All language subtitles for 042 Hacking with Kali Linux - SSH hacking-en

All right, I hope we've been having fun hacking so far. So far we managed to get access to our target machine purely on information based on the Nmap scan, and in this video we're going to see how we're going to utilize information provided to us by the Nessus scanner to get root access yet again.

And I'm going to be looking here at the very first vulnerability reported by Nessus, titled "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness". And as we've seen before, Nessus tells us what port and what protocol is affected, obviously also the IP address, and some reference information, which can be the CVE ID and so on. These are particular references if we want to get more information about the vulnerability itself. So for example CVE-2008-0166 is the particular number assigned to this vulnerability. So if I go and look up this number I can find more information about this particular vulnerability, and I'm going to do just that. I went and looked it up and I tested a few options without taking you through the entire process, which by the way, as a penetration tester or as an ethical hacker, you should be doing. So what I've done is I went through some of these links here. I read through them. I tried out a few tools and eventually I decided on one that I thought would work, and that particular one is a GitHub link that has collected a number of different exploits for this particular vulnerability, as you can see here. I'm going to choose the Python one, and one obviously can choose any one you wish. And the reason I chose this particular exploit is not just because it's in Python but because the person that wrote this exploit has written some detailed instructions on how to use it, which makes things a lot easier.

So as you can see here there are three different steps to executing or running this exploit. The first step is we have to download a particular file, and then we extract these files, and then lastly we execute or run the exploit. So let's start with the first step. The very first thing I want to do is download the exploit file, or this Python file that you're looking at right now. And to do that there's a download link on the Exploit Database page. I'm going to copy this link and, using wget, which we've seen already, I'm going to download the script on my machine. I'm going to try it out very quickly just to make sure that the script runs, and to run Python scripts all you need to do is type python and the script name. And here we go, it looks like it's working perfectly. It gives us some output that tells us how to use the script, which is something standard that you see in most of these scripts.

So now we start by following the instructions. I want to download one of these two files that the exploit writer asked us to download. I'm going with the second one. Before I do, actually, let me explain very briefly what this vulnerability is and how it works. You've seen in a previous video how we set up the SSH server, and you've also seen that the SSH server requires certain encryption keys for us to log in. Without going into the details of encryption and how it works, think of these keys as some kind of a password that lets you in. Not exactly, but think about it like this for now. And in certain older versions of Debian there's been an issue in generating these keys. If you remember, when we set up our SSH server on Kali I recommended that you guys change the keys, because sometimes if you download a ready-made image you'll have preset keys that somebody could guess. So in that particular version of Debian what happens is, if you generate these keys, there's a certain bug that limits the number of keys that can be generated. So instead of having millions or billions of possibilities, which makes it impossible for somebody to guess your key, there was a bug that made the number of keys generated very limited, meaning that somebody could write a script and try to guess your key, because the number of guesses would be limited. And this is the exploit that we're going to be running now. This particular file that we're going to be downloading here is the set of possible keys that can be tried. So one of the keys that we're going to be downloading is going to be the successful key that allows us to log in to SSH.

To download this file I'm going to copy the link, and again using wget I'm going to download it on my machine. Now notice that this is a tar.bz2 file. We talked about compression in earlier videos, but just for the sake of this video I'm going to assume that we have no idea what this file is or how we can uncompress it. So I'm going to be using some of the tips that I told you about before. The first thing I'm going to do is type file and the name of the file, and this will tell me that this is a bzip2 compressed data file. So now I know that bz2 stands for bzip2. And to find out what I can use to deal with that file I'll type apropos bzip2, and you see that there are a number of options. The one that seems the most probable is the bzip2 tool. So I'm just going to use that with the --help option to see what I can do with it. And you can immediately notice that the second option, -d, decompresses the file. So I'm going to go with the -d option and follow that with the filename. It takes a while for the file to decompress. And now I have a tar file. Again, we went through tar files and explained how you can untar files. But assuming that we have no idea what a tar file is, we can still follow the same process and type file and the file name. This tells me that this is a tar archive. And I type apropos tar, which gives me a number of options. I'll go with the tar option, and without going through the help options, we've seen this already: it's extract, verbose and the filename. And as you can see here, all of these are possibilities that we're going to be trying against our target, and one of them hopefully will work. Now we took two steps to decompress and untar this file. So we used the bzip2 tool and then we used the tar tool. However, we could have done that in one quick step using the tar -xvjf option; j deals with the bzip2 files.

Let me delete that and let me quickly list the contents of the directory just to double check that everything is there. Perfect. Now I can run the script, let me run it again. And as you can see here in the output example, this tells me that I need to run the script with a directory where I have extracted the keys, then followed with the host IP, which is my target IP, then followed with the port number. And this is why it's extremely important to do port scanning, because as we've seen before we had different FTP servers running on different ports. I cannot just assume automatically that this is going to be running on port 22. In most cases yes it is. But in case the target had a different server running on another port, let's say 2222, then my attack would have failed if I just automatically assumed that it's on port 22 only. Here it is on port 22, so I'm going to go ahead with that. And then the last option that I need to specify is the number of threads. That basically means the number of connections that I'm going to make simultaneously to the SSH server, so how many keys am I trying at the same time. I can go with a big number like 100 or 50. However, that might overwhelm the SSH server and it might drop the connection, so even if the key is correct I would fail to detect it. So I'm going to keep it on the low end and go with 10 only. This is going to take a while, so I'm going to speed up the video. As you can see here it's still going, so I stopped recording so I don't keep you guys waiting for the whole guessing process, but now I have an output from the script that says a key is found. And the exploit writer or the script writer was kind enough to tell us exactly what command we need to execute to use this key and log into the target. And here's the command. It's ssh -l root, which says use the username root, please log in as root; -p 22, which you should have guessed by now is port 22; -i specifies what key I'm going to be using; and towards the end is the IP address of where I want to log into. So I'm going to copy-paste this and run it. And here we go, I'm logged in as root. Perfect. So that's another way we managed to get into our target. Now, to terminate the SSH connection, I'm going to type exit.

Now here's the thing: I want to copy these keys and keep them in a separate directory, because in the one that's already there there are thousands of other keys and I don't want all of that. I just want to keep the ones that worked so I can use them later on. But how am I going to find these keys among tens of thousands of other keys? We're going to be using simple tricks that we learned in previous videos. So let me copy the first few characters of the name, and then I'm going to create a directory called keys. This is where I'm going to be saving these keys. Now if I do ls rsa/2048, look at that, there are thousands of keys in this directory. So what I'm going to do now to find the exact name of the key is to type ls and grep and the first few characters. Now the ls gave me the exact names of the keys that I need to copy; it ignored the rest and grepped only the keys that I want. So now I know what the name of the key is. And all I have to do now is copy this name and issue a copy command from the source folder to the destination folder. Because there are two keys, I'm going to be using a wildcard again. And now if I do an ls on the keys directory, my keys have been copied and I can use them later on. Perfect.

So go ahead and give that a try. And when you're done, here's your mission for the section. We just finished attacking the service on port 22. There's another service on port 23. See if you can attack it and get access to the system through it, and notice whether you get root access or not. If not, can you still execute commands as root? So even if you logged in but not as root, can that particular user run or execute commands as root? When you're done with port 23, go ahead and try port 513. And the question here will be: did you use the same commands to connect to both ports 23 and 513, or did you use different commands? And lastly, what about port 1524? Try that port as well. When you're done, let's move on to the next video.
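As an added example, not part of the video or of the exploit it uses: the key guessing the narrator describes (many distinct keys offered from one source against root within seconds, with the thread count kept low so the server does not drop connections) leaves a clear trace on the defending side in sshd's auth log. This script flags that pattern; the log lines, addresses, fingerprints and thresholds are constructed assumptions, not captures from the target.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH-style auth log lines (not real captures). One source cycles
# through eight distinct RSA keys for root within two seconds, then a ninth key is
# accepted. A normal user login from another host is included as a negative case.
SAMPLE_LOG = "\n".join(
    [f"Mar  3 10:15:0{1 + i // 4} target sshd[21{i:02d}]: Failed publickey for root "
     f"from 192.0.2.10 port 500{i:02d} ssh2: RSA SHA256:weakkey{i:04d}" for i in range(8)]
    + ["Mar  3 10:15:03 target sshd[2199]: Accepted publickey for root "
       "from 192.0.2.10 port 50099 ssh2: RSA SHA256:weakkey0008",
       "Mar  3 10:15:30 target sshd[2300]: Accepted publickey for alice "
       "from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:alicekey"]
)

# Matches the "Failed/Accepted publickey for <user> from <ip> ... SHA256:<fp>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2: \S+ SHA256:(?P<fp>\S+)$"
)

def parse_events(log_text):
    """Yield (time, result, user, ip, fingerprint) for every publickey auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only relative spacing matters here.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"], m["fp"]

def find_key_guessing(log_text, window=timedelta(seconds=60), min_keys=5):
    """Flag (ip, user) pairs that presented at least min_keys distinct public keys
    inside one window; a legitimate client only ever offers its own few keys."""
    by_pair = defaultdict(list)
    for ev in parse_events(log_text):
        by_pair[(ev[3], ev[2])].append(ev)
    alerts = {}
    for (ip, user), events in by_pair.items():
        events.sort()
        for i, (t0, *_) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            fps = {e[4] for e in in_window}
            if len(fps) >= min_keys:
                alerts[(ip, user)] = {
                    "distinct_keys": len(fps),
                    # A success inside the burst means one of the guesses worked.
                    "accepted": any(e[1] == "Accepted" for e in in_window),
                }
                break
    return alerts
```

On a real host the same logic applies to the output of `journalctl -u ssh` or /var/log/auth.log; pairing it with PermitRootLogin no and a MaxStartups limit removes most of the signal before it appears.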
