00:00:00,147 --> 00:00:01,223 So the first thing we want to do
00:00:01,223 --> 00:00:02,527 is we want to learn what the IP address
00:00:02,527 --> 00:00:03,536 of our Kali machine is since
00:00:03,536 --> 00:00:05,939 we've just plugged it into our victim network.
00:00:05,939 --> 00:00:08,189 So let's go to the Terminal
00:00:09,564 --> 00:00:10,797 and because this is a Linux machine,
00:00:10,797 --> 00:00:12,964 we're gonna use ifconfig.
00:00:14,482 --> 00:00:16,594 You can see here that we've got the IP address
00:00:16,594 --> 00:00:18,094 of 192.168.56.102,
00:00:21,047 --> 00:00:22,151 now the network mask is
00:00:22,151 --> 00:00:25,963 255.255.255.0 which tells me that the scope
00:00:25,963 --> 00:00:30,549 on this network is a class C with 254 IP addresses.
00:00:30,549 --> 00:00:33,467 So it goes from 192.168.56.1
00:00:33,467 --> 00:00:35,300 through 192.168.56.254
00:00:38,091 --> 00:00:41,197 with the broadcast being reserved at 255.
00:00:41,197 --> 00:00:43,414 That's good information to know as we move forward.
00:00:43,414 --> 00:00:44,628 So the next thing we want to do is we want to
00:00:44,628 --> 00:00:46,083 bring up Zenmap and to do that,
00:00:46,083 --> 00:00:47,678 you're simply gonna type in zenmap
00:00:47,678 --> 00:00:50,551 from the command prompt and to make sure
00:00:50,551 --> 00:00:51,941 my command prompt is still available for me
00:00:51,941 --> 00:00:53,811 to use afterwards, I'm gonna hit the 'and' sign
00:00:53,811 --> 00:00:57,728 which means it's gonna run it in the background.
00:00:59,651 --> 00:01:02,957 So now Zenmap pops up and we can start doing our scans.
00:01:02,957 --> 00:01:05,110 The first scan we want to do is the least intrusive
00:01:05,110 --> 00:01:07,491 so we can figure out what machines are on this network.
00:01:07,491 --> 00:01:09,068 To do that, we're gonna do a ping scan.
00:01:09,068 --> 00:01:11,864 Our target for this network is gonna be the entire network.
00:01:11,864 --> 00:01:15,447 So I'm gonna use 192.168.56.0/24
00:01:20,051 --> 00:01:23,097 that will tell me that I want that entire subnet.
00:01:23,097 --> 00:01:25,114 Now, another way you could write this,
00:01:25,114 --> 00:01:28,522 is we could actually say 0-254 which would be
00:01:28,522 --> 00:01:30,437 all of those addresses as well.
00:01:30,437 --> 00:01:32,326 But in our case, I would like to use the CIDR
00:01:32,326 --> 00:01:34,704 notation of /24.
00:01:34,704 --> 00:01:36,655 Now you'll notice here in Zenmap that we actually
00:01:36,655 --> 00:01:39,523 get the command line syntax for nmap,
00:01:39,523 --> 00:01:41,079 right here shown for us.
00:01:41,079 --> 00:01:43,787 So Zenmap is gonna use nmap to do the work for us,
00:01:43,787 --> 00:01:45,101 but then it's gonna take that detail
00:01:45,101 --> 00:01:47,698 and bring it back to us in a graphical format.
00:01:47,698 --> 00:01:50,063 Now right now, our profile selected is the Intense scan
00:01:50,063 --> 00:01:51,452 and that's gonna be way too intensive
00:01:51,452 --> 00:01:52,702 for what we're trying to do.
00:01:52,702 --> 00:01:56,718 So we're gonna go down and select a Ping scan instead.
00:01:56,718 --> 00:01:59,509 Notice that the Ping scan is just -sn
00:01:59,509 --> 00:02:02,125 and the IP address range that you want.
00:02:02,125 --> 00:02:04,208 Now I'm gonna click Scan.
00:02:05,094 --> 00:02:07,261 Now here in this main tab,
00:02:09,331 --> 00:02:11,128 I'm gonna make this larger for us.
00:02:11,128 --> 00:02:13,471 Now here in this main tab, what you'll notice is
00:02:13,471 --> 00:02:16,558 you're gonna see the result that nmap would provide you.
00:02:16,558 --> 00:02:18,263 In our case, all we did was a Ping scan,
00:02:18,263 --> 00:02:21,422 so it searched 256 IP addresses
00:02:21,422 --> 00:02:23,456 and it found four of them that were up.
00:02:23,456 --> 00:02:27,623 Those four are the server, the DHCP server we set up,
00:02:28,914 --> 00:02:32,381 one of our virtual machines, our second virtual machine
00:02:32,381 --> 00:02:34,800 and then our Kali Linux box ourself.
00:02:34,800 --> 00:02:36,079 Now we don't necessarily know what
00:02:36,079 --> 00:02:37,479 these two machines are at this point,
00:02:37,479 --> 00:02:40,198 we just know that they're up and taking requests.
00:02:40,198 --> 00:02:42,826 But since we do know that one of the two is our own machine,
00:02:42,826 --> 00:02:44,809 we don't need to scan that one any more
00:02:44,809 --> 00:02:46,278 because we don't need to attack it.
00:02:46,278 --> 00:02:48,364 We want to attack these other two machines.
00:02:48,364 --> 00:02:50,354 So what we're gonna do is we're gonna take it a step further
00:02:50,354 --> 00:02:52,512 and we're gonna start doing different scans
00:02:52,512 --> 00:02:54,557 as we can gather different information.
00:02:54,557 --> 00:02:56,986 Now if you notice, if I click on the Ports and Hosts tab,
00:02:56,986 --> 00:02:59,956 there's no ports yet because we haven't scanned any ports.
00:02:59,956 --> 00:03:03,197 We've only done 'Is this machine up or down?'
00:03:03,197 --> 00:03:06,462 but here we can see in the Topology our network
00:03:06,462 --> 00:03:09,078 and you'll see that there are four hosts connected
00:03:09,078 --> 00:03:10,070 and we can also do a fish-eye that makes
00:03:10,070 --> 00:03:11,496 it a little bit easier to see.
00:03:11,496 --> 00:03:13,873 You can see that we do have four hosts on the network.
00:03:13,873 --> 00:03:17,440 We have the three machines, plus the one DHCP server.
00:03:17,440 --> 00:03:19,683 Now if we look at Host Details,
00:03:19,683 --> 00:03:21,878 all we know is the status that it's up.
00:03:21,878 --> 00:03:23,958 The only reason we know that is because it did a ping,
00:03:23,958 --> 00:03:25,793 we haven't scanned any ports yet.
00:03:25,793 --> 00:03:27,541 This is important to realize.
00:03:27,541 --> 00:03:30,192 So, let's go ahead and go back to our nmap output.
00:03:30,192 --> 00:03:33,246 Let's try a more intensive scan, but only targeting it
00:03:33,246 --> 00:03:35,322 to the two machines that we want to look at,
00:03:35,322 --> 00:03:38,572 which were 101, excuse me, 100 and 101.
00:03:44,938 --> 00:03:48,197 From here, we're gonna do what's called a Quick scan.
00:03:48,197 --> 00:03:51,186 Now if you notice here, the Quick scan is gonna do
00:03:51,186 --> 00:03:53,939 some of the most common ports for us
00:03:53,939 --> 00:03:55,932 and find what information we can about this
00:03:55,932 --> 00:03:59,099 so let's go ahead and do a Quick scan.
00:04:03,360 --> 00:04:05,117 So here is what nmap would have given you
00:04:05,117 --> 00:04:06,772 if you were doing this in the command prompt.
00:04:06,772 --> 00:04:10,605 The scan report for 101 and if we look at 101,
00:04:11,627 --> 00:04:14,340 you'll see all of these ports are open.
00:04:14,340 --> 00:04:16,603 That is a lot of open holes that may be vulnerable
00:04:16,603 --> 00:04:18,972 for us to do exploitation later.
00:04:18,972 --> 00:04:22,055 Now if you notice that 192.168.56.100
00:04:23,806 --> 00:04:26,209 all the ports were filtered.
00:04:26,209 --> 00:04:27,162 That's interesting to know because
00:04:27,162 --> 00:04:28,882 that one was actually our Windows machine
00:04:28,882 --> 00:04:29,715 so we're gonna have to take a look
00:04:29,715 --> 00:04:31,822 at that machine later as we go forward.
00:04:31,822 --> 00:04:33,644 But with the Quick scan, we have identified
00:04:33,644 --> 00:04:36,496 that this 101 is a very vulnerable box.
00:04:36,496 --> 00:04:38,880 That was our Metasploitable machine.
00:04:38,880 --> 00:04:39,960 Now, if we look through it,
00:04:39,960 --> 00:04:41,694 we're gonna see some port numbers
00:04:41,694 --> 00:04:42,962 and those ports are gonna be important
00:04:42,962 --> 00:04:45,314 to help us identify what this machine is.
00:04:45,314 --> 00:04:46,612 So as I look through it, I see we have
00:04:46,612 --> 00:04:48,750 FTP and SSH and Telnet.
00:04:48,750 --> 00:04:51,095 Those are common in Windows and Linux,
00:04:51,095 --> 00:04:55,262 but the ones that aren't are things like rpcbind 111.
00:04:56,279 --> 00:04:59,751 This 139 and 445, those are common of
00:04:59,751 --> 00:05:01,477 Microsoft and Windows machines.
00:05:01,477 --> 00:05:03,842 Notice though that there's not a 135
00:05:03,842 --> 00:05:05,771 which is another NetBIOS port that is
00:05:05,771 --> 00:05:07,367 commonly seen on Microsoft.
00:05:07,367 --> 00:05:08,508 So what this is telling me is that
00:05:08,508 --> 00:05:10,452 this machine which I think is Linux
00:05:10,452 --> 00:05:12,412 is running some Microsoft services
00:05:12,412 --> 00:05:13,763 and they're probably running Samba
00:05:13,763 --> 00:05:15,839 to do file sharing with Microsoft.
00:05:15,839 --> 00:05:19,195 If it had 135, 139 and 445, I would assume
00:05:19,195 --> 00:05:20,354 it's a Windows machine.
00:05:20,354 --> 00:05:21,542 But we're gonna be able to determine that later
00:05:21,542 --> 00:05:23,317 when we do our enumeration.
00:05:23,317 --> 00:05:25,478 As we keep going on, we'll see the login and the shell again
00:05:25,478 --> 00:05:28,776 very common Linux things, we also have MySQL.
00:05:28,776 --> 00:05:30,819 We have a VNC player and X11.
00:05:30,819 --> 00:05:32,912 X11 is an extremely common Linux thing
00:05:32,912 --> 00:05:34,472 so that again is one of those things
00:05:34,472 --> 00:05:36,246 that tells us it's probably Linux.
00:05:36,246 --> 00:05:37,958 Now if we click on the Ports and Hosts tab,
00:05:37,958 --> 00:05:41,875 there's actually an easier way to see all this information.
00:05:41,875 --> 00:05:44,120 So if I click on the host I want to look at
00:05:44,120 --> 00:05:47,370 and I click on the Ports and Hosts, 101,
00:05:49,563 --> 00:05:51,942 you'll see that I have open and closed states
00:05:51,942 --> 00:05:53,547 in this case all these were open ports
00:05:53,547 --> 00:05:54,520 that we're looking at.
00:05:54,520 --> 00:05:56,581 The port number and the FTP so it makes it very easy
00:05:56,581 --> 00:05:58,866 to see graphical representation.
00:05:58,866 --> 00:06:00,565 Now if I click on Host Details,
00:06:00,565 --> 00:06:02,824 it doesn't know what type of host this is yet,
00:06:02,824 --> 00:06:05,549 but it did find that there were 82 closed ports
00:06:05,549 --> 00:06:08,441 and 18 open ports and we did look at 100 ports
00:06:08,441 --> 00:06:10,858 which was pretty noisy of us.
00:06:12,996 --> 00:06:14,528 You can see under Scans, this is the history
00:06:14,528 --> 00:06:15,977 of the scans we've done before.
00:06:15,977 --> 00:06:18,964 We've done our Ping scan and now we've done our Quick scan.
00:06:18,964 --> 00:06:20,988 Now if we want to get a little more intrusive,
00:06:20,988 --> 00:06:24,924 we can do what's called an Intense scan.
00:06:24,924 --> 00:06:29,136 What we're gonna do is do an Intense scan
00:06:29,136 --> 00:06:31,517 and then we're gonna hit Scan.
00:06:31,517 --> 00:06:33,294 Now, the Intense scan is gonna look
00:06:33,294 --> 00:06:35,221 at the open ports and the closed ports
00:06:35,221 --> 00:06:37,811 and it's also gonna try to do some basic enumeration for us.
00:06:37,811 --> 00:06:41,758 So try to figure out what this machine is or isn't.
00:06:41,758 --> 00:06:43,434 So in our case, we're looking at it.
00:06:43,434 --> 00:06:47,601 We're doing a stealth scan right now, you can see that.
00:06:50,564 --> 00:06:52,254 This scan will take us a little bit longer
00:06:52,254 --> 00:06:56,171 because it's going through a lot of information.
00:06:59,411 --> 00:07:00,392 One of the things it does try to do
00:07:00,392 --> 00:07:02,319 is it tries to do an OS detection.
00:07:02,319 --> 00:07:06,486 It was unable to do an OS detection of the .100 system.
00:07:29,739 --> 00:07:31,116 Again, with the text-based information,
00:07:31,116 --> 00:07:33,016 it's gonna give you a lot of information.
00:07:33,016 --> 00:07:35,391 We can go through each of this individually if we want
00:07:35,391 --> 00:07:36,613 but all of this is gonna be shown
00:07:36,613 --> 00:07:38,355 in a much more graphical format
00:07:38,355 --> 00:07:40,256 for us to use as we move forward.
00:07:40,256 --> 00:07:42,493 So let's go ahead and go over here to the ports
00:07:42,493 --> 00:07:43,613 and then click on the host.
00:07:43,613 --> 00:07:45,147 If you notice over here, our OS changed
00:07:45,147 --> 00:07:49,623 on the .101 machine, that Metasploitable machine.
00:07:49,623 --> 00:07:54,047 If you'll notice, we have a little Linux icon here.
00:07:54,047 --> 00:07:56,086 We now see all of the open ports again.
00:07:56,086 --> 00:07:57,836 But notice the difference here from before.
00:07:57,836 --> 00:07:59,755 Not only is it FTP but we know that
00:07:59,755 --> 00:08:01,922 it's vsftpd version 2.3.4.
00:08:03,412 --> 00:08:05,206 This is an enumeration piece.
00:08:05,206 --> 00:08:08,859 You'll see that our Apache is version 2.2.8.
00:08:08,859 --> 00:08:10,134 You'll see that they were running Samba
00:08:10,134 --> 00:08:14,805 which again, Samba Debian is a Linux version of file sharing
00:08:14,805 --> 00:08:18,118 to allow it to share with Windows workgroup users.
00:08:18,118 --> 00:08:19,646 So our guess at this being a Linux machine
00:08:19,646 --> 00:08:21,575 did pan out to be right.
00:08:21,575 --> 00:08:25,075 In this case, we have MySQL version 5.0.51
00:08:26,023 --> 00:08:27,538 and again, these are all important to know
00:08:27,538 --> 00:08:28,981 because we can take this information
00:08:28,981 --> 00:08:32,093 and search the CVE database and be able to find out
00:08:32,093 --> 00:08:35,342 what known exploits there are for these particular services
00:08:35,342 --> 00:08:37,726 so this is all part of that information gathering stage
00:08:37,726 --> 00:08:40,272 for us to plan our attack.
