So, first of all, we know that it's running Telnet, um
and since I'm in the script folder, I'm gonna go ahead and do it.
They are on all the
Telnet-related
attacks or exploits that we can run in Nmap against Telnet
devices, Telnet-enabled devices. All right, so there's a telnet-brute.
So we'll go ahead and run Nmap
--script
telnet
And actually, this isn't a true
brute force attack that tries every combination of letters and numbers and special characters. It's really a dictionary attack,
in other words, that uses a list of
And because of that, it actually runs a little bit faster than a brute force attack would,
especially given the fact that
we're having to provide a username and password.
I didn't adjust the timing on this attack, so
it'll take a little bit of time
in the future. I'll probably adjust the timing just to make it go a little bit faster.
Okay, there's the results. As you all know, running Telnet on any modern device is a terrible idea.
somebody, if any half decent
network administrator is listening on traffic.
Telnet
user names and passwords are sent in plain text and
really, without any script arguments at all, and not very much time.
This discovered the user name here and password for that device at 1.2.
granted, it's not extremely complicated username and password, but
this is it right here.
Just to prove that it works, I'll clear the screen. It's the username of admin and a password of trustno and the number one.
Clear the screen, we'll do a telnet of 192.168.1.2
And I'm in
the Cisco switch.
And I got in with just a simple NSE script.
So running the vulnerability scan showed us what the vulnerability was, and I ran an exploit using the telnet-brute script.
I'll get out of that Cisco switch,
clear the screen.
Another one of the vulnerabilities had to do with HTTP, since HTTP was open
and that was a good run,
I'll do a dir of
all the HTTP attacks that we can run against this device
and there's a ton of, um,
the one I'm most interested in is the default accounts
and that is
going. Highlight it.
Clear screen and we'll do, um, I'll do a script help first
gives us a ton of detail about how it works and
what arguments you can pass to it and where you get more information about it.
Really good information. So we'll do Nmap
paste it again
against the same target.
Oh, and actually, I'm gonna adjust the timing too.
We'll make it a
T5, which is insane
should go a little bit faster.
Okay, so this
right here shows me the default accounts.
It's a user name and password of Cisco.
it's, you know, it's Port 80.
So we'll go ahead and open up our favorite browser,
which is Internet Explorer.
and we'll navigate to that
All right, so the user name
provided in that NSE script was Cisco,
password was Cisco.
OK, and we're in.
This device is vulnerable.
I'm not gonna act like it isn't
It has some obvious flaws: it has a default username and password enabled,
has a very weak
Telnet password.
It was pretty easy to break in using standard NSE scripts. And that's the main point.
We saw the vulnerabilities, we saw how to attack it and usernames and passwords. And so all right, now I'm gonna minimize this, actually, and I want to go over one more exploit,
and that is one that is actually very common out there.
And don't do this against, uh,
a device or ah, target that
uh, that you don't own or that you don't have a written contract for
and that is the Slowloris attack.
And so we're gonna do, ah,
slow lowers. It should be slowloris. I'll do the timing of T5.
In this case, it really matters because this is a denial of service attack.
We'll do it against that same target,
and I'm pretty sure that this one continues to run. I don't think that it has a time out. And so while this runs,
it's running against the same device that we were just on.
All right, so here's the device. I'm gonna do a refresh on this device and, well, you can already see it's taken it down. So the Slowloris attack, the denial of service attack.
You can look at the details about how it works, but
is basically opening up so many connections against this Web server that it can't keep up.
And I'm not even running it from multiple hosts. So it's not a sophisticated denial of service attack in the sense that it's not using a botnet.
We're not. It's not distributed. It's not a reflective or, um,
It's a simple
Cisco switch, which really could affect production if you're, you know, in an enterprise network.
Uh, and even still, I'm refreshing. And
at least the Web interface is completely down right now,
so I'll go ahead and hit control C
and stop that
and it might take a second. I'll minimize the Nmap
scan and I'll do a refresh,
and eventually the device should
catch up and be able to respond.
So I encourage you to look into that Slowloris attack. Um,
and the main point is,
try it against your networks,
potentially vulnerable devices and see if they can handle it
Do a script help and go to the URL provided and learn more about it.
Hope this is really helpful for you. And I appreciate you going through this lesson on Nmap Scripting Engine,
and I'll see you in the next video.
In this lesson, we answered the questions of what is the Nmap Scripting Engine, and how does it work?
Next we examined how the Nmap Scripting Engine gives us the ability to perform advanced scanning.
Then we went through a lab that demonstrates its use as a vulnerability scanner and exploitation tool.
Thanks so much for going through this lesson with me, and I'll see you in the next one.