that's going to take the service Apache to and start. It
starts that up. So now if I do and that's that
there's your auntie pay.
We have Port 80 listening. Port 80 is the typical port for Web servers, so that makes sense now. We have
beauty listening. Course we can stop. It is, well, same ways into Apache to stop.
We want to to stop it.
And while we're on the subject of networking, wonder what my I P addresses by the salt.
Callie will use D H cp, so it will automatically pull an I P address
from your rotter. So if you're on host only it would pull it from GM wears. Who's the only network you're on? Bridget will pull it from whatever router your computers using
Get an I P address. It'll act as though it's a completely different machine.
We do. I f convict as opposed to I p config
for Windows. Windows has to be different. But Mac and Linux action what Not all use I s can fake toe look at networking information. So if you get that backwards from time to time, you're in good company through no worries. So I ask in seg
and that will show us our networking information.
Who I have East Zero and I also have the local. So it's just gonna be my loot back. So
home probably seen the T shirt. There's no place like
127.0 dot zero that one. No place like home
but we're more interested in our actual
in her face that talks to the Internet. So my
network is one. Then she won't succeed. About one years may be different,
I am 0.77. My net mask is 255255
Pete's life. I've got zero unfamiliar with Net mash. I may not be as familiar with them as I think I am. Actually think I got that question wrong on my file examined networking. But basically what it means is
how many bits of the I P address belonged to the network
and how much are the actual host? So in this case,
so is my 1st 3 ox. It's
are going to belong to the network to 19 to 1 68.1 are all part of the network. That means everything on this network is going to be 1 91 68.1 and then everything from 0.1, which is probably the router. Although waited to 54 his 2 55 is the broadcast. So actually see that here
that's going to basically call out to everyone.
You know, I have all those I P addresses again between probably to use one's probably the router
and 2 54 that could be assigned in this case.
I'm 77 so this is a slash 24
so this would be 1 91 68 at 1.1 slash 24. It's just another way of representing this net mask.
So that's saying that
24 bits are going to be
part of the network, So Aid
You could also say Have a splash. 16. So that would be 25525500 and then only 192 and 168 would be part of the network. So then we could have
not one not two, not three, all the way too dark to 54
one through 2 54 on all those as well.
So a bit more space.
So again, certainly you can read networking books.
It's basically anything that you could learn about. Computer science is ultimately going to help you in pen testing. That's been way too much time looking at things from computer science that I didn't pay attention to, and I should have thinking I would never need them. So it's definitely if you do have a computer science background, it is worth it.
You know, if you want to spend your time reading that working manuals will only help you in the long run,
so you can also set the static I p address to invite a fault. It does used T H C p.
That is going too good to grab an I P address each time. But then your I P address might change,
so it probably won't from just day to day. But you know, might overtime to restart the m enough.
And certainly when you go to other locations you'll get a new life, the address.
we might not want that to happen. Like, for instance, if you're shooting a video for a class, you may want to have the same I p address all the time. But what I could do in Lenox for that is I can do
nano or B I slosh at sea to an edgy directory from root slash network
You just look a little bit different from mine. You're actually not gonna have this part.
So you should have I face eat zero on it and then D h cp. Whereas minds is static
in these three lines here, you won't have.
So that's just because yours is the A C. P. And I set mind ecstatic so my
appearances would always be the sames of my videos at least would be consistent.
So it was just changed. You see Peter Static and then given an address, reminds 1 91 Succeeded that one about 77. Whatever you get from D h c P. Just give it something in that range
and net mask again. Yours will probably be 255255255 That's your if you're at home.
Maybe if you're at a work network or some other enterprise, it might be different.
Slash aids and flush exchange all the time enterprises, but seems like most home networks. There was 24
That's probably not one is probably what your writers I p addresses
again. If your home could be anything in it. Enterprise.
Now I t. People have to have something to keep themselves busy, like messing with the network So you can do this or not do this. You don't have to. Certainly,
and we could do service networking Restart to restart that.
I didn't make any changes. Saw this. Leave it alone.
that's just a little bit about not working again. Probably a class on that working. You could take your book,
but just a little bit, really. I mean, as long as you could talk to other systems like
we did a ping. This is going to use ICMP echo.
It is going to talk to another system and see if it's alive. That said, a live system doesn't necessarily have to respond to Ping,
so just because it doesn't get anything back doesn't mean the system's not up. But say, if I went after 76 should be around.
The system's alive, so I'm able to talk to another system on my network
because I have Internet access because I'm using bridge. I can also make ping WW dot google dot com
and talk to another system on the Internet.
again, it doesn't necessarily have to respond to paying. In fact, when the newer window systems who have Windows Firewall on actually don't
by the fault. So just because it doesn't pain doesn't mean it's not there. We'll see that there are other ways we can see whether system is up or not.
So right as long as we're able to talk on the network when we get on the network who want to be able to talk to other systems if we're doing pin dust thing. So I really just need to know enough networking to troubleshoot if you're not getting an I P address at your client location.
So that could be rather embarrassing if it's something really simple that you couldn't figure out so just a little bit of networking necessary.
I'm going to look at a tool called Net catch,
which is abbreviated, as in See that cat for two. A man and see
called itself the TCP such i p Swiss Army knife and in fact, you could say indeed it is that cat is
really awesome at making to shi fi I pre connections
going cue to get out of the man. Paige.
So we have a lot of different things we can do with Net cat. Um, we can
listen on a port so that cat dash l for listen,
we can listen. Proposed plea on ports.
Who's gonna listen on a port from incoming connection? If I open up another terminal window?
This case I'm just working with two different terminals on the same system. I could do this between systems as well. If you want to pull up your bunch, you system your target that you download it. That also has not cat on it by the salt. So you could actually, with the i p addresses, work between the two
with this one. Let's do a net cat. And instead of going into listen mode with the dash l let's actively connect.
So we actually have basically two ways of dealing with this. Well, see this more. When we look more independent, testing, particularly in medicine, boy will see bind on reverse shells. So will
with the reverse shell.
Well, listen locally equivalent of our listening. That cat with a buying shells will listen for an incoming connection.
That would be two ways of making connections. Either we wait for someone to come to us or we actively go to them.
Really? Just no three ways about it, just those two.
So this time we're going to actively call back in particular, we're going to call back to this guy again on the same system.
Well, it's Net. Cat 2192.168 At wonder What's my I P address? I forgot
1 77 neck out. Didn't see 192.168 That wound up 77. So I'm really just talking to myself.
And then I want port 1234 not cat I P Address and poor.
We don't get anything on this end. But if we come here, we did get a connection
because I used that dash V for Bos
That does tell us with the connection.
So I say Hi, George.
Over here, with our connection, it comes back over here.
a little chat program. She will very primitive chat program. But Certainly we can do better, right? Certainly we could do better. All right, So let's do a control. See
till it. So once we kill one, the other one will close as well.
Once again Open up our listener. So I could just do the up arrow to grab the last command I had
again I'm gonna open up a listener,
But this time I'm gonna do Dash E at the end for execute Tell it I want to execute been badge. So that's actually going to be our command interpreter when I open up my terminal.
Well, I'm dropping into is a bash shells. That's the underlying thing that is
taking our text. And now we want to do if it knows what ch mod means. What l s means. What Grete means for what we're doing here is setting up a listener on port 1234
And then when someone connects, it's going to execute. Been bash was actually going to give someone a terminal
awesome for remote administration. Maybe not so awesome for security If we just have a root shell lying around,
if we start this as root, whoever attaches to it will have privileges whoever starts the program
except what the privileges are. So whoever attaches to it will have privileges and thus will be able to destroy the file system, read all the files, including sensitive data and make changes.
So maybe not a good idea from a security perspective, But
and again on our other terminal weekend to the up era to connect,
begin our actors connection
Unless he doesn't have a prompt simple, it will give a prompt.
He depends on what kind of shell you're using. You can use different things besides that cat, like some of the things that medicine. But it will give you a prompt. Something's blown. It really just depends if I can run commands here
we do it. L s again. It's in the same directory as we are here. Is that we're still in home. Georgia.
So do l. S. It shows me the contents of short is home directory.
Cat out at sea. Password P A s s W d. Do you I know? What's an Etsy password?
for more information about them.
There aren't any passwords of password. Hash is here so it's kind of unfortunate, right? But it has, like, information about like it uses been bashed.
It was like that. Groups use your I. D. S.
He's like that. So who's Georgia and James down here is a home directory using
what kind of shell they use user I d s,
but no password hazards. That's no good. But what about since we have privileges? What about Etc. Shadow within the shadow file.
Guessed it password. Hodges. We confined password Hodges on any of our targets in the
Lennox Systems might be able to use a password cracker to reverse thes we know their password, but
so a bit more interesting when we actually have a program on the other end. Such is the terminal.
But then when you do a control, see,
one more thing, we could do it. We're gonna actually using that cat piss and files. So if you're on
network and you're trying to
upload a file or download a file and you're not having any success with any other way of doing it, which is probably unlikely since when access w get there's a few different ways to do it in Windows as well.
Um, well, see that a bit later on. We do post exploitation. I mean, moving files around us.
Rather interesting thing. But we could do in that cat if we have it. So again we could do our
neck cat. Listen, But this time, let's do
whatever comes in. Let's out Put it into my file three.
let's do let me just create a file on the root directory called my Father for
on input. So we know that the greater than Zahn is output. We could do a less stands on for input. Pipe it into
parking man show. I'll give it my file for