1
00:00:00,000 --> 00:00:03,486
2
00:00:03,486 --> 00:00:06,474
[MUSIC LOGO]
3
00:00:06,474 --> 00:00:09,960
4
00:00:09,960 --> 00:00:11,790
We're going to jump
into our next protocol.
5
00:00:11,790 --> 00:00:15,990
It's FTP, which stands for
File Transfer Protocol.
6
00:00:15,990 --> 00:00:19,110
And like you would
expect, it's used
7
00:00:19,110 --> 00:00:22,710
for storing files on
a server and being
8
00:00:22,710 --> 00:00:25,030
able to access them remotely.
9
00:00:25,030 --> 00:00:27,465
So let's take a look at
what that actually means.
10
00:00:27,465 --> 00:00:31,996
11
00:00:31,996 --> 00:00:34,210
We've got our machine.
12
00:00:34,210 --> 00:00:35,950
Check our IP address.
13
00:00:35,950 --> 00:00:40,450
We are 192.213.157.2.
14
00:00:40,450 --> 00:00:52,630
So let's ping
192.213.157.3, and it's up.
15
00:00:52,630 --> 00:00:53,830
Let's run Nmap scan.
16
00:00:53,830 --> 00:00:59,780
17
00:00:59,780 --> 00:01:01,430
And we get back port 21.
18
00:01:01,430 --> 00:01:04,910
And it says service is FTP.
19
00:01:04,910 --> 00:01:10,070
So let's hone in and do
an operating system scan
20
00:01:10,070 --> 00:01:19,040
and a services scan on port 21.
21
00:01:19,040 --> 00:01:21,305
Port 21 is the default FTP port.
22
00:01:21,305 --> 00:01:24,020
23
00:01:24,020 --> 00:01:27,540
You could configure
it to be anywhere.
24
00:01:27,540 --> 00:01:30,240
You can only keep
it where it's at.
25
00:01:30,240 --> 00:01:37,400
It's running ProFTPD 1.3.5.
26
00:01:37,400 --> 00:01:42,140
And it was able to fingerprint
and say that it's Linux.
27
00:01:42,140 --> 00:01:46,180
2.6 is its best guess.
28
00:01:46,180 --> 00:01:46,960
And that's fine.
29
00:01:46,960 --> 00:01:48,490
We can live with that.
30
00:01:48,490 --> 00:01:49,990
It's probably some
version of Linux.
31
00:01:49,990 --> 00:01:53,710
32
00:01:53,710 --> 00:01:56,480
So from there, we
could try some things.
33
00:01:56,480 --> 00:02:03,500
If we do ftp, which
will just run the host
34
00:02:03,500 --> 00:02:08,400
software on our
computer to reach out,
35
00:02:08,400 --> 00:02:10,220
we can put in the server.
36
00:02:10,220 --> 00:02:13,940
And it asks for a name.
37
00:02:13,940 --> 00:02:15,500
We can go with nothing.
38
00:02:15,500 --> 00:02:17,660
Try anonymous.
39
00:02:17,660 --> 00:02:21,050
And nothing for the password.
40
00:02:21,050 --> 00:02:23,463
Said login failed.
41
00:02:23,463 --> 00:02:24,380
So we'll just say bye.
42
00:02:24,380 --> 00:02:26,930
43
00:02:26,930 --> 00:02:32,990
Let's try to figure
out what some usernames
44
00:02:32,990 --> 00:02:34,190
and passwords would be.
45
00:02:34,190 --> 00:02:36,860
We're going to use Hydra.
46
00:02:36,860 --> 00:02:41,782
Hydra is a brute forcing
program that we have
47
00:02:41,782 --> 00:02:43,005
or that we can get.
48
00:02:43,005 --> 00:02:45,710
49
00:02:45,710 --> 00:02:49,200
So with Hydra, you do
tack-L for your logins,
50
00:02:49,200 --> 00:02:51,450
uppercase if you
want to do a list,
51
00:02:51,450 --> 00:02:54,356
and we do
52
00:02:54,356 --> 00:02:57,108
/usr/share/metasploit-framework/data/wordlists/common_users.txt.
53
00:02:57,108 --> 00:03:08,770
54
00:03:08,770 --> 00:03:11,200
You'll get familiar
with all your wordlists.
55
00:03:11,200 --> 00:03:12,670
They're all in /usr/share.
56
00:03:12,670 --> 00:03:19,480
57
00:03:19,480 --> 00:03:22,930
Tab completion is
also your friend.
58
00:03:22,930 --> 00:03:26,030
If you hit Tab twice, it'll
show you more information.
59
00:03:26,030 --> 00:03:35,330
So like, I want data/wordlists
and then unix_passwords.
60
00:03:35,330 --> 00:03:39,980
And then, we tell it the IP
address that we're attacking
61
00:03:39,980 --> 00:03:41,690
and the service, ftp.
62
00:03:41,690 --> 00:03:44,090
That's it.
63
00:03:44,090 --> 00:03:47,540
Hydra capital L, the
login wordlist, capital P,
64
00:03:47,540 --> 00:03:51,530
the password wordlist,
our IP and ftp.
65
00:03:51,530 --> 00:03:54,140
Then we'll let it go.
66
00:03:54,140 --> 00:03:57,035
And that went pretty fast.
67
00:03:57,035 --> 00:04:01,430
68
00:04:01,430 --> 00:04:05,540
The login sysadmin has
a password of 654321.
69
00:04:05,540 --> 00:04:08,480
And what it's doing is,
it's trying a username
70
00:04:08,480 --> 00:04:11,315
and then it tries passwords.
71
00:04:11,315 --> 00:04:13,190
It tries all the passwords
for that username.
72
00:04:13,190 --> 00:04:14,880
And then it'll try
the next username.
73
00:04:14,880 --> 00:04:16,130
It'll try all those passwords.
74
00:04:16,130 --> 00:04:19,890
So it worked.
75
00:04:19,890 --> 00:04:20,990
We got quite a list.
76
00:04:20,990 --> 00:04:26,270
We would want to write all
these down and save them
77
00:04:26,270 --> 00:04:28,940
because now what
we can do is ftpd.
78
00:04:28,940 --> 00:04:31,850
Let's just hit up a few times.
79
00:04:31,850 --> 00:04:38,720
80
00:04:38,720 --> 00:04:49,775
Sysadmin and 654321.
81
00:04:49,775 --> 00:04:51,150
And it says that
we're logged in.
82
00:04:51,150 --> 00:04:54,390
We can do an ls.
83
00:04:54,390 --> 00:04:57,660
You can run help if you want
to know all the commands.
84
00:04:57,660 --> 00:05:01,380
But ls shows you the list,
and there's secret.txt.
85
00:05:01,380 --> 00:05:12,820
So we can get secret.txt
and it says it sent it.
86
00:05:12,820 --> 00:05:15,440
87
00:05:15,440 --> 00:05:17,140
So then, we can say goodbye.
88
00:05:17,140 --> 00:05:20,440
89
00:05:20,440 --> 00:05:24,820
We'll look at ours,
and we have secret.txt.
90
00:05:24,820 --> 00:05:27,830
91
00:05:27,830 --> 00:05:30,590
And it's that code right there.
92
00:05:30,590 --> 00:05:40,400
Another way we can go about this
is using an Nmap brute forcer.
93
00:05:40,400 --> 00:05:48,320
So what we'll do is, we
know sysadmin was in there.
94
00:05:48,320 --> 00:05:51,290
95
00:05:51,290 --> 00:06:01,280
Let's put it in this little
single wordlist called users.
96
00:06:01,280 --> 00:06:02,550
I cat it out, and it's there.
97
00:06:02,550 --> 00:06:04,490
OK.
98
00:06:04,490 --> 00:06:05,930
Let's go back to our Nmap scan.
99
00:06:05,930 --> 00:06:11,190
100
00:06:11,190 --> 00:06:14,835
And what we can do is script.
101
00:06:14,835 --> 00:06:17,900
102
00:06:17,900 --> 00:06:31,250
We'll do the ftp-brute with
--script-args userdb=
103
00:06:31,250 --> 00:06:32,135
/root/users.
104
00:06:32,135 --> 00:06:34,970
105
00:06:34,970 --> 00:06:40,730
We'll do port 21
on that machine.
106
00:06:40,730 --> 00:06:45,500
And let's see what the
Nmap FTP brute forcer
107
00:06:45,500 --> 00:06:51,020
script returns for us using
that username of sysadmin.
108
00:06:51,020 --> 00:07:00,360
109
00:07:00,360 --> 00:07:11,360
And it came back that sysadmin
654321 were valid credentials.
110
00:07:11,360 --> 00:07:14,540
Fairly straightforward.
111
00:07:14,540 --> 00:07:18,920
So it utilizes a
username and password.
112
00:07:18,920 --> 00:07:21,390
And then, you can get files.
113
00:07:21,390 --> 00:07:23,000
Depending on how
it's configured,
114
00:07:23,000 --> 00:07:27,180
there might be anonymous login,
which we'll look at next.
115
00:07:27,180 --> 00:07:32,460
But that's FTP in a nutshell
and how we can use it.
116
00:07:32,460 --> 00:07:34,520
Could we put files there?
117
00:07:34,520 --> 00:07:40,490
Could we find useful files that
were just not stored securely?
118
00:07:40,490 --> 00:07:43,370
And that may or may not
be the pen test itself.
119
00:07:43,370 --> 00:07:44,330
It's really not.
120
00:07:44,330 --> 00:07:47,780
Usually, that's going to be
a foothold or enumeration
121
00:07:47,780 --> 00:07:50,733
to then gain full access.
122
00:07:50,733 --> 00:07:51,900
Because that's what we want.
123
00:07:51,900 --> 00:07:53,480
We want full access.
124
00:07:53,480 --> 00:07:55,550
And if you're thinking
like a defender,
125
00:07:55,550 --> 00:07:57,050
then you want to block all that.
126
00:07:57,050 --> 00:07:59,460
You want to lock
this stuff down.
127
00:07:59,460 --> 00:08:02,320
So let's move on.