NSE, Vulnerability Testing & Exploitation - NM

Course
Time: 7 hours 1 minute
Difficulty: Beginner
CEU/CPE: 7
Video Transcription
00:00
So, first of all, we know that it's running telnet, um,
00:04
and since I'm in the script folder, I'm gonna go ahead and do a
00:08
dir on all the
00:12
telnet related
00:15
attacks or exploits that we can run in nmap against telnet
00:24
devices, telnet-enabled devices. All right, so there's a telnet-brute
00:29
script,
00:31
so we'll go ahead and run nmap
00:38
--script
00:39
telnet-
00:41
brute
00:42
against
00:44
that target.
00:59
And actually, this isn't a true
01:03
brute force attack that tries every combination of letters and numbers and special characters. It's really a dictionary attack,
01:11
in other words, that uses a list of
01:15
credentials.
01:18
And because of that, it actually runs a little bit faster than a brute force attack would,
01:23
especially given the fact that
01:26
we're having to provide a user name and password.
01:36
I didn't adjust the timing on this attack, so
01:41
it'll take a little bit of time.
01:42
In the future, I'll probably adjust the timing just to make it go a little bit faster.
01:53
Okay, there's the results. As you all know, running telnet on any modern device is a terrible idea.
02:00
Um, if
02:01
somebody, if any half-decent
02:06
hacker or
02:07
network administrator is listening on traffic,
02:13
telnet
02:15
user names and passwords are sent in plain text, and
02:17
really, without any script arguments at all, and not very much time,
02:23
this discovered the user name here and password for that device at 1.2.
02:30
And,
02:31
granted, it's not an extremely complicated username and password, but
02:36
this is it right here.
02:38
So
02:38
just to prove that it works, I'll clear the screen. It's the user name of admin and a password of trustno1.
02:49
Clear the screen. We'll do telnet 192.168.1.2,
02:55
user name
02:57
admin,
02:59
password
03:00
trust
03:01
no
03:02
1.
03:05
And I'm in
03:07
the Cisco switch.
03:10
And I got in with just a simple NSE script,
03:15
so running the vulnerability scan showed us what the vulnerability was, and I ran an exploit using the telnet-brute script,
03:24
right? So
03:25
I'll get out of that Cisco switch,
03:30
clear the screen.
03:30
Another one of the vulnerabilities had to do with HTTP, since HTTP was open,
03:37
and that was a good one.
03:40
I'll do a dir of
03:45
all the HTTP attacks that we can run against this device,
03:52
and there's a ton of, um,
03:53
the one I'm most interested in is the default accounts
04:00
script,
04:02
and that is
04:06
right here
04:09
Gonna highlight it,
04:11
copy it,
04:15
clear screen, and we'll do, um, I'll do a script help first.
04:28
Gives us a ton of detail about how it works and
04:32
what arguments you can pass to it and where you get more information about it.
04:44
Really good information. So we'll do nmap
04:46
--script,
04:49
paste it again
04:51
against the same target.
04:58
Oh, and actually, I'm gonna adjust the timing too.
05:01
We'll make it a
05:04
T5, which is insane.
05:09
Hit enter.
05:11
should go a little bit faster.
05:18
Okay, so this
05:20
right here shows me the default accounts.
05:25
It's a user name and password of Cisco.
05:28
So
05:30
it's, you know, it's Port 80.
05:31
So we'll go ahead and open up our favorite browser,
05:35
which is Internet Explorer.
05:38
I'm kidding,
05:42
and we'll navigate to that
05:45
address.
05:48
All right, so the user name
05:50
provided in that NSE script was cisco,
05:57
password was cisco.
06:09
OK, and we're in.
06:15
Okay, so
06:16
granted
06:17
this device is vulnerable.
06:20
I'm not gonna act like it isn't.
06:24
It has some obvious flaws, such as a default user name and password enabled,
06:30
and a very weak
06:30
telnet password.
06:33
But
06:34
nevertheless,
06:38
it was pretty easy to break in using standard NSE scripts. And that's the main point.
06:44
We saw the vulnerabilities, we saw how to attack it and the usernames and passwords. And so, all right, now I'm gonna minimize this, actually, and I want to go over one more exploit,
06:59
and that is one that is actually very common out there.
07:03
And don't do this against, uh,
07:08
a device or, ah, target that
07:11
you're not,
07:13
uh, that you don't own or that you don't have a written contract for,
07:17
and that is the Slowloris attack.
07:19
And so we're gonna do, ah,
07:21
nmap
07:32
slow-lowers. It should be slowloris. I'll do a timing of T5.
07:38
In this case, it really matters because this is a denial of service attack.
07:42
We'll do it against that same target,
07:48
and I'm pretty sure that this one continues to run. I don't think that it has a timeout. And so while this runs,
07:56
it's running against the same device that we were just on.
08:01
All right, so here's the device. I'm gonna do a refresh on this device, and, well, you can already see it's taken it down. So the Slowloris attack, the denial of service attack.
08:15
You can look at the details about how it works, but
08:18
it's basically opening up so many connections against this web server that it can't keep up.
08:24
Um,
08:24
and I'm not even running it from multiple hosts. So it's not a sophisticated denial of service attack in the sense that it's not using a botnet.
08:35
We're not, it's not distributed. It's not a reflective or, um,
08:41
amplified attack.
08:43
It's a simple
08:45
attack against a
08:48
Cisco switch, which really could affect production if you're, you know, in an enterprise network.
08:56
Uh, and even still, I'm refreshing, and
09:01
at least the web interface is completely down right now,
09:07
so I'll go ahead and hit Control-C
09:09
and stop that,
09:11
and it might take a second. I'll minimize the nmap
09:18
scan and I'll do a refresh,
09:22
and eventually the device should
09:24
catch up and be able to respond.
09:31
So I encourage you to look into that Slowloris attack. Um,
09:35
and the main point is,
09:37
try it against your networks,
09:41
potentially vulnerable devices, and see if they can handle it,
09:43
and then
09:46
do a script help and go to the URL provided and learn more about it.
09:50
Um,
09:52
hope this is really helpful for you. And I appreciate you going through this lesson on the Nmap Scripting Engine,
09:58
and I'll see you in the next video.
10:01
In this lesson, we answered the questions of what is the Nmap Scripting Engine and how does it work.
10:07
Next we examined how the Nmap Scripting Engine gives us the ability to perform advanced scanning.
10:13
Then we went through a lab that demonstrates its use as a vulnerability scanner and exploitation tool.
10:18
Thanks so much for going through this lesson with me, and I'll see you in the next one.