Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:01
Hello, everybody. Welcome to episode number 15 of the course: Nmap Scripting Engine.
00:08
My name is Alejandro Guinea and I'll be your instructor for today's session.
00:12
The learning objectives of this session are to understand what the Nmap Scripting Engine is, and also to use some Nmap scripts to help us gather information and exploit vulnerabilities. So let's get started.
00:28
Okay, so just a little bit of background for you. The Nmap Scripting Engine is one of Nmap's most powerful and flexible features. It allows users to write and share simple scripts, well, not that simple to me,
00:46
because I'm not familiar with this scripting language, but, you know,
00:50
simple scripts to automate a lot of networking tasks.
00:54
You know, users can rely on the growing and, you know,
00:59
various scripts that are already provided by Nmap,
01:03
but they can also write their own scripts to meet their custom needs. For example, you want to
01:11
run a specific script because your business or your company is actually using, um,
01:18
Solaris or any other specific operating system, it's not actually using Windows. Maybe you want to create your own script for that purpose. So that's one of the many cases where you can, you know, actually
01:37
use that
01:38
to help you get specific information from your servers, for example. Then you can, you know,
01:48
perform tasks like network discovery, more sophisticated version detection, vulnerability detection, backdoor detection, vulnerability exploitation. You know, you can perform anything with these scripts.
02:02
These scripts are written in a scripting language called Lua,
02:08
the Lua programming language. You know, it supports the basic stuff we already know in other languages, like object-oriented programming, functional programming, data-driven programming and all the stuff that we know we can do, for example, in Python and Perl,
02:27
we actually do here in the Lua programming language.
02:29
It's a little bit limited, in my opinion, but, you know,
02:32
someone might beg to differ, and that'll be totally fine. Um, you know, the scripts are activated by calling the --script option. But first, let me show you where our scripts are, how many there are by default. I mean, it doesn't mean that you have to, um,
02:53
use only these ones, or
02:55
the ones that come with Nmap by default in Linux and Kali Linux,
03:02
but you can actually just google new scripts,
03:07
for example google 'Nmap scripting engine' plus the name of any specific task, and there's probably a script for that. Even if it's, you know, quite a custom task, probably someone already created a script for that.
03:23
So you can google that and just save it here in this folder. Or you can also just, even if you, you know,
03:31
for example, just for reference, remember that we're actually using our Windows XP, and just so you remember, um, I'm sorry,
03:43
it actually has quite a few ports open so we can test with them and, as you can see, it has 139 and 445 open for the SMB protocol. So we can just, for example, like in the previous video, just grep that
04:01
and see which ones contain smb. And it's quite a few, actually.
04:08
So you can use all of them to actually test whatever you want to test. For example, maybe you want to enumerate some SMB stuff. Remember that in the previous video we saw how to enumerate the SMB protocol. Oh, you know, you can also use
04:26
the Nmap Scripting Engine to do that.
04:28
So, yeah, quite a powerful option from the Nmap tool, in my opinion. So let's use, um, the psexec
04:41
script here.
04:43
Let me just
04:45
cat that.
04:53
It's not finding anything. Okay, I just got that,
04:57
psexec,
05:00
ah,
05:02
smb-psexec. Okay.
05:06
And as you can see, as I told you at the beginning, it's not that simple a scripting language. It actually has quite a few comment lines that you can, you know, play with. You can even change this, as they are open source. And maybe you want to execute this script,
05:25
but you would also like to execute additional stuff
05:29
automatically in this script, so you can actually change that. But, you know,
05:34
it's a lot of information. This script implements remote process execution, similar to the Sysinternals PsExec tool. By the way, I'm not
05:47
a fan of the Sysinternals tools. Yeah, I know they make, you know, the sysadmin's life easier. But, you know, I have used them a lot for my penetration testing exercises because they provide quite a bit of functionality,
06:05
so you can actually hack systems. So I know
06:08
this was probably made thinking about functionality and, you know, how to make life easier for the sysadmins. But, you know, it also made life easier for us penetration testers and for the bad guys, unfortunately. Yeah, this script executes the same functionality,
06:28
you know, allowing the user to run programs or commands on the remote machine and see the output.
06:32
So this is quite
06:35
the script to use, so let's execute it. Well, what do you need? You basically need an administrator account. We already got that, um,
06:47
the TCP ports open, we also got that. You know, if you have administrator, you probably have the ability to create services or execute commands on the remote machine. So
06:59
we're doing that, so the command will be nmap, we need to specify the port of course,
07:09
we also need to invoke the script,
07:13
smb
07:15
-psexec.nse,
07:21
--script-
07:25
args
07:26
for the arguments,
07:30
and smbuser=Administrator
07:36
and smbpass= ... Don't judge me, guys. I was actually playing with this machine a little bit, so
07:46
I was, you know,
07:47
I didn't have any password in mind at the time, and I just used this one. Um, well, yeah, we just
07:55
execute it and, okay, what will happen now? Target... oh, my God, look at me.
08:03
Okay, there you go. And as you can see, nothing obvious happened, because at the end
08:09
I'm not specifying the last and most important part for this script, which is what command or what task do I need to actually execute. Okay, it executed, you know, the common port scanning task, but I didn't,
08:28
I didn't get any information, but that makes sense, because at the end
08:33
we're not actually giving this script any task to perform on the other side. We're not telling it, you know what, I want to perform this command or this, or the service, whatever I'm telling it. So, uh, of course it doesn't return anything.
08:50
And by the way, if you don't actually, uh, know, um,
08:56
what user you need to be using, or maybe you don't know the password, you can combine this with the smb-brute
09:05
script. Something like this. You already created that set, you just need to smb
09:13
-
09:13
brute and a comma. And you separate it like that and just pass the options to these two scripts,
09:22
in case you don't know the SMB user or the SMB password.
09:28
Um, but that's that. So as you can see, again, nothing happened. And you need to modify the smb-psexec script or, you know, the
09:39
options you pass or the arguments you pass to this script. But these options are located in a different location.
09:48
Let me just go to the location here, /usr/share.
10:03
Okay, here are some options. You have some commands. For example, a backdoor. Let's just cat this.
10:11
We're back to, er,
10:13
let's just use the cat command to see what's happening inside, and okay, net user, password, add, and you will know the password. Doesn't seem like a backdoor to me. You know, I'm not
10:28
specifying anything.
10:31
Let's use that as an example anyway. You can also create your own script. You just have to follow this exact same, um,
10:39
stuff. For example, let me just copy this
10:43
so we can just rename it a little bit. Copy to the exact same location.
10:54
I know, I know, I should
10:56
I should write this on my own, but I'll be lazy. cybrary.lua.
11:05
And if we go to
11:07
ls, this should be a separate .lua, and we're here. And there you go.
11:11
Okay. So what happens if we actually change it?
11:16
Oh, the .lua... that thing is, oh, it's because,
11:20
don't get me again. Oh, my God, what's happening with me today?
11:26
nmap
11:28
nselib
11:31
data,
11:33
psexec,
11:35
cybrary.
11:39
And we can actually override this.
11:41
For example, what happens if,
11:48
um, what do you want to do, you guys? Maybe add a local group, or add to a local group, I don't know. We can do stuff here, adding an account. Let's add a user account, username, net user, username, password. Ah,
12:11
let's see here.
12:16
We can actually, let me see if we can actually modify this.
12:24
Our test is username and password, this one. Let's try that.
12:33
That should have done it.
12:35
Let me see if we can just run it again.
12:37
So once we have the script and the stuff you want to execute, in this case really simple. If that doesn't work, you can, you know, just google stuff and specific commands too, maybe. Or if you already have a netcat executable on the other side, in this case on Windows,
12:56
you can actually create a real backdoor
12:58
and actually get a reverse shell back to you, or actually create a bind shell so you can connect to that. So there's that. I mean, you can also use, you know, other, uh, Lua
13:13
scripts, or sort of configurations, and you can actually download a bunch of configurations from the Internet. I mean, you can just google, uh, 'psexec Nmap Scripting Engine configuration files' and I can assure you you will find a bunch that will be helpful to you. I mean,
13:31
whatever works for you. Or again, you can create, as you can see, it's not that hard
13:37
to actually create or modify this, um, structure and these options for your needs. So we can now
13:46
execute the command again with the psexec config. Oh, yeah, there you go. And you can, after that, after the password, the password works, you know, you can just add a comma here.
