carefully about guarding your systems.
Watch the video and share your observations about how hackers can exploit weaknesses in your security.
© Deakin University