1
00:00:00,750 --> 00:00:07,600
Now in the previous lecture we had a quick look at Nmap and how it can be used to gather information.

2
00:00:07,830 --> 00:00:10,840
So in this lecture we'll build up on that.

3
00:00:10,980 --> 00:00:16,010
The main scan that I want to show you right now is the quick scan plus.

4
00:00:17,610 --> 00:00:19,990
This scan takes the quick scan

5
00:00:20,100 --> 00:00:21,390
one step further.

6
00:00:21,510 --> 00:00:27,900
So first of all it'll be slower, but it's going to show us even more information.

7
00:00:27,900 --> 00:00:34,420
So first we're going to be able to see the operating system running on the discovered devices.

8
00:00:35,190 --> 00:00:41,400
We will also be able to see the device type, whether it's a phone or a laptop or a router.

9
00:00:41,730 --> 00:00:49,460
And we'll be able to discover the program and the program version running on the discovered ports.

10
00:00:49,470 --> 00:00:56,430
So before, for example, we were able to discover that port 80 is open, but we didn't know what program is

11
00:00:56,430 --> 00:01:00,030
running on this port or what version of this program.

12
00:01:00,030 --> 00:01:06,480
Getting the exact program version is really helpful when we get to the gaining access section, and you'll

13
00:01:06,480 --> 00:01:14,600
see then how we can use that to exploit vulnerable services and gain full control over the computers

14
00:01:14,640 --> 00:01:17,070
that have these services installed.

15
00:01:18,980 --> 00:01:24,320
Now straight away when you look at the results you'll see that we got much more information than all

16
00:01:24,320 --> 00:01:26,580
of the scans we've run so far.

17
00:01:26,990 --> 00:01:34,440
So the first thing you'll notice is the icons beside the IPs of the discovered devices. These icons represent

18
00:01:34,490 --> 00:01:38,090
the operating system running on these devices.

19
00:01:38,090 --> 00:01:43,700
So right now we have the operating system for all of the connected devices, and now it's also showing the

20
00:01:43,700 --> 00:01:50,070
programs running on each of the discovered ports and the versions of these programs.

21
00:01:50,390 --> 00:01:56,510
So for example if we look at the 192.168.1.12, the Apple device on the list, we knew that port

22
00:01:56,570 --> 00:01:59,580
22 is open and we knew that SSH is running on it.

23
00:01:59,720 --> 00:02:02,870
What we didn't know is what version of SSH was running.

24
00:02:03,260 --> 00:02:05,240
Right now we can see that it's running

25
00:02:05,240 --> 00:02:07,940
OpenSSH 6.1.

26
00:02:08,390 --> 00:02:14,990
So we can go on Google and look for exploits and vulnerabilities in this specific version, and we might

27
00:02:14,990 --> 00:02:20,340
actually find something. We'll actually talk more about that in the gaining access section.

28
00:02:21,280 --> 00:02:25,930
Now if you look at the device type you can see that it's a media device.

29
00:02:25,960 --> 00:02:26,850
It's a phone.

30
00:02:27,010 --> 00:02:33,370
So before we knew this is an Apple device, but we didn't know whether it's a tablet, a phone or a Mac.

31
00:02:33,610 --> 00:02:36,010
Right now we know that it is a phone.

32
00:02:36,430 --> 00:02:38,690
It's also discovering that it's running Apple

33
00:02:38,820 --> 00:02:40,690
iOS 4, 5 or 6.

34
00:02:40,780 --> 00:02:43,290
Now it's actually running a version of iOS,

35
00:02:43,330 --> 00:02:44,480
I'm not entirely sure,

36
00:02:44,500 --> 00:02:47,730
I think 9 or 10, but still it's close enough.

37
00:02:47,740 --> 00:02:52,380
It's telling me that it's an Apple, it's telling me that it's a phone and it's running

38
00:02:52,380 --> 00:02:53,250
iOS.

39
00:02:53,350 --> 00:02:55,260
So this is really, really good.

40
00:02:56,660 --> 00:03:00,870
Now if we go to the next device here, the 192.168.1.[inaudible].

41
00:03:00,890 --> 00:03:02,600
This is a Linux device.

42
00:03:02,600 --> 00:03:10,410
And when we ran the quick scan we were able to identify port 80 and port 49152 open.

43
00:03:10,430 --> 00:03:15,980
But again we didn't know the program running or the server version running on this port.

44
00:03:16,040 --> 00:03:19,190
So right now we know it's Apache httpd

45
00:03:19,310 --> 00:03:23,310
2.2.22, [inaudible].

46
00:03:23,330 --> 00:03:29,720
Now we have the operating system and the exact version of the service running, so we can go and look for

47
00:03:29,720 --> 00:03:34,680
weaknesses and exploits in this specific version and this port.

48
00:03:34,700 --> 00:03:37,340
We didn't even know what server was running on it.

49
00:03:37,490 --> 00:03:44,480
Right now we know it is a UPnP service and the server is MediaTomb UPnP. We have that exact

50
00:03:44,480 --> 00:03:45,630
version again.

51
00:03:45,680 --> 00:03:52,130
So again we can go ahead and look for exploits in these specific versions, and if we discover any we'll

52
00:03:52,130 --> 00:04:00,440
be able to gain full control on this computer. Again if we go down to the 192.168.1.[inaudible]

53
00:04:00,680 --> 00:04:07,230
we can see that it's running a Microsoft HTTPAPI [inaudible] on port 5357.

