Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,090 --> 00:00:07,930 In a previous video we discussed SS H and that it's really not always that much of a low hanging fruit. 2 00:00:08,100 --> 00:00:13,250 So we've got SS h here and say we want to attack it. 3 00:00:13,260 --> 00:00:19,220 Now there are three reasons we're going to do this and this is from a realistic perspective. 4 00:00:20,090 --> 00:00:26,930 If we see SS H on an assessment we're going to try to brute force against it or use weak or default 5 00:00:26,930 --> 00:00:34,450 credentials and we're going to do that because one we're going to test password strength too we're going 6 00:00:34,450 --> 00:00:39,960 to see if we can get in with a weak password or default password. 7 00:00:40,150 --> 00:00:49,780 And if we can also attest to password strength correct and 3 we're going to see how well the blue team 8 00:00:49,780 --> 00:00:51,160 performs. 9 00:00:51,370 --> 00:00:52,480 Do they catch us. 10 00:00:52,480 --> 00:00:59,570 Do they see us brute forcing this should be something that should alert when is being performed. 11 00:00:59,740 --> 00:01:02,380 But you would be surprised how often it does not. 12 00:01:02,740 --> 00:01:05,830 So during a pen test I am as loud as possible. 13 00:01:05,830 --> 00:01:09,130 This is not a red team assessment where we're trying to be quiet. 14 00:01:09,160 --> 00:01:15,730 This is a pen test where we are as loud as possible and we are hoping to be caught. 15 00:01:15,730 --> 00:01:20,410 Sometimes just it or just told to tone it down a little bit you know hey we're seeing you. 16 00:01:20,410 --> 00:01:22,090 Can you be more quiet. 17 00:01:22,300 --> 00:01:27,790 And we just want to be caught some time so we can give kudos in a report and say Hey you saw scanning 18 00:01:27,790 --> 00:01:32,620 here and here and kudos to you but you didn't see a scanning here in here. 19 00:01:32,680 --> 00:01:38,290 So this is how we really help fine tune a blue team and help fine tune a client as well is being loud 20 00:01:38,290 --> 00:01:39,290 sometimes. 21 00:01:39,310 --> 00:01:44,200 So we're going to practice being loud today and we're also going to practice brute force attacks and 22 00:01:44,200 --> 00:01:48,960 we have the perfect opportunity to do that with an essay sage port being open on this machine. 23 00:01:49,600 --> 00:01:54,180 So what we're gonna do is we're going to use a tool called the Hydra and then I'll show you the Midas 24 00:01:54,180 --> 00:01:55,270 plate way as well. 25 00:01:55,570 --> 00:01:57,840 So Hydra is a brute force tool. 26 00:01:58,330 --> 00:02:00,970 So the syntax for Hydra is going to be this. 27 00:02:00,990 --> 00:02:06,910 We're gonna say a Hydra and then we're going to give a dash L for the user that we're going to be utilizing 28 00:02:07,270 --> 00:02:07,980 in this case. 29 00:02:07,990 --> 00:02:13,600 I want to attack root and then we're going to give a capital P for the password list. 30 00:02:13,630 --> 00:02:18,820 So if we want to use a password list with L we can just say capital L but here we're going to say capital 31 00:02:18,820 --> 00:02:30,580 P for the password list and then we're just gonna say user share wordless Metis ploy. 32 00:02:31,630 --> 00:02:37,370 And I'm just going to double tab in this folder so you can see how many words are actually in here. 33 00:02:38,490 --> 00:02:44,670 There's quite a bit of wordless and you can space space and it has wordless for all different kinds 34 00:02:44,670 --> 00:02:46,990 of things built in and these are all over Cally. 35 00:02:47,010 --> 00:02:53,430 So it's good to know your folder locations but user shareware list is one that will use quite a bit. 36 00:02:53,430 --> 00:03:01,080 And what we're going to do is we're going to utilize an attack with these Unix passwords here. 37 00:03:01,110 --> 00:03:03,510 We have a Unix users in Unix passwords. 38 00:03:03,630 --> 00:03:07,830 We're going to utilize the Unix password list and just try to brute force with that. 39 00:03:08,520 --> 00:03:15,170 So we'll say Unix passwords something like that and then we're going to need to specify what we're attacking. 40 00:03:15,170 --> 00:03:28,250 So we are attacking SS h like this and our IP address of our machine or attacking port 22 and then we 41 00:03:28,250 --> 00:03:35,210 need to have a certain amount of attempts or threads at once and we're going to limit that to four and 42 00:03:35,210 --> 00:03:41,390 then I'm going to do a capital V for verbosity just because I want to see the user attempts flow through 43 00:03:41,390 --> 00:03:44,000 so that we can actually see what's going on here. 44 00:03:44,000 --> 00:03:51,690 So once you got the syntax ready to go go ahead and hit enter and you're going to see that it's starting 45 00:03:51,690 --> 00:04:00,120 to attempt root log in password with all these weak passwords here and hopefully it might find something. 