1 00:00:00,090 --> 00:00:05,270 Now that we've taken some time to enumerate web pages on port 80 and 443, 2 00:00:05,280 --> 00:00:11,200 we're gonna go ahead and shift our focus over to SMB on port 139. 3 00:00:11,280 --> 00:00:17,530 So if you are unfamiliar with what SMB is, SMB is a file share. 4 00:00:17,550 --> 00:00:20,430 So think about your work environment. 5 00:00:20,430 --> 00:00:26,800 If you go to work, let's say that you have a drive you access that's not like your common drive, a 6 00:00:26,800 --> 00:00:27,450 C drive. 7 00:00:27,480 --> 00:00:33,750 Maybe it's like a Z drive or a G drive, and you access that drive to get files, and you can upload 8 00:00:33,750 --> 00:00:39,620 the files, download the files, and then maybe some of your co-workers can also see that file share. 9 00:00:39,780 --> 00:00:42,180 And that's why it's called a file share. 10 00:00:42,180 --> 00:00:49,380 Another example is, say you have a scans folder, and you go to your printer and you scan something, and 11 00:00:49,380 --> 00:00:52,770 magically it appears in your scans folder on your computer. 12 00:00:52,770 --> 00:01:01,020 That's another example of SMB. So SMB is commonly used in work environments and internal environments. 13 00:01:01,020 --> 00:01:06,990 So when we see it, we think internal, and we think about all these exploits that I have mentioned in the 14 00:01:06,990 --> 00:01:14,610 past, especially with the latest and greatest being MS17-010, and even though it's 2 years old it 15 00:01:14,610 --> 00:01:18,660 still shows up, and it's gonna show up again in this course later on. 16 00:01:18,660 --> 00:01:24,030 So what we're gonna do is we're just gonna take a quick look at our scan and see what we have available to 17 00:01:24,030 --> 00:01:24,820 us. 18 00:01:24,860 --> 00:01:27,810 So on port 139 here we see that. 19 00:01:28,260 --> 00:01:28,740 OK. 20 00:01:28,740 --> 00:01:31,660 NetBIOS, SMB, workgroup MYGROUP. 
21 00:01:32,070 --> 00:01:38,490 Not really a lot of information. We could scroll down, and the great thing about the -A that 22 00:01:38,490 --> 00:01:44,130 I had you run with this scan is that it does run scripts for us. 23 00:01:44,160 --> 00:01:49,500 So these scripts that we're running go out and do a little bit of enumeration, or additional enumeration. 24 00:01:49,510 --> 00:01:54,250 In here it came through, and it's pulling down some information. We could see that, 25 00:01:54,270 --> 00:01:55,030 okay, 26 00:01:55,060 --> 00:01:57,180 the NetBIOS name of this is called KIOPTRIX. 27 00:01:57,180 --> 00:02:03,780 Well, we already knew that, but we can see here that it's running SMB version 2. 28 00:02:03,840 --> 00:02:07,860 We really don't know that for sure, or what SMB version it's running, 29 00:02:07,890 --> 00:02:09,250 exactly. 30 00:02:09,270 --> 00:02:15,480 So that's really important, because the type of SMB version that's running could potentially lead to 31 00:02:15,480 --> 00:02:19,200 an exploit, and we need to know that kind of information. 32 00:02:19,230 --> 00:02:21,450 So we're gonna look for version information. 33 00:02:21,450 --> 00:02:24,570 The other thing is we're going to try to connect to this machine. 34 00:02:24,570 --> 00:02:27,170 We're going to see if there's any connections available to us. 35 00:02:27,600 --> 00:02:32,190 And if we can make that connection, if we can get to the files on the share, and see if there's anything 36 00:02:32,220 --> 00:02:35,730 potentially malicious, or that we could do potentially malicious. 37 00:02:35,760 --> 00:02:43,980 So let's go ahead and let's get into a terminal, and we're going to load up a tool that you're going 38 00:02:43,980 --> 00:02:45,690 to be intimately familiar with 
39 00:02:45,690 --> 00:02:51,270 by the time this course is over, and that tool is called Metasploit. So to run that tool, just go ahead 40 00:02:51,270 --> 00:02:56,190 and type in msfconsole like this and hit enter. 41 00:02:56,420 --> 00:03:04,170 Now Metasploit is an exploitation framework, and it does a lot more than exploitation. 42 00:03:04,190 --> 00:03:12,020 As you could see down here, you could see that it does exploits, what are called auxiliary modules. Now 43 00:03:12,020 --> 00:03:18,620 auxiliary modules is like scanning and enumeration, so we can actually do port scanning, we can do all 44 00:03:18,620 --> 00:03:22,660 kinds of information gathering with these auxiliary modules. 45 00:03:22,670 --> 00:03:23,310 They're awesome. 46 00:03:23,310 --> 00:03:25,140 We're gonna go through one right now. 47 00:03:25,160 --> 00:03:28,300 There's also these post modules, which do post exploitation. 48 00:03:28,310 --> 00:03:32,980 So say we get a shell on a machine, which means we've exploited a machine. 49 00:03:32,990 --> 00:03:35,270 We can do some things in post. 50 00:03:35,410 --> 00:03:39,920 There's all different types of payloads, which we're going to cover when we get into the exploit section, 51 00:03:39,950 --> 00:03:43,970 and then the rest of this you won't have to worry about for the scope of this course, but we will be 52 00:03:43,970 --> 00:03:50,240 seeing another tool by Metasploit, which is msfvenom, later in the exploit development section of the 53 00:03:50,240 --> 00:03:56,560 course, because we're going to utilize that to build payloads out for our own shells. 54 00:03:56,600 --> 00:04:00,590 So what we're gonna do for now is we're just going to introduce this slowly. 55 00:04:00,590 --> 00:04:02,150 Don't feel overwhelmed. 
