1
00:00:00,120 --> 00:00:05,340
Let's talk now about identifying and researching potential vulnerabilities.
2
00:00:05,460 --> 00:00:10,560
So we have our notes here, and all I've done is move them off of Notepad and into CherryTree because
3
00:00:10,560 --> 00:00:15,140
CherryTree is a bit more visual and has a bigger font for us on video.
4
00:00:15,270 --> 00:00:22,220
And I made two nodes: I made the main node here of notes, and then I made a child node here of vulnerabilities.
5
00:00:22,410 --> 00:00:30,060
So if we recall from our notes, we have 80 and 443, and we've identified some findings that we're gonna
6
00:00:30,090 --> 00:00:36,450
write up on a pen test report, and those findings are, you know, a default web page, or a poor page, was
7
00:00:36,450 --> 00:00:40,980
giving a little bit of information disclosure, and the server headers were disclosing some information
8
00:00:40,980 --> 00:00:41,910
as well.
9
00:00:42,270 --> 00:00:46,220
On top of that, we've identified some information that we need for research.
10
00:00:46,260 --> 00:00:53,010
Now we've got 80 here, and on port 80 we've got this Apache, this mod_ssl, and this OpenSSL that we could
11
00:00:53,010 --> 00:01:00,540
research, and when we ran our Nikto scan we identified something potentially juicy here where mod_ssl
12
00:01:00,570 --> 00:01:06,540
2.8.4 falls in line with this, which is 2.8.7 or lower, which we are,
13
00:01:06,570 --> 00:01:13,110
vulnerable to a remote buffer overflow which may allow a remote shell. Remote buffer overflow meaning
14
00:01:13,110 --> 00:01:20,850
that we don't have to be local, we can be remote, which we are, and we can gain access to a remote
15
00:01:20,850 --> 00:01:24,180
shell, meaning we can gain access to that machine.
16
00:01:24,180 --> 00:01:25,920
So that's good.
17
00:01:25,950 --> 00:01:27,390
That's really good.
18
00:01:27,390 --> 00:01:34,440
The other one here we see is SMB, and we identified Samba version 2.2.1a. We
19
00:01:34,440 --> 00:01:42,720
also identified Webalizer version 2.01, and we've identified OpenSSH 2.9p2, so for
20
00:01:42,720 --> 00:01:48,960
this video we're going to target the low-hanging fruit, and I put this in order of how I would attack
21
00:01:48,960 --> 00:01:49,500
it.
22
00:01:49,560 --> 00:01:56,970
Now again, I always think 80, 443 and 139, 445 are the juiciest. To
23
00:01:56,970 --> 00:02:04,520
me this Webalizer might be juicy, OpenSSH probably not that juicy, so what we're gonna do is I'm going to
24
00:02:04,520 --> 00:02:10,700
go ahead and research 80, 443, and we'll research the SMB as well, and then I'll leave you
25
00:02:10,700 --> 00:02:17,070
to do a little digging on these just as practice, and we can see where we go. So from here we're just
26
00:02:17,070 --> 00:02:28,080
going to go out and open up Firefox, and we'll go out to Google, and on Google we can pick and choose
27
00:02:28,080 --> 00:02:29,850
which one we want to research here.
28
00:02:29,850 --> 00:02:36,810
Now this mod_ssl 2.8.4 is probably the juiciest of the items, and we might want to start
29
00:02:36,810 --> 00:02:37,170
there.
30
00:02:37,170 --> 00:02:44,760
So let's just say something like mod_ssl 2.8.4. You see the 2.8.7
31
00:02:44,760 --> 00:02:46,370
exploit showing up by the way.
32
00:02:46,700 --> 00:02:54,030
We'll just do 2.8.4 exploit and we'll see what comes up now.
33
00:02:54,030 --> 00:02:56,140
Naughty words, naughty words.
34
00:02:56,250 --> 00:02:58,480
We'll just call it OpenLuck, OK.
35
00:02:58,650 --> 00:02:59,420
And you could see.
36
00:02:59,460 --> 00:03:00,090
Don't cheat.
37
00:03:00,100 --> 00:03:07,250
Kioptrix is coming up as well, but we're gonna go ahead and open this Apache mod_ssl one, and
38
00:03:07,250 --> 00:03:12,460
then we're gonna also open this GitHub one, and I'll cheat a little bit and tell you why
39
00:03:12,460 --> 00:03:18,200
here in a minute. So, Apache mod_ssl 2.8.7.
