1
00:00:00,720 --> 00:00:04,880
Now, in the previous lecture we had a quick look on Zenmap
2
00:00:04,880 --> 00:00:07,780
and how it can be used to gather information.
3
00:00:07,780 --> 00:00:10,560
So in this lecture we'll build up on that,
4
00:00:10,560 --> 00:00:13,950
and the main scan that I wanna show you right now
5
00:00:13,950 --> 00:00:15,883
is the quick scan plus.
6
00:00:17,570 --> 00:00:21,480
This scan takes the quick scan one step further.
7
00:00:21,480 --> 00:00:23,960
So first of all it'll be slower,
8
00:00:23,960 --> 00:00:27,870
but it's going to show us even more information.
9
00:00:27,870 --> 00:00:32,060
So first we're gonna be able to see the operating system
10
00:00:32,060 --> 00:00:35,140
running on the discovered devices.
11
00:00:35,140 --> 00:00:38,250
We will also be able to see the device type,
12
00:00:38,250 --> 00:00:41,660
whether it's a phone or a laptop or a router,
13
00:00:41,660 --> 00:00:45,290
and we'll be able to discover the program,
14
00:00:45,290 --> 00:00:49,470
and the program version running on the discovered ports.
15
00:00:49,470 --> 00:00:51,010
So before for example,
16
00:00:51,010 --> 00:00:53,950
we were able to discover port 80 is open,
17
00:00:53,950 --> 00:00:57,740
but we didn't know what program is running on this port
18
00:00:57,740 --> 00:01:00,000
or what version of this program.
19
00:01:00,000 --> 00:01:03,460
Getting the exact program version is really helpful
20
00:01:03,460 --> 00:01:06,090
when we get to the gaining access section,
21
00:01:06,090 --> 00:01:08,570
and you'll see then how we can use that
22
00:01:08,570 --> 00:01:11,220
to exploit vulnerable services
23
00:01:11,220 --> 00:01:14,640
and gain full control over the computers
24
00:01:14,640 --> 00:01:17,023
that have these services installed.
25
00:01:18,960 --> 00:01:21,270
Now straight away when you look at the results,
26
00:01:21,270 --> 00:01:23,790
you'll see that we got much more information
27
00:01:23,790 --> 00:01:26,950
than all of the scans we ran so far.
28
00:01:26,950 --> 00:01:29,240
So the first thing you'll notice is the icons
29
00:01:29,240 --> 00:01:33,070
beside the IPs of the discovered devices.
30
00:01:33,070 --> 00:01:35,870
These icons represent the operating system
31
00:01:35,870 --> 00:01:38,040
running on these devices.
32
00:01:38,040 --> 00:01:39,980
So right now we have the operating system
33
00:01:39,980 --> 00:01:42,360
for all of the connected devices,
34
00:01:42,360 --> 00:01:45,240
and now it's shown us the programs running
35
00:01:45,240 --> 00:01:47,530
on each of the discovered ports
36
00:01:47,530 --> 00:01:50,360
and the versions of these programs.
37
00:01:50,360 --> 00:01:53,850
So for example if we look at the 192.168.1.12,
38
00:01:53,850 --> 00:01:55,090
the Apple device,
39
00:01:55,090 --> 00:01:57,460
on the last scan we knew that port 22 was open
40
00:01:57,460 --> 00:01:59,690
and we knew that SSH is running on it,
41
00:01:59,690 --> 00:02:03,220
but we didn't know what version of SSH was running.
42
00:02:03,220 --> 00:02:07,083
Right now we can see that it's running OpenSSH version 6.1,
43
00:02:08,360 --> 00:02:10,880
so we can go on Google and look for exploits
44
00:02:10,880 --> 00:02:14,430
and vulnerabilities in this specific version,
45
00:02:14,430 --> 00:02:16,740
and we might actually find something.
46
00:02:16,740 --> 00:02:18,490
We'll actually talk more about that
47
00:02:18,490 --> 00:02:20,203
in the "gaining access" section.
48
00:02:21,240 --> 00:02:23,430
Now if you look at the device type,
49
00:02:23,430 --> 00:02:26,960
you can see that it's a media device; it's a phone.
50
00:02:26,960 --> 00:02:29,500
So before we knew this is an Apple device
51
00:02:29,500 --> 00:02:31,450
but we didn't know whether it's a tablet,
52
00:02:31,450 --> 00:02:33,570
a phone, or a MacBook.
53
00:02:33,570 --> 00:02:36,380
Right now we know that it is a phone.
54
00:02:36,380 --> 00:02:38,180
It's also discovering that it's running
55
00:02:38,180 --> 00:02:40,750
Apple iOS four, five or six.
56
00:02:40,750 --> 00:02:43,270
Now it's actually running a newer version of iOS,
57
00:02:43,270 --> 00:02:45,900
I'm not entirely sure, I think nine or 10,
58
00:02:45,900 --> 00:02:48,410
but still, it's close enough it's getting me.
59
00:02:48,410 --> 00:02:50,300
It's telling me it's an Apple.
60
00:02:50,300 --> 00:02:53,330
It's telling me that it's a phone, it's running iOS.
61
00:02:53,330 --> 00:02:55,113
So this is really really good.
62
00:02:56,610 --> 00:03:00,840
Now if we go to the next device here, the 192.168.1.20.
63
00:03:00,840 --> 00:03:05,520
This is a Linux device and when we run the quick scan
64
00:03:05,520 --> 00:03:10,410
we are able to identify port 80 and port 49152 open,
65
00:03:10,410 --> 00:03:12,780
but again, we didn't know the program running
66
00:03:12,780 --> 00:03:16,010
or the service version running on this port.
67
00:03:16,010 --> 00:03:21,010
So right now we know it's an Apache httpd 2.2.22,
68
00:03:21,600 --> 00:03:23,360
it's running on Ubuntu so again
69
00:03:23,360 --> 00:03:25,330
now we have the operating system,
70
00:03:25,330 --> 00:03:28,520
the exact version of the service running
71
00:03:28,520 --> 00:03:31,200
so we can go and look for weaknesses and exploits
72
00:03:31,200 --> 00:03:33,730
in this specific version.
73
00:03:33,730 --> 00:03:35,540
And this port, we didn't even know
74
00:03:35,540 --> 00:03:37,440
what service was running on it.
75
00:03:37,440 --> 00:03:40,450
Right now we know it's a UPnP service
76
00:03:40,450 --> 00:03:43,480
and the server is MediaTomb UPnP.
77
00:03:43,480 --> 00:03:45,640
We have the exact version again
78
00:03:45,640 --> 00:03:48,290
so again we can go ahead and look for exploits
79
00:03:48,290 --> 00:03:50,290
in these specific versions,
80
00:03:50,290 --> 00:03:52,550
and if we discover any we'll be able
81
00:03:52,550 --> 00:03:56,400
to gain full control on this computer.
82
00:03:56,400 --> 00:04:01,210
Again if we go down to the 192.168.1.22 machine we can see
83
00:04:01,210 --> 00:04:06,040
that it's running a Microsoft HTTPAPI, on port 5357.
84
00:04:09,220 --> 00:04:11,640
You can also browse by the services.
85
00:04:11,640 --> 00:04:14,950
So from here on the left if you click on services
86
00:04:14,950 --> 00:04:19,250
you'll be able to categorize the discovered clients
87
00:04:19,250 --> 00:04:20,540
based on the services.
88
00:04:20,540 --> 00:04:23,570
So if we click on http we'll see all the clients
89
00:04:23,570 --> 00:04:25,940
that have an http service running.
90
00:04:25,940 --> 00:04:29,450
If you click on ssh we can see the Apple device here.
91
00:04:29,450 --> 00:04:32,743
It's the only device that has an ssh service running.
92
00:04:33,990 --> 00:04:37,090
So let me actually show you a quick and fun example.
93
00:04:37,090 --> 00:04:38,860
If we go back here to the hosts
94
00:04:38,860 --> 00:04:43,780
and go back to the Apple device, the 192.168.1.12.
95
00:04:43,780 --> 00:04:46,470
As we see and as I said we know it's a phone,
96
00:04:46,470 --> 00:04:47,890
we know it's an Apple phone,
97
00:04:47,890 --> 00:04:51,340
we know that it has an ssh service installed on it
98
00:04:51,340 --> 00:04:56,070
running on port 22, and we know that ssh is a service
99
00:04:56,070 --> 00:05:00,700
that allows you to remotely execute system commands
100
00:05:00,700 --> 00:05:05,700
on the computer that has the ssh service installed.
101
00:05:05,820 --> 00:05:08,680
Now obviously before you can use this service
102
00:05:08,680 --> 00:05:11,170
you have to use a username and a password.
103
00:05:11,170 --> 00:05:14,440
Once you authenticate it will allow you to execute
104
00:05:14,440 --> 00:05:18,883
system commands remotely on that computer or on that phone.
105
00:05:19,720 --> 00:05:24,720
Now by default iOS devices do not have an ssh server.
106
00:05:24,880 --> 00:05:28,380
Usually when you jailbreak the phone or the device
107
00:05:28,380 --> 00:05:31,880
it will automatically install an ssh server
108
00:05:31,880 --> 00:05:34,470
and the password for that server
109
00:05:34,470 --> 00:05:37,320
is set to "alpine", by default.
