1 00:00:00,180 --> 00:00:07,590 So today we're gonna go ahead and start with Legacy, and Legacy is going to be a Windows machine.
2 00:00:07,600 --> 00:00:12,790 The reason we're starting with Legacy is Windows is a very familiar operating system.
3 00:00:12,790 --> 00:00:20,620 The difficulty rating is very, very easy, as you can see, and I think it will be a nice introductory video
4 00:00:20,620 --> 00:00:21,940 on what to do.
5 00:00:22,030 --> 00:00:23,720 So I have connected to the network.
6 00:00:23,730 --> 00:00:32,020 I'm going to open up a new tab and I'm going to start with my scanning process here, and in order to
7 00:00:32,020 --> 00:00:37,780 scan this machine, this machine is going to live at 10.10.10.4. I'm going to type in
8 00:00:37,780 --> 00:00:39,040 the command here
9 00:00:43,970 --> 00:00:47,470 and I'm going to hit enter now.
10 00:00:47,510 --> 00:00:50,060 This should give you time to type it in and follow along.
11 00:00:50,570 --> 00:00:57,440 While this is going on, let's talk through some things. First things first, we are running a cool tool
12 00:00:57,440 --> 00:01:02,840 called nmap. This cool tool is network mapping.
13 00:01:02,840 --> 00:01:10,010 So it stands for Network Mapper. What we're doing here is we are looking for open ports now, and that
14 00:01:10,010 --> 00:01:14,550 can run on the TCP side and the UDP side.
15 00:01:14,570 --> 00:01:18,230 Right now we are working on the TCP side.
16 00:01:18,230 --> 00:01:25,070 So what we are doing, the syntax here is we are scanning for all. Here, this capital A means all; we're
17 00:01:25,070 --> 00:01:30,620 searching for everything. We're searching at a -T, which is a speed of four.
18 00:01:30,680 --> 00:01:37,190 The speed runs 1 through 5, and we're looking through all ports, one through sixty-five thousand five
19 00:01:37,190 --> 00:01:38,470 hundred and thirty-five.
20 00:01:38,480 --> 00:01:42,320 Don't quote me on that, I'm not sure, but I think that sounds right.
21 00:01:42,320 --> 00:01:45,770 And then lastly we're scanning against this IP address.
22 00:01:45,770 --> 00:01:49,250 Now that may be a little confusing and I may have gone through that quick.
23 00:01:49,250 --> 00:01:55,730 So let's go ahead and just do an nmap --help and we can talk through this a little further.
24 00:01:55,730 --> 00:02:03,050 So if you're ever confused with anything and you need to know what the syntax is, if you come into a --
25 00:02:03,080 --> 00:02:09,020 help of a program, or you can use the man command in Linux, you're going to get something similar to this,
26 00:02:09,080 --> 00:02:11,930 a printout of all the commands and what they do.
27 00:02:11,930 --> 00:02:15,460 So let's cover again what it is that we just did.
28 00:02:15,470 --> 00:02:21,670 Now we did nmap, and nmap by default runs this -sS.
29 00:02:21,680 --> 00:02:26,350 We didn't actually have to type it. So this stands for a stealth scan.
30 00:02:26,480 --> 00:02:30,150 Now a stealth scan is a basic scan.
31 00:02:30,170 --> 00:02:32,360 It was meant to be stealthy back in the day.
32 00:02:32,390 --> 00:02:34,010 And it's really not.
33 00:02:34,010 --> 00:02:36,760 We'll talk about this here in a second.
34 00:02:36,770 --> 00:02:40,850 There's also the -sU for UDP scan.
35 00:02:40,910 --> 00:02:47,810 So really all you're going to be using is between these two. You're going to want to look on the TCP
36 00:02:47,810 --> 00:02:56,060 side and the UDP side, and we'll talk about that as well. So we need to specify what ports we're going
37 00:02:56,060 --> 00:02:59,410 to scan. If we just leave it out,
38 00:02:59,420 --> 00:03:05,700 if we take out the -p-, we're going to be scanning against the top 1000 ports.
39 00:03:05,750 --> 00:03:13,400 Now we can specify specific ports like port 22 here, or they've got port 53, 111.
40 00:03:13,460 --> 00:03:14,600 This is UDP here.
41 00:03:14,630 --> 00:03:19,850 So you can specify specifics, you could specify a range.
42 00:03:20,030 --> 00:03:26,160 But it's really just easier to scan all ports. If you're scanning the top 1000, very quick,
43 00:03:26,300 --> 00:03:27,500 maybe that's OK.
44 00:03:27,530 --> 00:03:34,430 But in all reality it's best to scan all ports, because you don't know if a high-numbered port's going
45 00:03:34,430 --> 00:03:35,060 to be out there
46 00:03:35,060 --> 00:03:41,210 that's not a common port, that's running some weird service, and you don't know what's going to pop up.
47 00:03:41,210 --> 00:03:47,210 So on the TCP side, very important in my opinion to be running -p-.
48 00:03:47,360 --> 00:03:51,140 Now when you're scanning UDP you don't really have to specify the ports.
49 00:03:51,140 --> 00:03:57,090 If you were to scan all ports on the UDP side you're going to be scanning forever.
50 00:03:57,530 --> 00:04:04,640 So my opinion is to just leave out the ports on the UDP side, scan the top one thousand, and play around
51 00:04:04,640 --> 00:04:07,190 with it, get accustomed to how you like scanning.
52 00:04:07,340 --> 00:04:13,730 But for me personally I don't miss much by not scanning outside the top 1000, and I don't have enough
53 00:04:13,730 --> 00:04:21,370 time to wait for all sixty-five thousand ports to report back on a UDP scan. So coming through and doing
54 00:04:21,370 --> 00:04:25,200 a little bit more, we could skip down just a little bit.
55 00:04:25,270 --> 00:04:30,850 You see a lot of stuff in here that we're skipping over. -sV, we're doing service detection; -O for
56 00:04:30,850 --> 00:04:33,330 OS detection, operating system.
57 00:04:33,430 --> 00:04:38,640 Now those are actually all covered if we scroll down under this -A.
58 00:04:39,160 --> 00:04:46,540 So we're doing OS detection, version detection, script scanning, and traceroute, so we don't need to specify
59 00:04:46,570 --> 00:04:48,240 all those switches.