00:08:40,272 --> 00:08:43,225 Then we're gonna move further down
00:08:43,225 --> 00:08:46,133 you'll see here we have a Metasploitable root shell,
00:08:46,133 --> 00:08:49,391 we have IRC channel, Unreal IRC Debian
00:08:49,391 --> 00:08:53,841 and again HTTP with a Tomcat/Coyote JSP engine on an Apache.
00:08:53,841 --> 00:08:56,977 So we also have another FTP up here on port 2121
00:08:56,977 --> 00:08:58,901 so lots of different things that we can go after
00:08:58,901 --> 00:09:01,123 as we start attacking this machine later on.
00:09:01,123 --> 00:09:05,041 Now let's take a look at that Windows machine we had.
00:09:05,041 --> 00:09:07,958 You can see here no ports were identified.
00:09:07,958 --> 00:09:09,435 If we click on Host Details,
00:09:09,435 --> 00:09:11,804 it was unable to identify the fact that this was Windows
00:09:11,804 --> 00:09:13,613 and if we go to Linux, you'll see that
00:09:13,613 --> 00:09:15,801 this not only was able to figure out that it was Linux
00:09:15,801 --> 00:09:18,482 but that it's most likely Linux 2.6,
00:09:18,482 --> 00:09:21,962 somewhere between version nine and version 33.
00:09:21,962 --> 00:09:24,190 That's gonna... And it gives us an accuracy used
00:09:24,190 --> 00:09:26,473 based on the ports that it saw.
00:09:26,473 --> 00:09:28,281 So based on what ports it had
00:09:28,281 --> 00:09:30,600 and the responses it received from those,
00:09:30,600 --> 00:09:33,095 it's able to tell us with 100% accuracy
00:09:33,095 --> 00:09:35,012 that this is Linux 2.6.
00:09:37,005 --> 00:09:40,080 It also does this based on TCP sequencing,
00:09:40,080 --> 00:09:42,496 in our case it didn't do a very good job of it.
00:09:42,496 --> 00:09:45,370 It also can do this based on IP sequencing,
00:09:45,370 --> 00:09:48,227 in our case it didn't collect any of that.
00:09:48,227 --> 00:09:52,394 Again, more TCP sequencing and then we have some comments
00:09:53,393 --> 00:09:54,433 that we can locate at the bottom,
00:09:54,433 --> 00:09:56,350 there were no comments.
00:09:59,988 --> 00:10:03,623 So, based on the ports used and the way that it responds
00:10:03,623 --> 00:10:06,762 it understood that this was Linux with 100% accuracy.
00:10:06,762 --> 00:10:09,681 So it did a lot of that enumeration for us.
00:10:09,681 --> 00:10:11,912 Now, Windows has not been responding.
00:10:11,912 --> 00:10:13,483 Let's go take a look at our Windows machine
00:10:13,483 --> 00:10:15,150 and see why that is.
00:10:19,733 --> 00:10:21,432 Let's go into our Control Panel,
00:10:21,432 --> 00:10:24,300 we'll go to our Security Center,
00:10:24,300 --> 00:10:26,232 so you'll notice the Windows Firewall is on.
00:10:26,232 --> 00:10:27,855 We're gonna go take a look at the Windows Firewall
00:10:27,855 --> 00:10:32,437 and see if that's the reason why it's not responding to us.
00:10:32,437 --> 00:10:35,941 So, in this case, we have the firewall on
00:10:35,941 --> 00:10:39,104 and the only exceptions are the ones in the Exceptions tab.
00:10:39,104 --> 00:10:42,404 If we look here, there weren't a whole lot of exceptions.
00:10:42,404 --> 00:10:45,819 If you notice, File and Print Sharing was not an exception.
00:10:45,819 --> 00:10:47,200 Let's go ahead and let that be an exception right now
00:10:47,200 --> 00:10:49,799 because most home networks only use file and print sharing
00:10:49,799 --> 00:10:53,274 to be able to share files and printers across their network.
00:10:53,274 --> 00:10:54,941 Then, let's hit OK.
00:10:56,158 --> 00:10:58,585 Now let's go back and try our scan again.
00:10:58,585 --> 00:11:00,654 So now that we've set the exception in the firewall,
00:11:00,654 --> 00:11:02,227 we're gonna scan the Windows machine again
00:11:02,227 --> 00:11:04,002 using that Quick scan.
00:11:04,002 --> 00:11:06,368 That's gonna do the 100 most common ports.
00:11:06,368 --> 00:11:11,087 So we'll scan that machine and you can see now,
00:11:11,087 --> 00:11:12,994 because we've opened the Windows file sharing
00:11:12,994 --> 00:11:14,179 and allowed that exception,
00:11:14,179 --> 00:11:17,546 that we can now identify port 139 and port 445
00:11:17,546 --> 00:11:19,638 as part of that machine.
00:11:19,638 --> 00:11:20,954 Now if we go to the Host Details,
00:11:20,954 --> 00:11:22,479 let's see if we can figure that out.
00:11:22,479 --> 00:11:24,245 We still can't figure that out yet,
00:11:24,245 --> 00:11:27,033 so we're gonna have to do a more intensive scan.
00:11:27,033 --> 00:11:30,494 We'll go back here and do an Intense scan on 100,
00:11:30,494 --> 00:11:33,994 just the one machine and we'll scan again.
00:11:35,761 --> 00:11:39,810 Now, it's discovering the open ports on 139 and 445,
00:11:39,810 --> 00:11:41,631 it's gonna do a SYN stealth scan
00:11:41,631 --> 00:11:43,351 to try to be a little bit sneaky for us
00:11:43,351 --> 00:11:46,158 as it goes through 1,000 commonly looked at ports.
00:11:46,158 --> 00:11:48,133 Now if they happen to be looking at this network traffic,
00:11:48,133 --> 00:11:51,083 they're probably gonna see this, because going port one,
00:11:51,083 --> 00:11:53,346 port two, port three, port four, going all the way down,
00:11:53,346 --> 00:11:55,470 you're gonna end up seeing something.
00:11:55,470 --> 00:11:58,004 The other thing, because this is an Intense scan,
00:11:58,004 --> 00:12:00,833 it's actually using 138 specific scripts
00:12:00,833 --> 00:12:02,231 as it goes through and does this.
00:12:02,231 --> 00:12:03,486 This is how it's able to do things
00:12:03,486 --> 00:12:04,848 like the enumeration for us.
00:12:04,848 --> 00:12:07,547 Figuring out what ports were open is fairly easy
00:12:07,547 --> 00:12:09,274 with the scan but now it's actually using
00:12:09,274 --> 00:12:10,338 those different scripts.
00:12:10,338 --> 00:12:12,219 It's gonna see those open ports and based on the way
00:12:12,219 --> 00:12:13,824 it responded from each of those ports,
00:12:13,824 --> 00:12:15,500 we're gonna be able to determine what version
00:12:15,500 --> 00:12:17,348 of the operating system it's using.
00:12:17,348 --> 00:12:19,149 So as we scroll up here in our text,
00:12:19,149 --> 00:12:22,241 we can see some information that was found from the script.
00:12:22,241 --> 00:12:25,668 Again, port 135 and 445, we believe it's Windows XP
00:12:25,668 --> 00:12:27,695 based on the way it responded.
00:12:27,695 --> 00:12:29,687 We also got the MAC address and based on that MAC address
00:12:29,687 --> 00:12:31,826 we know it's a VirtualBox.
00:12:31,826 --> 00:12:34,673 In this case we also can see the operating system scan
00:12:34,673 --> 00:12:36,660 was unreliable because they couldn't find at least
00:12:36,660 --> 00:12:38,058 one open and one closed port,
00:12:38,058 --> 00:12:39,616 they only found those open ports,
00:12:39,616 --> 00:12:41,893 the firewall blocked the rest of the ports from us.
00:12:41,893 --> 00:12:44,705 But they believe that it's Microsoft 2000 or XP.
00:12:44,705 --> 00:12:46,707 Now why would it be 2000 or XP?
00:12:46,707 --> 00:12:49,773 Well, Microsoft XP and Microsoft 2000
00:12:49,773 --> 00:12:53,955 share a common code base, just like Windows Vista and 2003
00:12:53,955 --> 00:12:55,242 share a common code base.
00:12:55,242 --> 00:12:58,669 Windows 7 and 2008 both share a common code base.
00:12:58,669 --> 00:13:02,105 2012 and Windows 8 also share a common code base
00:13:02,105 --> 00:13:03,476 so as they move forward in these,
00:13:03,476 --> 00:13:05,349 you can start seeing this overlap
00:13:05,349 --> 00:13:08,126 and you a lot of times get one where it thinks
00:13:08,126 --> 00:13:09,833 it's one or the other or both.
00:13:09,833 --> 00:13:11,386 In this case, it did a fairly good job.
00:13:11,386 --> 00:13:12,973 It realized it's either Windows XP,
00:13:12,973 --> 00:13:14,682 Service Pack 2 or Service Pack 3.
00:13:14,682 --> 00:13:17,926 Or Windows 2000, Service Pack 4.
00:13:17,926 --> 00:13:19,757 In this case, it wasn't able to do the prediction
00:13:19,757 --> 00:13:22,455 through TCP sequence, but it can do it based on
00:13:22,455 --> 00:13:24,360 the information we see from the port scans.
00:13:24,360 --> 00:13:27,132 Now as we scroll down, we had some enumerations run as well.
00:13:27,132 --> 00:13:29,231 In this case, it did a NetBIOS check,
00:13:29,231 --> 00:13:30,538 it found the name of the computer,
00:13:30,538 --> 00:13:32,855 the name of the computer is John's PC.
00:13:32,855 --> 00:13:33,918 It also gave us the fact that
00:13:33,918 --> 00:13:37,037 he's in a workgroup not in a domain.
00:13:37,037 --> 00:13:38,590 We also know the fact that we're still, again,
00:13:38,590 --> 00:13:42,495 using Windows XP based on SMB that we found.
00:13:42,495 --> 00:13:44,745 SMB being the file sharing.
00:13:48,012 --> 00:13:49,922 Then it did a traceroute, in our case the traceroute
00:13:49,922 --> 00:13:52,927 goes immediately there because we're on the same network.
00:13:52,927 --> 00:13:55,485 After it did all the scanning, it runs through a couple
00:13:55,485 --> 00:13:57,694 other different reports and scripts,
00:13:57,694 --> 00:13:59,564 tries to find as much information as it can,
00:13:59,564 --> 00:14:01,284 and it did all of that scanning in about
00:14:01,284 --> 00:14:02,929 50 seconds for one host.
00:14:02,929 --> 00:14:04,512 This is important to know because if you're doing
00:14:04,512 --> 00:14:06,563 an intensive scan, it does take some time.
00:14:06,563 --> 00:14:09,221 This was on a network that was on the same network
00:14:09,221 --> 00:14:11,052 on the same machine, meaning it was very quick.
00:14:11,052 --> 00:14:12,562 If I had to go all the way across the internet
00:14:12,562 --> 00:14:15,645 to another host and I was getting numerous hosts,
00:14:15,645 --> 00:14:18,096 that time goes up, the more time you're spending,
00:14:18,096 --> 00:14:19,382 the more packets that you're sending,
00:14:19,382 --> 00:14:20,784 the more likely you are to get caught.
00:14:20,784 --> 00:14:24,633 In our case, we sent out 2,035 packets,
00:14:24,633 --> 00:14:27,344 but we only received 15 back
00:14:27,344 --> 00:14:28,974 so the chances of us getting seen
00:14:28,974 --> 00:14:32,578 was 2,035 times that we sent information to them.
00:14:32,578 --> 00:14:34,354 There are ways we can be a little bit more sneaky
00:14:34,354 --> 00:14:37,123 with these tools, it just depends on the profiles we use
00:14:37,123 --> 00:14:39,151 and the way we configure them.
00:14:39,151 --> 00:14:40,907 Now as we go into Ports and Hosts,
00:14:40,907 --> 00:14:43,152 we click on our Windows tab here.
00:14:43,152 --> 00:14:44,598 The .100 machine.
00:14:44,598 --> 00:14:48,127 You'll see the fact, again, based on that text output we had
00:14:48,127 --> 00:14:50,419 in a nice graphical format that we can see.
00:14:50,419 --> 00:14:52,922 We then go into Topology and we now see
00:14:52,922 --> 00:14:55,188 that there is some sort of a lock on this,
00:14:55,188 --> 00:14:58,026 meaning there was a firewall of some sort.
00:14:58,026 --> 00:14:59,528 Then we're gonna go here to the host
00:14:59,528 --> 00:15:02,866 and here we can see that we scanned 1,000 ports
00:15:02,866 --> 00:15:07,309 and of those, only two were open and 998 were filtered.
00:15:07,309 --> 00:15:10,252 Filtered means that there was some sort
00:15:10,252 --> 00:15:13,343 of firewall there blocking us.
00:15:13,343 --> 00:15:16,409 Again, the accuracy, the fact that we are Windows 2000
00:15:16,409 --> 00:15:18,192 is very accurate in this case
00:15:18,192 --> 00:15:20,245 and they do that based on the port that they saw,
00:15:20,245 --> 00:15:22,461 the one they made their decision on was 139
00:15:22,461 --> 00:15:25,128 which was a NetBIOS file sharing.
00:15:26,578 --> 00:15:29,021 The class is Windows 2000 and as I said before,
00:15:29,021 --> 00:15:32,191 Windows 2000 and Windows XP share a common code base
00:15:32,191 --> 00:15:33,311 that interacts the same way,
00:15:33,311 --> 00:15:35,492 so they look very similar in traffic.
00:15:35,492 --> 00:15:38,189 So, as you can see, we can be very invasive
00:15:38,189 --> 00:15:40,219 or very quiet in our scanning techniques,
00:15:40,219 --> 00:15:41,534 it really depends on the level of information
00:15:41,534 --> 00:15:42,685 that we're trying to gather.
00:15:42,685 --> 00:15:44,075 The question now becomes,
00:15:44,075 --> 00:15:45,992 how quiet do you want to be in your hack?
00:15:45,992 --> 00:15:48,228 Well, that's gonna depend on why you were hired
00:15:48,228 --> 00:15:49,958 by the organization in the first place.
00:15:49,958 --> 00:15:51,712 Are they looking for a realistic hack
00:15:51,712 --> 00:15:54,130 to challenge their defenders and find their weaknesses?
00:15:54,130 --> 00:15:56,522 If so, then you would want to be very, very quiet
00:15:56,522 --> 00:15:58,200 to get that realistic threat.
00:15:58,200 --> 00:15:59,860 But, if you're tasked to provide the defenders
00:15:59,860 --> 00:16:02,954 a simple emulation of an adversary of a script kiddie,
00:16:02,954 --> 00:16:04,556 you'd want to be really noisy
00:16:04,556 --> 00:16:07,570 and that way they can find you quickly and take you down.
00:16:07,570 --> 00:16:09,608 It really depends on the intent of the assessment.
00:16:09,608 --> 00:16:11,698 Again, these tools can be used very sneakily,
00:16:11,698 --> 00:16:14,236 do the customization, or very loudly,
00:16:14,236 --> 00:16:16,551 it all depends on how well you understand your tool set,
00:16:16,551 --> 00:16:19,460 your intent and your method during the hack.