1
00:00:00,960 --> 00:00:03,850
All right, I hope we've been having fun hacking so far.
2
00:00:04,470 --> 00:00:09,540
So far we managed to get root access to our target machine purely based on information from the nmap
3
00:00:09,600 --> 00:00:15,180
scan, and in this video we're going to see how we're going to utilize information provided to us by
4
00:00:15,180 --> 00:00:18,530
the Nessus scanner to get root access yet again.
5
00:00:19,420 --> 00:00:25,210
And I'm going to be looking here at the very first vulnerability reported by Nessus, titled "Debian OpenSSH/
6
00:00:25,210 --> 00:00:29,860
OpenSSL Package Random Number Generator Weakness".
7
00:00:29,920 --> 00:00:35,910
And as we've seen before, Nessus tells us what port and what protocol is affected.
8
00:00:36,190 --> 00:00:43,390
Obviously also the IP address and some reference information, which can be the CVE ID and so on.
9
00:00:43,390 --> 00:00:49,060
These are particular references if we want to get more information about the vulnerability itself.
10
00:00:49,930 --> 00:00:56,640
So for example, CVE-2008-0166 is the particular number assigned to this vulnerability.
11
00:00:56,740 --> 00:01:02,440
So if I go and look up this number, I can find more information about this particular vulnerability, and
12
00:01:02,440 --> 00:01:03,870
I'm going to do just that.
13
00:01:03,880 --> 00:01:11,170
I went and looked it up and I tested a few options without taking you through the entire process, which,
14
00:01:11,170 --> 00:01:14,870
by the way, as a penetration tester or as an ethical hacker, you should be doing.
15
00:01:14,920 --> 00:01:19,210
So what I've done is I went through some of these links here.
16
00:01:19,270 --> 00:01:20,230
I read through them.
17
00:01:20,230 --> 00:01:26,320
I tried out a few tools and eventually I decided on one that I thought would work, and that particular
18
00:01:26,320 --> 00:01:32,650
one is a GitHub link that has collected a number of different exploits for this particular vulnerability,
19
00:01:32,710 --> 00:01:34,480
as you can see here.
20
00:01:34,480 --> 00:01:39,020
I'm going to choose the Python one, and obviously you can choose any one you wish.
21
00:01:39,280 --> 00:01:44,050
And the reason I chose this particular exploit is not just because it's in Python, but because the person
22
00:01:44,050 --> 00:01:49,060
that wrote this exploit has written some detailed instructions on how to use it, which makes things a
23
00:01:49,060 --> 00:01:50,750
lot easier.
24
00:01:51,190 --> 00:01:56,530
So as you can see here, there are three different steps to executing or running this exploit.
25
00:01:56,530 --> 00:02:01,550
The first step is we have to download a particular file, and then we extract these files.
26
00:02:01,630 --> 00:02:05,810
And then lastly we execute or we run the exploit.
27
00:02:05,820 --> 00:02:10,500
So let's start with the first step. The very first thing I want to do is download the exploit
28
00:02:10,500 --> 00:02:13,880
file, or this Python file that you're looking at right now.
29
00:02:14,760 --> 00:02:19,740
And to do that there's a download link on the Exploit Database page.
30
00:02:19,870 --> 00:02:25,630
I'm going to copy this link, and using wget, which we've seen already, I'm going to download the
31
00:02:25,630 --> 00:02:28,250
script on my machine.
32
00:02:28,350 --> 00:02:34,100
I'm going to try it out very quickly just to make sure that the script runs, and to run Python scripts
33
00:02:34,140 --> 00:02:38,200
all you need to do is type python and the script name.
34
00:02:38,280 --> 00:02:41,100
And here we go, it looks like it's working perfectly.
35
00:02:41,100 --> 00:02:46,110
It gives us some output that tells us how to use the script, which is something standard that you see
36
00:02:46,110 --> 00:02:47,820
in most of these scripts.
37
00:02:48,210 --> 00:02:50,560
So now we start by following the instructions.
38
00:02:50,910 --> 00:02:56,700
I want to download one of these two files that the exploit writer asks us to download.
