1
00:00:00,080 --> 00:00:05,360
In this skill, we're going to be looking at memory exploitation and a couple of kind of a

2
00:00:06,080 --> 00:00:13,120
background segments of this, if you will, because we're focusing solely on things that are in the

3
00:00:13,120 --> 00:00:18,719
running memory and not necessarily hard-coded or written to the hard drive itself. This is

4
00:00:18,719 --> 00:00:27,200
where attacks are only focused on things inside the RAM itself. So take for instance the fact

5
00:00:27,200 --> 00:00:32,639
that when we look at a computer system and remote into it, that there's all sorts of information

6
00:00:32,639 --> 00:00:38,480
that we've been pulling so far, but the majority of it has been on the actual hard drive. Now,

7
00:00:38,480 --> 00:00:44,320
there is information that we pull that is in the running memory, but that just so happens to

8
00:00:44,320 --> 00:00:51,279
coexist inside the running memory, and it also takes a place on the actual hard drive itself.

9
00:00:51,279 --> 00:00:56,880
I'm going to give you an example. When we go into a system, whether it be through MSF Console or

10
00:00:56,880 --> 00:01:03,040
on an actual system itself, we run a command like ifconfig or ipconfig if you're in a Windows

11
00:01:03,040 --> 00:01:08,959
environment, and once we get the response to that in the command line or terminal, that gives us all

12
00:01:08,959 --> 00:01:14,959
the IP information on that system. Now, primarily that information is written to the hard drive

13
00:01:14,959 --> 00:01:21,040
itself. Specifically in Windows, it's written to the actual registry, and what you're getting when

14
00:01:21,040 --> 00:01:29,120
you get the return prompt from ipconfig in that Windows world is stuff that's been assigned and

15
00:01:29,120 --> 00:01:36,239
written to some sort of file that's being saved at that moment. Think Windows System 32 inside the

16
00:01:36,239 --> 00:01:42,639
etc folder, and your configuration is going to be stored there, but it's also in the running memory

17
00:01:42,639 --> 00:01:48,239
as well because we need to be able to refer back to it at any given time, so it takes a piece of

18
00:01:48,239 --> 00:01:55,839
the RAM up to keep that as randomly as it needs to be pulled. So, like I said, things that we've

19
00:01:55,839 --> 00:02:03,279
been working with so far have primarily been in both arenas as far as hard drive and

20
00:02:03,279 --> 00:02:11,119
the actual running memory. Now, the running memory, just as a refresher for us, is the RAM on a system

21
00:02:11,119 --> 00:02:17,520
or virtual RAM if you're in that virtualized environment for virtual machines, where we have a

22
00:02:17,520 --> 00:02:24,000
buffer of memory for us to be able to call up different programs and have them remain open or

23
00:02:24,000 --> 00:02:30,479
remain running without having to have the CPU constantly go back and forth to the hard drive

24
00:02:30,479 --> 00:02:36,240
itself. It resides in a different portion of the actual processing world overall, and I don't want

25
00:02:36,240 --> 00:02:43,199
to get too far into that because that's covered under A+, here at CBT Nuggets, and it's very well

26
00:02:43,199 --> 00:02:50,080
dived into talking about things like Northbridge, Southbridge, and all the like. So, we

27
00:02:50,080 --> 00:02:56,399
open up a program like Word, and the program itself, Word.exe, resides, gets put into the

28
00:02:56,399 --> 00:03:04,639
actual RAM itself because it's currently being utilized, and then we open up PowerShell, and then

29
00:03:04,639 --> 00:03:10,479
the PowerShell prompt gets pulled up, not the commands, but the prompt itself gets put into the

30
00:03:10,479 --> 00:03:17,440
actual RAM as well. Now, when you close Word.exe, that doesn't necessarily mean Word.exe is going to

31
00:03:17,440 --> 00:03:23,279
dump out of the RAM. It could be that it still resides there until something else pushes it out,

32
00:03:23,839 --> 00:03:29,360
and once that memory capacity is full, the RAM itself, if there's nothing open or if there's

33
00:03:29,360 --> 00:03:35,839
something that is not open that has been closed earlier, it's going to get pushed out in preference

34
00:03:35,839 --> 00:03:41,919
for all the things that are currently being called upon and open at that time. Now, yes, I am

35
00:03:41,919 --> 00:03:47,839
oversimplifying this a lot, and we've covered some of this earlier in the course when we went into

36
00:03:47,839 --> 00:03:54,559
things like buffer overflow, where a buffer overflow is where the RAM is not only just this

37
00:03:54,559 --> 00:04:01,759
one continuous cup that we're waiting to fill up. It's broken down into different segments, sectors,

38
00:04:01,839 --> 00:04:08,800
and, you know, just portions of memory that are dedicated in these predefined chunks based on

39
00:04:08,800 --> 00:04:16,399
your operating system and hardware that have portions of programs in them or portions of

40
00:04:16,399 --> 00:04:23,040
memory usage in them. In a buffer overflow, what it does is sends a command usually full of zeros or

41
00:04:23,040 --> 00:04:32,480
NOPs and makes the cup overflow and fill either into another storage container or just go out

42
00:04:32,480 --> 00:04:40,720
altogether and cause that program or data inside that buffer to either break or allow us to be able

43
00:04:40,720 --> 00:04:49,440
to slip in a command through the fact that it's now open. And again, still oversimplifying everything,

44
00:04:49,440 --> 00:04:53,679
but I wanted to kind of make sure that we understood the basics of what it is that we're

45
00:04:53,679 --> 00:04:58,720
dealing with when we're talking about memory exploits. Because it can be confused with the

46
00:04:58,720 --> 00:05:03,200
fact that we're going in on the actual hard drive and messing with files and programs,

47
00:05:03,200 --> 00:05:08,079
but that's not the case. We're actually taking a look at this from attacking the memory of the

48
00:05:08,079 --> 00:05:13,760
actual system itself. And we're going to be diving deeper into the understanding of all this here in

49
00:05:13,760 --> 00:05:19,200
the beginning of this skill. And then as we continue throughout, we'll do a couple of examples and

50
00:05:19,519 --> 00:05:24,799
get a little bit behind the scenes as far as what we can do with that memory once we

51
00:05:24,799 --> 00:05:27,760
have access to it or if we just want to go ahead and break it.