60 00:04:48,400 --> 00:04:50,640 We just need to specify a -A.
61 00:04:50,650 --> 00:04:52,510 And it works just fine.
62 00:04:52,510 --> 00:04:56,710 You can see down here somebody specified -A as an example.
63 00:04:56,710 --> 00:04:57,950 Perfect.
64 00:04:57,970 --> 00:04:58,800 OK.
65 00:04:58,840 --> 00:05:01,500 And then the last thing is this timing.
66 00:05:01,570 --> 00:05:06,700 So we've got a -T 1 through 5, and it says the higher is faster. That is accurate.
67 00:05:07,270 --> 00:05:09,620 I personally like to scan at T4.
68 00:05:09,640 --> 00:05:12,620 You could also get away with scanning at T3.
69 00:05:12,700 --> 00:05:17,620 I have noticed no performance issues or missed ports running at either of these.
70 00:05:17,620 --> 00:05:24,290 Now T1 might be very slow for you and T5 might be fast, but T5 might miss some things and
71 00:05:24,290 --> 00:05:27,850 T1 might take forever if you're in a time crunch.
72 00:05:27,880 --> 00:05:31,840 Now we've been scanning this already and we're at ninety-nine percent.
73 00:05:31,840 --> 00:05:36,790 We've been scanning for almost five minutes here, and you can see that the average scan may take anywhere,
74 00:05:36,790 --> 00:05:40,440 I've had them take from seconds to over an hour before.
75 00:05:41,320 --> 00:05:45,700 But this is my, my, my method here, right.
76 00:05:45,700 --> 00:05:49,140 This is the easiest, simplest way to scan a machine.
77 00:05:49,150 --> 00:05:54,910 You will see all kinds of nmap syntax out there, and maybe you find something in here and you start
78 00:05:54,910 --> 00:06:00,730 playing around with things like max retries or rate limiting or something else that really, you know,
79 00:06:00,760 --> 00:06:02,080 you find your niche.
80 00:06:02,230 --> 00:06:04,790 My niche has always been keep it simple, stupid.
81 00:06:04,810 --> 00:06:07,210 And that's exactly what I'm going to do here.
82 00:06:07,210 --> 00:06:09,500 I'm just going to keep it very, very simple.
83 00:06:09,610 --> 00:06:16,120 And for this machine I am scanning on TCP. I am not scanning on UDP. We will focus on that in a later
84 00:06:16,120 --> 00:06:18,790 machine that actually needs the UDP scan.
85 00:06:18,880 --> 00:06:24,840 But in a perfect world and in theory you should be scanning UDP as well.
86 00:06:24,850 --> 00:06:33,100 The only difference here, say we want to scan this in UDP, is we would just paste this here and we would
87 00:06:33,100 --> 00:06:40,930 add in front of this -sU like we saw, and that would scan for UDP instead of the stealth scan that
88 00:06:40,930 --> 00:06:47,650 we talked about. Now we've got our scan back, but before we do this, this is a for-dummies course.
89 00:06:47,660 --> 00:06:51,530 So I want to talk through everything that I possibly can.
90 00:06:51,540 --> 00:06:57,330 First things first, we need to talk about the TCP handshake. Now the three-way handshake, if you're not
91 00:06:57,330 --> 00:07:03,570 familiar from networking classes, is something like this. I'll type it out real quick and then we
92 00:07:03,570 --> 00:07:04,870 can demonstrate it.
93 00:07:04,890 --> 00:07:10,250 So we've got a SYN, a SYN-ACK, and then an ACK.
94 00:07:10,320 --> 00:07:17,910 So when we want to connect to a port at a specific IP address, we say hey, I want to connect to you.
95 00:07:18,230 --> 00:07:26,740 And this is a SYN packet sent, right. Now if we're able to connect to that port, that port is open, then
96 00:07:27,100 --> 00:07:33,400 the server or IP address that we targeted responds back with SYN-ACK.
97 00:07:33,610 --> 00:07:39,790 And if we want to establish a connection to that port, we respond back with ACK.
98 00:07:39,790 --> 00:07:41,460 Now we can demonstrate this.
99 00:07:41,590 --> 00:07:49,480 We can come over to here, and if we go in we just say something along the lines of Wireshark, not
100 00:07:49,480 --> 00:07:50,740 in capitals.
101 00:07:50,740 --> 00:07:57,430 Just say wireshark, and we're going to capture on our eth0.
102 00:07:57,430 --> 00:08:04,510 That's absolutely fine, and you're gonna see a bunch of stuff starting to come through. That's OK
103 00:08:04,530 --> 00:08:10,920 as well. We are looking for a handshake, and one quick way we can generate one is just by going out to
104 00:08:10,950 --> 00:08:17,570 Google and hitting Enter and then going to pause this. And sorry, I smacked my microphone there.
105 00:08:17,570 --> 00:08:26,810 So if you heard a smack, that was me. And then we can filter by tcp.port == 443
106 00:08:26,870 --> 00:08:35,730 like this, and we are just looking for any sort of handshake that came through here. That looks like there
107 00:08:35,720 --> 00:08:43,030 is a SYN packet sent, a SYN-ACK sent, and then we'd have an ACK packet back.
108 00:08:43,160 --> 00:08:44,980 Normally they're a little closer together.
109 00:08:44,990 --> 00:08:46,810 Let's see if we can find one.
110 00:08:46,910 --> 00:08:47,570 There's a Client
111 00:08:47,570 --> 00:08:48,650 Hello there.
112 00:08:48,650 --> 00:08:51,460 So this is over,
113 00:08:51,950 --> 00:08:53,360 this is over IPv6.
114 00:08:53,360 --> 00:08:54,600 That's interesting.
115 00:08:54,620 --> 00:08:56,890 So you see that we went out to 443.
116 00:08:56,900 --> 00:09:02,170 We requested a SYN, that server responded back to us and said SYN-ACK.
117 00:09:02,180 --> 00:09:05,100 You can connect to my port on 443.
118 00:09:05,120 --> 00:09:10,360 And then we said OK, we acknowledge that, we do want to connect, and the client said back to us,
119 00:09:10,460 --> 00:09:11,010 Hello.
120 00:09:11,540 --> 00:09:17,460 So this is done over IPv6, but you can see that there's other things going through as well for IPv4.
