All language subtitles for 1. MySQL

[00:00:10] We're going to start looking at a database, in this case a SQL or SQL database. One of the most common open versions of the SQL database is MySQL. It usually runs on Ubuntu or some version of Linux, or rather Unix, and it allows many users to store information in the database. It can be pulled and used in many different operations, and it's very common to find on an enterprise network. It's also very often misconfigured and very vulnerable. So we're going to look at what that would normally look like when you come across a SQL server and how you would enumerate or gather information from it.

[00:01:11] So in our console, we'll look at our IP address. We'll take that same IP address and use the .3 of the subnet. And we see that we've got 3306, which usually ties to the MySQL service. We'll run a service scan on 3306, and it should go quite a bit quicker. But it does confirm it is MySQL 5.5.62 running on Ubuntu.

[00:01:57] Now we can try a few different things. The first being we'll run a MySQL command using the -h for the host, our IP address, and then -u for the username. And we'll go with root. Since it's running on Ubuntu, root tends to be the default admin. Let's see if we're able to log in. And it looks like it did take correctly and we were able to log in.

[00:02:32] With that, we can now look at the databases with a show databases. It requires a semicolon at the end. Otherwise, it just gives you a new line. So we have 11 rows in the set, so those are 11 databases. If we wanted to script it, we could dig into that. But now let's look at some information in one of these databases. Let's use books, include that semicolon at the end, and now we're looking in the books table for the database. And let's now dig into authors. So if we select count from all things from authors, it should give us a count of all the options. So there's 10 in there. If you're curious what that looks like, we just wanted to see everything from the database. Select star, for wildcard, from authors.

[00:04:15] And now inside of the books database, there's authors and there's all this information that goes with those authors. These are all just different tables in the database. What they're used for may or may not matter. In this case, it looks like it is. For something nondescript, there's books. There's videos. There's a store. There's secrets and vendors.

[00:04:51] But mostly, we're trying to enumerate this thing. So, generally, you log in with MySQL. You use a database, and then you can select items from that database. And if you ever need help, you just type "help" and you get a whole list of what is in here, what options you have.

[00:05:21] Now, if you're not familiar with SQL, S-Q-L, then it might be more useful to use some tools that we are more comfortable with, and leave the syntax up to those who created the tools. Our good friend Metasploit: we're going to use an auxiliary scanner, very common with enumeration. And let's look at writable directories.

[00:05:57] So the options: we'll pick a dir_list, and we use this one right out of Metasploit, Metasploit data, wordlists, and directory. And I use tab completion whenever possible. It prevents typos, especially if you hit Tab and it goes all the way to the end, and you know you're good. We'll setg rhosts because we're going to keep using this. And setg sets it as a global variable for this whole Metasploit session. Also verbose to false because it's going to tell us a lot of information, and this will just make life a little easier for us. If you're curious where verbose is, since it's not showing up here, it's in the advanced options. And verbose gives you detailed status messages. It's going to run a brute force of all the directories, testing things to see if they're writable. And if we have verbosity on verbose, then we're going to get flooded with messages. Let's set the password to a null password. Double check that we have all the required items, yes, yes, yes, and we'll run.

[00:07:45] It gave us quite a list; went too far. For a lot of your enumeration, if you are able to output to a file, and then look at that file, that can be quite useful. So it checked some common places, came up with tmp is writable and root is writable. There's some error codes in here, but it looks like tmp and root are the only writable directories. And that's on the system utilizing SQL. So it's kind of crazy that we get access to things that aren't necessarily about the database, through the database.

[00:08:55] Another scanner that we can use is hashdump. So use auxiliary/scanner/mysql and hashdump. If we run options, rhosts is already set because it was set as a global variable. So we changed our module from this writable dirs to hashdump. It kept it. We'll set username to be root since we already saw that was vulnerable, and we'll set the password to be a null password. And even though in options it shows that it's empty, passing that empty value actually did give it something, ironically. Delete. Type exploit. And we get a whole bunch of hashes for different users. Add that to our list of things enumerated. It can be quite useful later.

[00:10:19] And now leave Metasploit, and jump back into mysql. So mysql -h our IP and the user as root. And what we'll do is select, and then we'll load file, and see if we have access to files on the system. And we did that enumeration before, so we should have some access. And we do. We get the full etc shadow file. Not in the prettiest output, but we can see what users and services currently exist on the system. We could use that to pull other files as well, especially if we have root access. But currently we're just enumerating and seeing what we do have the ability to find.

[00:11:49] We'll return to our good friend nmap. In this case, we'll run a script. It will be the mysql empty password, just to see if there are any other accounts that can log in with an empty password. And it remains to be just root. If we had run this first, once we saw that we had mysql run with the empty password, we would have gotten that root. We would have gotten the empty password, and that's how we were able to do all the other scans we've done so far.

[00:12:32] We want more information on the database. We can run the mysql info command. And this, again, gets us our version number. We can see that we've got this interactive client, which is going to allow us access to the system through mysql, which is never good. That's something that they would want to fix in the configuration, but they left it for us.

[00:13:12] Another thing we can look at is users. And for this, we need to pass some arguments. We will pass it a user of root and the password of null. I see we do have root; also got udadmin, sysadmin, ultra. And there is a guest account on there. And we want to add all of these to our list.

[00:14:09] Another great command if you didn't want to try logging in or weren't sure if you could log in: the databases with that same root and null password. And we get those same databases that we found at the beginning.

[00:14:44] For more access, we can also look at mysql variables. Since it's a database, knowing how to interact with it can be quite useful. What's most useful is the data directory. Where has all this been stored? Where are all the variables being stored? [INAUDIBLE] This datadir, data directory, /var/lib/mysql, that has its potential uses.

[00:15:55] After variables, let's run the mysql audit again with a null password, but also with an audit filename. So instead of mysql user, we want mysql audit dot user. A lot of these scripts, you have to go into the script on your file to see what they want for arguments, which initially can be a lot of work. But as you get a lot of this down and you create your own tool list, you'll just put all these commands into a file. And when you come across MySQL, or "Mis-QL," database, you can just grab the commands you want. Pop them in, and you already have it mostly built out for you. You can just change the things that you find. For example, maybe it's not root. Maybe it's another user. So you run that initial nmap scan for any empty passwords, and then you can use that to do the rest of your enumeration. So all the rest of these scripts, you would just change that little part.

[00:17:58] The nselib is where a lot of this is kept. This one is quite a script, so double check that I wrote it right, mysql audit. No tab completion here; there it is, and my variable name. And I feel bad showing you this, but it's normal to have typos and to mess things up every once in a while.

[00:19:14] And we go through this whole audit. Something's passed. Something's failed. As a developer, this would be a useful thing to run on your own system to see what shows up, if you've configured things correctly. And it does not grant privileges to non-admin users, so it passed the audit. So it would have to be an admin user to get privileges.

[00:20:06] I'll reuse this, variables. That's here from earlier. Replace variables with dump-hashes. We used the Metasploit dump-hashes earlier. Change by variables again. Username is root. And password is empty. Then we get the hashes for all of those.

[00:20:50] We can also use nmap to run a query. When we logged into the database earlier, what we did is we ran a query. So this query is going to be what we actually want to ask it. We'll replace that. So we'll do that select count of all the things, all the rows, really, from books.authors with a semicolon and a single quote. Now we use the username of root and password of empty. And we see that there are 10 items, 10 rows in the database.

[00:21:51] That's some basic enumeration from MySQL. It was a bit... it was a lot. Knowing these commands, having them written down somewhere, can be quite helpful because later when you come across something, then you'll want to use your toolset, your cheat sheet. Creating your own cheat sheet is helpful because it's what you're comfortable running. It's what you get used to. And if something changes, then you can adapt to that. Knowing what tools are out there gives you the option. If your tools aren't working, you can try something else. But when we're pen testing, when you're auditing your own system, or thinking like the attacker, if they're trying to find ways in, they're trying to enumerate your system, this is how you would go about it.

[00:22:42] MySQL or just SQL databases in general have the potential of being very vulnerable and allowing a lot of access to a machine without you knowing it. By default, they just have a lot that's vulnerable. So if you have these databases, you want to lock them down. And if you come across them, then you want to find out how vulnerable they are. And if you, as a pen tester or as the auditor, if there's anything that can be locked down on that.