40
00:03:18,240 --> 00:03:20,130
Less than 2.8.7.
41
00:03:20,310 --> 00:03:24,800
Scroll through here and it just has the code for us.
42
00:03:24,930 --> 00:03:29,010
Now this is where you have a chance to come through and read the code.
43
00:03:29,010 --> 00:03:33,870
Now it looks to me like they're just identifying... if you've never seen a buffer overflow, which you
44
00:03:33,870 --> 00:03:34,860
probably haven't.
45
00:03:34,860 --> 00:03:42,030
There will be one later in the course. It's identifying where it's going to have the architecture, right.
46
00:03:42,030 --> 00:03:44,600
So the architecture has its own identifier.
47
00:03:44,910 --> 00:03:51,230
So depending on which... it looks like this works for quite a few different architectures of Linux; depending on
48
00:03:51,250 --> 00:03:55,380
which Linux you're running is this return address here.
49
00:03:55,380 --> 00:03:57,240
So that's all this is doing.
50
00:03:57,240 --> 00:04:02,250
And then there's going to be code down here, I'm guessing, for an overflow, where you see a bunch of A's,
51
00:04:02,310 --> 00:04:04,160
as you're going to see later in the course.
52
00:04:04,170 --> 00:04:05,250
This is this overflow.
53
00:04:05,280 --> 00:04:11,100
So you'll learn to read this over time. Again, like, you do not have to code this, you do not have to be,
54
00:04:12,460 --> 00:04:16,650
you know, you don't have to be a super good developer, but just understanding kind of what's going on and
55
00:04:16,650 --> 00:04:22,300
making sure that, you know, the code that you download is safe on your computer and it's good to go.
56
00:04:22,300 --> 00:04:25,820
Now this is coming off Exploit Database, so you can,
57
00:04:25,890 --> 00:04:30,480
I wouldn't say assume, but you can trust it for the most part that this is safe code.
58
00:04:30,600 --> 00:04:34,890
You have the option here to download the exploit, and you actually have the option to download the vulnerable
59
00:04:34,890 --> 00:04:38,870
app as well if you ever want to build out a machine and play on your own.
60
00:04:38,880 --> 00:04:46,350
So we have a little bit of information here that just says, hey, you know, this is less than 2.8.7
61
00:04:46,350 --> 00:04:51,070
OpenSSL, and we've got a remote buffer overflow.
62
00:04:51,600 --> 00:04:53,030
There's nothing else here.
63
00:04:53,400 --> 00:04:54,180
But that's OK.
64
00:04:54,180 --> 00:04:56,940
That's, you know, this might be good for us.
65
00:04:56,940 --> 00:04:58,930
This is something that we need to note.
66
00:04:59,280 --> 00:05:06,020
So we can copy this, and I would put it here, and we could just say something like 80, 443
67
00:05:07,530 --> 00:05:16,980
potentially vulnerable to, we'll call it, OpenLuck, and then we'll just put it here, and we'll also, we
68
00:05:16,980 --> 00:05:26,820
should also save this OpenLuck, and I'll cheat a little bit and tell you guys why. It's because this Open...
69
00:05:27,210 --> 00:05:34,370
the Exploit Database form, without saying bad words, is not going to work for us.
70
00:05:34,380 --> 00:05:35,700
It's not going to work.
71
00:05:35,950 --> 00:05:42,330
The exploit is a little dated, and that's why there is a GitHub one out there that actually does
72
00:05:42,330 --> 00:05:42,600
work.
73
00:05:42,600 --> 00:05:47,600
So we're going to utilize the GitHub one instead when we do get to the exploitation section.
74
00:05:47,610 --> 00:05:53,210
So, a little bit of a hint, a little bit of foreshadowing: we are going to utilize this exploit.
75
00:05:53,400 --> 00:05:59,610
So we could also go in and research; we could say Apache httpd 1.3.20.
76
00:05:59,610 --> 00:06:06,060
Copy that and come to Google and just say, hey, I wonder if there's an exploit for that, and you would
77
00:06:06,060 --> 00:06:11,370
just search something like this, and you could see here Apache 1.3.20 is actually
78
00:06:11,370 --> 00:06:13,650
showing up in this vulnerability as well.
79
00:06:14,070 --> 00:06:15,420
So that's good.
80
00:06:15,420 --> 00:06:21,280
And then sometimes we see these websites like this, CVE Details; these are OK to look at, they're
81
00:06:21,440 --> 00:06:22,310
all right.
