1
00:00:00,090 --> 00:00:05,270
Now that we've taken some time to enumerate web pages on port 80 and 443,
2
00:00:05,280 --> 00:00:11,200
we're gonna go ahead and shift our focus over to SMB on port 139.
3
00:00:11,280 --> 00:00:17,530
So if you are unfamiliar with what SMB is, SMB is a file share.
4
00:00:17,550 --> 00:00:20,430
So think about your work environment.
5
00:00:20,430 --> 00:00:26,800
If you go to work, and let's say that you have a drive you access that's not like your common drive, a
6
00:00:26,800 --> 00:00:27,450
C drive.
7
00:00:27,480 --> 00:00:33,750
Maybe it's like a Z drive or a G drive, and you access that drive to get files, and you can upload
8
00:00:33,750 --> 00:00:39,620
the files, download the files, and then maybe some of your co-workers can also see that file share.
9
00:00:39,780 --> 00:00:42,180
And that's why it's called a file share.
10
00:00:42,180 --> 00:00:49,380
Another example is, say you have a scans folder and you go to your printer and you scan something, and
11
00:00:49,380 --> 00:00:52,770
magically it appears in your scans folder on your computer.
12
00:00:52,770 --> 00:01:01,020
That's another example of SMB. So SMB is commonly used in work environments and internal environments.
13
00:01:01,020 --> 00:01:06,990
So when we see it, we think internal, and we think about all these exploits that I have mentioned in the
14
00:01:06,990 --> 00:01:14,610
past, especially with the latest and greatest being MS17-010, and even though it's two years old it
15
00:01:14,610 --> 00:01:18,660
still shows up and it's gonna show up again in this course later on.
16
00:01:18,660 --> 00:01:24,030
So what we're gonna do is we're just gonna take a quick look at our scan and see what we have available to
17
00:01:24,030 --> 00:01:24,820
us.
18
00:01:24,860 --> 00:01:27,810
So on port 139 here we see that.
19
00:01:28,260 --> 00:01:28,740
OK.
20
00:01:28,740 --> 00:01:31,660
NetBIOS SMB, workgroup MYGROUP.
21
00:01:32,070 --> 00:01:38,490
Not really a lot of information. We could scroll down, and the great thing about the -A that
22
00:01:38,490 --> 00:01:44,130
I had you run with this scan is that it does run scripts for us.
23
00:01:44,160 --> 00:01:49,500
So these scripts that we're running go out and do a little bit of enumeration, or additional enumeration,
24
00:01:49,510 --> 00:01:54,250
and here it came through and it's pulling down some information. We could see that,
25
00:01:54,270 --> 00:01:55,030
Okay.
26
00:01:55,060 --> 00:01:57,180
the NetBIOS name of this is called Kioptrix.
27
00:01:57,180 --> 00:02:03,780
Well, we already knew that, but we can see here that it's running SMB version 2.
28
00:02:03,840 --> 00:02:07,860
We really don't know that for sure, or what SMB version it's running
29
00:02:07,890 --> 00:02:09,250
Exactly.
30
00:02:09,270 --> 00:02:15,480
So that's really important because the type of SMB version that's running could potentially lead to
31
00:02:15,480 --> 00:02:19,200
an exploit and we need to know that kind of information.
32
00:02:19,230 --> 00:02:21,450
So we're gonna look for version information.
33
00:02:21,450 --> 00:02:24,570
The other thing is we're going to try to connect to this machine.
34
00:02:24,570 --> 00:02:27,170
We're going to see if there's any connections available to us.
35
00:02:27,600 --> 00:02:32,190
And if we can make that connection, if we can get to the files on the share, and see if there's anything
36
00:02:32,220 --> 00:02:35,730
potentially malicious, or that we could do potentially malicious.
37
00:02:35,760 --> 00:02:43,980
So let's go ahead and let's get into a terminal and we're going to load up a tool that you're going
38
00:02:43,980 --> 00:02:45,690
to be intimately familiar with.
39
00:02:45,690 --> 00:02:51,270
By the time this course is over, and that tool is called Metasploit. So to run that tool, just go ahead
40
00:02:51,270 --> 00:02:56,190
and type in msfconsole like this and hit enter.
41
00:02:56,420 --> 00:03:04,170
Now Metasploit is an exploitation framework, and it does a lot more than exploitation.
