Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 14 of the course, on enumeration.
00:07
My name is Alejandro Guinea, and I'll be the instructor for today's session.
00:11
The learning objectives for this session are to understand some enumeration techniques and also to understand some basic enumeration tools and commands.
00:20
So let's get down to business.
00:23
Uh, you know, we can start first by using nmap to discover the operating system. For example, let's just run it against our Windows XP box, the victim:
00:36
nmap -A
00:39
The -A option tells nmap to run some scripts and discover the operating system.
00:46
We'll cover the nmap scripting engine later in the course.
00:58
As you can see, this will take a while, as it's actually fingerprinting the host and trying to match a specific version of the signatures that nmap has. So this might take a while.
01:17
But you know what? While we wait,
01:19
remember, just to remind you, that this operating system had these ports open: 25, mail, 135, 139 and 445,
01:45
SMB, for example, and it has Remote Desktop up on this as well. So we can get more from that. And if it doesn't have this, it will say that it was almost done, but yeah, this will take a while, and it will be noisy, as you can see,
02:01
because it started to fingerprint the operating system to see what the result is, but well, we'll wait for that.
02:09
Let me just fire up another terminal here. Let's start by using nmblookup.
02:22
This command is used to query NetBIOS names and map them to IP addresses in the network, using NetBIOS over TCP/IP queries.
02:34
The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine. I mean, you can do that in the command. All queries are done over UDP. And actually,
02:52
most of the time you end up using UDP with the SMB protocol.
02:55
So let's see. Okay, still not done. So yeah, this is how long it will take to actually map
03:00
and discover the operating system of a machine. But let's start with nmblookup. The simplest option is -A
03:13
and just the IP.
03:19
And as you can see, it came back with some really useful results
03:23
here.
03:27
As you can see, we're actually getting that from a single command and a simple query.
03:35
But, you know, the point is that
03:38
you can actually use others. For example, let me just give you another tool. Again, there are so many tools to actually enumerate the SMB protocol that I'll just show you one command per tool, so you can actually get to know the tools.
03:55
And at the end, any cheat sheet or any
03:58
Google search will do that stuff. So, yeah,
04:01
we have nbtscan, which is this tool. This command-line utility tries to scan the NetBIOS name servers open in a local or remote network.
04:15
And you know, the first step in trying to find open shares. It is built on the functionality of the standard Windows tool, nbtstat.
04:28
And I know it works on a whole subnet instead of an individual IP, so I will have to put the subnet.
04:40
Is that the end? It works on a whole subnet. So, yeah, we have the victim box, as you can see here, we have my MacBook Pro, that's the one I'm using, and we have other IPs that are actually sharing information, as you can tell. Yeah.
04:59
This, by the way, is not the MacBook itself. It's actually
05:03
the hypervisor, which is using its pool of MAC addresses.
05:09
Additionally, we have another tool, smbmap. smbmap allows users to enumerate Samba share drives across an entire domain. You know, it lists share drives, drive permissions, share contents, upload and download functionality,
05:29
file name discovery and pattern matching, and it can even execute remote commands. I mean, smbmap, it's quite the tool.
05:38
Not the one that I'm used to, but, you know, to enumerate and list shares, this is really, really helpful. Just let me give you an example.
05:46
smbmap
05:49
and I just type -H
05:53
and the IP,
05:57
and it will tell me, well,
06:00
it will reveal the name, I'm sorry, the operating system. Which, by the way, where are we going here? Okay.
06:06
Wow. A lot of information.
06:09
Okay. It's just one command and it returned really useful information.
06:15
Okay. Remember that later we will see SNMP enumeration as well, but yeah.
06:24
You can see a lot of information: Windows, the version, and the version is Windows XP Professional. As you can see, we already found that out really fast with the smbmap tool.
06:35
Another tool is smbclient.
06:40
You know, smbclient is a client that can actually talk to an SMB server. So it offers capabilities like, kind of, an FTP program: you can upload or download files and execute commands. It can talk to an SMB server. So let me just go ahead and
06:57
run smbclient
07:00
with -L.
07:01
I'm sorry.
07:06
Let's see if this works. I don't know.
07:13
I remember the ports were open for SMB, but anyway. rpcclient is another tool you can use. It's a utility initially developed to test MSRPC functionality in Samba itself, and it has undergone several changes.
07:31
So now
07:33
it can be used as a tool to enumerate and authenticate against an SMB server. For example, let me see if I can actually execute a null session against it: rpcclient,
07:48
-U for the user, I don't have a user, so -N, and
07:58
no: could not connect to the server,
08:00
invalid parameter.
08:01
Okay, so I cannot use a null session to actually look into this server. So, as you can see,
08:11
you can actually execute several tools to enumerate, but the one that I like the most, I'm not trying to be biased here, you guys, but the one that I like the most and the one that I use the most is enum4linux. enum4linux is a tool to enumerate information about Windows and Samba systems.
08:30
You know, it's written in Perl and is basically a wrapper around the Samba tools that we saw: smbclient, rpcclient
08:37
and nmblookup. You know, a lot of tools are wrapped in this one single tool. And maybe that's why I like this tool the most, but then again, I'm not trying to be biased here, you guys, and you can use whatever tool works best for you.
08:58
But
08:58
let me just show you the magic behind this. Sorry.
09:03
enum4linux, and with -a I'm just telling it to run all the scripts, or all the options. You have a list of options you can execute to maybe find specific users, or maybe just find users. Maybe you're not interested in the shares, but maybe you're interested in the users.
09:22
You have an option to do that. But, you know, for this video I'll just show you
09:24
the results from running all the options. And as you can see, there's a lot of information that you can gather from this.
