1 00:00:00,520 --> 00:00:05,290 In this video, we are going to learn an important topic, which is exploitation.
2 00:00:07,500 --> 00:00:08,700 SMB, Server Message
3 00:00:08,700 --> 00:00:14,700 Block protocol, is a client-server communication protocol used for sharing access to files, printers,
4 00:00:14,730 --> 00:00:17,310 serial ports and other resources on the network.
5 00:00:20,560 --> 00:00:23,020 To scan for SMB, we can use Nmap.
6 00:00:24,650 --> 00:00:28,760 SMB by default runs on port 139 and port 445.
7 00:00:33,220 --> 00:00:39,760 If the SMB service is running, we can use a tool called enum4linux that is used to enumerate SMB shares
8 00:00:39,760 --> 00:00:41,920 on both Windows and Linux systems.
9 00:00:42,220 --> 00:00:47,860 It is basically a wrapper around the tools in the Samba package and makes it very easy to quickly extract
10 00:00:47,860 --> 00:00:50,560 information from the target pertaining to SMB.
11 00:00:51,160 --> 00:00:54,580 It is installed by default on Parrot and Kali Linux.
12 00:01:01,240 --> 00:01:07,870 Nmap also has a script that can be used to enumerate SMB, which is the smb-os-discovery module.
13 00:01:09,210 --> 00:01:16,700 You can use the command sudo nmap, specify the script with the --script flag, and use the script smb-os-discovery
14 00:01:16,710 --> 00:01:17,400 .nse.
15 00:01:20,670 --> 00:01:24,150 To gain access to the target machine, we can use smbclient.
16 00:01:24,690 --> 00:01:27,330 You can list all shares with the -L flag.
17 00:01:29,270 --> 00:01:31,640 And you can specify a share to access it.
18 00:01:34,640 --> 00:01:36,200 Now let's see the demonstration.
19 00:01:39,840 --> 00:01:43,080 So I will be using the Network Services room from TryHackMe.
20 00:01:43,950 --> 00:01:49,110 And for this demonstration I will be using the Kali Linux provided by TryHackMe in the browser.
21 00:01:50,790 --> 00:01:52,350 So start your Kali Linux.
22 00:01:58,370 --> 00:02:00,860 And let's just scroll down to the SMB task.
23 00:02:04,470 --> 00:02:10,620 TryHackMe first explains SMB and provides very useful information about the basic functioning of
24 00:02:10,620 --> 00:02:11,370 the protocol.
25 00:02:13,830 --> 00:02:16,590 So the first question is, what does SMB stand for?
26 00:02:19,680 --> 00:02:21,330 Which is Server Message Block.
27 00:02:26,980 --> 00:02:29,650 The second question is, what type of protocol is SMB?
28 00:02:30,160 --> 00:02:32,230 It is a response-request protocol.
29 00:02:33,220 --> 00:02:38,140 The third question is, how do clients connect to servers? Which is the TCP/IP protocol.
30 00:02:39,740 --> 00:02:42,470 And the last question is, what does Samba run on?
31 00:02:42,500 --> 00:02:45,290 Samba is a native Unix client.
32 00:02:46,590 --> 00:02:50,190 Now let's move on to the next task, which is about enumerating SMB.
33 00:02:50,670 --> 00:02:51,900 Now start your machine.
34 00:02:58,680 --> 00:03:01,020 So the first question is, conduct an Nmap scan.
35 00:03:03,770 --> 00:03:05,680 So on my Kali Linux,
36 00:03:07,690 --> 00:03:08,680 open a new terminal.
37 00:03:14,130 --> 00:03:15,360 Launch an Nmap scan.
38 00:03:20,920 --> 00:03:23,020 -sS is for a stealth scan.
39 00:03:25,470 --> 00:03:27,540 -T4 is to speed up the process.
40 00:03:28,920 --> 00:03:33,630 And --script vuln will check for default vulnerabilities on the target system.
41 00:03:36,590 --> 00:03:41,060 And we do have a service running on port 139 and port 445.
42 00:03:45,950 --> 00:03:46,640 So back on
43 00:03:46,640 --> 00:03:47,330 TryHackMe.
44 00:03:48,640 --> 00:03:50,890 So there are three ports open on the target machine.
45 00:03:52,060 --> 00:03:56,050 And SMB is running on port 139 and port 445.
46 00:04:02,510 --> 00:04:04,820 Now let's launch enum4linux.
47 00:04:07,850 --> 00:04:08,870 Open a new terminal.
48 00:04:11,150 --> 00:04:17,839 Use the command enum4linux. -a is to get all information about the target, and specify the IP
49 00:04:17,839 --> 00:04:18,529 address.