121 00:09:17,480 --> 00:09:24,070 Looks like most of the traffic coming through right now is IPv6, but yours should probably have IPv4,
122 00:09:24,080 --> 00:09:27,860 and if you want to capture something similar to this you should be able to capture that three-way handshake.
123 00:09:28,820 --> 00:09:32,270 Why is this important? Well, let's take a look at this.
124 00:09:33,280 --> 00:09:37,380 So when we are doing scanning we're doing something called stealth scanning.
125 00:09:37,480 --> 00:09:41,950 And like I said earlier, this scanning used to be stealthy.
126 00:09:41,980 --> 00:09:43,410 Nowadays it's not stealthy.
127 00:09:43,420 --> 00:09:50,460 If you scan with this you're gonna get picked up by any decent SIEM, any kind of detection, it's gonna
128 00:09:50,470 --> 00:09:54,690 pick you up scanning, but you should know what you're doing, right.
129 00:09:54,700 --> 00:09:56,650 And this may come up in interviews.
130 00:09:56,680 --> 00:09:57,790 How do you scan?
131 00:09:57,820 --> 00:10:00,660 What's the process for a stealth scan?
132 00:10:00,660 --> 00:10:02,590 And only one thing changes.
133 00:10:02,590 --> 00:10:06,290 This ACK here becomes what's called an RST.
134 00:10:06,330 --> 00:10:08,920 Now this RST stands for a reset.
135 00:10:09,010 --> 00:10:13,570 This whole process goes from hey, I want to connect to you, to all right,
136 00:10:13,630 --> 00:10:20,400 you can connect to me, to us saying no, just kidding, we actually don't really want to connect.
137 00:10:20,440 --> 00:10:22,210 Well, why is this important?
138 00:10:22,210 --> 00:10:28,170 Well, we're establishing here that we want to connect to a port, and if the port is open,
139 00:10:28,360 --> 00:10:33,930 well, we're going to get a response back that says hey, SYN-ACK, we're open for business, and we're going
140 00:10:33,930 --> 00:10:37,900 to say just kidding, because we don't actually want to make the connection to the port.
141 00:10:38,260 --> 00:10:41,710 Now if we make a connection to the port, we're not really being stealthy.
142 00:10:41,710 --> 00:10:44,070 Again, the scanning is not really stealthy anymore.
143 00:10:44,080 --> 00:10:49,500 But this was the logic behind it. So let's go ahead and close out of this and let's take a look at our
144 00:10:49,500 --> 00:10:59,600 scan and talk through it. So our scan came back and we've got a few things here.
145 00:10:59,680 --> 00:11:06,240 Now we've got our scan result, and the scan results, -A gives us a lot of detail.
146 00:11:06,250 --> 00:11:10,930 If we don't trigger with a -A, all we're going to see is the port.
147 00:11:11,170 --> 00:11:13,350 And if it's open, that's about it.
148 00:11:13,360 --> 00:11:18,980 You're not going to see service information or version information that could be incredibly useful.
149 00:11:19,240 --> 00:11:24,930 So we could see that two ports came back as open, one port came back as closed.
150 00:11:25,030 --> 00:11:30,050 So it triggered on this 3389, but it doesn't actually see it as open.
151 00:11:30,080 --> 00:11:31,550 So what does that leave us with?
152 00:11:31,550 --> 00:11:35,630 Well, that leaves us with port 139 and port 445.
153 00:11:35,630 --> 00:11:39,380 And if you're not familiar, these are SMB related.
154 00:11:39,380 --> 00:11:47,630 So on Windows these tie directly to SMB. On Linux, 139 would tie to Samba, which is basically the same
155 00:11:47,630 --> 00:11:48,650 thing.
156 00:11:48,650 --> 00:11:55,240 So these are file shares, folders that are out there being shared by a user or accessible by users.
157 00:11:55,250 --> 00:12:02,060 These are very, very common when we're scanning internal networks, and very common to see, you know, in
158 00:12:02,060 --> 00:12:07,250 a Windows environment especially, but most computers, if you think about your work environment, have some
159 00:12:07,430 --> 00:12:13,950 sort of shared folder structure. So, and then it comes down here and it takes a best guess at the Windows
160 00:12:14,010 --> 00:12:15,130 operating system.
161 00:12:15,220 --> 00:12:18,760 Here you can actually see that the version pulled back as Windows XP.
162 00:12:19,260 --> 00:12:19,690 OK.
163 00:12:19,700 --> 00:12:22,410 And it's guessing that it's anywhere from XP to 2008.
164 00:12:22,410 --> 00:12:24,070 That's a really broad guess.
165 00:12:24,090 --> 00:12:27,710 But it's thinking it's Windows, and it's correct that it's Windows.
166 00:12:27,720 --> 00:12:29,190 This is not always correct.
167 00:12:29,190 --> 00:12:30,030 Just a heads up.
168 00:12:30,150 --> 00:12:33,380 But sometimes it gives you an inkling. OK.
169 00:12:33,380 --> 00:12:37,740 And then we come down here, and this -A also provides some script results.
170 00:12:37,790 --> 00:12:42,470 Now we can get some things out of here. We can see that there is a NetBIOS name of LEGACY.
171 00:12:42,470 --> 00:12:43,950 That is the computer name.
172 00:12:44,120 --> 00:12:45,550 We also get a MAC address.
173 00:12:45,560 --> 00:12:47,570 You can see we're running on a VM, VMware MAC.
174 00:12:47,570 --> 00:12:49,100 That's fine.
175 00:12:49,100 --> 00:12:52,700 And then we come in here and it says OK, we're running on Windows XP.
176 00:12:52,700 --> 00:12:54,070 This is a definite.
177 00:12:54,080 --> 00:12:59,540 Now we know for sure that we're running on Windows XP, and this is important because if we're fingerprinting
178 00:12:59,540 --> 00:13:05,310 machines and we're looking for exploits, these exploits sometimes are operating system dependent.
179 00:13:05,360 --> 00:13:11,870 So knowing the operating system will help us later on a lot of the times. Again we see the computer name
180 00:13:11,900 --> 00:13:20,360 and the NetBIOS computer name, we see the workgroup slash domain here, and we can see the security mode
181 00:13:21,630 --> 00:13:22,560 now.
182 00:13:22,720 --> 00:13:28,180 This is going to come up in later videos. If you are getting to the more advanced stage, you're looking
183 00:13:28,180 --> 00:13:29,620 for internal pen testing.