82
00:06:22,320 --> 00:06:24,800
Like you come in here and what you want to look for is the score.
83
00:06:24,820 --> 00:06:26,540
Immediately my eyes shift to the score.
84
00:06:26,550 --> 00:06:28,090
I don't care about anything else.
85
00:06:28,290 --> 00:06:33,290
If I see something that's red I get excited, but we see no red here.
86
00:06:33,300 --> 00:06:38,970
So I don't think that necessarily this is vulnerable to a remote code execution.
87
00:06:38,970 --> 00:06:44,160
It's got a lot of denial of service, but I would want to see, like, a high score, which means a critical.
88
00:06:44,160 --> 00:06:45,690
That's what red is; red is critical.
89
00:06:45,690 --> 00:06:51,340
So we've got high moderate and low here but we don't have a critical one.
90
00:06:51,390 --> 00:06:57,180
So this doesn't look like it really probably has anything, but it is tied to this, which is another wheel-
91
00:06:57,180 --> 00:06:59,990
spinning indicator here that, hey, you know what,
92
00:07:00,000 --> 00:07:04,860
we probably got an exploit here with this thing earlier, something that we should try, and that OpenSSL
93
00:07:04,860 --> 00:07:06,850
is tied directly to this mod_ssl.
94
00:07:06,840 --> 00:07:11,480
We don't really have to research it. Now let's move on to Samba here.
95
00:07:11,540 --> 00:07:12,210
Samba.
96
00:07:12,380 --> 00:07:15,890
2.2.1a. Let's copy this.
97
00:07:15,920 --> 00:07:17,280
Let's check for an exploit.
98
00:07:17,780 --> 00:07:27,220
So it's just as simple as doing this and saying exploit, and we've got a few here. We've got this Samba
99
00:07:27,220 --> 00:07:30,530
2.2.8 remote code execution.
100
00:07:30,640 --> 00:07:37,420
We've got Samba 2.2.x remote buffer overflow, and we've got one down here which I love
101
00:07:37,420 --> 00:07:37,870
to see.
102
00:07:37,870 --> 00:07:39,650
This is Rapid7.
103
00:07:39,660 --> 00:07:44,720
So let's go to Rapid7 first. Why do I like to see Rapid7?
104
00:07:44,730 --> 00:07:52,680
Well, Rapid7 makes Metasploit. So it looks like this exploit is called Samba trans2open, and let's
105
00:07:52,680 --> 00:07:54,140
read a little bit about the description.
106
00:07:54,150 --> 00:07:59,850
So it says this exploits the buffer overflow found in Samba versions 2.2.0 to
107
00:07:59,850 --> 00:08:02,240
2.2.8. That meets our criteria.
108
00:08:02,250 --> 00:08:05,760
This particular module is capable of exploiting the flaw on x86 Linux systems.
109
00:08:05,760 --> 00:08:13,170
That's important to know. That do not have the noexec stack option set. Note: some older versions
110
00:08:13,170 --> 00:08:18,850
of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC.
111
00:08:18,910 --> 00:08:26,350
So remember, we did get anonymous access to IPC earlier when we connected to it via our smbclient.
112
00:08:26,350 --> 00:08:27,780
We never got access to ADMIN$.
113
00:08:27,790 --> 00:08:33,370
We could never do anything in IPC; we tried to say ls and it said denied, but we still logged in.
114
00:08:33,880 --> 00:08:36,040
So we do have anonymous access to IPC.
115
00:08:36,070 --> 00:08:37,450
That's interesting.
116
00:08:37,450 --> 00:08:40,900
And we are potentially running against an x86 Linux system.
117
00:08:40,900 --> 00:08:42,590
So that's interesting as well.
118
00:08:42,700 --> 00:08:46,690
It looks like we're potentially meeting some of the requirements here.
119
00:08:46,690 --> 00:08:48,540
Now here is where this is great.
120
00:08:48,550 --> 00:08:53,020
You scroll down here and you see module options, and look, this is Metasploit.
121
00:08:53,080 --> 00:08:54,650
It gives you the module options.
122
00:08:54,650 --> 00:09:01,270
It says, hey, use exploit/linux/samba/trans2open, and then it tells you, hey, how to do this.
123
00:09:01,480 --> 00:09:02,970
And then you're good to go.
124
00:09:03,100 --> 00:09:03,970
That's really nice.
125
00:09:03,970 --> 00:09:05,190
I really like that.
126
00:09:05,320 --> 00:09:12,340
So I'm going to copy this one, and we'll just come to our notes and we'll say something like 139
127
00:09:12,370 --> 00:09:23,270
potentially vulnerable to trans2open, and we'll just paste a link here, and we could come read
128
00:09:23,270 --> 00:09:25,080
these as well.
129
00:09:25,100 --> 00:09:27,850
So this is the trans2open overflow here.
130
00:09:27,860 --> 00:09:34,280
This looks like the manual version of the trans2open overflow; looks like it is a Perl script.
131
00:09:34,430 --> 00:09:37,330
And again it looks like an overflow.
132
00:09:37,760 --> 00:09:41,900
So you'll learn to read these and see what they look like just over time.
133
00:09:41,900 --> 00:09:45,800
But, you know, you just want to look at the code, make sure everything's good to go.
134
00:09:45,800 --> 00:09:47,240
You will need to run this with Perl.
135
00:09:47,240 --> 00:09:48,410
It gives you the options here.
136
00:09:48,410 --> 00:09:55,370
trans2root.pl, what option to select, what target type to select, your IP address and your target
137
00:09:55,400 --> 00:09:56,630
IP address.
138
00:09:56,630 --> 00:09:58,520
So we'll save this one as well, why not,
139
00:10:02,990 --> 00:10:06,080
and we'll take a look at the other one and just see what it is
140
00:10:10,670 --> 00:10:15,640
and it looks like it could work for us.
141
00:10:15,630 --> 00:10:23,770
Remote root exploit for Samba 2.2.x that works against all the *nix distributions. Samba,
142
00:10:23,850 --> 00:10:25,180
that's C.
143
00:10:25,440 --> 00:10:27,560
I think this is a possibility as well.
144
00:10:27,990 --> 00:10:30,960
So this is C code here.
145
00:10:31,050 --> 00:10:37,110
We're going to go ahead and just copy this, and we'll go ahead and add this to our list as well, and we'll
146
00:10:37,110 --> 00:10:37,680
figure it out.
147
00:10:38,620 --> 00:10:42,940
So all we're doing right now is the research, OK.
148
00:10:43,070 --> 00:10:45,790
So from here, I've shown you the Google way.
149
00:10:46,280 --> 00:10:49,090
Let's say for some reason you want to do this on the fly.
150
00:10:49,100 --> 00:10:55,910
You want to use another tool, or you're, you know, you're in a network and the network has no access, you
151
00:10:55,910 --> 00:11:02,410
have no Internet access out, you have no research capabilities: you can go to the terminal and there's
152
00:11:02,420 --> 00:11:04,130
a great way to research this as well.
153
00:11:05,160 --> 00:11:07,850
So let's go back up to our notes and take a peek.
154
00:11:07,860 --> 00:11:15,350
Now let's take this unique Samba 2.2.1a, for example, and let's do a tool called searchsploit.
155
00:11:15,360 --> 00:11:19,700
Now searchsploit is going to search the Exploit Database.
156
00:11:19,710 --> 00:11:25,080
This whole database here that we're looking through is brought down onto your machine every time you
157
00:11:25,080 --> 00:11:29,940
update your machine; when the database updates, it updates down to your machine, and all those exploits get
158
00:11:29,940 --> 00:11:36,140
downloaded for you already. But you could say searchsploit, and maybe we search something like Samba
159
00:11:36,180 --> 00:11:40,750
2.2.1a. Let's see what happens. No results.
160
00:11:40,750 --> 00:11:42,670
Well OK.
161
00:11:43,120 --> 00:11:43,990
Why is that?
162
00:11:43,990 --> 00:11:46,070
Well, let's delete this now.
163
00:11:47,140 --> 00:11:51,710
You cannot be too specific with searchsploit.
164
00:11:51,850 --> 00:11:58,180
The more specific you are, the worse off you are, because searchsploit is searching the exact string that
165
00:11:58,180 --> 00:11:58,980
you are using.
166
00:11:59,890 --> 00:12:05,260
Now you see that we search Samba, and it's searching for Samba and a 2.
167
00:12:05,260 --> 00:12:05,620
OK.
168
00:12:05,620 --> 00:12:08,320
Now we can start to see some things here.
169
00:12:08,320 --> 00:12:12,370
We see a Linux remote code execution right here, and we're going to have to look through these.
170
00:12:12,370 --> 00:12:13,950
Now it's not pretty.
171
00:12:14,020 --> 00:12:14,380
Right.
172
00:12:14,380 --> 00:12:18,240
It's not the prettiest, but you see the trans2open does show up.
173
00:12:18,340 --> 00:12:19,720
Now it's not the easiest way.
174
00:12:19,720 --> 00:12:21,090
I do prefer Google.
175
00:12:21,190 --> 00:12:26,380
But if you're in a pinch, or you want to look at all the different possibilities and see, maybe, hey, is
176
00:12:26,380 --> 00:12:28,300
there a 2.2 in here?
177
00:12:28,300 --> 00:12:33,870
So, like, look: Samba 2.2.0 to 2.2.8 OSX.
178
00:12:33,880 --> 00:12:39,550
That's not our operating system, but it's called trans2open, and we see that over and over and over
179
00:12:39,550 --> 00:12:39,850
again.
180
00:12:39,850 --> 00:12:43,500
So maybe the wheels spin again and it says, hey, trans2open.
181
00:12:43,510 --> 00:12:46,800
I think that that's potentially what we're looking for here.
182
00:12:46,840 --> 00:12:52,630
And then once we get down to the 3s we know, hey, we've gone too far, this is not our version, etc. We could
183
00:12:52,630 --> 00:13:01,270
do the same thing with, let's say, the mod_ssl, and we can say something like mod_ssl 2, but type searchsploit
184
00:13:01,270 --> 00:13:07,090
in front of it and do some searching there, and we can see, OK.
185
00:13:07,090 --> 00:13:09,850
There's denial of service, not it.
186
00:13:09,910 --> 00:13:12,370
2.8.x potentially.
187
00:13:12,430 --> 00:13:12,940
Right.
188
00:13:12,970 --> 00:13:14,290
And then mod_ssl
189
00:13:14,290 --> 00:13:16,110
2.8.7.
190
00:13:16,150 --> 00:13:18,650
And another thing to look at over here.
191
00:13:18,820 --> 00:13:24,820
Denial of service, denial of service, remote, remote. It's huge: remote means remote code execution.
192
00:13:24,910 --> 00:13:29,770
So learning to read these as well: exploit, check; Unix,
193
00:13:29,770 --> 00:13:30,000
OK.
194
00:13:30,010 --> 00:13:30,900
We're running on Linux.
195
00:13:30,910 --> 00:13:31,760
Check.
196
00:13:32,020 --> 00:13:36,830
Remote code execution, check, and Apache mod_ssl
197
00:13:36,850 --> 00:13:39,800
less than 2.8.7, check.
198
00:13:39,940 --> 00:13:44,370
So there are three different versions of this, and this is kind of why, when I said earlier that, you know,
199
00:13:44,410 --> 00:13:46,150
they don't really work.
200
00:13:46,180 --> 00:13:47,050
One's been broken.
201
00:13:47,050 --> 00:13:47,920
They've rebuilt it.
202
00:13:48,040 --> 00:13:49,460
I just like the one off GitHub.
203
00:13:49,480 --> 00:13:52,140
So we'll play around with that one in just a little bit.
204
00:13:52,390 --> 00:13:53,910
But this is what you're doing.
205
00:13:53,920 --> 00:13:58,010
You're either going out to Google with the information that you find or you're going to search for it.
206
00:13:58,150 --> 00:13:59,680
You're just doing research.
207
00:13:59,680 --> 00:14:04,120
So now we've identified a couple of potential vulnerabilities and we can go from there.
208
00:14:04,120 --> 00:14:10,430
So what I encourage you to do is just do some research on this Webalizer, do some research on OpenSSH,
209
00:14:10,440 --> 00:14:16,870
see what you can find out just for research's sake, practice with searchsploit, practice with Google, and
210
00:14:16,870 --> 00:14:19,060
then meet me in the next video.
211
00:14:19,060 --> 00:14:24,790
So what I want to do before we get into exploitation is I want to give you a quick sneak peek at what your
212
00:14:24,790 --> 00:14:26,430
notes should look like so far.
213
00:14:26,440 --> 00:14:31,180
So you can see what good note keeping is, and this is in terms of an assessment.
214
00:14:31,210 --> 00:14:31,930
OK.
215
00:14:32,020 --> 00:14:36,670
Just in terms of an assessment, and then from there we're going to practice with some other scanning
216
00:14:36,670 --> 00:14:41,430
tools, just to get you familiar with other things than using just Nmap.
217
00:14:41,470 --> 00:14:44,410
And then finally we'll move into our exploitation.
218
00:14:44,500 --> 00:14:48,130
So I will see you in the next video, and we'll look quickly at our notes.