14:01
I will probably, oh,
14:03
because if this works, just type config and put it like this, cybrary
14:11
.lua,
14:13
and just see that the IP and
14:16
okay, 'An account username... the required arguments, username and password, were not given.'
14:24
Please. Uh,
14:28
okay, let me see.
14:35
Okay, let me see if I can modify that,
14:37
because I don't want it to be asking me for a password.
14:41
Ah,
14:43
looking at more modules. All right. It seems that it's asking for the password as a variable. Here,
14:52
let me just eliminate this,
14:54
control, okay?
14:56
Eliminate the entire line and create username
15:03
test,
15:05
and that's going to... let's try that.
15:07
That should do the job, right?
15:11
Let me see if I can execute it again.
15:13
And it's not... it seems that it is not executing anything. Let me see if I can... Windows, we're ready. We had actually created that.
15:24
Well, the point is that you can... let me just give you another example. What happens if I actually,
15:30
um,
15:33
execute here
15:33
and
15:35
backdoor
15:39
.lua?
15:41
Okay. Script args, but we already passed that. I mean, username. Let me just
15:48
paste it right here so it stops complaining.
15:50
Uh,
15:52
smbuser
15:56
equals test
15:58
and
16:00
password equals test.
16:03
Let's try that.
16:07
And
16:07
if you look, it's supposed to be working. It's not displaying any output back to me. So
16:17
let's see if it worked.
16:18
What happens if I connect to
16:22
the remote desktop?
16:27
Test, test.
16:30
Um,
16:37
okay.
16:37
See if this actually worked.
16:45
'Make sure the username and domain are correct, then type the password again.'
16:51
Okay. It didn't work.
16:56
But you get the point, you guys, uh, this is how you can actually, uh,
17:00
perform or execute the arguments or the tasks here. Uh,
17:07
you can actually do a lot more stuff, like get an ipconfig or something like that, and, you know,
17:12
that's that. And if it doesn't work, if anything doesn't work, and you actually
17:19
want to find kind of a Hail Mary approach here, you can actually use the command I showed you a couple of videos ago, which is just passing that through a loop. For example, first we're listing all the scripts,
17:37
that's it, then we're printing only the last part of the script, because at the end it will print the entire, um,
17:45
the entire path of the script, but we want only the names. Then we pass that to a filter, and we want to say, well, only the ones that have smb. And we, you know, leave out the brute one, because we don't want to actually
18:00
brute force anything. We only want to print information.
18:06
And then for each of these results, remember, this is inside of a loop,
18:12
a for, here we do an nmap for the port, this, and the script, this, and the IP. I know we're not passing any arguments, and this will probably not work for most of the scripts, but some of them will bring back some good information. Uh,
18:32
and this of course will take a while
18:34
because we're actually executing several scripts, but you get the idea. This is kind of a Hail Mary approach, you guys. I mean, this is when you run out of options and you just want to call it a day and find something so you can present it in your report.
18:51
And that happens, you guys. Don't get frustrated if you don't find,
18:55
you know, findings, by the way, um, in your penetration testing process.
19:06
Post-assessment questions. Is this information gathering technique considered passive or active? Well, it's considered active itself. I mean, yeah, you're actually playing with the victim systems in a kind of face-to-face manner.
19:22
What Nmap option is used to call the scripts? Ah,
19:26
you just type --script and you can call scripts.
19:30
What scripting language is used to create Nmap scripts? Well, it's called the Lua programming language, and it's a scripting language. Not that easy to me, but, you know, people say that it is, actually.
19:47
In this video we saw some Nmap scripts to perform various penetration testing tasks, and we executed some Nmap scripts to understand how they can help us in the penetration testing process.
20:00
Supplemental materials: well, there's no better option than the Nmap guide. Just go to the link and you will find all the options, all, you know, how you can use it, ah, the configuration files. You will find everything. So, yeah, that's the go-to for this video.
20:19
Looking forward to the next video, we'll cover some Python and Perl scripts. Well, that's it for today, folks. I hope you enjoyed the video and talk to you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor