All right. So let's take a look at Metasploit again. What I'll do is start msfconsole.
Well, I guess it's gonna start up the database first. I usually don't do this, because I never really use the Metasploit database.
In fact, the image I used to use for classes, it was broken.
msfconsole opens up Metasploit. In the Metasploit section I showed you an auxiliary module, but we certainly have many other auxiliary modules besides the example that we looked at, the named pipes one, so we can use Metasploit to do some vulnerability scanning as well.
We're gonna take a look at another auxiliary module.
And we'll also look at something called the check function, which we have on some, but not all, of the exploit modules, that will actually allow us to check whether a vulnerability exists
without actually exploiting it. I mean, in some cases there's really no way to do this; exploiting it is really the only way.
In some cases we will have
Of course, while we're waiting, we could go do something else. This is actually going to pop up. I probably should have turned it on before I turned on the video.
This isn't always what happens, but I end up here.
Like I said, we were gonna do something else.
Here's Ubuntu, too. It doesn't really have anything to do. I'm honor bound to remind you:
Windows 7's off. There's extra,
anonymous, of course. You have no excuses.
It shouldn't be that slow. I guess I could give it more memory. I'm not sure how much it has been allotted, honestly, but if you have the memory to spare, you can certainly give your virtual machines more memory.
All right, so we've already seen how to use Metasploit. You can go back to the Metasploit section; that's in Module number three,
if you need to see it again. So I want to show you "use",
and the example is gonna be another auxiliary: auxiliary/scanner/ftp/anonymous.
Oh, we could actually use this to test other credentials as well. So really it should be ftp_login, I guess. I don't know,
does it? We could just change this to be real credentials, but
FTP uses "anonymous" and then you're supposed to have your
password be your email address, or just use this "mozilla@example.com". Our port by default is 21.
That's gonna be correct. In some cases you might find FTP on 2121, depending on the platform.
But we know how to change that: set RPORT 2121.
At most we're gonna run this against two systems, so one thread will be perfectly fine. You can, of course, make it multi-threaded.
Oh! That is our RHOSTS.
We have our output from nmap. If we have one of the greppable files... let me see what I've got here,
like "your class scan.gnmap". We cat that out.
This isn't really useful again for two hosts, but this is incredibly useful if you have a lot of them. And we learned how to do this pretty much earlier, if we went through the Linux section.
So here's the cat of the gnmap. This is why I like gnmap: it's not very nice to read, but, as the name implies, it's great for grepping.
Well, let's
grep for the word "Up". Every time a host is alive, we get this "Status: Up" here.
We got that again. In this case there's only two, not that exciting, but it could be much, much larger. I regularly do pen tests that are 5, 10,000 hosts, even more.
Let's do that cut again. We learned cut in the
Linux section. There are other ways of doing that. Look, I know people use awk to do this, or sed. I like cut.
It's easy. From here, remember the syntax for it.
I'm gonna make the delimiter a space, and then I want field 2. I want just the IP address, so I want field 2.
That leaves me just the IP addresses.
Again, not necessary in this case, but sort them uniquely, just in case. You never know where you're getting your output from. It's always a good idea to sort uniquely.
All right, put that into live_hosts.txt.
Well, then, what we can do here in Metasploit,
again, it would have been easier just to type in the two hosts. But when you're doing this against a lot of them, any command-line kung fu you like is certainly worth it: set RHOSTS file: colon,
then, this is in the root directory,
and live_hosts.txt, so it will pull the data from live_hosts.txt to do this scan.
All right, so we don't need a payload, since this is just an auxiliary. So go ahead and type run,
or exploit. I usually just end up saying exploit
instead of run; it works everywhere.
So we do have anonymous read access.
So we saw that one of those,
the Windows system, looks like it'll be pretty interesting; it has a file called passwords.txt.
Might be worth grabbing.
So again, I encourage you to spend some time looking at different auxiliaries. If Metasploit is still a bit shaky, go back and look at the Metasploit section. I definitely think there's really nothing you could learn that would benefit you more than Metasploit. Metasploit is really
the de facto tool for pen testing. It is definitely worth knowing.
All right, so let's look at one more thing with Metasploit, because again we can use
our auxiliaries for
vulnerability scanning. But we can also...
We go back to our exploit: windows/smb/ms08_067_netapi.
We saw that Nessus found that.
But I always, again, like to get at least two things saying that it's true. If exploitation is allowed, if you're doing a pen test, then you can certainly just exploit it to find out. But if you're just doing vulnerability work, you might just need to do a manual check, if possible. In
some cases there may be no manual check; it's exploit or nothing, so I may not always be able to figure it out. But I always try and get at least two things saying that it's true.
So if we show options, we should remember this. We want our RHOST to be
and SMBPIPE is correct as BROWSER. Remember, there is an auxiliary for that; we saw that in our
We can do the automatic targeting. Instead of setting a payload
and doing exploit, what I'm gonna do is use the check function. Again, not all Metasploit exploit modules have this. In some cases it's just not possible to check. And even if it is,
there's no requirement that the developer of the module implement the check function.
There it says the target is vulnerable.
That's something we can exploit. Of course, we already knew that; we already tried it
as our example exploit in a previous module.
But on our pen test that would let us know that, yes indeed, we have confirmation from two sources that this is
probably a good one to try and exploit. Based on either previous knowledge or research, you'll find that MS08-067
is a really good one to try and exploit if it's available. It's pretty steady, unlikely to bring the service down. It does give you SYSTEM level access, and,
interestingly enough, you can exploit it over and over again, which makes it a really good one for class, where we might
do things wrong and kill our sessions.
So that's one we will
again, not everything's gonna have the check function.
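The host-list pipeline and the Metasploit steps described in this lecture (grep the gnmap for Status: Up, cut field 2, sort -u, hand the file to RHOSTS with the file: prefix, run the FTP anonymous scanner, then use check on ms08_067_netapi), as an added shell example that is not part of the course material. The .gnmap content is a constructed sample, not a real scan; the file names, the resource-script approach (msfconsole -r) and the use of RHOSTS on the exploit module (current Metasploit accepts it; the lecture's older build shows RHOST) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the course): turn Nmap greppable output into a
# Metasploit host list plus resource scripts for the steps shown in the lecture.
# Assumption: files are written to paths you pass in; msfconsole is run
# separately with -r on the generated .rc files.

# Write a constructed .gnmap sample (not a real scan) to the file named in $1.
# Nmap greppable output looks like "Host: <ip> ()<tab>Status: Up".
write_sample_gnmap() {
    printf '%s\n' '# Nmap 7.91 scan initiated (constructed sample)' > "$1"
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 192.168.1.10 ()\tPorts: 21/open/tcp//ftp///, 445/open/tcp//microsoft-ds///\n' >> "$1"
    printf 'Host: 192.168.1.11 ()\tStatus: Down\n' >> "$1"
    printf 'Host: 192.168.1.12 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 192.168.1.12 ()\tPorts: 21/open/tcp//ftp///\n' >> "$1"
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n' >> "$1"   # duplicate on purpose
    printf '%s\n' '# Nmap done (constructed sample)' >> "$1"
}

# live_hosts <file.gnmap>: the lecture's pipeline. Match "Status: Up" rather
# than a bare "Up" so a hostname containing "Up" cannot slip in, take the
# second space-separated field (the IP), and sort -u to drop duplicates.
live_hosts() {
    grep 'Status: Up' "$1" | cut -d ' ' -f 2 | sort -u
}

# make_ftp_anon_rc <hostfile> <out.rc>: auxiliary/scanner/ftp/anonymous
# reading RHOSTS from a file, one thread, default port 21
# (set RPORT 2121 instead if the platform runs FTP there).
make_ftp_anon_rc() {
    cat > "$2" <<EOF
use auxiliary/scanner/ftp/anonymous
set RHOSTS file:$1
set RPORT 21
set THREADS 1
run
EOF
}

# make_ms08_067_check_rc <hostfile> <out.rc>: the exploit module's check
# command, which reports whether the target is vulnerable without sending
# the exploit. Not every exploit module implements check.
make_ms08_067_check_rc() {
    cat > "$2" <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOSTS file:$1
check
EOF
}

# Usage: sh scan_prep.sh scan.gnmap
# Writes live_hosts.txt, ftp_anon.rc and ms08_067_check.rc in the current directory.
if [ -n "${1:-}" ]; then
    live_hosts "$1" > live_hosts.txt
    make_ftp_anon_rc "$(pwd)/live_hosts.txt" ftp_anon.rc
    make_ms08_067_check_rc "$(pwd)/live_hosts.txt" ms08_067_check.rc
    echo "Now run: msfconsole -q -r ftp_anon.rc   (then -r ms08_067_check.rc)"
fi
```

Without an argument the script only defines the functions, so you can source it and call write_sample_gnmap to try the pipeline on the constructed sample before pointing it at a real gnmap file. The sort -u is cheap insurance against duplicate Host lines, which the sample deliberately contains.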