42
00:03:04,190 --> 00:03:12,020
As you could see down here, you could see that it does exploits, what are called auxiliary modules. Now
43
00:03:12,020 --> 00:03:18,620
auxiliary modules are like scanning and enumeration, so we can actually do port scanning, we can do all
44
00:03:18,620 --> 00:03:22,660
kinds of information gathering with these auxiliary modules.
45
00:03:22,670 --> 00:03:23,310
They're awesome.
46
00:03:23,310 --> 00:03:25,140
We're gonna go through one right now.
47
00:03:25,160 --> 00:03:28,300
There's also these post modules, which do post-exploitation.
48
00:03:28,310 --> 00:03:32,980
So say we get a shell on a machine, which means we've exploited a machine.
49
00:03:32,990 --> 00:03:35,270
We can do some things in post.
50
00:03:35,410 --> 00:03:39,920
There's all different types of payloads, which we're going to cover when we get into the exploit section,
51
00:03:39,950 --> 00:03:43,970
and then the rest of this you won't have to worry about for the scope of this course, but we will be
52
00:03:43,970 --> 00:03:50,240
seeing another tool by Metasploit, which is msfvenom, later in the exploit development section of the
53
00:03:50,240 --> 00:03:56,560
course because we're going to utilize that to build payloads out for our own shells.
54
00:03:56,600 --> 00:04:00,590
So what we're gonna do for now is we're just going to introduce this slowly.
55
00:04:00,590 --> 00:04:02,150
Don't feel overwhelmed.
56
00:04:02,150 --> 00:04:06,620
It's just a little bit of a learning curve when it comes to learning all the features that it has available
57
00:04:06,860 --> 00:04:11,420
but it's second nature once you learn it and it's gonna be one of the most commonly used tools that
58
00:04:11,420 --> 00:04:13,700
you use as a tester in the field.
59
00:04:13,700 --> 00:04:19,280
So we're gonna go ahead and just search for SMB here, and I'm going to do this the terrible way. We're
60
00:04:19,280 --> 00:04:24,260
just going to search SMB, and you could see that there's 121 results.
61
00:04:24,260 --> 00:04:31,010
Now that's going to be quite a pain to sift through, but what we're after, and say we didn't know much,
62
00:04:31,100 --> 00:04:36,040
but we're trying to see if, hey, maybe does Metasploit have any kind of modules,
63
00:04:36,050 --> 00:04:39,590
I don't know, for SMB enumeration.
64
00:04:39,620 --> 00:04:44,690
Well, we know auxiliary modules are enumeration, and we can look right here in the front and see what
65
00:04:44,690 --> 00:04:46,240
type of module it is.
66
00:04:46,250 --> 00:04:50,650
So you see this is a post module, and you see if you could scroll up we're going through exploits. Now
67
00:04:50,650 --> 00:04:53,390
we're gonna go up into auxiliary.
68
00:04:53,390 --> 00:05:02,240
Now the second part of this is the type of action it's doing, so you could see auxiliary denial of service,
69
00:05:02,360 --> 00:05:10,180
auxiliary fuzzing, auxiliary scanning, gathering, and we're going to utilize this to our advantage.
70
00:05:10,190 --> 00:05:12,100
We're going to take a look at the syntax.
71
00:05:12,170 --> 00:05:16,130
Now what we are after is SMB version information.
72
00:05:16,130 --> 00:05:21,330
And if we look kind of through this, we can come down to scanner here, and you can see it's looking at SMB
73
00:05:21,340 --> 00:05:28,750
1, SMB 2, GPP, which we're going to talk about, MS17-010, which we've talked about.
74
00:05:28,790 --> 00:05:33,350
You have an auxiliary scanner to see if there's anything out there with that vulnerability.
75
00:05:33,590 --> 00:05:40,820
And if we look right here on number 60, auxiliary/scanner/smb/smb_version.
76
00:05:41,100 --> 00:05:44,910
Now this is a bit of a long convoluted way to do this.
77
00:05:44,910 --> 00:05:50,310
Go ahead and copy this, by the way, or memorize your number. I'll give you two options.
78
00:05:50,340 --> 00:05:54,960
This is a long way to do it, but I wanted to show you this way of doing it because you're going to get
79
00:05:54,960 --> 00:06:01,170
better at it, but you know, when you see something on scan results and you don't know a lot about the
80
00:06:01,170 --> 00:06:06,770
tool, the best thing that you can do is just say, hey, you know, I know Metasploit does things like this.
81
00:06:06,840 --> 00:06:10,490
Let me see if maybe they have any sort of enumeration or exploitation.
