Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 43 of Offensive Penetration Testing, simulation module: reconnaissance and vulnerability identification. My name is Alejandro Guinea, and I'll be the instructor for today's session. The learning objectives of the session are to understand the main steps you need to follow during a penetration testing process.
00:20
Now apply the techniques to successfully perform
00:24
a penetration test. So let's get down to business, shall we?
00:29
Uh, first, as we saw before, a ping sweep is the process of pinging, you know, an entire range of network addresses to find out which ones are alive or online. So let's just execute the following command.
00:45
And we can, you know, see what
00:49
IPs are actually alive in the system. So as you can see, we already got the results from it. But, you know, it's kind of messy, so let me just, ah, another command, so we can actually grep the output to a more readable output.
01:07
And, as you can see, where
01:08
0.8.
01:11
So
01:11
it seems that this one's actually replying. So as you can imagine right now, we have to proceed to actually see if we can find the versions of the services running.
01:27
So let's see what is returned. Okay, so it says port 22 is open,
01:34
and we already got the version, OpenSSH. You want to, you know, port 6666 which is used for Internet Relay Chat. Um, we can actually start, you know, we can actually see. Ah,
01:49
a really good practice, because I have been involved in those situations, is that this command will only scan the well-known ports.
01:59
But, you know, sometimes low-hanging fruit is actually hidden in a higher port that, you know, this command might miss. So it's a good idea to actually check all the ports to see if, you know, we can find something alive in the system. So, uh, for that, you just have to do nmap, you know,
02:17
-p-, you know, it scans all the ports, and then, you know, maybe add a -T4 for speed or threading, and then
02:29
just maybe
02:34
This could take a while. I didn't. Okay. Just see that in our first scan, we got only port 22 and port 6667. But in this case, we got the same ports, but we already have another port alive. So
02:50
Ah, and you know, we might test this, maybe see if
02:53
if it is a web page or something like that, that will be a good idea. But, you know, at this point, we can just add this and, you know, 22, just to double check, 6667 and, you know, the higher port.
03:09
And, you know, change this to -sV to get the version and the -A to get, you know, more information about the operative system or something like that. This could take a while, because it's actually fingerprinting the operative system to see if we can find some other information. So by this time, we already have
03:28
one. You know, we already know what
03:30
what's running in this service, OpenSSH. We can enumerate that, for example. Remember that in the previous... Okay, it already finished. So we have SSH, and, you know, this seems to be HTTP. Yeah, Apache, it's an Apache service. So we can actually go to this web page and see if we can find something useful there.
03:50
But Leon, it's it's are in order
03:53
scans. That is the Linux operative system. So, yeah,
03:58
good information. We already have this information. Let me start by saying that it's a good idea to actually, you know, write ideas down to another, you know, maybe there's software dedicated to actually take notes. Like, for example, I don't want to say any brand, but, for example, OneNote from Microsoft, or maybe Evernote
04:15
I seek actually linked Aled your General Ordell devices
04:19
and take notes. And you can always, you know, install. Ah,
04:24
you know, note-taking application specialized for penetration testers. Believe me, there's a bunch of them. You can just google that and it will give you a lot of, you know, options you can choose from. Uh, yeah, you have to write down everything. And when I say everything, I mean everything. Take notes, say, OK, this is the result from this command
04:44
and boom.
04:45
Just copy-paste whatever the result is or something like that. You have to write it down because at the end, you might know, most of the time, like 100 percent of the time, you will go down rabbit holes, and then you realize that maybe the exploit was really easy to perform. But you know, all of your conspiracy theories
05:04
in your head led you to believe that the exploit was something
05:09
somewhere else. Yeah, write it down, everything that you can. And maybe later on in your penetration testing path, you will find that information useful. And it will be especially useful for you when you're actually presenting the report for your customers. So yeah, write it down.
05:27
So in this case, I will next. That already did. But, you know, um,
05:30
you can write everything down well of a server. Okay. Cool name. Well, apiece. Okay. Ah, you know, Apache, the version. And you know, by this point, we can start maybe enumerating
05:43
the SSH service. Remember that we can enumerate, you know, with the nmap scripts. We have, ah, a video dedicated to that, ah, the scripting engine. So let me just go ahead and refresh your head a little bit. You can go to the location
06:00
where these scripts are.
06:02
I'm sorry. These scripts are located in scripts, and, you know, for example, ssh, and just hit tab and we can see some of the algorithms we can actually use to enumerate that. You know, we can also use, uh, the console for the Metasploit Framework,
06:23
msfconsole,
06:27
and we can use, for example,
06:30
the auxiliary modules, for example, use auxiliary, and, you know, scanner, maybe ssh,
06:40
example. And, you know, just see all this information. For example, let's just use the ssh_enumusers, SSH enumerate users. If I go to options,
06:53
you can see that it requests from me a user file or a username. And at this point, I don't have it. I mean, I can clearly assume that root
07:01
might be one user that is actually allowed to do that. For example,
07:08
let me just set
07:09
every little host.
