All language subtitles for 5. Enumerating SMB

Now that we've taken some time to enumerate web pages on port 80 and 443, we're going to go ahead and shift our focus over to SMB on port 139. So if you are unfamiliar with what SMB is, SMB is a file share. So think about your work environment. If you go to work and let's say that you have a drive you access that's not like your common drive, a C drive. Maybe it's like a Z drive or a G drive, and you access that drive to get files, and you can upload the files, download the files, and then maybe some of your co-workers can also see that file share. And that's why it's called a file share. Another example is, say you have a scans folder and you go to your printer and you scan something, and magically it appears in your scans folder on your computer. That's another example of SMB. So SMB is commonly used in work environments and internal environments. So when we see it we think internal, and we think about all these exploits that I have mentioned in the past, especially with the latest and greatest being MS17-010, and even though it's two years old it still shows up, and it's going to show up again in this course later on.

So what we're going to do is we're just going to take a quick look at our scan and see what we have available to us. So on port 139 here we see that. OK. netbios-ssn, SMB, workgroup: MYGROUP. Not really a lot of information. We could scroll down, and the great thing about the -A that I had you run with this scan is that it does run scripts for us. So these scripts that we're running go out and do a little bit of enumeration, or additional enumeration. In here it came through and it's pulling down some information. We can see that, okay, the NetBIOS name of this is KIOPTRIX. Well, we already knew that, but we can see here that it's running SMB version 2. We really don't know that for sure, or what SMB version it's running exactly. So that's really important, because the type of SMB version that's running could potentially lead to an exploit, and we need to know that kind of information. So we're going to look for version information. The other thing is we're going to try to connect to this machine. We're going to see if there's any connections available to us, and if we can make that connection, if we can get to the files on the share, and see if there's anything potentially malicious or that we could do potentially malicious.

So let's go ahead and let's get into a terminal, and we're going to load up a tool that you're going to be intimately familiar with by the time this course is over, and that tool is called Metasploit. So to run that tool, just go ahead and type in msfconsole like this and hit enter. Now Metasploit is an exploitation framework, and it does a lot more than exploitation. As you can see down here, you can see that it does exploits, what are called auxiliary modules. Now auxiliary modules is like scanning and enumeration, so we can actually do port scanning, we can do all kinds of information gathering with these auxiliary modules. They're awesome. We're going to go through one right now. There's also these post modules, which do post exploitation. So say we get a shell on a machine, which means we've exploited a machine. We can do some things in post. There's all different types of payloads, which we're going to cover when we get into the exploit section, and then the rest of this you don't have to worry about for the scope of this course, but we will be seeing another tool by Metasploit, which is msfvenom, later in the exploit development section of the course, because we're going to utilize that to build payloads out for our own shells. So what we're going to do for now is we're just going to introduce this slowly. Don't feel overwhelmed. It's just a little bit of a learning curve when it comes to learning all the features that it has available, but it's second nature once you learn it, and it's going to be one of the most commonly used tools that you use as a tester in the field.

So we're going to go ahead and just search for SMB here, and I'm going to do this the terrible way. We're just going to search smb, and you can see that there's 121 results. Now that's going to be quite a pain to sift through, but what we're after, and say we didn't know much but we're trying to see if, hey, maybe does Metasploit have any kind of modules, I don't know, for SMB enumeration? Well, we know auxiliary modules are enumeration, and we can look right here in the front and see what type of module it is. So you see this is a post module, and you see if you scroll up we're going through exploits, now we're going up into auxiliary. Now the second part of this is the type of action it's doing, so you can see auxiliary denial of service, auxiliary fuzzing, auxiliary scanning, gathering, and we're going to utilize this to our advantage. We're going to take a look at the syntax. Now what we are after is SMB version information. And if we look kind of through this, we can come down to scanner here, and you can see there's SMB enum GPP, which we're going to talk about, smb_ms17_010, which we've talked about. You have an auxiliary scanner to see if there's anything out there with that vulnerability. And if we look right here on number 60, auxiliary/scanner/smb/smb_version.

Now this is a bit of a long, convoluted way to do this. Go ahead and copy this, by the way, or memorize your number. I'll give you two options. This is a long way to do it, but I wanted to show you this way of doing it because you're going to get better at it, but you know, when you see something on a scan result and you don't know a lot about the tool, the best thing that you can do is just say, hey, you know, I know Metasploit does things like this. Let me see if maybe they have any sort of enumeration or exploitation. It never hurts to use a search feature to try to look up items and learn about them. So let's say we've never used this before. We're going to go ahead and just say use, and then we're going to paste this module in here. Your other option is, instead of pasting this module, you can put the number that you had. So, for example, 60: you could say use 60, and it will also load this module. So go ahead and hit enter for that, and you can see here that it says now we're in an auxiliary module, scanner/smb/smb_version. So from here it's always good to type out info and see what info is available, and it just tells you a little bit about the module that you're running. So here you see that this is going to display version information about each system. Perfect. It's an SMB version detection. That's really what we're after right now. So this is great. And we have options here, these basic options. Now you're going to see me do this a lot. You can go right into options by just typing options and just see that, instead of printing out all the long stuff if you don't want to. So our options, we're presented with some items. We've got something called RHOSTS. Now RHOSTS stands for remote hosts. You're also going to see an LHOST later on, which stands for local host. RHOST is always the victim. That's who we are attacking. This is the target address. You might see RHOST or RHOSTS, plural. RHOST means you can only import one host; if we have RHOSTS, plural, we can use CIDR notation, meaning that we can put /24 and try to sweep a range, for example. But in this instance we're only attacking one machine anyway.

The rest of these, the SMB domain, password and user: if we knew the domain, password and user in this instance we could fill it out and try to get a little bit more information. But we are unauthenticated. We have no credentials at this point, so we're just going to go ahead and just put in RHOSTS, which is required, and not fill any of the non-required fields here. And what we're going to do is we're just going to say set RHOSTS, and this isn't case sensitive. I just like to type it out as if it's case sensitive. And then the IP address of the machine that you're going to scan. So we're going to say 192.168.57.139, and then I'm just going to type in run. Give you a second to catch up, and run. Okay, I totally lied. My IP address is .139; the machine I'm after is .134. And run. Your screen should look something like this. I'm over here, instead of copying and pasting, trying to memorize, so hopefully you can see that I make mistakes too. So here we are. We see a little bit more information, and it might not look like a lot right now, but knowing this Samba 2.2.1a is very specific, and this is going to help us out quite a bit.

So let's just copy this guy, and let's open up that text editor we've had going, and let's just come in here and maybe make some notes, or just put it in here and say something like SMB, and then we can just paste that. We know the version now, and this is going to become important when we start doing research on what we've found. So we found all these different types of versions running up here, and we're going to do research on exploitations against them, but we're also going to do research on this and exploitations against this. So as much detail as we can get, that's what's important, and what's going to set you apart from other hackers, or other people even trying to break into the field, is your ability to information gather and your ability to enumerate. If you can do both of those, the exploitation is actually the easy part, in my opinion.

So we've got the version information. That's great. We're going to use a new tool now. So go ahead and go File > New Tab, and I'm going to go ahead and show you a tool called smbclient. Now smbclient is going to attempt to connect to the file share that's out there. Now, if we have the ability to connect to the file share with anonymous access, what that will do is we can get in there and we could potentially see files. Now these files might give us an inkling of what's going on on the network, or they may even be, you know, valuable to us. They may be something like a backup file or passwords stored in a text file. You never know what you're going to find until you actually look. So what I'm going to go ahead and do is do a -L, and that's going to be to list out the files, and then the syntax looks something like this. You can do two backslashes. I like to do four. It really doesn't matter. And then you just type in the IP address of the machine that you want to try to connect to, so 192.168.57.134 for me, and then two more slashes like that. If you're running it with just two slashes you don't have to put any there. So this is just character escaping, because we're in Linux. So go ahead and hit enter, and you see that the server does not support extended security. OK, don't worry about that. Anonymous login successful. Go ahead and hit enter on root's password, as we don't know it, and you can see that we did list out a file share.

So let's go ahead and try to connect a different way. Let's tab up and let's delete this -L, and we see that there's two file shares. There is an IPC$ and an ADMIN$. The IPC$ is not really usually valuable to us, but ADMIN$ would be really valuable if we could connect to that. Let's go ahead, just paste that in here and see if we can get that connection. OK, let's try this. Hit enter, and you can see we have: wrong password. So it's not going to let us connect to this share with anonymous access. So that's unfortunate. We could also try, proof of concept, to see if IPC$ works. Hit enter on that, and you can see now we're actually in this. This is interesting. So we could say help to see the list of commands, and it's very similar to being inside of a Linux machine. Now we can do something like ls to list the files, and we're actually access denied here. So this is what we call a dead end. We can't really access this. So we don't have any extra information gathered. We're going to come back to this time and time again with smbclient. This isn't the last time you're going to see it in the course, but I want you to know that it exists and the reason behind what we're doing here, and this is some of where the information's coming from in our scan.

We're trying to connect out. We see the server name's KIOPTRIX. There's a comment that it's a Samba server, and we're going to try to come in here and connect to a file and maybe get lucky. But this time we didn't get lucky. So we're just going to go ahead and exit out. So that's all you need to know right now for SMB. SMB is an amazing protocol. When I see SMB I get very happy. But we're going to focus on that very heavily when we get into the internal part, the Active Directory portion of this course, because that's when things get really juicy. Right now we're just going to do, keep it simple, stupid, on a lot of this stuff. It might feel really easy or very, very straightforward, depending. But I promise this is just going to keep building and building and building until we have a pretty big understanding on this. And there's going to be a lot of repetition and a lot of practice, and I think that's the best way to learn.

So from here I'm going to do a brief enumeration on SSH and how we can do enumeration with SSH, and then we're going to talk other items of enumeration and talk research. What are we doing? We've been collecting all this information and putting it into a text document. You're probably like, so what? What can we do with it? And that's where things get exciting, and that's how we start to lead into exploitation. But we've got to do a little bit more research first before we can get there. So that's it for this video. I'll catch you over in the next video when we are enumerating SSH.
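The lecture above leans on Metasploit's smb_version and on smbclient to learn which SMB the target speaks. What those tools do on the wire is a protocol negotiation: the client lists the dialects it understands and the server replies with the one it picked, plus its signing policy. The script below is an added example, written for this page and not part of the course or its author's material, that performs that exchange by hand for SMB2: it builds the SMB2 NEGOTIATE request from the MS-SMB2 field layout, parses a NEGOTIATE response, and reports the dialect, the signing flags and the server GUID in a form you can paste into your notes. All function names (`build_negotiate`, `parse_negotiate_response`, `probe`, `describe`) are this example's own, and `sample_response()` returns a constructed SMB 2.0.2 reply, not a capture from any real host. A server that only speaks SMB1, like the Samba 2.2.1a box in the video, answers with an SMB1 header or drops the connection; the parser reports that as a legacy server and does not reproduce the SMB1 session-setup banner parsing that smb_version relies on for such hosts.

```python
"""Minimal SMB2 NEGOTIATE probe: build the request, parse the reply, report
what the server offers. Added example for this page; field layout per MS-SMB2."""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB1_MAGIC = b"\xffSMB"
# SMB2 dialect identifiers (MS-SMB2 2.2.3). 0x02FF is the multi-protocol wildcard.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1", 0x02FF: "SMB 2.??? (wildcard)"}


def _smb2_header(command=0, flags=0):
    # ProtocolId, StructureSize=64, CreditCharge, Status, Command, CreditRequest=1,
    # Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature(16).
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, command, 1,
                                    flags, 0, 0, 0, 0, 0, b"\0" * 16)


def build_negotiate(dialects=(0x0202, 0x0210, 0x0300, 0x0302), client_guid=None):
    """Return a NetBIOS-framed SMB2 NEGOTIATE request offering the given dialects."""
    guid = (client_guid or uuid.uuid4()).bytes_le
    # StructureSize=36, DialectCount, SecurityMode=0x01 (signing enabled, not required),
    # Reserved, Capabilities, ClientGuid, ClientStartTime (no 3.1.1 contexts here).
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 0x01, 0, 0, guid, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = _smb2_header() + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg  # NetBIOS session message


def parse_negotiate_response(raw):
    """Parse a NetBIOS-framed NEGOTIATE reply into a dict of enumeration facts."""
    if len(raw) < 4 or raw[0] != 0:
        raise ValueError("not a NetBIOS session message")
    msg = raw[4:4 + int.from_bytes(raw[1:4], "big")]
    if msg.startswith(SMB1_MAGIC):
        # An SMB1 header in reply to an SMB2 request: legacy server, no SMB2 at all.
        return {"smb2": False, "note": "SMB1-only server (legacy, e.g. old Samba)"}
    if not msg.startswith(SMB2_MAGIC) or len(msg) < 64 + 64:
        raise ValueError("not an SMB2 NEGOTIATE response")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != 0:
        raise ValueError("unexpected SMB2 command %d" % command)
    (_size, sec_mode, dialect, _ctx, guid, caps, max_tx, max_rd, max_wr,
     _sys_time, _start_time, _sec_off, _sec_len, _ctx_off) = \
        struct.unpack_from("<HHHH16sIIIIQQHHI", msg, 64)
    return {"smb2": True, "status": status, "dialect": dialect,
            "dialect_name": DIALECTS.get(dialect, "unknown 0x%04x" % dialect),
            "signing_enabled": bool(sec_mode & 0x01),   # SMB2_NEGOTIATE_SIGNING_ENABLED
            "signing_required": bool(sec_mode & 0x02),  # SMB2_NEGOTIATE_SIGNING_REQUIRED
            "server_guid": str(uuid.UUID(bytes_le=guid)), "capabilities": caps,
            "max_transact": max_tx, "max_read": max_rd, "max_write": max_wr}


def describe(info):
    """One line suitable for the notes file the lecture keeps."""
    if not info["smb2"]:
        return "SMB: " + info["note"]
    signing = "required" if info["signing_required"] else (
        "enabled, not required" if info["signing_enabled"] else "disabled")
    return "SMB: %s, signing %s, server GUID %s" % (
        info["dialect_name"], signing, info["server_guid"])


def probe(host, port=445, timeout=5.0):
    """Send a NEGOTIATE to a live host on 445 (direct SMB) and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        return parse_negotiate_response(s.recv(4096))


def sample_response():
    """Constructed SMB 2.0.2 reply (not a capture): signing enabled and required."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 0x03, 0x0202, 0, b"\x11" * 16, 0x07,
                       65536, 65536, 65536, 0, 0, 128, 0, 0) + b"\x00"
    msg = _smb2_header(flags=0x01) + body  # flag 0x01 = SERVER_TO_REDIR
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    import sys
    info = probe(sys.argv[1]) if len(sys.argv) > 1 else \
        parse_negotiate_response(sample_response())
    print(describe(info))
```

Run it with a target IP to probe port 445, or with no argument to parse the constructed reply. On port 139, the port the lecture scans, a NetBIOS Session Request has to be exchanged before this message is sent; the example keeps to 445 to stay short. The "signing required" flag is worth recording alongside the dialect: it decides whether SMB relay attacks covered later in a course like this are even possible against the host.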