82
00:06:10,490 --> 00:06:15,500
It never hurts to use a search feature to try to look up items and learn about them.
83
00:06:15,540 --> 00:06:18,050
So let's say we've never used this before.
84
00:06:18,240 --> 00:06:22,620
We're gonna go ahead and just say use and then we're gonna paste this module in here.
85
00:06:22,620 --> 00:06:26,370
Your other option is, instead of pasting this module, you can put the number that you had.
86
00:06:26,370 --> 00:06:31,570
So, like, for example 60, you could say use 60 and it will also load this module.
87
00:06:31,590 --> 00:06:38,790
So go ahead and hit enter for that, and you can see here that it says now we're in auxiliary module
88
00:06:38,800 --> 00:06:40,060
scanner/smb/
89
00:06:40,060 --> 00:06:48,970
smb_version. So from here it's always good to type out info and see what info is available,
90
00:06:49,390 --> 00:06:53,920
and it just tells you a little bit about the module that you're running. So here you see that this is going
91
00:06:53,920 --> 00:06:56,680
to display version information about each system.
92
00:06:56,830 --> 00:06:57,250
Perfect.
93
00:06:57,250 --> 00:06:59,110
It's an SMB version detection.
94
00:06:59,110 --> 00:07:01,180
That's really what we're after right now.
95
00:07:01,240 --> 00:07:02,520
So this is great.
96
00:07:02,680 --> 00:07:03,760
And we have options here.
97
00:07:03,760 --> 00:07:04,800
These basic options.
98
00:07:04,810 --> 00:07:06,680
Now you're going to see me do this a lot.
99
00:07:06,700 --> 00:07:12,100
You can go right into options by just typing options and just see that, instead of printing out all the
100
00:07:12,100 --> 00:07:14,230
long stuff if you don't want to.
101
00:07:14,230 --> 00:07:16,800
So in our options we're presented with some items.
102
00:07:16,900 --> 00:07:18,390
We've got something called RHOSTS.
103
00:07:18,400 --> 00:07:21,560
Now RHOSTS stands for remote hosts.
104
00:07:21,580 --> 00:07:25,500
You're also going to see an LHOST later on, which stands for local host.
105
00:07:25,570 --> 00:07:27,520
RHOST is always the victim.
106
00:07:27,520 --> 00:07:28,750
That's who we are attacking.
107
00:07:28,750 --> 00:07:30,520
This is the target address.
108
00:07:30,670 --> 00:07:34,370
You might see RHOST or RHOSTS plural.
109
00:07:34,630 --> 00:07:40,260
RHOST means you can only input one host; if we have RHOSTS plural,
110
00:07:40,270 --> 00:07:46,780
we can use CIDR notation, meaning that we can put /24 and try to sweep a range, for example.
111
00:07:46,780 --> 00:07:50,140
But in this instance we're only attacking one machine anyway.
112
00:07:50,230 --> 00:07:57,760
The rest of these, SMBDomain, SMBPass and SMBUser, if we knew the domain, password and user in this instance,
113
00:07:57,790 --> 00:08:00,660
we could fill it out and try to get a little bit more information.
114
00:08:00,790 --> 00:08:02,530
But we are unauthenticated.
115
00:08:02,530 --> 00:08:07,840
We have no credentials at this point, so we're just gonna go ahead and just put in RHOSTS, which is
116
00:08:07,840 --> 00:08:11,950
required, and not fill in any of the non-required fields here.
117
00:08:11,950 --> 00:08:16,480
And what we're gonna do is we're just gonna say set RHOSTS, and this is case insensitive.
118
00:08:16,480 --> 00:08:18,150
I just like to type it out case sensitive.
119
00:08:18,670 --> 00:08:22,990
And then the IP address of the machine that you're going to scan.
120
00:08:23,140 --> 00:08:33,450
So we're gonna say 192.168.57.139, and then I'm just gonna type in run. Give you a second
121
00:08:33,450 --> 00:08:37,940
to catch up, and run. Okay.
122
00:08:37,960 --> 00:08:44,380
I totally lied, my IP address is .139; the machine I'm after is .134. And run, and your
123
00:08:44,380 --> 00:08:49,900
screen should look something like this. I'm over here, instead of copying and pasting, trying to memorize, so
124
00:08:49,930 --> 00:08:53,040
hopefully you can see that I make mistakes too.
125
00:08:53,170 --> 00:08:55,290
So here we are.