09:33
The shares and everything.
09:37
You know? Yeah, that's the point. I like it because at the end it wraps around several tools that you can actually use to enumerate SMB servers.
09:46
Let's jump to SNMP, the Simple Network Management Protocol.
09:54
For that, you also have several tools.
09:58
Um, but, you know,
10:01
onesixtyone is the one that I use to enumerate.
10:07
But let me just give you the tools. onesixtyone is a tool that can actually be used to brute force SNMP community strings. For example, let me just
10:16
copy and paste this command.
10:26
Then it's actually enumerating
10:28
these community strings. You can also use this tool to check if a specific community string exists or not, for example, whether the default 'public' string is existent or not
10:41
in this server.
10:48
And it seems that, yeah, we actually have,
10:52
as you can see, a lot of strings.
10:54
And here's a lot of information. That's the point, you guys, you're trying to enumerate. Let me see if I can get information from the 'private' string,
11:05
and then, yeah, we can... so we can get... we can actually see that. This one is snmpwalk. I'm sorry, I didn't tell you, let me just switch.
11:16
Yeah, but yes, this is another tool you can use. For example, let me just try to attack the SNMP service, since we already gathered enough information. For example, let's just use snmpwalk to extract the SNMP data and display it on the terminal. Let me just paste the command here.
11:39
This command will help you to do that, I mean, with the private string.
11:45
Oh my God. So, no security, you guys,
11:48
and it says Windows XP.
11:52
And, you know,
11:58
if the SNMP service is misconfigured
12:01
with read and write permissions, an attacker can actually
12:09
change or modify that. So the snmpset utility, for example, let me just
12:13
execute this command and this will,
12:16
if you know about SNMP, this will definitely scare you.
12:22
That is the value here, and I'm just trying to hack it,
12:26
snmpset, and
12:30
there you go, boom. It's actually configured as read/write for everybody. So
12:35
wow.
12:37
And you know what's the creepiest part about that? Yeah, I can set that again. In fact, the creepiest part about that is, let me just change it back to the normal value,
12:48
that not so many people are aware of this. But if you can actually hack these community strings, you can actually perform any activity or task or command over your SNMP devices: routers, switches or whatever supports SNMP,
13:05
operating systems, whatever supports this protocol.
13:09
So that should scare you.
13:11
So, yeah, you just have to change the default SNMP community string names and passwords, and don't set it as read/write if possible.
13:22
Did you get the idea?
13:22
So, yeah, that's SNMP enumeration.
13:24
But we have yet another tool that is mostly used, well, yeah, it's only used for HTTP enumeration,
13:33
which is DirBuster or dirb. You can use any of those.
13:39
Any of these commands. dirb is a command-line based tool to brute force directories based on a word list on a target web server. Remember that we also have that in a really cool graphical tool.
13:56
Yeah, you can do this in that tool as well. But, you know, again, I always try to go with the non-graphical-user-interface options whenever I can. I know there are cases where you cannot avoid using a graphical user interface. But, you know, in this case, if you can go with the non-GUI options,
14:16
that's good for you.
14:18
So, for example, let's try the default word list. It will search, I can't remember the exact number, but I think it's 4000,
14:33
4000, I guess more than 4000 words,
14:37
to search for the URL. You can, of course, change that. Let me just first run the first
14:48
command. I'll be using a different machine, which is the DVWA machine, because Windows XP doesn't have a web server. And as you can see, it's executing a lot of commands. I'll just stop that. But, you know, you can see that there's a main page here, a page with
15:09
CSS classes, images. Yeah, you can see that
15:15
there's an admin login. Let's see if we can
15:18
go here and paste that.
15:22
Paste and go, and yeah, there you go.
15:26
So dirb is to get that information. It's quite noisy, so maybe
15:33
let me just run nmap
15:37
-sV, remember, you guys, from before,
15:39
-p for port and -sV for version,
15:43
to see what
15:48
service is actually running on that remote host.
15:52
Is that the end? Yeah, there it is.
15:56
Okay, it's Apache, so we can go to the directory where the word lists,
16:03
where the specific word lists for specific servers are located. For example, /usr/share/dirbuster, or dirb,
16:15
wordlists
16:18
and vulns.
16:19
As you can see, there are quite a few: Apache, ColdFusion, JBoss, Oracle.
16:29
All of these are preloaded: Tomcat, for example, WebSphere from IBM. All these are preloaded on Kali. So, for example, if you're just going to use the Apache one for this specific server, as we saw it's Apache,
16:44
which is,
16:45
I mean, put the URL and then the path to the word list,
16:52
you know, it will be executed with 30 words, and it just finds... you found that server-status. So maybe we didn't find that in our previous scan. I mean, oh yeah, we did find it,
17:06
but that's the point. You can try to find specific
17:11
directories in a web page by executing that specific command.
17:18
So, post-assessment questions. Is this information gathering technique considered passive or active? Active, again, you guys. Whatever interacts with the victim server is active.
17:32
What is performed by the command nmblookup -A with the IP? Well, it's actually just
17:40
NetBIOS information gathering from the nmblookup command. But that's it.
17:47
What is performed by the command nbtscan IP range? Remember, nbtscan is just like nmblookup, for example, but it works only on IP ranges. It will try to scan all the NetBIOS name servers to gather information about the SMB protocol.
18:07
In this video we saw the most common enumeration options to gather information. We executed some enumeration tools and commands to see the results.
18:18
Any supplemental materials? Well, any enumeration cheat sheet you can find. That's it.
18:23
And in the next video, looking forward, we'll cover the nmap scripting engine. Well, that's it for today, folks. I hope you enjoyed the video and talk to you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor