BSWJ: Braa

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

15 minutes
Video Transcription
Hello, everyone. And welcome back to breaking stuff, Joe, I, as always in your host, Joe Perry and I has always thrilled to have you here. Now, for those of you have never had never seen a breaking stuff Joe video before. We're gonna really go with format of this. Siri's breaking stuff With Joe is a series of 30 minutes or less videos
focusing each video focuses on its own tool in the security world.
A lot of our tools are red team pen testing style tools. Today's gonna be one of them, but a lot of them are also books. Some things like reverse engineering or malware analysis or any sort of, you know, dev ups any sort of security focused or security
centric concept in this world. So all of our videos about a different tool you can kind of scan through by the time this one's up, we're gonna have a least about 10 others so you can feel free to scan through. We've got a bunch for coming down the pipe, and we're gonna make sure that we find just about every valuable toe in the cybersecurity world. Talk about today's video. We're gonna be talking about the SNP scanning tool, Brad,
and we're gonna talk about not only that tool itself.
We're going back about the protocol of S and P and why it's such a wonderful, useful tool for pen tester. Why, It's kind of a pen. Destin best friend if things go right, So we're gonna talk about incident. People understand how it works, what its for what it does, then the last little bit of the video. We're gonna actually do the tool demo like with a lot of tools, feature here on breaking stuff. Joe,
The complex part isn't really in the execution. It's not really in the running of the tool.
There's just a few kind of a handful of options. What's really valuable to understand here is what S and M p is and why it's valuable for attacking. Now Those of you who are familiar with this world we're familiar with pen testing may be wondering Why didn't you check? Why don't you try SNP walk? Why didn't try any other asset of the scanners?
The real reason is that again, the value of a lot of this is just understanding the underlying protocol
and what's great about Brad, and the reason why I like it and use it most often is because it is incredibly fast. It is lightning fast for analyzing huge amounts of S and M P targets for finding huge numbers of 70 addresses. So it's a really, really useful tool. I find it valuable in my everyday life well, and I ever did work.
And hopefully you will as well. So thanks for tuning in and let's get started.
As I said in the introduction, our first objective for this video for sort of gold for today's tutorial is to understand S and m p what it does, what it's for, how we use it. And so we're gonna go ahead. We're gonna examine that before we do anything in our bm.
So looking at this S and M P stands for the Simple Network Management Protocol. It is one of the oldest protocols, one of the oldest sort of agreed upon standards in computing. It first came out in 1989 which may not seem incredibly older. Some of our viewers and may seem obscenely old, the others
As of now, that means this protocol, right around 30 years old,
it's gone through three generations, but even version three is actually pretty old by modern standards. For that we're looking at about 20 years ago, around 1998 90 99 s. Oh, there are three primary versions SNP won is still probably used more often than the others, which is terrifying to consider.
Uh, you know that they came out 10 years later and it's still not fully
adopted, but that's that's the sort of the nature of security. One of the great ways to get access to systems is just taking advantage of fact that they use really old protocols all the time.
So S and P version one had no implement security. What it was actually designed to do is just to provide sort of a universal network management or a universal way of interacting with network devices. So you can see here on this diagram on the right. We're gonna go over in just a second. This is designed to basically provide an identification methodology
every possible device that can connect to the network. You know, we go all the way from ice soda or two D O. D. To the Internet and Internet is four layers deep on this particle. That's to give you a frame of reference for just how expansive it isn't just how many different things that could possibly cover.
So S and M. P. I said it, I said just a minute ago. I'll say it again. It's a protocol that exists primarily for managing network devices, and one of the things that it uses to do that is it assigns a unique I d to every single network device. Every single network device gets its own I d. That way it can be addressed
pretty much universally across us.
You can apply specific rules. You can apply specific policies or procedures to each of these devices. You can directly manage them based on their i. D. You just have the ability to gain so much information access just by using the single protocol. And as I started to say, S and M P version one had no security. Everything is plain text, no passwords, no user name. Well,
there is a user name, but that using it was passed in plain text. So
nothing truly secure or security minded. SNP Version two introduced 75 hashed passwords, so you would actually have to, you know, communicate with a password to get access to the system
That said, that really isn't much security. Once that password was accepted, you could still you were still passing everything in plain text, so it didn't really matter terribly. Anyone sniffing your network could pretty easily gain access to your S and M p traffic. And then additionally S and M p version three the most recent version that, as I mentioned, came out about 10 years after the 1st 1
It implemented password hashing with shot or empty five. It's optional between the two, which one you use,
and it has the option. You have to enable it to transmit your data encrypted with debts, which is the data encryption standard. Now this is a nightmare from a defensive perspective, the clear text, the lack of legitimate hat you're using an MP five hash for a password is just incredibly outmoded and very easily broken.
And the fact that the data transmission is on Lee secured with Dez,
which is an ancient encryption standard that has been completely completely sundown because it's just no longer legitimately useful. It's too easy to break too easy to get past. So S and M P is a great tool for the security practitioner. The reason why I said it was sort of the pen testers best friend
is because of the fact that fundamentally it is an incredibly insecure protocol. Now they're our methodologies put in place. They're keying algorithms, they're being used.
Try and advance the security on us and and be. But just fundamentally, it introduces vulnerabilities faster than almost any other protocol in the world. Short of maybe S and B s and M P is responsible for an incredible number of vulnerabilities. So I mentioned before that S and P is used. You have every device its own unique I d. And we're gonna examine how that happens.
First, we start
with this diagram. We can see here at the top. We have this route authority. This is just every device starts at, so there's not really there's not a number assigned to it the way it is with other devices. But generally speaking, the way you're going to address, or the way you often see S and M P addresses started is actually with a period instead of with the first number
and to some extent that is designed to identify that it starts at work.
From there, the most common number you're going to see is one which is I S O.
After that, you're usually going to see three, which is order
six, which is D o D.
And one, which is Internet. Now. Those together form probably the most commonly known number in s end of year, certainly by far the most commonly used number. And that number is 1361 That is an extremely common.
I don't know that I've ever seen a device that didn't start with those four numbers. From there, you're often going to see it go to four private. That's by far the most common. That's really referencing any device or any network device that is created by a private entity. Whether that's an enterprise, whether that's an individual,
just anything basically not created by,
as you saw over here that the basically that people who originally built and run the Internet or people who are performing experiments for the for the advancement of Internet most of the time it's gonna be with a four,
So that's how you're going to get those 1st 5 numbers on your I d. You could have 13614 And then after that, you're gonna have based on the different manufacturer based on the purpose of the device based on you know what it's actually being used for in the network. Based on all sorts of information, you're gonna add the rest of that number.
And that's one of the important things to understand here is that these unique I. D. S are associating with management information basis or with basically the these tables that are designed in this tree that you can see what you can see in our diagram back here a little bit. Just gonna skip back a few steps.
All of these things are managed in this tree like structure, and you can go down with every number you ad. You're just adding more notes. So these, eh, my bees are these. These management information bases are explicitly there so you can identify unique identified devices with similar functions. And that's another reason why this is a useful tool. Why, this is a useful pen testing tool,
because if you know about S and M P and you know how to identify their howto
read the identifying numbers. You're able to look at this and say, OK, based on this number, I know it's made by this company. It's in this group. It's used for this purpose, and you're able to really quickly iron out exactly what potential vulnerabilities see. And so from that we're gonna go ahead. We're gonna jump into R V M, and we're gonna actually see this tool in use. Like said, it's not gonna be a super long
but it is definitely worth taking the time to examine it, actually working
inside of our VM here, we're gonna do one thing that's important to set up. You may note, as in a couple of the more recent videos, I'm working out of my Tally BM instead of my mom to be M. That's because, as I mentioned in the introduction here, a lot of our videos, a lot of the tools that were focused on for the next several videos are going to be pen testing tools you can find in Cowes.
So it's just a little bit easier to show them all in the same place and demonstrate their use it from here.
So what we're gonna do before we actually get started and show the tools we're gonna start our S and M P service on this BM Now it's often gonna be, you know, it might be on by default on different operating systems are on different devices, But often you're going to see that it's not actually enabled on, for example, of mission like Callie that is built with security in mind.
I'm very security conscious networks. It's generally not going to be enabled because, as I said earlier
S and M P just potentially introduces an incredible number of an incredible array of that being said, It's a pretty easy service to start on our network. All we're gonna do here on our system, Rather, all we're gonna do here is from the Cali VM not start with, say, service S and M p d
d for Damon, and we're gonna say start
and it should spit out absolutely nothing that will tell us that it has successfully started. We can double check that, of course, by typing status,
and you can see the news in fact, running.
So with that up and running, we're gonna go, and we're gonna have a look at the tool. Now, Brad is an interesting name for a tool, as far as I've been able to find, it doesn't seem to be an acronym. Just a just a name.
Anyway, we're gonna run that command. And because my father is a little large on me. A little bit. Little bit tricky to read. That's okay. We'll work with it.
All right. So you can see here. Maybe.
You know what? Let's do it this way.
A little bit. Easier to read. There we go.
So we're going to start right up here. Top. We're gonna see that the usage is the command. We just invoked the tool that we do it most. The options and then our queries on it's pretty cool. One of the nice things about this rule is you do multiple queries at a time.
The options that are available obviously your help. Men, you can claim to be an S and S and M p to agent. You've got a few different options here for waiting for responses or waiting in between sending packets as you as you may have seen in one of our previous videos are talking about application mapping. It is actually a pretty good idea. When you're
trying to reform searchers like this trying to map,
it's worth waiting a certain amount of time, and that's gonna depend on which network how long it's gonna be. But it's worth waiting that time to avoid getting busted by PS, PS or a Bee products. A lot of them were based on how many requests they're getting for second, and if they seem like a dangerous number, it might shut you out. It might silently just drop your packets. A lot of bad things might potentially happen. So
it is pretty important if you're targeting system, you know, is being monitored
kind of space out your attack and make it look just a little bit more.
But then down here, one of the nice things about this tools that it actually gives us some sample usage right past area. So example uses you can see here that you're gonna give it public. This string right here is often the Republic. What that is essentially is just the user name that you're going to be addressing these by so whatever the S and P
Service is
accepting a lot of times, by default, this public is gonna be enabled. A lot of people don't change the default credentials on SNP enabled devices don't don't enable or change rather the S and P credentials. They might remember to change the username logged in. But oftentimes they'll leave these configurations as their default, which is one of the many reasons that such a dangerous protocol
and then you can see here, we're going to put at
and then it's gonna be whatever the starting I P is, they're going to start searching the range on. In this case, I'm just going to be performing against this local hosts. That's why we started S and P. D. Just a minute ago, and we're gonna go ahead. We're going to see that the command we're gonna run It's pretty straightforward
at 127.0 won the local host
or the loop back address, and they were just going to do one. Not one, not three,
not six
dot star
and what this is doing, Is it saying everything that meets those 1st 3 numbers that were positive exist, And then
that way, we see in basically every device, and we're actually even including things that are just Internet. We're looking at anything that falls under those Anything that we're able to see on this address or this range of addresses in this case is just one address on this address
with those 1st 3 digits. So basically any S and M P device, we're gonna go ahead. We're gonna run this command and pretty quickly it's gonna start spitting out. You can see it gave us back a bunch of different options you can see here. It gives you the I. P address that I found it on how long it took to reply 20 milliseconds in no time at all.
And then it gave you the actual device numbers and information.
so pretty straightforward. Not a terribly complex tool. Use not a terribly complex concept, but S and M. P s aside, repeated a couple of times in the video is a devastatingly horrible protocol. If it's not carefully security implemented, which means that as a pen tester is your best friend in the world.
So I am gonna recommend you have another look, a bra on your own and you play around with it in some of our labs and some of your sandboxes.
If the Kelly
sandbox isn't up just yet, have patients. It's gonna be very, very soon over in the process of putting that up on the site even as I'm recording this video. So we're gonna go ahead and we're gonna end this here and give you the chance to go play around with it yourself. Have a look at some of our supplemental material used the cheat sheets. Get familiar with this tool. And hopefully
like me, you will find it a very valuable asset in your pen testing.
So again, thank you all for watching. I really appreciate it being able to do these videos. I love that we have students were able to find a benefit and learning about these tools work. So please continue to watch the breaking stuff with Joe Siri's. And please recommend to us different tools or different concepts you'd like us to explore in this series or even in other videos on cyber.
And that's gonna lead us to our final note for this video.
Cy Berry is a primarily CROWDSOURCED endeavor. The vast majority of the material on this website comes from people like you who came here to learn and found out that they have something valuable to teach themselves. So I really, really recommend if there's something you'd like to see on the site. Don't just recommend that we get it up. Don't just send us feedback,
but offer or try to create it yourself and join our content
creation community because we're changing the way people learn about cyber security. And we're thrilled to have people come on board and help us do that. That's gonna be the end of this video. Thank you all for watching breaking stuff, Joe. I always have your host and I hope you back here on cyber eri on demand.