39
00:02:57,470 --> 00:03:03,050
I'm going with the second one. Before I do, actually, let me explain very briefly what this vulnerability
40
00:03:03,050 --> 00:03:04,970
is and how it works.
41
00:03:05,030 --> 00:03:10,850
You've seen in a previous video how we set up the SSH server, and you've also seen that the SSH server
42
00:03:11,090 --> 00:03:17,480
requires certain encryption keys for us to log in. Without going into the details of encryption and how
43
00:03:17,480 --> 00:03:18,520
it works.
44
00:03:18,530 --> 00:03:22,690
Think of these keys as some kind of a password that logs you in.
45
00:03:22,700 --> 00:03:25,610
Not exactly, but think about it like this for now.
46
00:03:25,610 --> 00:03:31,570
Now, in certain older versions of Debian there's been an issue in generating these keys.
47
00:03:31,730 --> 00:03:37,550
If you remember, when we set up our SSH server on Kali I recommended that you guys change the keys,
48
00:03:38,120 --> 00:03:43,320
because sometimes if you download a ready-made image you'll have preset keys that somebody could guess.
49
00:03:43,580 --> 00:03:48,500
So in that particular version of Debian, what happens is if you generate these keys there's a certain
50
00:03:48,500 --> 00:03:52,990
bug that limits the number of generated keys for everybody.
51
00:03:53,270 --> 00:03:56,130
So instead of having millions or billions of possibilities.
52
00:03:56,210 --> 00:03:59,360
That makes it impossible for somebody to guess your key.
53
00:03:59,360 --> 00:04:05,980
There was a bug that made the number of keys generated very limited, meaning that somebody could write
54
00:04:05,980 --> 00:04:11,450
a script and try to guess your key, because the number of guesses will be limited.
55
00:04:11,770 --> 00:04:14,720
And this is the exploit that we're going to be running now.
56
00:04:14,950 --> 00:04:20,530
This particular file that we're going to be downloading here is the set of possible keys that can be
57
00:04:20,530 --> 00:04:22,520
tried.
58
00:04:22,620 --> 00:04:27,750
So one of the keys that we're going to be downloading is going to be the successful key that allows
59
00:04:27,750 --> 00:04:31,290
us to log in to SSH. To download this file,
60
00:04:31,290 --> 00:04:32,990
I'm going to copy the link.
61
00:04:33,360 --> 00:04:38,960
And again, using wget, I'm going to download it on my machine.
62
00:04:38,960 --> 00:04:42,920
Now notice that this is a .tar.bz2 file.
63
00:04:42,920 --> 00:04:48,320
We talked about compression in earlier videos, but just for the sake of this video I'm going to assume
64
00:04:48,320 --> 00:04:52,130
that we have no idea what this file is or how we can uncompress it.
65
00:04:52,400 --> 00:04:56,660
So I'm going to be using some of the tips that I told you about before.
66
00:04:56,750 --> 00:05:02,150
The first thing I'm going to do is type file and the name of the file, and this will tell me that this
67
00:05:02,150 --> 00:05:05,920
is a bzip2 compressed data file.
68
00:05:05,960 --> 00:05:10,740
So now I know that bz2, or .bz2, stands for bzip2.
69
00:05:11,120 --> 00:05:17,090
And to find out what I can use to deal with that file, I'll type apropos bzip2
70
00:05:20,780 --> 00:05:23,190
and see that there are a number of options.
71
00:05:23,260 --> 00:05:27,970
The one that seems the most probable is the bzip2 tool.
72
00:05:28,030 --> 00:05:32,900
So I'm just going to use that with the --help option to see what I can do with it.
73
00:05:34,490 --> 00:05:39,480
And you can immediately notice the second option, -d, which decompresses the file.
74
00:05:39,730 --> 00:05:43,630
So I'm going to go with the -d option and follow that with the filename.
75
00:05:44,850 --> 00:05:47,540
It takes a while for the file to decompress.
76
00:05:47,850 --> 00:05:51,200
And now I have a tar file, a .tar.
77
00:05:51,600 --> 00:05:55,560
Again, we went through tar files and explained how you can untar files.
78
00:05:55,560 --> 00:06:01,470
But assuming that we have no idea what a tar file is, we can still follow the same process and type file
79
00:06:02,100 --> 00:06:03,590
and the filename.
