All language subtitles for 7. Researching Potential Vulnerabilities

Let's talk now about identifying and researching potential vulnerabilities. So we have our notes here, and all I've done is move them off of Notepad and into CherryTree, because CherryTree is a bit more visual and has a bigger font for us on video. And I made two notes: I made the main node here of "notes", and then I made a child node here of "vulnerabilities". So if we recall from our notes, we have 80 and 443, and we've identified some findings that we're gonna write up on a pen test report. And those findings are, you know, a default web page. The poor page was giving a little bit of information disclosure, and the server headers were disclosing some information as well.

On top of that, we've identified some information that we need for research. Now we've got 80 here, and on port 80 we've got this Apache, this mod_ssl, this OpenSSL that we could research. And when we ran our Nikto scan we identified something potentially juicy here, where mod_ssl 2.8.4 falls in line with this, which is 2.8.7 or lower, which we are... we are vulnerable to a remote buffer overflow which may allow a remote shell. Remote buffer overflow meaning that we don't have to be local, we can be remote, which we are, and we can gain access to a remote shell, meaning we can gain access to that machine. So that's good. That's really good.

The other one here we see is SMB, and we identified Samba version 2.2.1a. We also identified a Webalizer version 2.01, and we've identified OpenSSH 2.9p2. So for this video we're going to target the low-hanging fruit, and I put this in order of how I would attack it. Now again, I always think 80, 443 and 139, 445 are the juiciest. To me this Webalizer might be juicy; OpenSSH, probably not that juicy. So what we're gonna do is I'm going to go ahead and research 80, 443, and we'll research the SMB as well, and then I'll leave you to do a little digging on these just as practice, and we can see where we go.

So from here we're just going to go out and open up Firefox, and we'll go out to Google, and on Google we can pick and choose which one we want to research here. Now this mod_ssl 2.8.4 is probably the juiciest of the items, and we might want to start there. So let's just say something like "mod_ssl 2.8.4". You see the 2.8.7 exploit showing up, by the way. We'll just do "2.8.4 exploit" and we'll see what comes up now. Naughty words, naughty words. We'll just call it OpenLuck, OK. And you could see... don't cheat. Catch tricks is coming up as well, but we're gonna go ahead and open this Apache mod_ssl one, and then we're gonna also open this GitHub one, and I'll cheat a little bit and tell you why here in a minute.

So, Apache mod_ssl 2.8.7, less than 2.8.7. Scroll through here, and it just has the code for us. Now this is where you have a chance to come through and read the code. Now it looks like to me that they're just identifying... if you've never seen a buffer overflow, which you probably haven't, there will be one later in the course. It's identifying where it's going to have the architecture, right? So the architecture has its own identifier. So depending on which... it looks like this works for quite a bit of different architectures of Linux. Depending on which Linux you're running is this return address here. So that's all this is doing. And then there's going to be code down here, I'm guessing, for an overflow, where you see a bunch of A's, as you're going to see later in the course. This is the overflow. So you'll learn to read this over time. Again, like, you do not have to code this, you do not have to be... you know, you don't have to be a super good developer, but just understanding kind of what's going on and making sure that you know the code that you download is safe on your computer and it's good to go.

Now this is coming off Exploit Database, so you can... I wouldn't say assume, but you can trust it for the most part that this is safe code. You have the option here to download the exploit, and you actually have the option to download the vulnerable app as well, if you ever want to build out a machine and play on your own. So we have a little bit of information here that just says, hey, you know, this is less than 2.8.7 OpenSSL, and we've got a remote buffer overflow. There's nothing else here, but that's OK. That's, you know, this might be good for us. This is something that we need to note. So we can copy this, and I would put it here, and we could just say something like "80, 443 potentially vulnerable to", we'll call it OpenLuck, and then we'll just put it here. And we'll also... we should also save this OpenLuck, and I'll cheat a little bit and tell you guys why, is because this Open... the Exploit Database form, without saying bad words, is not going to allow us to work. It's not going to work. The exploit is a little dated, and that's why there is a GitHub one out there that actually does work. So we're going to utilize the GitHub one instead when we do get to the exploitation section. So a little bit of a hint, a little bit of foreshadowing: we are going to utilize this exploit.

So we could also go in and research. We could say "Apache httpd 1.3.20", copy that, and come to Google and just say, hey, I wonder if there's an exploit for that, and you would just search something like this, and you could see here Apache 1.3.20 is actually showing up in this vulnerability as well. So that's good. And then sometimes we see these websites like this, CVE Details. These are OK to look at; they're all right. Like, you come in here, and what you want to look for is the score. Immediately my eyes shift to the score. I don't care about anything else. If I see something that's red, I get excited, but we see no red here. So I don't think that necessarily this is vulnerable to a remote code execution. It's got a lot of denial of service, but I would want to see like a high score, which means a critical. That's what red is; red is critical. So we've got high, moderate and low here, but we don't have a critical one. So this doesn't look like it really probably has anything, but it is tied to this, which is another wheel-spinning indicator here that, hey, you know what, we probably got an exploit here with this thing here, something that we should try, and that OpenSSL is tied directly to this mod_ssl. We don't really have to research it.

