1
00:00:00,000 --> 00:00:05,467
2
00:00:05,467 --> 00:00:09,950
[MUSIC LOGO]
3
00:00:09,950 --> 00:00:14,390
You might be noticing a trend on
these protocols of either port
4
00:00:14,390 --> 00:00:18,020
passwords or port configuration.
5
00:00:18,020 --> 00:00:22,693
That's a lot of what we're
looking for in a pen test.
6
00:00:22,693 --> 00:00:24,110
It's definitely
what we're looking
7
00:00:24,110 --> 00:00:25,940
for in the enumeration part.
8
00:00:25,940 --> 00:00:31,372
And if you want to understand
what the adversary is doing,
9
00:00:31,372 --> 00:00:32,580
they're doing the same thing.
10
00:00:32,580 --> 00:00:35,370
They are enumerating
your network
11
00:00:35,370 --> 00:00:39,340
to see what services they
can take advantage of.
12
00:00:39,340 --> 00:00:43,380
Let's dig in a
little more on SSH
13
00:00:43,380 --> 00:00:49,310
and see how we could, again,
get around some authentication.
14
00:00:49,310 --> 00:00:53,870
15
00:00:53,870 --> 00:00:55,805
First, we'll check
our IP address.
16
00:00:55,805 --> 00:00:58,730
17
00:00:58,730 --> 00:01:06,170
And we're the 192.141.55.2.
18
00:01:06,170 --> 00:01:08,000
Let's ping our victim, the .3.
19
00:01:08,000 --> 00:01:11,180
20
00:01:11,180 --> 00:01:14,220
Getting good returns.
21
00:01:14,220 --> 00:01:15,845
Let's do an nmap.
22
00:01:15,845 --> 00:01:23,660
23
00:01:23,660 --> 00:01:34,690
Let's run that same nmap
with a service on 422.
24
00:01:34,690 --> 00:01:36,320
And that seems to
be working, where
25
00:01:36,320 --> 00:01:41,912
we've got open SSH running
Ubuntu as the operating
26
00:01:41,912 --> 00:01:42,870
system on that machine.
27
00:01:42,870 --> 00:01:45,400
28
00:01:45,400 --> 00:01:49,800
Now, what we'll take advantage
of, and we've done it before,
29
00:01:49,800 --> 00:01:52,350
and we'll use it
again and again,
30
00:01:52,350 --> 00:01:55,440
is the wordlist for rockyou.
31
00:01:55,440 --> 00:02:00,760
32
00:02:00,760 --> 00:02:04,360
And we will plug
that into hydra.
33
00:02:04,360 --> 00:02:08,410
Let's start with the
username student.
34
00:02:08,410 --> 00:02:11,110
We'll pretend like we
knew to expect that.
35
00:02:11,110 --> 00:02:16,690
36
00:02:16,690 --> 00:02:19,690
And we will use that
rockyou wordlist.
37
00:02:19,690 --> 00:02:23,740
38
00:02:23,740 --> 00:02:28,870
[INAUDIBLE] IP and
then the protocol ssh.
39
00:02:28,870 --> 00:02:34,330
And so with the user of
student, try all the passwords
40
00:02:34,330 --> 00:02:37,060
from rockyou.
41
00:02:37,060 --> 00:02:41,080
We have our scan back,
and we see for student,
42
00:02:41,080 --> 00:02:42,640
we have the password of friend.
43
00:02:42,640 --> 00:02:45,510
44
00:02:45,510 --> 00:02:46,380
We could use that.
45
00:02:46,380 --> 00:02:54,285
We could ssh as
student at our target.
46
00:02:54,285 --> 00:03:01,820
47
00:03:01,820 --> 00:03:02,390
Yes.
48
00:03:02,390 --> 00:03:06,195
And then put in
friend, and we're in.
49
00:03:06,195 --> 00:03:08,713
50
00:03:08,713 --> 00:03:10,630
And it doesn't seem like
they have much there.
51
00:03:10,630 --> 00:03:13,675
So maybe student
isn't the most useful.
52
00:03:13,675 --> 00:03:16,280
53
00:03:16,280 --> 00:03:19,420
So what we could look for
is maybe administrator.
54
00:03:19,420 --> 00:03:27,120
55
00:03:27,120 --> 00:03:41,870
And now, let's check for a
login utilizing administrator.
56
00:03:41,870 --> 00:03:45,350
So we're going to use a script.
57
00:03:45,350 --> 00:03:50,480
As you should expect, it's going
to be the ssh-brute script.
58
00:03:50,480 --> 00:03:52,880
And it takes some arguments.
59
00:03:52,880 --> 00:03:56,660
60
00:03:56,660 --> 00:04:01,820
Our arguments are going
to be a user database
61
00:04:01,820 --> 00:04:09,720
because even though
it is just one line,
62
00:04:09,720 --> 00:04:12,150
we still want to use
that single line.
63
00:04:12,150 --> 00:04:16,899
64
00:04:16,899 --> 00:04:20,269
And then, it's got
its own wordlist.
65
00:04:20,269 --> 00:04:24,335
And it will run until
it finds the right word.
66
00:04:24,335 --> 00:04:26,917
67
00:04:26,917 --> 00:04:28,000
That didn't take too long.
68
00:04:28,000 --> 00:04:29,200
It came across sunshine.
69
00:04:29,200 --> 00:04:30,835
So administrator and sunshine.
70
00:04:30,835 --> 00:04:36,450
71
00:04:36,450 --> 00:04:38,840
But what about
the root password?
72
00:04:38,840 --> 00:04:41,160
We can go about
this one other way--
73
00:04:41,160 --> 00:04:41,880
msfconsole.
74
00:04:41,880 --> 00:04:49,430
75
00:04:49,430 --> 00:04:51,320
Just want to give you
a taste and a feel
76
00:04:51,320 --> 00:04:54,810
for what these tools can do.
77
00:04:54,810 --> 00:05:01,180
We're going to use
the auxiliary scanner
78
00:05:01,180 --> 00:05:04,600
for ssh, called ssh_login.
79
00:05:04,600 --> 00:05:09,140
80
00:05:09,140 --> 00:05:10,265
We can always show options.
81
00:05:10,265 --> 00:05:13,100
82
00:05:13,100 --> 00:05:16,040
And it shows what
needs to be filled in.
83
00:05:16,040 --> 00:05:17,435
We're missing our hosts.
84
00:05:17,435 --> 00:05:19,960
85
00:05:19,960 --> 00:05:24,520
There is a username
and password available.
86
00:05:24,520 --> 00:05:25,980
So let's set up what we need.
87
00:05:25,980 --> 00:05:31,965
Set our hosts, and tab
completion works great there.
88
00:05:31,965 --> 00:05:36,470
89
00:05:36,470 --> 00:05:41,480
And then we'll set
a userpass_file,
90
00:05:41,480 --> 00:05:43,330
and we use rockyou.
91
00:05:43,330 --> 00:05:43,830
No.
92
00:05:43,830 --> 00:05:47,160
We use the metasploit
root user passwords.
93
00:05:47,160 --> 00:05:49,456
So /usr/share/wordlists/metasploit/
94
00:05:49,456 --> 00:05:50,500
root_userpass.txt.
95
00:05:50,500 --> 00:06:01,670
96
00:06:01,670 --> 00:06:04,140
We want it to stop
when it finds a thing.
97
00:06:04,140 --> 00:06:06,530
So STOP_ON_SUCCESS is
going to be set to true.
98
00:06:06,530 --> 00:06:10,440
99
00:06:10,440 --> 00:06:13,350
And then, set verbose, true.
100
00:06:13,350 --> 00:06:18,550
101
00:06:18,550 --> 00:06:23,770
And now, another
look at options.
102
00:06:23,770 --> 00:06:27,130
The wordlist screws
up very much.
103
00:06:27,130 --> 00:06:29,350
We've got the right IP address.
104
00:06:29,350 --> 00:06:31,330
We've got the wordlist.
105
00:06:31,330 --> 00:06:34,810
And we've got verbose on,
all things that we wanted.
106
00:06:34,810 --> 00:06:37,060
And STOP_ON_SUCCESS.
107
00:06:37,060 --> 00:06:41,890
That way, it doesn't keep going,
even if it finds what we want.
108
00:06:41,890 --> 00:06:46,345
Since it is only one username,
it should only be one password.
109
00:06:46,345 --> 00:06:50,470
110
00:06:50,470 --> 00:06:51,580
And we say run.
111
00:06:51,580 --> 00:06:57,700
112
00:06:57,700 --> 00:06:59,180
And it's going to
try a few things.
113
00:06:59,180 --> 00:07:06,280
114
00:07:06,280 --> 00:07:08,010
And it came with root attack.
115
00:07:08,010 --> 00:07:13,440
116
00:07:13,440 --> 00:07:15,395
So we could exit msf.
117
00:07:15,395 --> 00:07:24,110
118
00:07:24,110 --> 00:07:29,240
And then ssh root @ our IP.
119
00:07:29,240 --> 00:07:33,640
120
00:07:33,640 --> 00:07:35,230
And it will ask us some things.
121
00:07:35,230 --> 00:07:37,375
And we will say attack.
122
00:07:37,375 --> 00:07:41,890
123
00:07:41,890 --> 00:07:42,850
And we are in.
124
00:07:42,850 --> 00:07:52,250
125
00:07:52,250 --> 00:07:54,500
So we utilized hydra.
126
00:07:54,500 --> 00:08:00,680
We utilized nmap, and
we utilized msfconsole,
127
00:08:00,680 --> 00:08:04,280
all in order to brute
force a dictionary
128
00:08:04,280 --> 00:08:06,650
and see if we could
find passwords.
129
00:08:06,650 --> 00:08:11,980
130
00:08:11,980 --> 00:08:14,390
This may seem elementary,
but it's fairly common.
131
00:08:14,390 --> 00:08:18,070
This is what we will be doing a
lot, especially in enumeration:
132
00:08:18,070 --> 00:08:23,140
taking passwords,
taking potential usernames,
133
00:08:23,140 --> 00:08:25,840
and throwing them at a
service to see if they stick,
134
00:08:25,840 --> 00:08:27,550
to see if they work.
135
00:08:27,550 --> 00:08:30,730
Things that do work, things that
work that we don't even use,
136
00:08:30,730 --> 00:08:32,020
we want to save all that.
137
00:08:32,020 --> 00:08:34,419
We want to record it and
use it somewhere else.
138
00:08:34,419 --> 00:08:36,164
If you are auditing
your own network,
139
00:08:36,164 --> 00:08:38,289
these are all important
things that you should then
140
00:08:38,289 --> 00:08:39,490
track down.
141
00:08:39,490 --> 00:08:41,530
Then, you try to
find the answers
142
00:08:41,530 --> 00:08:43,278
to. If you're doing a pen test,
143
00:08:43,278 --> 00:08:45,070
then you're going to
write these things up
144
00:08:45,070 --> 00:08:46,420
for your client.
145
00:08:46,420 --> 00:08:49,300
If you're just thinking
like the adversary,
146
00:08:49,300 --> 00:08:51,800
they're doing the
exact same thing.
147
00:08:51,800 --> 00:08:55,240
Cybercriminals out there are
doing these exact same steps
148
00:08:55,240 --> 00:08:58,440
in order to take
advantage of your network.