80
00:06:03,600 --> 00:06:06,040
This tells me that this is a tar archive.
81
00:06:07,230 --> 00:06:12,860
And I type apropos tar, which gives me a number of options.
82
00:06:13,030 --> 00:06:18,930
I'll go with the tar tool, and without going through the help options, since we've seen this already, it's
83
00:06:18,940 --> 00:06:23,270
extract, be verbose, and the filename.
84
00:06:23,620 --> 00:06:30,050
And as you can see here, all of these are possibilities that we're going to be trying against our target.
85
00:06:30,070 --> 00:06:32,850
And one of them hopefully will work.
86
00:06:32,860 --> 00:06:36,220
Now we took two steps to decompress and untar this file.
87
00:06:36,370 --> 00:06:37,920
So we used the bzip2 tool.
88
00:06:37,990 --> 00:06:39,810
And then we used the tar tool.
89
00:06:40,030 --> 00:06:41,290
However, we could have done that
90
00:06:41,290 --> 00:06:43,680
in one quick step using the tar
91
00:06:43,710 --> 00:06:44,570
xvjf
92
00:06:44,590 --> 00:06:45,160
option.
93
00:06:45,160 --> 00:06:48,990
The j option deals with the bz2 files.
94
00:06:49,300 --> 00:06:54,660
Let me delete that and let me quickly list the contents of the directory just to double-check that
95
00:06:54,660 --> 00:06:57,190
everything is there. Perfect.
96
00:06:57,210 --> 00:07:01,990
Now I can run the script. Let me run it again.
97
00:07:03,740 --> 00:07:10,460
And as you can see here in the output example, this tells me that I need to run the script with a directory
98
00:07:10,490 --> 00:07:17,570
where I have extracted the keys, then followed by the host IP, which is my target IP, then followed by
99
00:07:17,570 --> 00:07:18,880
the port number.
100
00:07:19,130 --> 00:07:25,010
And this is why it's extremely important to do port scanning, because as we've seen before we had different
101
00:07:25,010 --> 00:07:27,830
FTP servers running on different ports.
102
00:07:27,890 --> 00:07:32,980
I cannot just assume automatically that this is going to be running on port 22.
103
00:07:33,230 --> 00:07:35,210
In most cases, yes, it is.
104
00:07:35,600 --> 00:07:41,740
But in case the target had a different server running on another port, let's say 2222,
105
00:07:41,750 --> 00:07:47,500
then my attack would have failed if I just automatically assumed that it's on port 22 only.
106
00:07:47,600 --> 00:07:50,870
Here it is on port 22, so I'm going to go ahead with that.
107
00:07:50,870 --> 00:07:54,690
And then the last option that I need to specify is the number of threads.
108
00:07:54,830 --> 00:08:00,490
That basically means the number of connections that I'm going to make simultaneously to the SSH server.
109
00:08:00,800 --> 00:08:04,150
So how many keys am I trying at the same time?
110
00:08:04,400 --> 00:08:08,210
I can go with a big number like 100 or 50.
111
00:08:08,360 --> 00:08:12,800
However, that might overwhelm the SSH server and it might drop the connection.
112
00:08:12,800 --> 00:08:16,630
So even if the key is correct, I would fail to detect it.
113
00:08:16,730 --> 00:08:22,320
So I'm going to keep it on the low end and go with 10 only. This is going to take a while,
114
00:08:22,330 --> 00:08:24,030
so I'm going to speed up the video,
115
00:08:26,940 --> 00:08:27,830
as you can see here.
116
00:08:27,840 --> 00:08:33,920
It's still going, so I stopped recording so I don't keep you guys waiting for the whole guessing process,
117
00:08:34,840 --> 00:08:39,570
but now I have an output from the script that says a key is found.
118
00:08:39,940 --> 00:08:44,920
And the exploit writer, or the script writer, was kind enough to tell us exactly what command we need to
119
00:08:44,920 --> 00:08:48,450
execute to use this key and log into the target.
120
00:08:48,850 --> 00:08:49,890
And here's the command.
121
00:08:49,900 --> 00:08:54,330
It's ssh -l root, which says use the username root.