110
00:05:37,320 --> 00:05:39,920
That's A-L-P-I-N-E.
111
00:05:39,920 --> 00:05:41,950
Now since we know that this is an iPhone
112
00:05:41,950 --> 00:05:45,440
and it has port 22 open with open ssh server,
113
00:05:45,440 --> 00:05:48,200
we know that this phone has been jailbroken.
114
00:05:48,200 --> 00:05:49,920
Now since the phone is jailbroken,
115
00:05:49,920 --> 00:05:53,580
we know the password to log into ssh is "alpine"
116
00:05:53,580 --> 00:05:55,850
unless the user changed it.
117
00:05:55,850 --> 00:05:58,730
Now most users do not even know about this,
118
00:05:58,730 --> 00:06:00,640
and even the ones that know about this,
119
00:06:00,640 --> 00:06:03,760
like myself, are too lazy to change it.
120
00:06:03,760 --> 00:06:06,150
So it's always worth a try if you discover
121
00:06:06,150 --> 00:06:08,770
a phone like this in the same network.
122
00:06:08,770 --> 00:06:10,700
It's always worth a try to go and try
123
00:06:10,700 --> 00:06:13,760
to connect to it with the default password.
124
00:06:13,760 --> 00:06:15,940
So I'm just gonna go to my terminal
125
00:06:15,940 --> 00:06:19,097
and I'm gonna try to connect to this phone using ssh.
126
00:06:20,050 --> 00:06:23,200
So I'm gonna type "ssh root",
127
00:06:23,200 --> 00:06:26,944
which is the username for the admin in Linux,
128
00:06:26,944 --> 00:06:31,944
"@192.168.1.12". This is the IP of the phone.
129
00:06:32,420 --> 00:06:33,630
I'm gonna hit enter.
130
00:06:33,630 --> 00:06:35,890
It's asking me if I should trust this connection,
131
00:06:35,890 --> 00:06:39,810
I'm gonna say yes, and now it's asking me for the password.
132
00:06:39,810 --> 00:06:42,310
And like I said, when the phone is jailbroken
133
00:06:42,310 --> 00:06:44,980
the password is set to "alpine".
134
00:06:44,980 --> 00:06:48,750
So I'm gonna type A-L-P-I-N-E.
135
00:06:48,750 --> 00:06:50,143
I'm gonna hit enter.
136
00:06:51,140 --> 00:06:54,570
And as you can see, I logged in as root.
137
00:06:54,570 --> 00:06:57,880
So right now I have the highest privileges on the phone
138
00:06:57,880 --> 00:07:01,700
and I can do whatever I want on the system.
139
00:07:01,700 --> 00:07:03,820
And now we can use system commands
140
00:07:03,820 --> 00:07:06,003
to completely control the phone.
141
00:07:07,370 --> 00:07:09,720
Now this is a little bit ahead of time,
142
00:07:09,720 --> 00:07:12,080
we are still in the "network hacking" section,
143
00:07:12,080 --> 00:07:13,730
so don't worry too much about this,
144
00:07:13,730 --> 00:07:17,480
we'll talk more about it in the "gaining access" section,
145
00:07:17,480 --> 00:07:20,520
but it's just a quick example that I wanted to show you
146
00:07:20,520 --> 00:07:23,590
of how powerful information gathering is,
147
00:07:23,590 --> 00:07:26,860
because we literally did not exploit anything right here,
148
00:07:26,860 --> 00:07:29,860
we just relied on the information we gathered
149
00:07:29,860 --> 00:07:32,200
and we were able to hack an iPhone
150
00:07:32,200 --> 00:07:34,623
that is connected to the same network as us.
151
00:07:36,610 --> 00:07:39,960
Now like I said Nmap is a huge tool.
152
00:07:39,960 --> 00:07:41,420
I highly recommend you go ahead
153
00:07:41,420 --> 00:07:43,900
and try the other profiles in here,
154
00:07:43,900 --> 00:07:45,970
and like I said, once done with the course,
155
00:07:45,970 --> 00:07:49,940
I think the Nmap book would be a really really good read.
156
00:07:49,940 --> 00:07:52,067
We'll also use Nmap much more in the
157
00:07:52,067 --> 00:07:54,540
"gaining access" section and we'll see how we can use
158
00:07:54,540 --> 00:07:58,170
this information to gain full control over the computers
159
00:07:58,170 --> 00:08:01,840
using code execution vulnerabilities and so on.
160
00:08:01,840 --> 00:08:03,950
But in this lecture I just wanted to give you
161
00:08:03,950 --> 00:08:06,670
a quick overview and we'll build up on this
162
00:08:06,670 --> 00:08:08,353
as we go through the course.