184 00:13:29,620 --> 00:13:33,730 I do have a video out there on SMB relays and how to get shells.
185 00:13:34,090 --> 00:13:38,390 If you ever see message signing disabled, this is dangerous.
186 00:13:38,440 --> 00:13:43,910 You might also see something along the lines of message signing enabled but not required.
187 00:13:44,020 --> 00:13:45,940 That is equally as dangerous.
188 00:13:45,940 --> 00:13:51,010 This is a finding on a pen test report and could allow an attacker to get a shell.
189 00:13:51,010 --> 00:13:55,840 Now I'm just noting that out there so you keep that in the back of your mind. Not as important for this
190 00:13:55,840 --> 00:14:00,640 lesson today, but if you're ever curious there are videos out there and you could read up on this.
191 00:14:00,700 --> 00:14:06,320 But it's a little bit more of an advanced topic. So down here we have traceroute information.
192 00:14:06,320 --> 00:14:13,920 This isn't really that important for attacking an internal lab. OK, so we have one port, really two ports,
193 00:14:13,920 --> 00:14:15,030 one service.
194 00:14:15,090 --> 00:14:15,310 OK.
195 00:14:15,330 --> 00:14:17,790 We're going to be attacking SMB.
196 00:14:17,880 --> 00:14:21,610 Now there are a couple of things that I really like to do when I'm looking at SMB.
197 00:14:21,720 --> 00:14:25,260 The first one is I like to go to smbclient.
198 00:14:25,260 --> 00:14:26,910 Now if you've never used this, that's OK.
199 00:14:26,910 --> 00:14:29,130 It's a built-in tool to Kali Linux.
200 00:14:29,220 --> 00:14:35,890 You just start typing smbclient and you can hit TAB and it should autocomplete for you.
201 00:14:35,890 --> 00:14:41,420 The next is a -L, that is to list out any of the files that are in there.
202 00:14:41,580 --> 00:14:45,720 And then we're just going to type in the IP address similar to this.
203 00:14:45,720 --> 00:14:51,370 And we said we were at .4 I believe, and hit enter.
204 00:14:51,810 --> 00:14:53,020 So, invalid parameter.
205 00:14:53,050 --> 00:15:00,490 Let's try one other thing I like to do. It would double or quadruple, and then double on the backslash
206 00:15:00,490 --> 00:15:00,970 is there.
207 00:15:00,970 --> 00:15:01,380 Let's try.
208 00:15:01,380 --> 00:15:04,130 And still getting invalid parameter.
209 00:15:04,210 --> 00:15:09,060 We might not be able to access this the way it's listed right now.
210 00:15:09,070 --> 00:15:13,940 We can try connecting, and you can see there's just really no connection here.
211 00:15:13,990 --> 00:15:16,300 We could try listing it out all different kinds of ways.
212 00:15:16,330 --> 00:15:17,480 And it's just not going to work.
213 00:15:17,920 --> 00:15:27,010 Now in some cases, if we had a root password that was anonymous and we tried to log in, it would say
214 00:15:27,040 --> 00:15:28,330 hey, you're in.
215 00:15:28,330 --> 00:15:31,230 Here's a listing of all the files that are in the share.
216 00:15:31,390 --> 00:15:33,700 That's bad. In this case
217 00:15:33,700 --> 00:15:39,920 we're not getting a listing of all the files in the share, we're getting this status invalid parameter.
218 00:15:40,210 --> 00:15:45,730 And it as of right now is kind of a dead end, and that's OK.
219 00:15:45,730 --> 00:15:51,730 So if we were able to connect, which you'll see in later videos, we can use smbclient and say there was,
220 00:15:51,730 --> 00:15:58,270 like a common one is a dot admin folder here, and we say admin and we want to connect to that.
221 00:15:58,450 --> 00:16:04,380 We could try to connect, and it would let us connect with password or no password, then we're money, right.
222 00:16:04,390 --> 00:16:09,040 We can enumerate the share, we can pull down information, but here we're just not getting any access
223 00:16:09,040 --> 00:16:09,640 at all.
224 00:16:10,060 --> 00:16:11,700 So, and that's fine.
225 00:16:11,710 --> 00:16:15,810 So what we're gonna do instead is we're going to enumerate this a little further.
226 00:16:16,180 --> 00:16:21,260 Now a tool that is out there and you may have heard of is called enum4linux.
227 00:16:21,430 --> 00:16:24,430 I don't like using this. If you like using it, that's fine.
228 00:16:24,430 --> 00:16:27,700 In my case, in most instances I've ever tried using it,
229 00:16:27,700 --> 00:16:29,920 it has not worked, it has been broken.
230 00:16:29,920 --> 00:16:37,360 So what I like to do is actually run Metasploit, which is msfconsole. Hit enter on that and it's going
231 00:16:37,360 --> 00:16:41,870 to take a second to spin up, especially if this is your first time spinning it up.
232 00:16:41,910 --> 00:16:48,740 Now let's let this run here, and then I'm going to search for smb_version.
233 00:16:49,920 --> 00:16:56,340 Now this didn't come up when we first did our nmap scan, and that's OK, that's kind of common, but we can
234 00:16:56,340 --> 00:17:03,440 copy this auxiliary scanner here and we can use this to try to detect it. Now let's talk about Metasploit
235 00:17:03,440 --> 00:17:04,660 as well.
236 00:17:04,880 --> 00:17:09,600 And I should note that my explanations, I'm not going to repeat myself as we go further and further into
237 00:17:09,610 --> 00:17:10,110 videos.
238 00:17:10,130 --> 00:17:14,930 I'm going to assume that you have watched the previous video and that you kind of understand where we're
239 00:17:14,930 --> 00:17:16,150 at as we go along.
240 00:17:16,160 --> 00:17:21,590 But this video's probably gonna be really, really detailed and broken down on some of these topics, especially
241 00:17:21,590 --> 00:17:23,040 if you've never seen it before.
242 00:17:23,330 --> 00:17:28,720 So, auxiliary modules. Now there's a few different modules you can see here: there's exploits, auxiliary,
243 00:17:28,720 --> 00:17:33,890 post, payloads, etc. Metasploit is a treasure trove of options.
244 00:17:33,920 --> 00:17:42,200 Now what we're doing is auxiliary, and we can think of auxiliary as pre-exploit. So auxiliary is our scanning,
245 00:17:42,230 --> 00:17:45,100 our enumeration, our information gathering.
246 00:17:45,140 --> 00:17:50,870 There are over a thousand different auxiliary modules. In this instance we are using an auxiliary module
247 00:17:50,870 --> 00:17:53,510 to look for an SMB version.
248 00:17:53,630 --> 00:17:56,850 It does not always work, but it works a lot.
249 00:17:57,170 --> 00:18:04,550 Now the SMB version is really, really important if we can pull it down, because historically SMB has been
250 00:18:04,550 --> 00:18:06,350 incredibly vulnerable.
251 00:18:06,350 --> 00:18:13,250 If you can think back to most recently, we have had the WannaCry slash EternalBlue slash whatever
252 00:18:13,250 --> 00:18:20,510 you want to call it, the MS17-010 exploit, around SMB, and in the past, as you're going to see in
253 00:18:20,510 --> 00:18:21,190 a minute,
254 00:18:21,260 --> 00:18:25,100 there have been numerous SMB exploits.
255 00:18:25,100 --> 00:18:31,750 So because of that it's very critical to try to detect not only the version but the operating system
256 00:18:31,750 --> 00:18:34,370 you're running on, because that is important as well.
257 00:18:34,370 --> 00:18:37,090 Now we already have an operating system listed here.
258 00:18:37,190 --> 00:18:44,390 So we're gonna go ahead and just try to find a version. We're gonna say options, and you can see here
259 00:18:44,390 --> 00:18:46,580 what's required and what's not.
260 00:18:46,640 --> 00:18:51,660 Only thing that's really required of us that is not set already here is this,
261 00:18:51,680 --> 00:18:52,850 RHOSTS.
262 00:18:52,880 --> 00:18:54,810 So that stands for remote host.
263 00:18:54,980 --> 00:18:58,030 All you can think about is that's what we're going to be attacking.
264 00:18:58,040 --> 00:19:03,640 Now we can say set RHOSTS 10.10.10.4. Now,
265 00:19:03,710 --> 00:19:08,610 if this module can only take one host it will say RHOST.
266 00:19:08,810 --> 00:19:12,010 If you notice, this can actually take multiple hosts, with an S.
267 00:19:12,050 --> 00:19:18,080 You can enter in CIDR notation, and you could do something like /24 if you're trying
268 00:19:18,080 --> 00:19:20,030 to see every single machine in the network.
269 00:19:20,540 --> 00:19:23,870 But in this instance we're only attacking one box. Setting one
270 00:19:23,870 --> 00:19:26,150 RHOST is fine.
271 00:19:26,150 --> 00:19:26,790 OK.
272 00:19:26,840 --> 00:19:30,180 We can say options again just to make sure it really set for us.
273 00:19:30,200 --> 00:19:35,150 And then we're going to type in run, or if you really want to feel cool you can type in exploit.
274 00:19:35,810 --> 00:19:40,690 Either way it'll work, and we can see here,
275 00:19:40,930 --> 00:19:41,440 OK.
276 00:19:41,470 --> 00:19:49,150 Now we are running Windows XP Service Pack 3, and it really doesn't tell us anything else about the SMB
277 00:19:49,150 --> 00:19:49,690 version.
278 00:19:49,720 --> 00:19:50,670 That's a bummer.
279 00:19:51,400 --> 00:19:53,960 So we don't know anything else about the SMB version.
280 00:19:54,070 --> 00:19:59,920 That's OK, we can start with what we know. So we'll copy this information then, right, and we're going to
281 00:19:59,920 --> 00:20:06,670 go out to Firefox and just go back to Google, if you went to there when you were doing our handshake,
282 00:20:06,850 --> 00:20:13,630 and we'll just paste this in, and then Google will learn you eventually, but if you start typing in exploit
283 00:20:14,290 --> 00:20:15,880 it'll start coming up.
284 00:20:16,150 --> 00:20:16,600 Right.
285 00:20:17,020 --> 00:20:22,420 So we can start looking for the different types of exploits that exist.
286 00:20:22,420 --> 00:20:25,780 One that I like to look for, there's two websites.
287 00:20:25,810 --> 00:20:26,850 OK.
288 00:20:26,890 --> 00:20:29,690 In my opinion there's two websites I look for off the bat.
289 00:20:29,800 --> 00:20:32,290 One is exploit-db.com.
290 00:20:32,290 --> 00:20:33,910 We can open this one.
291 00:20:33,910 --> 00:20:35,820 The other one is Rapid7.
292 00:20:36,100 --> 00:20:40,300 So let's look at both, and here,
293 00:20:40,310 --> 00:20:43,940 this is an XP SP3 exploit.
294 00:20:45,020 --> 00:20:46,430 It's possible.
295 00:20:46,430 --> 00:20:52,850 Now one thing that we didn't do and I should have typed in is we didn't describe the service, and that's
296 00:20:52,850 --> 00:20:54,140 bad on my part.
297 00:20:54,200 --> 00:21:00,020 Let's type in SMB Windows XP SP3. And now, because I looked at this and I said I'm not sure that that's actually
298 00:21:00,020 --> 00:21:00,820 SMB,
299 00:21:00,830 --> 00:21:07,470 let's go ahead and close this one, and the first one that comes up for us is actually going to be MS
300 00:21:07,490 --> 00:21:09,290 08-067.
301 00:21:09,290 --> 00:21:14,750 Now it's possible that this is on Exploit Database, but you can see one of the things that comes up on
302 00:21:14,750 --> 00:21:20,620 your saved tabs if you're on a newer version of Kali is your exploit-db Exploit Database.
303 00:21:20,630 --> 00:21:27,460 This is where you're gonna find a lot of exploits that you can just download, perhaps modify, and run.
304 00:21:28,220 --> 00:21:34,680 But here today we're not going to have to do that. Rapid7 is the other website that I like a lot.
305 00:21:34,690 --> 00:21:35,920 Why is that?
306 00:21:35,920 --> 00:21:41,370 That's because Rapid7 actually makes this here, our Metasploit.
307 00:21:41,500 --> 00:21:48,130 So because they make Metasploit and because it's a Metasploit module, we come here, we can see that
308 00:21:48,130 --> 00:21:54,260 this is actually a Metasploit module. That means we can just run this in Metasploit and perhaps get a shell.
309 00:21:54,280 --> 00:21:59,320 We don't have to mess with exploits off exploit-db, we don't have to download anything, it's already
310 00:21:59,320 --> 00:22:02,090 built into a tool that we have.
311 00:22:02,140 --> 00:22:05,310 OK, so let's go ahead and just look at the directions here.
312 00:22:05,310 --> 00:22:12,020 It's always best to read the instructions and see if this has to deal with what we're dealing with.
313 00:22:12,060 --> 00:22:19,140 So it says that it targets Windows XP, but 2003 will often crash or hang.
314 00:22:19,140 --> 00:22:24,810 So it's important to note that in case we're running on a pen test and we don't want to, you know, crash
315 00:22:24,810 --> 00:22:31,320 a server. It's always important to see, you know, if there's any kind of denial of service here. Right
316 00:22:31,320 --> 00:22:32,920 now this looks good.
317 00:22:32,950 --> 00:22:38,190 What we're gonna do is we're just going to copy this and we're going to paste it here
318 00:22:41,110 --> 00:22:47,490 and then we can just say options again. Similarly we have to set RHOST.
319 00:22:47,510 --> 00:22:55,430 Now I can just tab up to where I set the RHOST, and it's still set, and now it says exploit target.
320 00:22:55,850 --> 00:23:01,370 So it's always best practice to say show targets to see what kind of targets are available for us.
321 00:23:01,370 --> 00:23:02,290 And holy crap.
322 00:23:02,300 --> 00:23:08,510 There are 72. So we know we're running SP3, Windows XP SP3.
323 00:23:08,510 --> 00:23:14,800 Probably the English version if we wanted to pick it out, but we could just leave this alone.
324 00:23:14,810 --> 00:23:18,970 It looks like there's automatic targeting and it will figure it out on its own.
325 00:23:19,190 --> 00:23:24,320 If for some reason we are sure on this exploit and the automatic targeting is failing, now we can come
326 00:23:24,320 --> 00:23:27,270 down here, pick out the target, and go from there.
327 00:23:27,350 --> 00:23:28,790 But let's go ahead and take a look
328 00:23:28,790 --> 00:23:30,860 by just running this and seeing what happens,
329 00:23:33,620 --> 00:23:40,390 and it's detecting the target. It detected that it is XP SP3 English, perfect, and then it ran it and
330 00:23:40,390 --> 00:23:43,640 said Meterpreter session one opened.
331 00:23:43,640 --> 00:23:44,150 Great.
332 00:23:44,150 --> 00:23:48,310 This means we have a shell. We have access on the machine.
333 00:23:48,510 --> 00:23:51,080 Now what we just did is called a reverse shell.
334 00:23:51,090 --> 00:23:54,600 There are mainly two different types of shells that we could run.
335 00:23:54,600 --> 00:23:58,530 One is a reverse shell and the other is a bind shell.
336 00:23:58,590 --> 00:24:02,570 Now reverse shells, what they do is we set up a listener.
337 00:24:02,580 --> 00:24:04,360 We set up a port that we're listening on. 338 00:24:04,410 --> 00:24:05,880 See this handler here. 339 00:24:05,880 --> 00:24:08,590 So we're listening on port 4444. 340 00:24:09,030 --> 00:24:14,820 When we exploit the machine we tell it, hey, connect back to this IP address on this port. 341 00:24:15,000 --> 00:24:16,350 And that is a reverse shell. 342 00:24:16,380 --> 00:24:21,720 When a victim connects back to us, that is considered a reverse shell. 343 00:24:21,720 --> 00:24:23,320 When we connect to a victim, 344 00:24:23,340 --> 00:24:30,900 so say we run an exploit and we open up a port and then we say, hey, let's connect to that port, that is 345 00:24:30,900 --> 00:24:32,970 considered a bind shell. 346 00:24:33,120 --> 00:24:39,840 The majority of your time when you're doing lab testing is going to be running with reverse shells. 347 00:24:40,050 --> 00:24:47,820 Even when you're doing internal testing. Now external testing, if you're doing real pen tests, sometimes 348 00:24:47,820 --> 00:24:53,220 you're going to want to use a bind shell, unless you want to set up port forwards on your router or wherever 349 00:24:53,220 --> 00:24:56,360 you're testing in order to trigger back into your machine. 350 00:24:56,430 --> 00:24:59,360 A lot of times it's just way easier to do a bind shell. 351 00:24:59,390 --> 00:25:01,920 But sometimes you have to get flexible and do both. 352 00:25:02,250 --> 00:25:05,980 But the majority of the time you're gonna be working with reverse shells. 353 00:25:06,030 --> 00:25:09,030 So from here, a couple of things we should do. 354 00:25:09,060 --> 00:25:13,400 The first thing is we could say getuid. Let's see what user level we're at. 355 00:25:13,960 --> 00:25:14,310 Okay.
356 00:25:14,310 --> 00:25:19,680 We are NT AUTHORITY\SYSTEM. Now, SYSTEM is the highest level. If we are SYSTEM we own this 357 00:25:19,680 --> 00:25:24,060 machine completely. And we just lost our session here. 358 00:25:24,060 --> 00:25:24,840 Not sure why. 359 00:25:24,840 --> 00:25:32,190 Let's go ahead and run it again, see what happens. And it's possible that we lost this machine here. 360 00:25:32,190 --> 00:25:33,420 So let's go ahead and just see, 361 00:25:36,170 --> 00:25:37,730 and there is a connection timeout. 362 00:25:38,060 --> 00:25:40,400 So I've had this happen with Hack The Box as well. 363 00:25:41,030 --> 00:25:46,970 So what happens sometimes is Hack The Box, just, you know, you lose your session. And Hack 364 00:25:46,970 --> 00:25:51,170 The Box, it used to be that somebody could reset the box on you. 365 00:25:51,890 --> 00:25:54,270 It looks like that 366 00:25:54,520 --> 00:25:59,620 you can actually still reset on people, so I'm not sure if somebody just reset the box on me or what 367 00:25:59,620 --> 00:26:05,410 happened, but hopefully you don't have this experience. But this is a good one to keep in the video just 368 00:26:05,410 --> 00:26:07,490 in case you ever run into this. 369 00:26:07,500 --> 00:26:10,330 So if you're trying to run it, it might not work right this second. 370 00:26:10,330 --> 00:26:11,610 That's fine. 371 00:26:11,690 --> 00:26:15,270 Let's go ahead and talk about this NT AUTHORITY\SYSTEM. 372 00:26:15,430 --> 00:26:24,010 So when we're SYSTEM on a machine, that means we have the highest privilege level. We can do whatever 373 00:26:24,010 --> 00:26:25,720 we want on that machine. 374 00:26:25,720 --> 00:26:26,020 Right. 375 00:26:26,020 --> 00:26:31,510 This is a local level, but we are full authority. 376 00:26:31,510 --> 00:26:35,790 This is equivalent, if you are a Linux user, to being root on a Linux machine. 377 00:26:36,340 --> 00:26:37,080 OK.
378 00:26:37,090 --> 00:26:43,170 So we have the highest potential level that we need here, right? 379 00:26:43,180 --> 00:26:45,850 So let's go ahead and try to run one more time. 380 00:26:45,970 --> 00:26:53,840 If this fails I'm going to go ahead and refresh and try restarting my box on my end, and 381 00:26:56,530 --> 00:27:01,250 somebody has cancelled termination of the machine. 382 00:27:01,250 --> 00:27:02,100 Don't know what that is. 383 00:27:02,140 --> 00:27:03,790 Guys, I'm going to pause this video, 384 00:27:03,800 --> 00:27:06,230 get the shell back up, and then figure that out. 385 00:27:06,230 --> 00:27:07,580 Give me one second. 386 00:27:07,610 --> 00:27:08,150 All right. 387 00:27:08,150 --> 00:27:10,660 I am back and we have a new session. 388 00:27:10,760 --> 00:27:17,810 So again we did a getuid, and let's go ahead and look at one other thing here. We're gonna run 389 00:27:17,840 --> 00:27:25,260 sysinfo, and what we're looking at with sysinfo is we're looking at this here. We want to make sure that 390 00:27:25,260 --> 00:27:31,740 we have an architecture that matches the Meterpreter shell. So our x86 here on the architecture 391 00:27:32,220 --> 00:27:38,930 matches the Meterpreter shell on Windows. This is good. This allows us to do a lot. 392 00:27:39,030 --> 00:27:45,580 So one of the things that we can do, and let's type in help. If you're brand new to Metasploit, we 393 00:27:45,580 --> 00:27:50,830 have a lot of things that we can do here. Let's come through and look at this list. 394 00:27:50,840 --> 00:27:53,290 Now don't be intimidated by this list. 395 00:27:53,330 --> 00:27:58,860 You will learn it as it goes, and most of these you'll probably never use. Some of the interesting things 396 00:27:58,860 --> 00:28:01,240 are we can navigate around the file system. 397 00:28:01,370 --> 00:28:03,780 We can download files from the file system.
398 00:28:03,890 --> 00:28:08,020 We can upload files to the file system and we can make directories. 399 00:28:08,240 --> 00:28:12,790 We could do a lot of Linux commands that are typical if you're used to using Linux. 400 00:28:12,800 --> 00:28:15,530 There are some great networking commands. 401 00:28:15,530 --> 00:28:21,950 Now if we're doing post-exploitation, we get a shell on the machine and we are in a real network, looking 402 00:28:21,950 --> 00:28:23,890 at the ARP table or the ARP cache, 403 00:28:23,930 --> 00:28:27,320 really good. Looking at your IP address, your 404 00:28:27,380 --> 00:28:33,170 ifconfig, ipconfig, really good. Looking at your routing table, really good. netstat, 405 00:28:33,230 --> 00:28:34,070 same thing. 406 00:28:34,400 --> 00:28:39,320 So looking at where you're at from a networking perspective once you get a shell, 407 00:28:39,440 --> 00:28:41,570 very, very good idea. 408 00:28:41,630 --> 00:28:45,110 Some other things that we can look at: we can see what processes are running. 409 00:28:45,110 --> 00:28:46,900 This is very useful. 410 00:28:46,910 --> 00:28:49,380 We can shut down the machine if we want to. 411 00:28:49,400 --> 00:28:56,160 We can do some crazy stuff too, like a keyscan, or a keystroke 412 00:28:56,450 --> 00:29:00,720 dumping here. We can capture the keystrokes and we can dump them. 413 00:29:01,010 --> 00:29:01,750 Very scary. 414 00:29:01,760 --> 00:29:04,640 We can do a screenshot of the desktop. 415 00:29:04,640 --> 00:29:07,310 We can do a screenshot of the webcam. 416 00:29:07,400 --> 00:29:09,260 We can record the microphone. 417 00:29:09,260 --> 00:29:11,030 This can be incredibly malicious. 418 00:29:11,030 --> 00:29:12,110 Right. 419 00:29:12,140 --> 00:29:17,020 These are things that we should not be doing unless we have absolute permission to do them. 420 00:29:17,120 --> 00:29:19,880 So Metasploit, just to show you, 421 00:29:19,880 --> 00:29:21,850 it's a very powerful tool.
422 00:29:21,860 --> 00:29:24,210 Now there's a couple of things in here that we can do. 423 00:29:24,440 --> 00:29:30,710 If we did not have NT AUTHORITY\SYSTEM we could try to just type in getsystem. Sometimes this crashes a 424 00:29:30,710 --> 00:29:31,250 machine. 425 00:29:31,250 --> 00:29:35,500 So if you have a shell on a machine in a network and you're doing a real pen test, 426 00:29:35,600 --> 00:29:36,790 be very careful with this. 427 00:29:36,790 --> 00:29:39,650 Perhaps ask how sensitive the machine is, 428 00:29:39,650 --> 00:29:42,720 and if you crash it, is somebody available to turn it back on. 429 00:29:42,920 --> 00:29:47,510 So know of this one, and know this one: hashdump. 430 00:29:47,570 --> 00:29:49,950 Now let's type in hashdump. 431 00:29:50,950 --> 00:29:54,470 Now hashdump is dumping the SAM. 432 00:29:54,560 --> 00:30:01,250 Now the SAM is what stores our local user passwords, and we are dumping the hashes here. 433 00:30:01,700 --> 00:30:08,660 So with these hashes we can take these offline and use a tool, something like John the Ripper or 434 00:30:08,660 --> 00:30:12,830 Hashcat, and we can try to crack these against a word list. 435 00:30:12,830 --> 00:30:17,030 Now if you've never cracked passwords before, this is something maybe you should look into if you're at 436 00:30:17,030 --> 00:30:17,910 this point. 437 00:30:18,080 --> 00:30:20,980 Take these offline and go try to crack them. 438 00:30:20,990 --> 00:30:22,880 I have no idea what's going to come up. 439 00:30:22,880 --> 00:30:26,810 You can eliminate the Guest, the HelpAssistant, and probably the support account. 440 00:30:26,840 --> 00:30:31,430 I would try to crack the Administrator password and this john user account, and see if you can get either 441 00:30:31,430 --> 00:30:34,100 of them. As I said, I haven't done this before. 442 00:30:34,120 --> 00:30:38,240 So you could try and see if either of them are crackable against a word list.
