1
00:00:00,350 --> 00:00:04,310
So I'll introduce you to the last example of compromising SNMP.

2
00:00:04,880 --> 00:00:10,700
Let's try to grab the SNMP configuration of the Cisco router using the Metasploit Framework.

3
00:00:11,550 --> 00:00:18,210
The Metasploit Project is the most used penetration testing framework of, well, the whole world.

4
00:00:18,240 --> 00:00:24,780
It can be used to test the vulnerability of computer systems or break into remote systems.

5
00:00:25,230 --> 00:00:29,850
Its best-known subproject is the open source Metasploit Framework.

6
00:00:30,570 --> 00:00:36,060
That's a tool for developing and executing exploit code against a remote target machine.

7
00:00:38,230 --> 00:00:41,770
So here we have our network prepared by GNS3.

8
00:00:41,830 --> 00:00:46,870
Again, we'll perform this demo on this network because, look at that,

9
00:00:46,870 --> 00:00:47,710
it's right here.

10
00:00:48,600 --> 00:00:51,330
So go to Kali and open a terminal screen.

11
00:00:51,360 --> 00:00:59,310
Type msfconsole and press enter to start the Metasploit Framework's console application.

12
00:01:01,330 --> 00:01:04,750
So now we have a shell-like MSF environment.

13
00:01:04,989 --> 00:01:08,470
We can run the msfconsole commands in this environment.

14
00:01:09,600 --> 00:01:14,930
Now, because it's the subject of the exploitation and post-exploitation course that I did,

15
00:01:14,940 --> 00:01:22,200
I won't go into deep detail about Metasploit right now, but I will talk about some certain applicable

16
00:01:22,200 --> 00:01:23,040
points.

17
00:01:24,850 --> 00:01:28,480
We'll use a module to collect the configuration of the router.

18
00:01:28,900 --> 00:01:35,320
I don't remember the exact name of it, so why don't we search for the Cisco and config keywords?

19
00:01:41,070 --> 00:01:43,110
We find an auxiliary module.
20
00:01:43,530 --> 00:01:50,130
Auxiliary modules are not for exploiting a vulnerability, but for gathering some information and helping the

21
00:01:50,130 --> 00:01:54,360
pentester figure out the systems and the vulnerabilities.

22
00:01:55,150 --> 00:01:59,980
So use the use keyword with the entire module name.

23
00:02:00,750 --> 00:02:03,870
The command prompt has changed to the module name now.

24
00:02:04,780 --> 00:02:10,270
Type show options to see the options we should set before running the module.

25
00:02:11,280 --> 00:02:16,110
The community option is required and is public by default.

26
00:02:16,500 --> 00:02:19,500
But let's set it as private.

27
00:02:20,690 --> 00:02:26,090
Set the output directory option to save the results in a file.

28
00:02:26,330 --> 00:02:29,750
So I'll choose the desktop as the output directory.

29
00:02:31,160 --> 00:02:35,450
Now set the remote host to the IP address of the target router.

30
00:02:38,700 --> 00:02:46,080
RPORT is 161 by default, which is definitely okay with us, and leave the other options with the default

31
00:02:46,080 --> 00:02:46,830
values.

32
00:02:46,860 --> 00:02:48,450
Now we're ready.

33
00:02:48,610 --> 00:02:51,450
Type run to run the module.

34
00:02:55,850 --> 00:03:02,240
Auxiliary module execution completed and the configuration file is saved to the output directory, in

35
00:03:02,240 --> 00:03:04,790
this example, of course, to the desktop.

36
00:03:05,960 --> 00:03:07,220
So here's the file.

37
00:03:07,250 --> 00:03:08,780
Double-click it to open it.

38
00:03:09,080 --> 00:03:11,690
Welcome to the configuration of the router.

39
00:03:12,440 --> 00:03:16,940
We don't have any credential on our router yet, so let's close the file now.

40
00:03:16,970 --> 00:03:20,510
Go to the router console and create a user.

41
00:03:21,140 --> 00:03:28,040
Then collect the config file again and just see how a user is saved in the config file.
42
00:03:29,800 --> 00:03:36,070
So I'm in the GNS3 emulator on my host system, which is a Mac, and I'll go to the console of the

43
00:03:36,070 --> 00:03:38,290
router and just create a user.

44
00:03:41,980 --> 00:03:45,500
Of course, we need to enter the configure terminal mode first.

45
00:03:45,520 --> 00:03:47,110
So type username.

46
00:03:48,130 --> 00:03:52,270
Well, to understand the command, I'll put a question mark at the end of each word.

47
00:03:52,780 --> 00:03:54,820
The username is expected.

48
00:03:55,150 --> 00:03:57,460
Let's give it an exceptional username.

49
00:03:57,700 --> 00:03:59,470
How about Cisco?

50
00:04:00,380 --> 00:04:01,040
Question mark.

51
00:04:01,040 --> 00:04:04,310
Once again, these are the next options.

52
00:04:04,700 --> 00:04:13,100
Okay, we want to specify a password for the user, so we can use either password or secret as the keywords

53
00:04:13,100 --> 00:04:14,480
to set a password.

54
00:04:14,990 --> 00:04:20,570
I'll tell you their differences soon, but let's just use password as the keyword for now.

55
00:04:21,290 --> 00:04:21,740
Yeah.

56
00:04:21,740 --> 00:04:23,830
Let's just keep the password simple for now.

57
00:04:23,840 --> 00:04:25,190
One, two, three, four, five.

58
00:04:25,430 --> 00:04:28,220
Or wait, maybe that's just too popular.

59
00:04:28,970 --> 00:04:30,830
In any event, just press enter.

60
00:04:32,260 --> 00:04:38,260
Now, to identify the privileges of the user, type username Cisco

61
00:04:39,630 --> 00:04:45,150
privilege 15, where 15 stands for complete control over the router.

62
00:04:46,120 --> 00:04:50,500
Okay, now let's go to Kali and run the auxiliary module again.

63
00:04:56,330 --> 00:04:59,840
So it's all finished and the output file is created.

64
00:05:00,380 --> 00:05:03,560
If there's a file with the same name, it's overwritten.

65
00:05:03,560 --> 00:05:04,790
So just be aware of that.
66
00:05:05,240 --> 00:05:09,650
Double-click on the file and look at the configuration of the router again.

67
00:05:11,600 --> 00:05:12,500
And look at that.

68
00:05:12,710 --> 00:05:17,690
The entire configuration of the router. And look at the rows more carefully.

69
00:05:18,320 --> 00:05:18,680
Yep.

70
00:05:18,680 --> 00:05:19,380
There it is.

71
00:05:19,400 --> 00:05:22,400
The credential we created just a couple of minutes ago.

72
00:05:22,670 --> 00:05:25,160
So as you see, the password is saved

73
00:05:25,160 --> 00:05:30,470
as clear text, and as hackers, we learned the username and password remotely.

74
00:05:32,660 --> 00:05:35,050
Now, does it have to be like this?

75
00:05:35,090 --> 00:05:42,050
I mean, are the credentials of the users always stored as clear text in the Cisco config?

76
00:05:42,080 --> 00:05:45,200
The answer is, of course not.

77
00:05:45,530 --> 00:05:49,820
So I'm going to show you the ways to keep the password data secure.

78
00:05:49,910 --> 00:05:51,200
Better pay attention.