Hello, everybody, and welcome to episode number 14 of the RCP course: Enumeration. My name is Alejandro Gina, and I'll be the instructor for today's session. The learning objective of this session is to understand some enumeration techniques and also understand some basic enumeration tools and commands. So let's get down to business.
Uh, you know, we can start first by, you know, using nmap to discover the operating system, for example. That's just our Windows XP box victim, with the -A option, which now runs some scripts and discovers the operating system. I'll cover the nmap scripting engine later in the course.

As you can see, this will take a while, as it's actually fingerprinting the result and, you know, actually getting into the operating system and trying to match a specific version of the signature database that nmap has. So this might take a while. But you know what, while we wait: remember that the XP operating system had, um, these ports open. So it had 25 (mail), 135, 139 and 445 (SMB), for example, and it has remote desktop on it as well. So, uh, just so we can get familiar with that. And if I didn't have this, it would say that it was almost done, but yeah, this will take a while, and it will be a while. Now I see, because it started trying to fingerprint the operating system to see what the result is, but well, we'll wait for that.
Let me just fire up another terminal here. Ah, let's start by using nmblookup. This command is used to query NetBIOS names, um, and map them to an IP address in the network, using NetBIOS over TCP/IP queries. The options allow the name queries to be directed at a particular IP, you know, a broadcast IP, a broadcast area, or a particular machine. I mean, you can do that in the command. Queries are done over UDP to port 137. And actually, most of the time you end up using UDP with the SMB protocol.

So let's see. Okay, still not done. So yeah, this is how long it will take to actually nmap and, you know, discover the operating system of a machine. But let's start with nmblookup. The simplest option is -A and just the IP. And as you can see, it came back with some really useful results. As you can see, we're actually getting that from a single, simple query.

But, you know, the point is that you can actually use others. For example, let me just give you another tool. Again, there are so many tools to actually, ah, enumerate the SMB protocol that I'll just show you one command per tool, I'm sorry, one command per tool, so you can actually get to know the tools. And at the end, any search, or any Google search, will do that stuff. So, yeah,
nbtscan, which is this tool. This command utility tries to scan the NetBIOS name servers open in a local or remote network. Um, and you know, it's the first step in trying to find open shares. It is based on the functionality of the Windows standard tool nbtstat. And I know it works on a whole subnet instead of an individual IP, so I will have to put the subnet. It works on a whole subnet. So, yeah, we have the box, as you can see here, we have my MacBook Pro, that's the one I'm using, and we have other IPs that are actually sharing information, ah, as you can tell. Yeah. Ah, this, by the way, is not the MacBook itself. It's actually, uh, ah, the hypervisor, which is using Parallels with Mac.

Perfect. We have another tool, smbmap. Um, smbmap allows users to enumerate Samba share drives across an entire domain. You know, the share drives, the permissions, share contents, upload and download functionality, you know, discovery and matching, and even executing remote commands. I mean, smbmap is quite the tool. Uh, not the one that I use, ah, but, you know, to enumerate lists. But, you know, this is really, really helpful. Let me just give you an example, and I just type -H and it will tell me, well, it will reveal the name, I'm sorry, the operating system. Which, by the way, where are we going here? Okay. Wow, a lot of information. Okay, it's just one port, and it returns really useful information.

Okay, remember that, by the way. So, ah, it's SNMP. We will see SNMP enumeration as well. But, yeah, you can see a lot of information: Windows, the version, and the version is Windows XP Professional. But as you can see, we already found out really fast with the smbmap tool.
Another tool is smbclient. Ah, you know, smbclient is a client that can actually talk to the SMB server. So it offers, you know, uh, capabilities like, kind of, an FTP program: you can upload, download files and execute commands. It can talk to an SMB server. So let me just go ahead and... and, let's see, does this work? Uh, I don't know. I remember the password was for this SMB share, but anyway, you get the idea.

rpcclient is another, ah, tool you can use. rpcclient is a utility initially developed to test MSRPC functionality in Samba itself. You know, it has undergone several changes. So now you can use this. It can be used as a tool to enumerate and authenticate against an SMB server. For example, let me see if I can actually execute, ah, a null session with rpcclient. Ah, -U for the user. I don't have a user, so an empty string, and -N, and, uh, no luck connecting to the server. Okay, so I cannot use null sessions to actually look into this server.

So, as you can see, uh, you can actually execute several tools to enumerate, but the one that I like the most, I'm not trying to be biased here, you guys, but the one that I like the most and the one that I use the most is enum4linux. enum4linux is a tool to enumerate information about Windows and Samba systems. Ah, you know, it's written in Perl and is basically a wrapper around the Samba tools that we saw, smbclient, rpcclient, and then nmblookup. You know, a lot of tools are wrapped in this one single tool. And maybe that's why I like this tool the most, but, again, uh, I'm not trying to be biased here, you guys, and you can use whatever tool works best for you.

Let me just show you the magic behind this. Um, sorry. enum4linux, and with -a I'm just telling it to run all the scripts, or all the options. You have a list of options you can execute to maybe find specific users, or maybe just find users. Maybe you're not interested in the shares, but only interested in the users. You have an option to do that. But, you know, for this video I'll just show you the results from running all the options. And as you can see, there's a lot of information that you can gather from this, ah, the shares and everything, you know? Yeah, that's the point. I like that because at the end, it wraps around several tools that you can actually use to enumerate SMB servers.
Let's jump to SNMP, Simple Network Management Protocol. For that, you also have several tools. Um, but, you know, uh, onesixtyone is the one that I use to enumerate. But let me just give you the tools. onesixtyone is a tool that can actually be used to brute force SNMP community strings. For example, let me just copy and paste this command. Then it's actually enumerating, um, these community strings. You know, you can also, we can also use this tool to check if a specific community string exists or not, for example, if the default public string exists or not. And it seems that, yeah, we actually had, wait, can you see a lot of strings? And here a lot of information. That's the point, you guys, you're trying to enumerate. Let me see if I can get information from the private string, and then, yeah, we can see, wait, we can get, let's see. We can actually see that... this one is snmpwalk, I'm sorry, I didn't tell you, I just switched.

Ah, yeah, but yes, this is another tool you can use. For example, let me just try to attack the SNMP service, since we already gathered enough information. For example, let's just snmpwalk to extract the SNMP data and display it on the terminal. Let me just paste the command here. This command will help you to do that, with the private string. Oh, my God. So no security, you guys, and this is Windows XP. If the SNMP service is misconfigured with read and write permissions, an attacker can actually, uh, change that, or modify that, with the snmpset utility, for example. Let me just execute this command and this will, if you know about SNMP, this will definitely scare you. That is the value here, and I'm just trying to set, ah, snmpset that value, and there you go, boom. It's actually configured as read-write for everybody. So, and you know what's the creepy part about that? Yeah, I can set that again. In fact, the creepiest part about that is, let me just change it back to the normal value, is that not so many people are aware of this. But if you can actually crack these community strings, you can actually perform any activity or task or command over your SNMP devices, routers, switches or whatever supports SNMP, operating systems, whatever supports the SNMP protocol. So this should scare you. Ah, so, yeah, you just got to change the default SNMP community string names and passwords, and don't set it as read-write if possible. Did you get the idea? So, yeah, that's SNMP enumeration.
But we have yet another tool that is mostly used, well, yeah, it's only used for HTTP enumeration, uh, which is DirBuster, or dirb. You can use any of those, any of these commands. dirb is a command-line based tool to brute force directories based on a wordlist on an HTTP server. Remember that we have that in a really cool tool called Burp. Yeah, you can do this in Burp as well. But you know, again, I always try to go with the non-graphical user interface options whenever I can. I know there are cases where you cannot avoid using a graphical user interface. But, you know, in this case, if you can do that with non-GUI options, that's good for you.

So, for example, let's try the default wordlist. It will search, ah, I can't remember the exact number, but I think it's 4000, ah, 4000, I guess more than 4000 words, to search for the URL. You can also change, you can, of course, change that. Uh, let me just first run the first command. I'll be using a different machine, which is the DVWA machine, because Windows XP doesn't have a web server. Ah, and as you can see, it is executing a lot of commands. I'll just stop that. But, you know, you can see that there's an admin here, a page with pages, um, ah, CSS classes, images. Yeah, you can see that there's an admin login. Let's see if we can go here and paste that. Oh, paste and go, and yeah, there you go.

So, ah, dirb is to get that information. It's quite noisy. So maybe, let me just nmap -sV, remember, you guys, from before, -p for port, -sV for the version and service actually running on that remote host. Is that it? This one? Yeah, there it is. Okay, it's Apache, so we can go to the directory where the wordlists, where the specific wordlists for specific servers are located, for example, /usr/share/dirbuster or dirb. As you can see, there's quite a few: Apache, here ColdFusion, ah, no, JBoss, Oracle, ah, all these are preloaded, Tomcat, for example, WebSphere from IBM. All these are preloaded on Kali. So, for example, if you're just going to use Apache for the specific server, as we saw it is Apache, put the URL and then the path to the wordlist for that. You know, it will execute those 30 words, and it just finds, it found that inside, server-status. So maybe we didn't find that in our previous scan, I mean, oh, yeah, we did find it, but that's the point. You can try to find specific, um, directories in a web page by executing that specific command.
So, post-assessment questions: is this information gathering technique considered passive or active? Active, again, you guys. Whatever interacts with the victim server is active. What is performed by the command nmblookup -A IP? Well, it's actually just, ah, NetBIOS information gathering from the nmblookup command, but that's it. Ah, what is performed by the command nbtscan IP range? Remember, nbtscan is just like nmblookup, for example, but it works only on IP ranges. It will try to scan, I guess, the NetBIOS name servers to gather information about the SMB protocol.

Uh, in this video we saw the most common enumeration options to gather information. We executed some enumeration tools and commands to see the results. Any supplemental materials: well, any enumeration cheat sheet you can find. That's it. Ah, and in the next video, looking forward, we'll cover the nmap scripting engine. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
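Added example, not part of the lecture or of any tool it mentions: the lecture notes that a wordlist-driven directory sweep (dirb/DirBuster) is "quite noisy", and this Python script shows what that noise looks like from the web server's side, flagging client IPs that rack up many 404s for many distinct paths inside a short window. The log lines are constructed samples in Apache combined format, and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (one regex, no extra dependencies).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_dir_bruteforce(lines, window_s=60, min_404=20, min_distinct=15):
    """Flag IPs with >= min_404 misses on >= min_distinct paths inside any
    window_s-second window. Returns {ip: (max_404_in_window, distinct_paths)}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window spans at most window_s.
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            window = events[start:end + 1]
            distinct = {path for _, path in window}
            if len(window) >= min_404 and len(distinct) >= min_distinct:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(window), len(distinct)))
    return flagged

# Constructed sample: 25 misses in 25 seconds from 10.0.0.5 (a wordlist sweep)
# and three scattered misses from 10.0.0.9 (an ordinary visitor hitting old links).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2024:12:00:%02d +0000] "GET /w%d HTTP/1.1" 404 213 "-" "Mozilla/5.0"'
    % (i, i) for i in range(25)
] + [
    '10.0.0.9 - - [10/Mar/2024:12:%02d:00 +0000] "GET /old%d HTTP/1.1" 404 213 "-" "Mozilla/5.0"'
    % (20 * i, i) for i in range(3)
]
```

Run `find_dir_bruteforce(SAMPLE_LOG)` to see only 10.0.0.5 flagged; raising `min_404` above 25 clears it, which is the knob to turn if legitimate crawlers trip the rule.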