50 00:04:20,550 --> 00:04:22,410 And enum4linux will start up.
51 00:04:23,100 --> 00:04:28,650 It will start gathering information about the target machine, including the workgroup name, the user
52 00:04:28,650 --> 00:04:30,600 names and the exposed shares.
53 00:04:31,350 --> 00:04:33,150 So the next question on TryHackMe
54 00:04:34,340 --> 00:04:37,490 is about the workgroup name, which is WORKGROUP.
55 00:04:44,160 --> 00:04:46,590 The next question is about the machine name.
56 00:04:48,990 --> 00:04:55,410 You can use the output from enum4linux, but let's just use the Nmap script: launch a new Nmap
57 00:04:55,410 --> 00:04:58,980 scan and specify the smb-os-discovery script.
58 00:05:01,450 --> 00:05:03,940 And we get the machine name, which is POLOSMB.
59 00:05:06,290 --> 00:05:10,670 The next question is, what operating system version is running? Which is 6.1.
60 00:05:11,530 --> 00:05:13,450 The next question asks for the interesting share.
61 00:05:15,150 --> 00:05:19,060 We have a share named profile, which may be interesting.
62 00:05:24,180 --> 00:05:27,120 Now let's move on to the next task and try to exploit it.
63 00:05:32,510 --> 00:05:38,720 The first question about exploitation is the command syntax, which is smbclient, the IP address and
64 00:05:38,720 --> 00:05:39,590 the share name.
65 00:05:41,940 --> 00:05:45,720 Now let's just connect to this profile share and see what's in there.
66 00:05:50,310 --> 00:05:51,150 Open a terminal.
67 00:05:55,060 --> 00:05:56,830 Use the command smbclient.
68 00:05:58,300 --> 00:06:00,490 Specify the IP address and the share name.
69 00:06:02,680 --> 00:06:03,790 And we are connected.
70 00:06:04,770 --> 00:06:07,830 Use the ls command to list all the contents of the folder.
71 00:06:08,970 --> 00:06:13,260 So this share allows anonymous access and does not ask for a password.
72 00:06:17,520 --> 00:06:21,150 So as per the TryHackMe hint, we have to look for interesting files.
73 00:06:21,720 --> 00:06:24,180 So we have a file named "Working From Home".
74 00:06:27,660 --> 00:06:29,130 Let's cat out its content.
75 00:06:31,940 --> 00:06:33,560 The cat command is not working.
76 00:06:35,410 --> 00:06:36,700 Use the command more.
77 00:06:43,540 --> 00:06:46,780 And we have a note to John Cactus from James.
78 00:06:51,490 --> 00:06:53,200 Back to the question on TryHackMe.
79 00:06:53,470 --> 00:06:56,080 So this folder may belong to John Cactus.
80 00:06:57,530 --> 00:07:00,620 The note also says that a service has been configured.
81 00:07:07,010 --> 00:07:10,450 So the second interesting directory in the folder is .ssh.
82 00:07:13,780 --> 00:07:14,890 So browse to it.
83 00:07:19,630 --> 00:07:23,950 And we do have a private key in it called id_rsa.
84 00:07:28,060 --> 00:07:30,130 You can download the key with the get command.
85 00:07:35,230 --> 00:07:37,660 Now let's connect to the machine with SSH.
86 00:07:39,200 --> 00:07:42,530 To make the key work, you have to first of all change the mode.
87 00:07:44,700 --> 00:07:48,630 Use the command chmod 600 and specify the file name.
88 00:07:48,780 --> 00:07:51,960 You can also check the contents of the file with the cat command.
89 00:07:53,840 --> 00:07:56,380 Now connect to the target machine with SSH.
90 00:07:56,420 --> 00:07:58,460 Use the command ssh -i.
91 00:07:58,490 --> 00:08:03,830 Specify the key name, the username cactus and the IP address.
92 00:08:06,490 --> 00:08:08,580 And we are connected to the target machine.
93 00:08:08,590 --> 00:08:11,650 So there is a small text file in the current directory.
94 00:08:12,760 --> 00:08:14,590 Cat out the contents with the cat command.
95 00:08:18,320 --> 00:08:20,120 And we do have our flag.
96 00:08:21,470 --> 00:08:24,720 Just copy the flag and paste it on TryHackMe.
97 00:08:29,400 --> 00:08:32,730 So we have completed exploitation in the Network Services
98 00:08:32,730 --> 00:08:33,960 room on TryHackMe.
99 00:08:34,980 --> 00:08:38,429 I hope you liked this lecture, and see you in the next lecture.