54
00:04:09,260 --> 00:04:15,920
You can also browse by the services, so from here on the left if you click on services you'll be able

55
00:04:16,010 --> 00:04:20,570
to categorize the discovered clients based on the services.

56
00:04:20,570 --> 00:04:25,820
So if you click on http we'll see all the clients that have an HTTP service running.

57
00:04:25,970 --> 00:04:29,340
If you click on ssh we can see the Apple device here.

58
00:04:29,520 --> 00:04:32,910
It's the only device that has an SSH service running.

59
00:04:34,040 --> 00:04:37,010
So let me actually show you a quick example.

60
00:04:37,130 --> 00:04:44,550
If we go back here to the hosts and go back to the Apple device, the 192.168.1.12, as we can see,

61
00:04:44,570 --> 00:04:46,470
as I said, we know it's a phone.

62
00:04:46,520 --> 00:04:47,900
We know it's an Apple phone.

63
00:04:47,900 --> 00:04:53,180
We know that it has an SSH service installed on it running on port 22.

64
00:04:53,270 --> 00:05:01,310
And we know that SSH is a service that allows you to remotely execute system commands on the

65
00:05:01,340 --> 00:05:05,530
computer that has the SSH service installed.

66
00:05:05,840 --> 00:05:11,100
Now obviously before you can use the service you have to use a username and a password.

67
00:05:11,180 --> 00:05:18,350
Once you authenticate it'll allow you to execute system commands remotely on that computer or on that

68
00:05:18,350 --> 00:05:19,000
phone.

69
00:05:19,750 --> 00:05:24,800
Now by default iOS devices do not have an SSH server.

70
00:05:24,910 --> 00:05:32,430
Usually when you jailbreak the phone or the device it'll automatically install an SSH server, and the

71
00:05:32,440 --> 00:05:37,210
password for that server is set to alpine by default.

72
00:05:37,360 --> 00:05:39,600
That's a-l-p-i-n-e.

73
00:05:39,970 --> 00:05:46,060
Now since we know that this is an iPhone and it has port 22 open with an OpenSSH server, we know that

74
00:05:46,060 --> 00:05:49,990
this phone has been jailbroken. Now since the phone is jailbroken,

75
00:05:49,990 --> 00:05:55,550
we know the password to log in to SSH is alpine unless the user changed it.

76
00:05:55,900 --> 00:06:02,200
Now most users do not even know about this, and even the ones that know about this, like myself, are too

77
00:06:02,200 --> 00:06:08,640
lazy to change it, so it's always worth a try if you discover a phone like this in the same network.

78
00:06:08,830 --> 00:06:13,440
It's always worth a try to go and try to connect to it with the default password.

79
00:06:13,780 --> 00:06:20,260
So I'm just going to go to my terminal and I'm going to try to connect to this phone using SSH, so

80
00:06:20,260 --> 00:06:27,280
I'm going to type ssh root, which is the username for the admin in Linux,

81
00:06:27,340 --> 00:06:29,640
192.168.1.12.

82
00:06:29,650 --> 00:06:32,060
This is the IP of the phone.

83
00:06:32,450 --> 00:06:33,670
I'm going to hit enter.

84
00:06:33,670 --> 00:06:38,950
It's asking me if I should trust this connection. I'm going to say yes, and now it is asking me for the

85
00:06:38,950 --> 00:06:39,700
password.

86
00:06:39,830 --> 00:06:44,680
And like I said, when the phone is jailbroken the password is set to alpine.

87
00:06:44,980 --> 00:06:48,450
So I'm going to type a-l-p-i-n-e.

88
00:06:48,790 --> 00:06:54,540
I'm going to hit enter, and as you can see I logged in as root.

89
00:06:54,610 --> 00:07:01,340
So right now I have the highest privileges on the phone and I can do whatever I want on the system.

90
00:07:01,740 --> 00:07:06,160
And now we can use system commands to completely control the phone.

91
00:07:07,410 --> 00:07:09,690
Now this is a little bit ahead of time.

92
00:07:09,720 --> 00:07:12,070
We are still in the network hacking section.

93
00:07:12,120 --> 00:07:17,320
So don't worry too much about this. We'll talk more about it in the gaining access section.

94
00:07:17,490 --> 00:07:24,180
But this is just a quick example that I wanted to show you of how powerful information gathering is, because we

95
00:07:24,180 --> 00:07:26,850
literally did not exploit anything right here.

96
00:07:26,850 --> 00:07:33,210
We just relied on the information we gathered and we were able to hack an iPhone that is connected to

97
00:07:33,210 --> 00:07:34,700
the same network as us.

98
00:07:36,640 --> 00:07:39,940
Now like I said, Nmap is a huge tool.

99
00:07:39,970 --> 00:07:45,490
I highly recommend you go ahead and try the other profiles in here, and like I said, once you're done with the

100
00:07:45,490 --> 00:07:46,030
course,

101
00:07:46,030 --> 00:07:49,970
I think the Nmap book would be a really, really good read.

102
00:07:49,990 --> 00:07:55,420
We'll also use Nmap much more in the gaining access section and we'll see how we can use this information

103
00:07:55,660 --> 00:08:01,500
to gain full control over the computers using code execution vulnerabilities and so on.

104
00:08:01,870 --> 00:08:07,330
Well in this lecture I just wanted to give you a quick overview, and we'll build up on this as we go

105
00:08:07,330 --> 00:08:08,360
through the course.