1
00:00:01,340 --> 00:00:04,580
The Simple Network Management Protocol, SNMP,

2
00:00:05,830 --> 00:00:13,450
is used to query networked devices for information such as bandwidth utilization, collision rates and

3
00:00:13,720 --> 00:00:15,100
a whole lot of other information.

4
00:00:16,860 --> 00:00:20,790
But it doesn't only provide network management and monitoring capabilities.

5
00:00:21,910 --> 00:00:28,900
It's also capable of changing the configurations on the host, allowing the remote management of

6
00:00:28,900 --> 00:00:29,880
the network device.

7
00:00:31,170 --> 00:00:34,020
Yes, I can tell this gets you excited, huh?

8
00:00:34,750 --> 00:00:36,280
My young apprentice.

9
00:00:37,450 --> 00:00:39,220
And you are right.

10
00:00:40,290 --> 00:00:48,360
So SNMP servers can offer considerable information for penetration testers to perform reconnaissance

11
00:00:48,390 --> 00:00:57,300
on a specific system. You may also see SNMP installations on some operating systems to specify information

12
00:00:57,300 --> 00:01:01,290
such as CPU utilization, free memory and so on.

13
00:01:02,580 --> 00:01:10,260
It's often automatically installed on many network devices with "public" as the read string and "private"

14
00:01:10,260 --> 00:01:11,130
as the write string.

15
00:01:12,530 --> 00:01:21,170
On Windows-based devices with poorly configured SNMP, you can extract patch levels, running services,

16
00:01:21,710 --> 00:01:32,090
usernames, uptime, routes and, well, so much information that it'll totally level up the penetration

17
00:01:32,090 --> 00:01:32,690
test for you.

18
00:01:35,400 --> 00:01:39,420
So let's use the services command to search for the SNMP service.

19
00:01:40,480 --> 00:01:46,450
And yes, indeed, you only have to open the SNMP port on Metasploitable 3.

20
00:01:47,950 --> 00:01:48,910
The version is one.

21
00:01:49,850 --> 00:01:58,940
SNMP version one and version two both have proven security flaws, but SNMP version three is

22
00:01:58,940 --> 00:02:03,500
improved with encryption as well as better check mechanisms.

23
00:02:06,060 --> 00:02:09,360
But anyway, I'll search for SNMP auxiliaries.

24
00:02:13,290 --> 00:02:17,520
And this time I'm going to start with snmp_enum.

25
00:02:19,060 --> 00:02:20,340
Show me the options.

26
00:02:21,880 --> 00:02:28,360
Oh, and by the way, the community strings are essentially passwords that are used to read or write

27
00:02:28,360 --> 00:02:29,590
information to a device.

28
00:02:30,700 --> 00:02:36,610
So if the SNMP version is right and you guess the community strings,

29
00:02:37,960 --> 00:02:46,090
the SNMP itself can allow anything from excessive information disclosure to full system compromise.

30
00:02:47,410 --> 00:02:54,160
Let me give you an example: if you get the read/write SNMP community string for a Cisco router, you

31
00:02:54,160 --> 00:02:59,710
can download, modify and upload the configuration to the router with a back door.

32
00:03:01,510 --> 00:03:05,080
So here, I'm not going to change the community variable.

33
00:03:07,290 --> 00:03:11,280
I will just set the port to 161.

34
00:03:12,440 --> 00:03:15,230
And yeah, everything looks quite good.

35
00:03:16,360 --> 00:03:17,590
Now, I'll run the module.

36
00:03:20,400 --> 00:03:26,370
So as you can see, SNMP brings all the information about the target, Metasploitable 3.

37
00:03:27,800 --> 00:03:32,690
From running applications to network interfaces.

38
00:03:34,210 --> 00:03:42,610
Service information, device information, user enumeration, nearly everything about the target.