122
00:08:54,340 --> 00:09:02,860
Please log in as root. -p 22, which you should have guessed by now, is port 22. -i specifies
123
00:09:02,890 --> 00:09:04,680
what key I'm going to be using.
124
00:09:04,840 --> 00:09:08,620
And towards the end is the IP address of where I want to log in to.
125
00:09:08,920 --> 00:09:14,040
So I'm going to copy-paste this and run it.
126
00:09:14,550 --> 00:09:15,680
And here we go.
127
00:09:15,690 --> 00:09:18,080
I'm logged in as root.
128
00:09:18,090 --> 00:09:18,620
Perfect.
129
00:09:18,660 --> 00:09:25,630
So that's another way we managed to get into our target. Now to terminate the SSH connection,
130
00:09:25,650 --> 00:09:27,930
I'm going to type exit.
131
00:09:27,960 --> 00:09:33,390
Now here's the thing: I want to copy these keys and keep them in a separate directory, because in the directory
132
00:09:33,390 --> 00:09:38,150
where they already are there are thousands of other keys, and I don't want all of that.
133
00:09:38,190 --> 00:09:42,210
I just want to keep the ones that worked so I can use them later on.
134
00:09:42,390 --> 00:09:46,840
But how am I going to find these keys among tens of thousands of other keys?
135
00:09:47,010 --> 00:09:50,950
We're going to be using simple tricks that we learned in previous videos.
136
00:09:51,000 --> 00:09:54,120
So let me copy the first few characters of the name,
137
00:09:57,260 --> 00:10:00,130
and then I'm going to create a directory called keys.
138
00:10:00,140 --> 00:10:02,610
This is where I'm going to be saving these keys.
139
00:10:06,520 --> 00:10:12,810
Now if I do ls rsa/2048, look at that.
140
00:10:12,810 --> 00:10:15,550
There are thousands of keys in this directory.
141
00:10:15,930 --> 00:10:24,770
So what I'm going to do now to find the exact name of the key is to type ls and grep and the first few
142
00:10:24,770 --> 00:10:31,760
characters. Now the ls gave me the exact names of the keys that I need to copy, ignoring the rest, and
143
00:10:31,760 --> 00:10:34,600
grepped only the keys that I want.
144
00:10:34,640 --> 00:10:37,270
So now I know what the name of the key is.
145
00:10:38,680 --> 00:10:44,250
And all I have to do now is copy this name and issue a copy command from that folder to the
146
00:10:44,260 --> 00:10:49,250
destination folder. Because there are two keys,
147
00:10:49,250 --> 00:10:51,660
I'm going to be using a wildcard again.
148
00:10:52,280 --> 00:10:58,430
And now if I do an ls on the keys directory, my keys have been copied and I can use them later on.
149
00:10:59,210 --> 00:11:00,010
Perfect.
150
00:11:01,660 --> 00:11:03,250
So go ahead and give that a try.
151
00:11:03,250 --> 00:11:06,360
And when you're done, here's your mission for the section.
152
00:11:06,520 --> 00:11:10,050
We just finished attacking the service on port 22.
153
00:11:10,420 --> 00:11:13,900
There's another service on port 23.
154
00:11:13,900 --> 00:11:17,770
See if you can attack it and get access to the system through it.
155
00:11:18,750 --> 00:11:21,900
And notice whether you get root access or not.
156
00:11:21,900 --> 00:11:26,840
If not, can you still execute commands as root?
157
00:11:26,850 --> 00:11:34,020
So even if you logged in but not as root, can that particular user run or execute commands as root? When
158
00:11:34,020 --> 00:11:36,360
you're done with port 23,
159
00:11:36,420 --> 00:11:39,720
go ahead and try port 513.
160
00:11:39,850 --> 00:11:45,930
And the question here will be: did you use the same commands to connect to both ports 23 and 513?
161
00:11:45,970 --> 00:11:47,770
Or did you use different commands?
162
00:11:49,410 --> 00:11:53,420
And lastly, what about port 1524?
163
00:11:53,430 --> 00:11:55,060
Try that port as well.
164
00:11:56,030 --> 00:11:58,740
When you're done let's move on to the next video.