46 00:04:00,330 --> 00:04:04,950 But let's go ahead and open up a a new terminal here. 47 00:04:05,160 --> 00:04:12,330 And we're going to use make this a little bigger and I'm going to load up Mets played as well. 48 00:04:13,040 --> 00:04:18,720 Yeah we're gonna run the same exact thing in Mets point but I think it's good to know multiple frameworks 49 00:04:18,720 --> 00:04:21,620 and multiple tools to perform the same task. 50 00:04:21,660 --> 00:04:28,320 So here we're going to search for something like SSD age and this is going to be an auxiliary module 51 00:04:28,320 --> 00:04:35,910 so we'll just scroll up and we're going to look for something like SSA to log in perfect log in and 52 00:04:35,910 --> 00:04:40,420 check scanner and make sure we don't have anything else. 53 00:04:40,440 --> 00:04:41,620 And it looks good to me. 54 00:04:41,680 --> 00:04:51,630 Let's go ahead and take this SSA log in and we're gonna go ahead and say use options 55 00:04:54,180 --> 00:04:56,970 and now we have kind of our brute force options here. 56 00:04:57,000 --> 00:05:02,220 Let me make this a little bigger sense prettier so we've got a brute force speed from zero to five five 57 00:05:02,220 --> 00:05:05,370 being the fastest dribbling passwords. 58 00:05:05,370 --> 00:05:06,420 No no no. 59 00:05:06,450 --> 00:05:10,080 We can set a hard password and we could set a hard user name. 60 00:05:10,110 --> 00:05:18,350 We could set a user and password file a user pass user as password file again. 61 00:05:18,360 --> 00:05:21,090 We can have a password file as well. 62 00:05:21,090 --> 00:05:27,520 So we have a lot of different options here that we can utilize but we're gonna go ahead and do the same 63 00:05:27,520 --> 00:05:35,820 kind of thing we're going to say set user name and we're just gonna say room and then we're going to 64 00:05:35,820 --> 00:05:41,010 say set pass file and similar to what we just use. 65 00:05:41,010 --> 00:05:51,870 We're gonna say user share wordless Meadows flight and then we're going to say lyrics 66 00:05:54,220 --> 00:06:02,100 unique sorry Unix passwords and that should set the pass file and then we just seen our host as well 67 00:06:02,100 --> 00:06:13,950 set our host and we'll say 1 9 2 1 6 8 5 7 1 3 4 say options one more time and you can see that we've 68 00:06:13,950 --> 00:06:21,480 got our password file set we've got our our host set we've got our our port on twenty two threads is 69 00:06:21,480 --> 00:06:27,870 one username route and we should be good to go now we can set multiple threads here we could set threads 70 00:06:27,870 --> 00:06:33,180 to like 10 this is really going to amp it up I mean this should be detected in a second but we're gonna 71 00:06:33,180 --> 00:06:39,240 try to run it and we could set actually let me control see let's set verbose to true as well just so 72 00:06:39,240 --> 00:06:47,830 you could see that it's actually working set verbose to true and then we're gonna run this and then 73 00:06:48,460 --> 00:06:56,260 it's going to attempt different credentials here and it'll say Hey I found it in the light up green 74 00:06:56,320 --> 00:06:57,880 and then we'll know it's good. 75 00:06:58,210 --> 00:07:04,030 So this is actually going kind of slow surprisingly and you can see here that we are at attempt 112 76 00:07:04,060 --> 00:07:05,190 116. 77 00:07:05,380 --> 00:07:12,760 So this is out also going slow and we do not have a successful attempt or a log in I actually don't 78 00:07:12,760 --> 00:07:18,040 believe there's going to be one but you never know. 79 00:07:18,040 --> 00:07:22,240 I believe I remember taking this off line and trying to crack the password and wasn't any kind of weak 80 00:07:22,240 --> 00:07:22,830 password. 81 00:07:22,860 --> 00:07:28,000 So you can let your brute brute force run if you want to go with it but I'm going to go ahead and kill 82 00:07:28,000 --> 00:07:32,430 mine and that's it for this video. 83 00:07:32,440 --> 00:07:38,560 So from here we're going to talk about a similar methodology called credential stuffing which we've 84 00:07:38,650 --> 00:07:45,910 already talked about before except we're not brute forcing but we're using common knowledge to our advantage. 85 00:07:45,910 --> 00:07:48,400 So we'll talk about a little bit of Chris stuffing in the next video. 9692