All right, welcome to the next module in our Metasploit class. This portion of the course will be looking at ways to gather information about your target systems: things like the operating system, IP addresses, the ports that are listening, banner grabs to get service information, and so on.

There are a lot of ways to do this from within Metasploit directly, and we can also integrate other tools to add extra detail. For instance, if you want to do a vulnerability scan, you probably want to use something like Nessus. If we're doing a simple port scan, we can use nmap, for instance.
Since we ran that postgres exploit before, we should expect to see some information in the database now. Since I made a connection to that exploitable system, the database was automatically updated to show me that this system now exists. I can run the services command to see what services are known to my database. The only service so far is the postgres service running on TCP 5432, and we know this service exists because that was how we established our Meterpreter shell.

However, what I want to do is get rid of this host. I want to start with a clean slate so that I can do a scan and know that what I found in the scan is exactly what's in the database. You could certainly mix and match, adding things to your database by using different tools, but I just want to clean everything out for right now.
Back to nmap. Metasploit allows you to run an nmap scan from its command line. If I do nmap -h, I can see all of my options within Metasploit: I get different scan types, I can control the speed of the scanning, and so on.

Generally, what I like to do as a first pass, and this isn't the stealthiest scan available but it certainly gives a lot of good information, is the -A option, because this gives me a lot of good information about the target and gives me a clue as to what kind of service is running. It does the banner grabs. We'll let this go; this might take a few minutes to run.

While that's running, we can talk about a couple of things. nmap, as we're seeing it here, will do the scan, but it doesn't actually add anything to the database. And you might think, well, what's the purpose of that? Why wouldn't I want to keep it in the database? Well, there are two different options: I can run the scan on something just to see what its characteristics are, but I may not want to store that information.
All right, so let's review the scan; that completed fairly quickly. We can see that the host is up, of course, 977 closed ports, and then it tells me the ports that are open.

So we're running an FTP server, vsftpd. We'll do some research and find out if that's vulnerable. There's an SSH server running on port 22. I've got telnet on 23, mail transport on port 25, with a little bit more information about the mail configuration. BIND DNS on port 53. I've got a web server running on port 80; looks like Apache 2.2.8, so I'm getting some good information from my banner grabs here. I also have rpcbind running on port 111, with a whole bunch of good information from rpcinfo about the services that are running on this box. I'm also running some NetBIOS on 139 and 445, so any kind of Samba-related vulnerability should also be explored. That looks like some kind of remote shell running on port 512, and maybe 513 has a remote shell running as well; we're not sure what those are yet, but we'll find out. Some kind of Java registry on port 1099. I've got a Metasploitable root shell on 1524; that port's usually associated with Oracle databases, but it might be there for some other reason. NFS. I've got another FTP server running, ProFTPD. MySQL, with some good information about the MySQL implementation. Postgres, which is what the default credentials that we used were for; I could have shown the creds command and seen that that was in the database as well. We'll review that again later. Looks like I have a VNC server running on port 5900. I've got X11. Looks like an Unreal IRC server is running, or something for Unreal gaming servers; one of those was apparently installed, so I'll have to check and see if this has any vulnerabilities. Oh, there's an Apache Jserv server running. I've also got another Apache instance running on port 8180 for Tomcat and Coyote.

Then, lastly, I get my MAC address, what the Linux kernel is, and, even though the distance over the network is one hop away, finally some nbtstat information like workgroup and NetBIOS name. So some great information, right?
But as I run hosts, you'll see there's nothing in there. So I can change this to db_nmap, and this is available from the help screen, of course, if you go check. db_nmap will now run the same scan again, but it'll pull all the data from the scan and populate the database with it, so we can poke around and see what that looks like here in just a moment. In the meantime, the other port scanners that are available within Metasploit are fairly diverse; we get a lot of different choices there.

So we see the output looks more or less the same as it did before. However, now, if I run hosts, I see that I've got a host there. I can run the services command and see what services it discovered; these are all the open ports on that particular system. The services command has some interesting features as well. You can add services to the list. You can delete them, as we saw earlier. I can look at given columns. I could also, maybe, only display services that are up, right? So a scan might return all the different ports with services that are expected to be there but aren't running, so I can filter. But luckily, the nmap scan just showed me those things that are up. Now I've got a nice, concise list of things that I could go after to break into this system.
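As an added example, not code from the lecture or from Metasploit itself, here is a small Python parser for nmap's -oX XML output that does roughly what db_nmap does when it pushes a scan into the database: it keeps only hosts that are up, records address, MAC, hostname and OS match, and lists each port with the product/version string the services table shows in its info column. The up_only filter plays the role of services -u; the sample XML, its address and MAC are constructed for this example.

```python
import xml.etree.ElementTree as ET
# Constructed sample of nmap -oX output (not the lecture's scan; 192.0.2.10 is a documentation address).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A 192.0.2.10">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac"/>
    <hostnames><hostname name="target.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.8"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset"/>
        <service name="http-proxy"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="96"/></os>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return one record per live host: address, mac, name, os and its ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that were not up never reach the hosts table
        rec = {"address": None, "mac": None, "name": None, "os": None, "services": []}
        for a in h.findall("address"):
            rec["mac" if a.get("addrtype") == "mac" else "address"] = a.get("addr")
        hn, osm = h.find("hostnames/hostname"), h.find("os/osmatch")
        rec["name"] = hn.get("name") if hn is not None else None
        rec["os"] = osm.get("name") if osm is not None else None
        for p in h.findall("ports/port"):
            svc = p.find("service")
            # product + version is what the services table shows in its info column
            info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if svc is not None else ""
            rec["services"].append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                                    "state": p.find("state").get("state"),
                                    "name": svc.get("name") if svc is not None else None,
                                    "info": info})
        hosts.append(rec)
    return hosts

def services(hosts, up_only=True):
    """Flatten to (address, port, proto, name, info); up_only mirrors 'services -u'."""
    return [(h["address"], s["port"], s["proto"], s["name"], s["info"])
            for h in hosts for s in h["services"] if not up_only or s["state"] == "open"]
```

Feeding it a real file (nmap -A -oX scan.xml <host>) gives the same host/services view db_nmap would, which is a handy way to check what a scan actually recorded before importing it.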
I could try running the creds command. The postgres exploit, if I were to use that one again, would populate this area. In fact, let's do that. If I remember correctly, it was postgres_payload. So we will use postgres_payload just to establish that the creds, the credentials function, works as I've explained. Notice that my remote host is set automatically because I did that setg earlier, the global setting for remote host; you can globally set any of these parameters that you see.

So we'll go ahead and do the exploit, and I've got my Meterpreter shell, and I can prove that I'm on that system by running ifconfig, and there's the address, 129. We kind of reviewed some of this earlier, but the great thing is, now I can exit out of my Meterpreter shell, and I can even exit out of the context of postgres_payload. Now, if I look at my credentials: user name and password were correct. Well, it should have populated the database with my credentials. For some reason that didn't work, but we know the connection worked.