Now let's move on to Samba here. Samba 2.2.1a. Let's copy this. Let's check for an exploit. So just as simple as doing this and saying "exploit", and we've got a few here. We've got this Samba 2.2.8 remote code execution. We've got Samba 2.2.x remote buffer overflow, and we've got one down here which I love to see. This is Rapid7. So let's go to Rapid7 first. Why do I like to see Rapid7? Well, Rapid7 makes Metasploit. So it looks like this exploit is called Samba trans2open, and let's read a little bit about the description. So it says this exploits the buffer overflow found in Samba versions 2.2.0a to 2.2.8. That meets our criteria. This particular module is capable of exploiting the flaw on x86 Linux systems. That's important to know. That do not have the noexec stack option set. Note: some older versions of Red Hat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC. So remember, we did get anonymous access to IPC earlier when we connected to it via our smbclient. We never got access to admin. We could never do anything in IPC; we tried to say "ls" and it said denied, but we still logged in. So we do have anonymous access to IPC. That's interesting. And we are potentially running against an x86 Linux system. So that's interesting as well. It looks like we're potentially meeting some of the requirements here.

Now here is where this is great. You scroll down here and you see module options, and look, this is Metasploit. It gives you the module options. It says, hey, "use exploit/linux/samba/trans2open", and then it tells you, hey, how to do this. And then you're good to go. That's really nice. I really like that. So I'm going to copy this one, and we'll just come to our notes and we'll say something like "139 potentially vulnerable to trans2open", and we'll just paste a link here, and we could come read these as well. So this is the trans2open overflow here. This looks like the manual version of the trans2open overflow; looks like it is a Perl script. And again it looks like an overflow. So you'll learn to read these and see what they look like just over time. But, you know, you just want to look at the code, make sure everything's good to go. You will need to run this with Perl. It gives you the options here: trans2root.pl, what option to select, what target type to select, your IP address and your target IP address. So we'll save this one as well, why not, and we'll take a look at the other one and just see what it is, and it looks like it could work for us. Remote root exploit for Samba 2.2.x that works against all the *nix distributions of Samba; that's in C. I think this is a possibility as well. So this is C code here. We're going to go ahead and just copy this, and we'll go ahead and add this to our list as well, and we'll figure it out. So all we're doing right now is the research, OK.

So from here I've showed you the Google way. Let's say for some reason you want to do this on the fly. You want to use another tool, or you're, you know, you're in a network and the network has no access; you have no Internet access out, you have no research capabilities. You can go to the terminal, and there's a great way to research this as well. So let's go back up to our notes and take a peek. Now let's take this Samba 2.2.1a, for example, and let's use a tool called searchsploit. Now searchsploit is going to search the Exploit Database. This whole database here that we're looking through, it's brought down onto your machine. Every time you update your machine and the database updates, it updates down to your machine, and all those exploits get downloaded for you already. But you could say "searchsploit", and maybe we search something like "samba 2.2.1a". Let's see what happens: no results. Well, OK. Why is that? Well, let's delete this. Now, you cannot be too specific with searchsploit. The more specific you are, the worse off you are, because searchsploit is searching the exact string that you are using.

Now you see that we search "samba", and it's searching for Samba in a 2... OK. Now we can start to see some things here. We see a Linux remote code execution right here, and we're going to have to look through these. Now it's not pretty, right? It's not the prettiest, but you see the trans2open does show up. Now it's not the easiest way. I do prefer Google. But if you're in a pinch, or you want to look at all the different possibilities and see, maybe, hey, is there a 2.2 in here... So like, look, Samba 2.2.0 to 2.2.8 OSX. That's not our operating system, but it's called trans2open, and we see that over and over and over again. So maybe the wheels spin again and it says, hey, trans2open, I think that that's potentially what we're looking for here. And then once we get down to the 3s we know, hey, we've gone too far; this is not our version, etc.

We could do the same thing with, let's say, the mod_ssl, and we can say something like "mod_ssl 2", by typing "searchsploit" in front of it, and do some searching there, and we can see, OK, there's denial of service, not it. 2.8.x potentially, right. And then mod_ssl 2.8.7. And another thing to look at over here: denial of service, denial of service, remote, remote. It's huge: remote means remote code execution. So learning to read these as well. Exploit: check. Unix: OK, we're running on Linux, check. Remote code execution: check. And Apache mod_ssl less than 2.8.7: check. So there's three different versions of this, and this is kind of why, when I said earlier that, you know, they don't really work. One's been broken, they've rebuilt it. I just like the one off GitHub. So we'll play around with that one in just a little bit.

But this is what you're doing. You're either going out to Google with the information that you find, or you're going to search for it. You're just doing research. So now we've identified a couple of potential vulnerabilities, and we can go from there. So what I encourage you to do is just do some research on this Webalizer, do some research on OpenSSH, see what you can find out, just for research's sake. Practice with searchsploit, practice with Google, and then meet me in the next video.

So what I want to do before we get into exploitation, I want to give you a quick sneak peek at what your notes should look like so far, so you can see what good note-keeping is, and this is in terms of an assessment. OK, just in terms of an assessment. And then from there we're going to practice with some other scanning tools, just to get you familiar with other things than using just Nmap. And then finally we'll move into our exploitation. So I will see you in the next video, and we'll look quickly at our notes.