126
00:08:55,300 --> 00:09:01,150
We see a little bit more information, and it might not look like a lot right now, but knowing this Samba
127
00:09:01,180 --> 00:09:06,700
2.2.1a is very specific, and this is going to help us out quite a bit.
128
00:09:06,730 --> 00:09:13,720
So let's just copy this guy and let's open up that text editor we've had going and let's just come in
129
00:09:13,720 --> 00:09:18,340
here and maybe make some notes, or just put it in here and say something like SMB, and then we can just
130
00:09:18,340 --> 00:09:25,540
paste that. We know the version now, and this is going to become important when we start doing research
131
00:09:25,600 --> 00:09:27,020
on what we've found.
132
00:09:27,070 --> 00:09:33,880
So we found all these different types of versions running up here, and we're going to do research on exploits
133
00:09:33,880 --> 00:09:38,800
against them, but we're also going to do research on this and exploits against this.
134
00:09:38,800 --> 00:09:41,380
So as much detail as we can get.
135
00:09:41,560 --> 00:09:47,350
That's what's important, and what's going to set you apart from other hackers, or other people even trying
136
00:09:47,350 --> 00:09:53,140
to break into the field, is your ability to information gather and your ability to enumerate. If you can
137
00:09:53,140 --> 00:09:54,370
do both of those.
138
00:09:54,370 --> 00:09:56,320
The exploitation is actually the easy part.
139
00:09:56,320 --> 00:09:57,270
In my opinion.
140
00:09:57,970 --> 00:10:01,810
So we've got the version information. That's great.
141
00:10:01,810 --> 00:10:03,510
We're going to use a new tool now.
142
00:10:03,520 --> 00:10:12,170
So go ahead and go File, New Tab, and I'm going to go ahead and show you a tool called smbclient. Now
143
00:10:12,190 --> 00:10:17,380
smbclient is going to attempt to connect to the file share that's out there.
144
00:10:17,380 --> 00:10:23,260
Now if we have the ability to connect to the file share with anonymous access, what that will do is we
145
00:10:23,260 --> 00:10:26,260
can get in there and we could potentially see files.
146
00:10:26,290 --> 00:10:32,200
Now these files might give us an inkling of what's going on in the network, or they may even be, you know,
147
00:10:32,230 --> 00:10:33,220
valuable to us.
148
00:10:33,220 --> 00:10:37,270
They may be something like a backup file or password stored in a text file.
149
00:10:37,270 --> 00:10:40,810
You never know what you're going to find until you actually look.
150
00:10:40,810 --> 00:10:46,900
So what I'm going to go ahead and do is do a -L, and that's going to be to list out the files, and
151
00:10:46,900 --> 00:10:48,960
then the syntax looks something like this.
152
00:10:48,970 --> 00:10:51,740
You can do two backslashes.
153
00:10:51,940 --> 00:10:52,840
I'd like to do four.
154
00:10:52,840 --> 00:10:54,330
It really doesn't matter.
155
00:10:54,400 --> 00:10:59,170
And then you just type in the IP address of the machine that you want to try to connect to.
156
00:10:59,170 --> 00:11:03,760
So 192.168.57.134 for me.
157
00:11:03,760 --> 00:11:08,830
And then two more slashes like that. If you're running it with just two slashes, you don't have to put
158
00:11:08,830 --> 00:11:09,780
any there.
159
00:11:09,790 --> 00:11:12,960
So this is just character escaping because we're in Linux.
160
00:11:13,090 --> 00:11:20,230
So go ahead and hit enter, and you see that the server does not support extended security.
161
00:11:20,250 --> 00:11:20,640
OK.
162
00:11:20,640 --> 00:11:22,860
Don't worry about that. Anonymous login successful.
163
00:11:22,860 --> 00:11:25,820
Go ahead and hit enter on root's password, as we don't know it.
164
00:11:26,190 --> 00:11:30,000
And you could see that we did list out a file share.
165
00:11:30,450 --> 00:11:34,560
So let's go ahead and try to connect a different way.
166
00:11:36,170 --> 00:11:43,180
Let's tab up and let's delete this -L, and we see that there's two file shares.
167
00:11:43,180 --> 00:11:48,100
There is an IPC$ and an ADMIN$.
168
00:11:48,380 --> 00:11:54,110
The IPC$ is not really usually valuable to us, but the ADMIN$ would be really valuable if we could connect
169
00:11:54,110 --> 00:11:54,470
to that.
