Part 2 - Discovering Exploits

Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Description

In this video we begin looking at how exploits are uncovered. Dean provides an example of examining a target running MS Windows. With information gathered in a previous step, he then knows to look for services specific to a Windows host such as MSSQL Server. Some of the exploits targeting MSSQL Server are hash dumps, privilege escalation, and launching an XP command shell. This fits into the strategy of enumerating services on the target and then methodically probing them for vulnerabilities.

Video Transcription
00:03
>> Now, I happen to know that this target is a Linux system, but it doesn't mean that you wouldn't be searching for Microsoft systems as well. We may introduce a Microsoft target later in the course.
>> If I search for MS SQL, now I've got SQL Server considerations. I've got scares like you'd expect. I can try to do a ping to see if the server's running, I can try to do hash dumps, I can try login. There's other auxiliary modules for doing things like escalating the database owner to a higher privilege level. That can be really interesting. Trying to use XP command shell. This is a dangerous feature of MS SQL. We are allowed to pass instructions to a command shell which runs on the underlying operating system of that database server. It's pretty fascinating stuff if you find a system that's got that enabled. There's also things like login utilities, some very specific things like the slammer worm or hello overflows, and so on. A lot of things to explore here. The idea though is to again look at the services that you discovered and methodically probe them one by one to see what might be possible. FTP, right at the top, we can do a quick search. See if I have anything for VSFTPD directly, and I do. There's a command execution for VSFTPD. I know there's at least one vulnerability someone's written a module for, and there might be others. We can do some searching on that; we might get a little bit further along.