We have one learning objective here and that's to describe some high level tips when it comes to hacking protocols.
So we learned a lot about all these different protocols and services and all the typical ports that we find them on. You know, we know SSH is port 22, FTP is port 21. But if you notice, I also said that I hide port 22; a lot of other people hide port 22 from would-be attackers. So that is not on a well-known port.
As we saw in the FTP lab, I didn't have FTP running on port 21. I'm running it on port 2121, which we'll also see later. So just because a service is on a particular port, or we see a particular port open, I should say, don't assume that's what that service is. HTTP has a whole bunch of different ports. If we know HTTP, it might be on 80, it might be on 8080, it might be on 8888.
So that's to say, let's use our tools, let's use Nmap. Let's scan every single port. Because if you're thinking like someone who's making OSCP, you know how these tools work. You know how Nmap works? You know what typical ports Nmap scans? Why wouldn't you want to be clever and crafty and hide your whatever service on a port that you know Nmap is not going to be able to scan? So that's why I like to scan every single port, because you can never assume that just because Nmap does a default port scan of well-known ports that it is going to find all the different open ports when it's test day.
So that's why we do the -sV flag and the -sC flag in Nmap, because I like to know what the version is. And we saw, even with Nmap, when we looked at the SMTP demo, it didn't even recognize the service. We didn't know the service until we used Netcat and we manually enumerated it. So that's where you're starting to build your skills; you're starting to say, well, if Nmap doesn't work for me, maybe I go to Ncat or Netcat, or maybe masscan is the right tool here. Um, so it's knowing which tools to use when things fail you. The best hackers are able to manually enumerate things and don't rely on a particular tool. They have a bunch of tools in their tool belt, like Batman.
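One way to act on the "don't trust the port number" advice above when reviewing scans of your own hosts, as an added example that is not part of the course: a small Python script that reads Nmap greppable (-oG) output from an -sV scan and flags services on non-standard ports and ports Nmap could not identify (the ones that need a manual banner grab, as in the SMTP demo). The host names, addresses and scan lines below are constructed samples, not output from the lab.

```python
"""Flag services on unexpected ports in nmap greppable (-oG) output.

Added example for this lecture, not code from the course. Input is what
`nmap -sV -p- -oG scan.gnmap` writes; the lines below are constructed.
"""
import re

# Port a service is conventionally found on; anything else is worth a look.
EXPECTED_PORT = {"ssh": 22, "ftp": 21, "http": 80, "https": 443,
                 "smtp": 25, "microsoft-ds": 445}

# Constructed -oG output. Each port entry has seven slash-separated fields:
# port/state/protocol/owner/service/rpc/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 (lab-ftp)\tPorts: 2121/open/tcp//ftp//vsftpd 3.0.3/, 2222/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: closed (65533 ports)
Host: 192.0.2.11 (lab-web)\tPorts: 80/open/tcp//http//Apache httpd 2.4.52/, 8888/open/tcp//http//Apache httpd 2.4.52/, 25/open/tcp//smtp///\tIgnored State: closed (65532 ports)
Host: 192.0.2.12 (lab-odd)\tPorts: 31337/open/tcp//unknown///\tIgnored State: closed (65534 ports)
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Yield (host, port, service, version) for every open port."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, _proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                yield host, int(port), service, version


def find_oddities(text):
    """Return (host, port, reason) findings to follow up on by hand."""
    findings = []
    for host, port, service, version in parse_gnmap(text):
        if service in ("", "unknown") or not version:
            findings.append((host, port, "unidentified: grab the banner manually"))
        elif service in EXPECTED_PORT and EXPECTED_PORT[service] != port:
            findings.append((host, port, f"{service} on non-standard port"))
    return findings


if __name__ == "__main__":
    for host, port, reason in find_oddities(SAMPLE_GNMAP):
        print(f"{host}:{port}  {reason}")
```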
Alright. Also keep these things in mind. Can you log in without credentials? We saw SMB with these null sessions or guest sessions where, you know, it prompts you for a password, you just hit Enter and you have access to shares. Also FTP, with anonymous login: you just enter anonymous and you log in. What do you have access to? And that's where you need to think about it. And that's why I showed you that enumeration with Nmap and all the other tools. Can you not only read something, can you also write? Can you pull down files? Can you upload files? Can you download files?
The other thing you realize is, if you have access to the entire machine, it's a little bit like information overload: where do I start looking, what is out of place? And that's why I stress that it's important to do labs. It's important to keep doing things like Hack The Box and CTFs over and over again, because the more boxes you enumerate, the more you realize, like, hey, that's not a particular service I've seen normally, maybe there's a vulnerability there, or I know which particular files to look at in Linux to tell me more about the configuration of that machine. And it just comes with more and more reps. So, you know, don't assume that because you're new to this you're not going to be good at it. It just takes a long time to do it. That's why people spend months preparing for OSCP, because you need to get those reps down to become familiar with how boxes are laid out.
Also, can you brute force logins? We saw, you know, we can assume maybe there's a root user on Linux; maybe we can find the password for that. Um, you know, even with FTP, even with a Google search we found that the default credentials for admin is password, and that worked for us. You know, maybe you don't even have to brute force; maybe it's just some Googling and you find what the default credentials are for a particular service. And like I mentioned before, you know, figure out what you can do when you log in. We saw the anonymous user in FTP couldn't put things on the server, but we saw that when we log in with the admin user we could put things on the server. So figure out what you can do once you log into these services.
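The credential-less and anonymous-write cases above, turned into a defensive check as an added example that is not part of the course: a Python audit of vsftpd.conf and smb.conf that reports anonymous FTP login, anonymous upload, and SMB configurations that map unknown users to guest or expose guest-readable shares. The two config texts are constructed samples, not files from the lab machine; the directive names are real vsftpd and Samba options.

```python
"""Audit vsftpd and Samba configs for the credential-less access the lecture
describes (anonymous FTP, SMB guest sessions) and for anonymous upload.
Added example, not course code; the config texts below are constructed."""

# Constructed vsftpd.conf: anonymous login and anonymous upload both on.
VSFTPD_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

# Constructed smb.conf: failed logins mapped to guest plus a guest-readable share.
SMB_CONF = """\
[global]
   map to guest = Bad User
[public]
   path = /srv/share
   guest ok = yes
"""


def parse_config(text):
    """Return {(section, key): value}; vsftpd has no sections (section '')."""
    cfg, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        cfg[(section, key.strip().lower())] = value.strip().lower()
    return cfg


def audit_vsftpd(text):
    cfg, issues = parse_config(text), []
    if cfg.get(("", "anonymous_enable")) == "yes":
        issues.append("anonymous FTP login enabled")
        # vsftpd only honours anon_upload_enable when write_enable is also on.
        if cfg.get(("", "write_enable")) == "yes" and cfg.get(("", "anon_upload_enable")) == "yes":
            issues.append("anonymous users can upload files")
    return issues


def audit_smb(text):
    cfg, issues = parse_config(text), []
    if cfg.get(("global", "map to guest"), "never") != "never":
        issues.append("unknown users mapped to guest: null sessions get in")
    for (section, key), value in cfg.items():
        if key == "guest ok" and value == "yes":
            issues.append(f"share [{section}] allows guest access")
    return issues
```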
Also use your hacker mindset. Think around the problem; if you keep hitting a wall, stop hitting your head against the wall and think laterally, think with agility. So use your hacker mindset: just because a protocol doesn't let you execute a file, where else can you put it? And that's why you saw, when I put that shell on that machine, I couldn't execute it directly from FTP, but I could put it in the web root because I knew where the web root was, and luckily we had access to it. So think like that. You know, just because you can't execute something with a particular service, what other vulnerabilities are there? And we can chain vulnerabilities together, and that's why it's important to pay attention when we do web app attacks. Because, for example, if we can't put something in the web root but we could put it in the temporary directory, in /tmp, where there are globally readable, writable, executable permissions, and if there's local file inclusion, that means you can go all the way back from the browser to the temporary directory, and that's where you can execute your shell from. So that's what makes very good hackers: people who can think like that, who think, well, you know, I know that with this service I can't execute something, but what other vulnerabilities can I look at and look for that will help me get a shell on this machine.
So, in summary, hopefully you understand some high-level tips when it comes to hacking protocols. When we get to the lab, relax. You know, you're not supposed to get a shell on this lab. It's just a familiarization lab. Okay? So just become familiar with the different protocols, interact with the different protocols, and like I said, it just takes reps of doing this over and over and over again. So no pressure on the lab. Just enjoy it.