443 00:30:38,270 --> 00:30:39,960 It's always good practice. 444 00:30:40,040 --> 00:30:47,030 Now another thing you could do is copy the hash here, the second part of the hash, and you can use tools 445 00:30:47,240 --> 00:30:50,660 like CrackMapExec or psexec. 446 00:30:50,690 --> 00:30:54,920 There's a lot of tools out there where we can take this hash and try to do something called pass the 447 00:30:54,920 --> 00:30:55,830 hash. 448 00:30:55,850 --> 00:30:59,330 Now it's not going to work in this network, and that's OK. 449 00:30:59,330 --> 00:31:04,670 This whole lesson and course is going to be about enumeration and exploitation. 450 00:31:04,670 --> 00:31:07,880 It's not really going to be about all the advanced attacks we can do. 451 00:31:07,880 --> 00:31:12,990 There are other courses out there; the Zero to Hero talks about these topics as well. 452 00:31:13,010 --> 00:31:16,510 So what we're really after is, again, enumeration, exploitation. 453 00:31:16,530 --> 00:31:22,820 I'm giving you some ideas of things that we look for once we're in a machine. This hash here, 454 00:31:22,850 --> 00:31:24,000 we can pass that around, 455 00:31:24,000 --> 00:31:26,490 see if it gets us in any other machines in the network. 456 00:31:26,660 --> 00:31:31,730 Again, it's not going to work here because we're only against this one machine in this one isolated network, 457 00:31:32,660 --> 00:31:37,910 and we could try again to crack it and we can see if that password, the admin password, logs us in 458 00:31:37,910 --> 00:31:38,840 anywhere. 459 00:31:38,840 --> 00:31:44,390 I have, in personal experience, never cracked an administrative password but gained access to every 460 00:31:44,390 --> 00:31:49,790 single machine in a network, because they were passing the hash around. They were using the same hash 461 00:31:49,790 --> 00:31:50,990 on every single machine.
462 00:31:50,990 --> 00:31:56,040 So it's very critical to check this, try to pass it around, see where you can get access to. 463 00:31:56,120 --> 00:31:58,410 Very, very easy to do. 464 00:31:58,520 --> 00:32:05,330 So from here we can also type in the word shell, and you will notice that this gives us something similar 465 00:32:05,330 --> 00:32:12,140 to a command prompt. If you are following along and you're doing these machines and you want to 466 00:32:12,140 --> 00:32:15,080 have some fun, take credit. 467 00:32:15,080 --> 00:32:22,100 One thing that we can do is we can cd over to the Users folder, and, looks like, let's see, you'd see 468 00:32:22,100 --> 00:32:22,510 this, no. 469 00:32:22,520 --> 00:32:24,830 This is an older machine, it's going to be something different. 470 00:32:25,310 --> 00:32:27,430 It's going to be Documents and Settings. 471 00:32:27,440 --> 00:32:34,670 So we'll cd into Documents and Settings and then we'll say dir here, and then we can go 472 00:32:34,670 --> 00:32:43,940 into john and we can say dir, just to show you, but we could type cd to the Desktop and then we're 473 00:32:43,950 --> 00:32:47,250 gonna say dir one more time, and we'll type in type 474 00:32:47,300 --> 00:32:49,320 user.txt. 475 00:32:49,440 --> 00:32:50,760 Now you can take this. 476 00:32:50,910 --> 00:32:52,850 I don't know if I've already done this for this machine. 477 00:32:52,850 --> 00:32:59,640 You can copy this one and come over to Legacy, and then you can just go into submit user flag, and that'll 478 00:32:59,640 --> 00:33:00,890 work just fine. 479 00:33:00,900 --> 00:33:05,520 So it'll submit your flag for you, and then you can do the same thing with the root. 480 00:33:05,820 --> 00:33:16,140 So you can just go, you can go cd Administrator\Desktop, and then on the desktop you should 481 00:33:16,140 --> 00:33:18,390 have the root.txt.
482 00:33:18,420 --> 00:33:24,660 You can go ahead and type that and also capture that flag there and submit it to Hack The Box. 483 00:33:24,660 --> 00:33:28,220 You won't get any points for it, but you can count it under your own. 484 00:33:28,270 --> 00:33:32,580 Well, you know which ones you've done before and you haven't done before. 485 00:33:32,580 --> 00:33:39,150 So with that being said, other things that we're doing in the shell here: we could be looking for, you know, 486 00:33:39,150 --> 00:33:45,270 we could be looking for sensitive files and data, things that are out there. If you like to navigate around 487 00:33:45,270 --> 00:33:45,930 a shell, 488 00:33:46,020 --> 00:33:51,890 you can absolutely do the same thing from a Metasploit slash Meterpreter shell. So we can hit 489 00:33:51,890 --> 00:33:56,070 Ctrl-C and go yes, we want to cancel, but we're still in the shell, right? 490 00:33:56,100 --> 00:33:58,140 We could say pwd. 491 00:33:58,140 --> 00:34:02,380 We could cd, do a cd of a backslash like this, pwd. 492 00:34:02,910 --> 00:34:07,100 And there's a little bit of character escaping; you saw I had to use two backslashes. 493 00:34:07,290 --> 00:34:09,060 That's pretty standard. 494 00:34:09,060 --> 00:34:13,440 We can do a dir here and you're seeing pretty much the same stuff that we just were. 495 00:34:13,440 --> 00:34:16,230 So you don't actually have to dive into a shell. 496 00:34:16,230 --> 00:34:18,930 This is just showing you the flexibility of Meterpreter.