170
00:11:54,530 --> 00:11:54,960
Let's go ahead.
171
00:11:54,960 --> 00:11:58,890
Just paste that in here and see if we can get that connection.
172
00:11:58,930 --> 00:12:00,090
OK let's try this.
173
00:12:00,100 --> 00:12:02,380
Hit enter, and you could see we have
174
00:12:02,380 --> 00:12:03,580
Wrong password.
175
00:12:03,850 --> 00:12:06,830
So it's not going to let us connect to this
176
00:12:06,850 --> 00:12:09,530
share with anonymous access.
177
00:12:09,910 --> 00:12:11,080
So that's unfortunate.
178
00:12:11,080 --> 00:12:12,160
We could also try
179
00:12:12,160 --> 00:12:19,270
proof of concept to see if IPC$ works. Hit enter on that, and you can see now we're actually in this. And
180
00:12:19,300 --> 00:12:20,800
this is interesting.
181
00:12:20,800 --> 00:12:23,830
So we could say help to see the list of commands.
182
00:12:24,010 --> 00:12:26,740
And it's very similar to being inside of a Linux machine.
183
00:12:26,740 --> 00:12:32,410
Now we can do something like ls to list the files, and we're actually access denied here.
184
00:12:32,440 --> 00:12:34,960
So this is what we call a dead end.
185
00:12:34,990 --> 00:12:36,510
We can't really access this.
186
00:12:36,540 --> 00:12:39,460
So we don't have any extra information gathered.
187
00:12:39,520 --> 00:12:43,120
We're going to come back to this time and time again with smbclient.
188
00:12:43,120 --> 00:12:45,740
This isn't the last time you're going to see it in the course.
189
00:12:45,910 --> 00:12:50,860
But I want you to know that it exists and the reason behind what we're doing here, and this is some of
190
00:12:50,920 --> 00:12:53,560
where the information's coming from in our scan.
191
00:12:53,560 --> 00:12:54,630
We're trying to connect out.
192
00:12:54,640 --> 00:12:56,500
We see the server name is Kioptrix.
193
00:12:56,530 --> 00:13:01,990
There's a comment that it's a Samba server, and we're going to try to come in here and connect to a file
194
00:13:01,990 --> 00:13:03,050
and maybe get lucky.
195
00:13:03,100 --> 00:13:05,170
But this time we didn't get lucky.
196
00:13:05,170 --> 00:13:11,220
So we're just gonna go ahead and X out. So that's all you need to know right now for SMB.
197
00:13:11,220 --> 00:13:16,560
SMB is an amazing protocol. When I see SMB I get very happy.
198
00:13:16,680 --> 00:13:23,100
But we're going to focus on that very heavily when we get into the internal part of the Active Directory
199
00:13:23,100 --> 00:13:26,520
portion of this course because that's when things get really juicy.
200
00:13:26,520 --> 00:13:28,160
Right now we're just going to do,
201
00:13:28,230 --> 00:13:30,480
keep it simple, stupid, on a lot of this stuff.
202
00:13:30,480 --> 00:13:34,570
It might feel really easy or very very straightforward depending.
203
00:13:34,620 --> 00:13:39,720
But I promise this is just going to keep building and building and building until we have a pretty big
204
00:13:39,720 --> 00:13:40,760
understanding on this.
205
00:13:40,770 --> 00:13:44,130
And there's going to be a lot of repetition and a lot of practice and I think that's the best way to
206
00:13:44,130 --> 00:13:44,460
learn.
207
00:13:45,120 --> 00:13:52,770
So from here I'm going to do a brief enumeration on SSH and how we can do enumeration with SSH, and
208
00:13:52,770 --> 00:13:57,440
then we're going to talk about other items of enumeration and talk research.
209
00:13:57,540 --> 00:13:58,410
What are we doing?
210
00:13:58,410 --> 00:14:02,450
We've been collecting all this information and putting it into a text document.
211
00:14:02,460 --> 00:14:03,940
You're probably like, so what?
212
00:14:04,050 --> 00:14:05,150
What can we do with it?
213
00:14:05,160 --> 00:14:09,770
And that's where things get exciting and that's how we start to lead into exploitation.
214
00:14:09,960 --> 00:14:13,290
But we've got to do a little bit more research first before we can get there.
215
00:14:13,290 --> 00:14:15,040
So that's it for this video.
216
00:14:15,090 --> 00:14:18,750
I'll catch you over in the next video when we are enumerating SSH.