07:13
Let me see if I can run it just like that. It will probably fail because I'm... okay. Yeah, auxiliary module. Please populate username or user file. Let's see, username
07:26
and root, you know, I know this exists for sure. And yeah, user root found. The messages,
07:32
tests, for example. I don't know something like that.
07:35
It will, yeah, it'll tell me that it's not found. We can, actually, you know, set, ah, a list of usernames. Remember that in the previous video we saw CeWL and other tools to actually generate your own list. We can actually go to the web page and see if we can actually get the words
07:56
from the web page. I mean, there's a lot of avenues you can pursue
07:59
to actually penetrate your systems, or the system you're trying to pentest, right? You will definitely have to go to the previous videos if you forgot about, you know, the techniques we saw. But yeah, you know, I'm just kidding. I'm just trying to give you ideas of where to put that technique or where to use it. You know,
08:18
it's up to you to actually,
08:20
uh, go through all the course and all the videos and apply the techniques in the correct order. But in this case, let me just quit.
08:28
We can also, we can also go to our famous Exploit-DB,
08:33
Exploit-DB.
08:35
And, you know, we can just go here and, as we already have, um
08:41
um
08:41
let me just go here. We already have the version that this is running on, which is OpenSSH. For example, you just copy that and see if there's an exploit available for that.
08:56
And we crossed this and yeah, there's an enumeration exploit. We can actually download it and see if we can, we can actually run it. Uh, at the end,
09:07
we're trying to enumerate. It was going straight to Downloads. So let me just
09:11
go to my terminal again. And maybe, for example,
09:16
python ah,
09:18
root
09:20
Downloads and, you know, it was called 40 something. Okay, dash U for the user list. And by the way, we have a lot of user
09:31
name, ah, username files or username lists that you can use. For example, we'll just use this one which, you know, is located in the Metasploit Framework. In this case, I already know it's a Unix system, so I will just use Unix users or something. I think, you know, there's a bunch of username lists
09:50
there in that location that you can actually use.
09:54
So let me just hit that and, you know, it will execute,
09:56
you know, getting baseline. And it will try all the possible combinations. You know,
10:03
it's a really cool exploit. I just, you know,
10:07
ended the execution, but you get the idea. Ah, then we can enumerate a little bit more the port, you know, the higher port that actually contains the web page, which was... Let me just go here and check it again. Okay. Copy that.
10:24
Oops.
10:26
Let's copy that. And let's go to that web page.
10:35
Okay, Proxy, it seems that I'm actually using a proxy, so let me see if I can disable that
10:41
Network proxy settings. Okay, no proxy. And I want to use any proxies up.
10:48
Okay. Again. Oh, holy moly. This... this guy wants me. Glad I moved to a different port so I could work more securely. As we all know, security by obscurity is the way to go. Yeah, really funny. Wallaby. Whatever that,
11:03
however that was spelled.
11:05
Ah, yeah. You know, security by obscurity, or security through obscurity, is actually, you know, trying to hide something in plain sight. It's like leaving your home and leaving the keys to your home under the carpet in front of your door. So yeah, it will not work at all.
11:24
So, yeah. You know, we can perform some techniques here, like we can execute some commands.
11:31
Let me just show you the commands in here. Like we can just do DirBuster for that.
11:37
Say, for example,
11:41
we can actually go here and paste the high port. Let me just
11:46
actually copy-paste this one up
11:52
and
11:52
boom
11:54
DirBuster is actually executing all of this. You know, we know that there's, you know, something called index.php, javascript, status. And, you know, we can get really useful information from that. And we can actually use Nikto as well.
12:11
This Nikto might fail because we're, you know, not defining,
12:15
uh, the port.
12:16
Um,
12:18
So, yeah, we can actually, you know, enumerate it this way or enumerate any other way possible. Nikto is kind of a vulnerability scanner. I don't know, you know, how to define Nikto.
12:31
Nikto can be sometimes really helpful and sometimes really lead you into rabbit holes. I don't know how to define it.
12:39
I have a, you know, conflict with Nikto and how to use it. But you know, this time it might be proving that it's actually, you know, really, really useful because it's telling us that... How is this attack named, you guys, or how can we know
12:56
what's the name of this attack? Remember, we saw that in the previous video.
12:58
It's actually local file inclusion or, you know, directory traversal. Again, the difference between them I will not give you in this video. You have to go back and check the previous video
13:13
we created before. So, yeah, this is telling me that it's actually, you know, vulnerable to
13:20
Um,
13:22
ah, I'm sorry, local file inclusion. But another thing to do is to always check the page source. Okay. Styling alignment at once. Bubble laugh and still miss. Something here is telling the others. You know, maybe this script can contain something useful, or not, I mean.
13:41
The point is that you have to actually, uh,
13:45
try to gather as much information as possible. But in this case, this seems like a solid page to actually pursue. So let me see what happens if I just copy-paste that into a web page
13:58
and,
14:01
you know, index password and it actually worked. Wow, that's amazing. Okay, we can actually perform directory traversal, and we can actually try to, you know, kind of list
14:16
what's in there. If I already know that there's, you know, something wrong with this page.
14:20
I can just use DirBuster again and see if I can actually find another page that is not named,
14:30
I don't know.
14:31
See if I can find something else in this. For example, copy-paste this command, which is, you know, DirBuster. And I'm just putting the URL to that vulnerable variable and then using this wordlist so I can actually, you know, maybe see if I can find something useful in this case.
14:50
Generating wordlist, and he still means something. Okay. Blacklist.
14:54
Okay. It seems that these guys actually may be blocking me. Or maybe let's see what this contains. Unfortunately, you will have to do this, Uh, you know, by hand, most of the time. And, uh, you know,
15:11
Ban is home. Ford. No, you are so predictable. One. Get the machine like this. I can see your every move on your IP. Okay.
15:20
This sounds like a challenge to me. Contact. Maybe we can find something useful here.
15:26
Let me. Just
15:28
check this out. Unfortunately, yeah, we will have to do that Occur. Contact me, Wallaby. Well, he seems to be one of the users, and yeah,
15:37
maybe go to Mailer. This sounds interesting.
15:43
Go here and see what happens. Mailer.
15:46
Coming soon, guys. Okay, this seems like the only Let me see.
15:52
There's something hidden in the page source. Okay. Same thing
15:58
saying Oh, no.
15:58
Here, look. It says page mailer, mail, this is a mail variable, message goes here, Wallaby, message goes here. Okay, this seems interesting.
16:14
Uh, what will happen if I use that? Um,
16:18
let me see.
16:19
So I have this. Oops. Oops. Oops. Mailer, mailer, and because there's a variable, and mail equals
16:32
I don't know
16:33
your list.
16:37
Oh, yeah,
16:38
It seems that I can actually execute commands with this variable. So I was able to introduce a directory traversal attack in this, this site and this, you know, variable. But I'm able to actually execute commands. And thanks to this, actually checking the source code of this, I was able to actually do that.
16:59
Yeah. This is how you, you know, a basic version of how do you actually
17:03
check the full, you know, reconnaissance process and, you know, port scan. And obviously, if you're actually performing a penetration test from scratch and maybe outside the network, you will have to conduct, maybe, like, perform Google hacks
17:22
and find out as much information as possible
17:23
from your customer, you know, available information without actually engaging with the customer system. But you know, if you have any questions or any doubts of how to actually execute these techniques or these commands, you can always go back to the previous videos. In the previous modules
17:42
that we saw, the main techniques to apply reconnaissance are, you know,
17:47
probing for services, or getting the services' information, or, you know, trying to get as much information as possible. At the end, you guys, this is arguably the most important part of the penetration test. If you have one week to perform a penetration test, I highly recommend you to spend like five,
18:07
four, maybe five days.
18:07
actually, you know, getting as much information as possible so you can actually see all the information available and see, you know,
18:18
how you could actually penetrate the system. Because most of the time you will end up going in rabbit holes if you don't have the entire picture.
18:30
What is performed by the command question mark page equals and all those dot dot forward slash, dot dot forward slash?
18:38
Well, that's actually a local file inclusion attack, also known as directory traversal. The difference between local file inclusion and directory traversal is, in directory traversal,
18:49
you will not execute anything, you'll just read information, and in local file inclusion, you will actually execute things.
18:57
What is performed by the command nmap -p- -T4 and the IP? -p- means that it will scan, I'm sorry, all the ports, meaning that it will not just scan the well-known ports, it will scan all of them.
19:15
-T4 means that it has to go quickly
19:18
35 in the top on and, you know, the IP is just the IP.
19:23
In this video, we learned one important step you have to perform during your penetration testing process, and we applied some techniques that will help us perform a pentest successfully.
19:34
Our supplemental materials: as always, the book Advanced Penetration Testing: Hacking the World's Most Secure Networks.
19:41
And looking forward, in the next video we'll cover exploitation. Well, that's it for today, folks. I hope you enjoyed the video and talk to you soon.

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor