Part 1.3 Scanners



Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Description

In this final video in the series on scanners, Dean provides some examples of using scanners to collect info on databases installed on a target. Again, a broad, top down approach is taken where the type of database and its version are initially gathered. From there, the scanning progresses to a more detailed level where actual exploits are attempted such as generic queries, dumping credentials, and obtaining the database schema.
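The first step described above, learning the database type and version, is a banner grab: a MySQL server volunteers its version string in the handshake packet it sends immediately after the TCP connect, before any credentials are exchanged, which is what both the port scanner and the mysql_version auxiliary module read. PostgreSQL, by contrast, sends nothing until the client has started the session, and reports its version only after authentication, which is why the credentialed modules later in the video need a password. The parser below is an added example written for this page, not code from the course or from Metasploit; it decodes the MySQL HandshakeV10 packet (protocol version, server version, connection id, capability flags, including whether the server offers TLS) and also the ERR packet a server answers with when the scanning host is not permitted to connect, a common result when scanning from an unexpected address. The function names, the connection id, and the sample packets are constructed for the example; the version string 5.0.51a is the one the video reports.

```python
import socket
import struct

CLIENT_SSL = 0x0800  # capability bit: the server will accept a TLS upgrade after the handshake


def parse_mysql_greeting(data: bytes) -> dict:
    """Parse the first packet a MySQL server sends after the TCP connect.

    Framing: 3-byte little-endian payload length, 1-byte sequence id, payload.
    A HandshakeV10 payload starts with 0x0a and a NUL-terminated version string;
    an ERR packet starts with 0xff, a 2-byte error code and a message.
    """
    if len(data) < 5:
        raise ValueError("packet too short")
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    kind = payload[0]
    if kind == 0xFF:
        (code,) = struct.unpack_from("<H", payload, 1)
        msg = payload[3:]
        if msg[:1] == b"#":          # optional '#' + 5-byte SQLSTATE marker before the text
            msg = msg[6:]
        return {"ok": False, "error_code": code, "message": msg.decode("utf-8", "replace")}
    if kind != 0x0A:
        raise ValueError(f"unsupported protocol version {kind}")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    if len(payload) < pos + 4 + 8 + 1 + 7:
        raise ValueError("handshake too short")
    (conn_id,) = struct.unpack_from("<I", payload, pos)
    pos += 4 + 8 + 1                   # connection id, auth-plugin-data-part-1, filler byte
    (cap_lo,) = struct.unpack_from("<H", payload, pos)
    (status,) = struct.unpack_from("<H", payload, pos + 3)   # after the 1-byte charset
    (cap_hi,) = struct.unpack_from("<H", payload, pos + 5)
    caps = cap_lo | (cap_hi << 16)
    return {
        "ok": True,
        "protocol": kind,
        "version": version,
        "connection_id": conn_id,
        "status": status,
        "capabilities": caps,
        "ssl": bool(caps & CLIENT_SSL),
    }


def build_greeting(version: str, capabilities: int = 0xA22C) -> bytes:
    """Construct a HandshakeV10 packet. Sample data for this example, not a capture."""
    payload = (
        b"\x0a"
        + version.encode() + b"\x00"
        + struct.pack("<I", 42)                         # connection id (arbitrary)
        + b"ABCDEFGH"                                   # auth-plugin-data-part-1
        + b"\x00"                                       # filler
        + struct.pack("<H", capabilities & 0xFFFF)      # capability flags, lower half
        + b"\x08"                                       # character set (latin1)
        + struct.pack("<H", 0x0002)                     # status: SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", capabilities >> 16)         # capability flags, upper half
        + b"\x00" * 11                                  # auth-plugin-data length + 10 reserved
        + b"IJKLMNOPQRST\x00"                           # auth-plugin-data-part-2
    )
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


def build_error(code: int, message: str) -> bytes:
    """Construct an ERR packet, e.g. code 1130 'Host ... is not allowed to connect'."""
    payload = b"\xff" + struct.pack("<H", code) + message.encode()
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


def grab_mysql_version(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Connect, read the greeting, and parse it. No credentials are sent."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            if len(data) >= 4 and len(data) >= 4 + int.from_bytes(data[:3], "little"):
                break
    return parse_mysql_greeting(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(grab_mysql_version(sys.argv[1]))          # e.g. python grab.py 192.168.56.101
    else:
        print(parse_mysql_greeting(build_greeting("5.0.51a")))
        print(parse_mysql_greeting(build_error(
            1130, "Host '10.0.0.5' is not allowed to connect to this MySQL server")))
```

Run with a host argument to grab a live banner; without one it parses the two constructed packets. The `ssl` flag is worth recording during a scan: a server that does not advertise CLIENT_SSL will exchange credentials and query results in the clear, and the ERR branch distinguishes "version unknown because the host refused us" from "port closed", which is the difference between a filtered service and an absent one.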

Video Transcription
00:04
Okay, so
00:07
let's move on to another method of gathering information from
00:12
our target host. So we saw that we were running a MySQL database
00:19
as part of the scan I showed. I could just see that easier if I
00:23
go back to services.
00:29
It's thinking about it.
00:34
All right, so now
00:35
the services that are closed are showing up.
00:38
So, what I'll do again is try my command line option.
00:43
I can say services -u. That just shows me the ones that are up,
00:47
and
00:50
MySQL. Here we go,
00:54
and it automatically came back and did the banner grab and showed me my version number. But I could also try to get this in different ways. For instance, I could
01:04
do a search for mysql, see what's available.
01:11
Something simple, like the version number. Here we go.
01:15
auxiliary/scanner/mysql/mysql_version.
01:26
All right, mouse is misbehaving a little bit there.
01:30
Here we go.
01:34
I already have this information; I'm just proving the point that it actually does work
01:40
as a standalone tool. Our host value is set
01:45
and I can just run exploit.
01:49
All right, good. It matches up: 5.0.51a.
01:55
I've got other things to look at. There's an excellent
01:57
exploit for MySQL payload.
02:01
There's lots of other things to think about here,
02:05
huh?
02:06
Generic queries. So, trying to do some kind of arbitrary query on a system, trying to log into the MySQL instance. If you could gather credentials for that, that would be a good
02:17
find.
02:21
So you have other options inside for things like databases. So we know we also have a Postgres database on this system,
02:30
so I can do a search for postgres.
02:34
I want to gather some more information about that database.
02:42
Should give me a bunch of things to consider.
02:45
All right. So I've got some
02:47
administrative
02:51
modules here, and also some scanners,
02:55
so I could start with something simple, like the version, even though I have this information, just proving that you can get it in other ways.
03:06
Back out of that.
03:07
And I want to use postgres_version.
03:16
Now, I already know what the password is, so I could set that here,
03:23
and I think I will, so set password
03:27
postgres.
03:30
I can run the exploit and see what it gives me.
03:34
So I get a really nice, detailed bit of information about
03:38
this particular database.
03:40
What else can I do?
03:43
Let's see if I can do a hash dump.
03:47
Now, it's only going to
03:50
probably give me the,
03:53
well, not probably; it will give me the hashes of passwords that I'm allowed to see with my privilege level.
04:00
So let's see what that gets us.
04:05
Show my options again. Always get in a habit of doing this so you don't leave something out. All right, again, I can see that I want to set my password.
04:15
This is the danger of having default configurations.
04:18
This system could be running for years like this without anybody knowing that this default password is a big vulnerability.
04:29
All right, so now I've been able to get the hash
04:32
for the postgres user.
04:36
What else can I get since I have credentials,
04:42
Schema dump? That looks interesting. We'll see if that works.
04:47
I know what the schema looks like now. I can
04:50
certainly have more opportunities for
04:55
interacting with that database, changing it or doing other things which may be
04:59
to the advantage of the attacker.
05:02
All right again, I have to set my password.
05:10
Everything else looks to be correct,
05:14
so I'll run the exploit.
05:17
All right. So there's the schema dump on that. Looks like the database is just very simple, maybe one table or something, very basic. If it was more complicated, then I would see more tables being shown,
05:29
but you get some idea of what's possible here.