56 00:04:02,150 --> 00:04:06,620 It's just a little bit of a learning curve when it comes to learning all the features that it has available, 57 00:04:06,860 --> 00:04:11,420 but it's second nature once you learn it, and it's gonna be one of the most commonly used tools that 58 00:04:11,420 --> 00:04:13,700 you use as a tester in the field. 59 00:04:13,700 --> 00:04:19,280 So we're gonna go ahead and just search for SMB here, and I'm going to do this the terrible way. We're 60 00:04:19,280 --> 00:04:24,260 just going to search SMB, and you could see that there's 121 results. 61 00:04:24,260 --> 00:04:31,010 Now that's going to be quite a pain to sift through, but what we're after, say we didn't know much 62 00:04:31,100 --> 00:04:36,040 but we're trying to see if, hey, maybe does Metasploit have any kind of modules, 63 00:04:36,050 --> 00:04:39,590 I don't know, for SMB enumeration. 64 00:04:39,620 --> 00:04:44,690 Well, we know auxiliary modules are enumeration, and we can look right here in the front and see what 65 00:04:44,690 --> 00:04:46,240 type of module it is. 66 00:04:46,250 --> 00:04:50,650 So you see this is a post module, and you see, if you scroll up, we're going through exploits. Now 67 00:04:50,650 --> 00:04:53,390 we're gonna go up into auxiliary. 68 00:04:53,390 --> 00:05:02,240 Now the second part of this is the type of action it's doing, so you could see auxiliary denial of service, 69 00:05:02,360 --> 00:05:10,180 auxiliary fuzzing, auxiliary scanning, gathering, and we're going to utilize this to our advantage. 70 00:05:10,190 --> 00:05:12,100 We're going to take a look at the syntax. 71 00:05:12,170 --> 00:05:16,130 Now what we are after is SMB version information. 72 00:05:16,130 --> 00:05:21,330 And if we look kind of through this, we can come down to scanner here, and you can see it's looking at smb1, 73 00:05:21,340 --> 00:05:28,750 smb2, which we're going to talk about, ms17-010, which we've talked about. 
74 00:05:28,790 --> 00:05:33,350 You have an auxiliary scanner to see if there's anything out there with that vulnerability. 75 00:05:33,590 --> 00:05:40,820 And if we look right here on number 60, auxiliary/scanner/smb/smb_version. 76 00:05:41,100 --> 00:05:44,910 Now this is a bit of a long, convoluted way to do this. 77 00:05:44,910 --> 00:05:50,310 Go ahead and copy this, by the way, or memorize your number. I'll give you two options. 78 00:05:50,340 --> 00:05:54,960 This is a long way to do it, but I wanted to show you this way of doing it because you're going to get 79 00:05:54,960 --> 00:06:01,170 better at it, but you know, when you see something on a scan result and you don't know a lot about the 80 00:06:01,170 --> 00:06:06,770 tool, the best thing that you can do is just say, hey, you know, I know Metasploit does things like this. 81 00:06:06,840 --> 00:06:10,490 Let me see if maybe they have any sort of enumeration or exploitation. 82 00:06:10,490 --> 00:06:15,500 It never hurts to use a search feature to try to look up items and learn about them. 83 00:06:15,540 --> 00:06:18,050 So let's say we've never used this before. 84 00:06:18,240 --> 00:06:22,620 We're gonna go ahead and just say use, and then we're gonna paste this module in here. 85 00:06:22,620 --> 00:06:26,370 Your other option is, instead of pasting this module, you can put the number that you had. 86 00:06:26,370 --> 00:06:31,570 So, for example, 60. You could say use 60, and it will also load this module. 87 00:06:31,590 --> 00:06:38,790 So go ahead and hit enter for that, and you can see here that it says now we're in the auxiliary module 88 00:06:38,800 --> 00:06:40,060 scanner/smb/ 
89 00:06:40,060 --> 00:06:48,970 smb_version. So from here it's always good to type out info and see what info is available, 90 00:06:49,390 --> 00:06:53,920 and it just tells you a little bit about the module that you're running. So here you see that this is going 91 00:06:53,920 --> 00:06:56,680 to display version information about each system. 92 00:06:56,830 --> 00:06:57,250 Perfect. 93 00:06:57,250 --> 00:06:59,110 It's an SMB version detection. 94 00:06:59,110 --> 00:07:01,180 That's really what we're after right now. 95 00:07:01,240 --> 00:07:02,520 So this is great. 96 00:07:02,680 --> 00:07:03,760 And we have options here, 97 00:07:03,760 --> 00:07:04,800 these basic options. 98 00:07:04,810 --> 00:07:06,680 Now you're going to see me do this a lot. 99 00:07:06,700 --> 00:07:12,100 You can go right into options by just typing options and just see that, instead of printing out all the 100 00:07:12,100 --> 00:07:14,230 long stuff, if you don't want to. 101 00:07:14,230 --> 00:07:16,800 So in our options we're presented with some items. 102 00:07:16,900 --> 00:07:18,390 We've got something called RHOSTS. 103 00:07:18,400 --> 00:07:21,560 Now RHOSTS stands for remote hosts. 104 00:07:21,580 --> 00:07:25,500 You're also going to see an LHOST later on, which stands for local host. 105 00:07:25,570 --> 00:07:27,520 RHOST is always the victim. 106 00:07:27,520 --> 00:07:28,750 That's who we are attacking. 107 00:07:28,750 --> 00:07:30,520 This is the target address. 108 00:07:30,670 --> 00:07:34,370 You might see RHOST or RHOSTS, plural. 109 00:07:34,630 --> 00:07:40,260 RHOST means you can only input one host. If we have RHOSTS, plural, 110 00:07:40,270 --> 00:07:46,780 we can use CIDR notation, meaning that we can put /24 and try to sweep a range, for example. 111 00:07:46,780 --> 00:07:50,140 But in this instance we're only attacking one machine anyway. 
112 00:07:50,230 --> 00:07:57,760 The rest of these, SMBDomain, SMBPass, and SMBUser: if we knew the domain, password, and user in this instance, 113 00:07:57,790 --> 00:08:00,660 we could fill it out and try to get a little bit more information. 114 00:08:00,790 --> 00:08:02,530 But we are unauthenticated. 115 00:08:02,530 --> 00:08:07,840 We have no credentials at this point, so we're just gonna go ahead and just put in RHOSTS, which is 116 00:08:07,840 --> 00:08:11,950 required, and not fill in any of the non-required fields here. 117 00:08:11,950 --> 00:08:16,480 And what we're gonna do is we're just gonna say set RHOSTS, and this is case insensitive. 118 00:08:16,480 --> 00:08:18,150 I just like to type it out case sensitive. 119 00:08:18,670 --> 00:08:22,990 And then the IP address of the machine that you're going to scan. 120 00:08:23,140 --> 00:08:33,450 So we're gonna say 192.168.57.139, and then I'm just gonna type in run. Give you a second 121 00:08:33,450 --> 00:08:37,940 to catch up, and run. Okay. 122 00:08:37,960 --> 00:08:44,380 I totally lied. My IP address is .139. The machine I'm after is .134. And run. Your 123 00:08:44,380 --> 00:08:49,900 screen should look something like this. I'm over here, instead of copying and pasting, trying to memorize, so 124 00:08:49,930 --> 00:08:53,040 hopefully you can see that I make mistakes too. 125 00:08:53,170 --> 00:08:55,290 So here we are. 126 00:08:55,300 --> 00:09:01,150 We see a little bit more information, and it might not look like a lot right now, but knowing this Samba 127 00:09:01,180 --> 00:09:06,700 2.2.1a is very specific, and this is going to help us out quite a bit. 
128 00:09:06,730 --> 00:09:13,720 So let's just copy this guy, and let's open up that text editor we've had going, and let's just come in 129 00:09:13,720 --> 00:09:18,340 here and maybe make some notes, or just put it in here and say something like SMB, and then we can just 130 00:09:18,340 --> 00:09:25,540 paste that. We know the version now, and this is going to become important when we start doing research 131 00:09:25,600 --> 00:09:27,020 on what we've found. 132 00:09:27,070 --> 00:09:33,880 So we found all these different types of versions running up here, and we're going to do research on exploits 133 00:09:33,880 --> 00:09:38,800 against them, but we're also going to do research on this and exploits against this. 134 00:09:38,800 --> 00:09:41,380 So as much detail as we can get, 135 00:09:41,560 --> 00:09:47,350 that's what's important, and what's going to set you apart from other hackers, or other people even trying 136 00:09:47,350 --> 00:09:53,140 to break into the field, is your ability to information gather and your ability to enumerate. If you can 137 00:09:53,140 --> 00:09:54,370 do both of those, 138 00:09:54,370 --> 00:09:56,320 the exploitation is actually the easy part, 139 00:09:56,320 --> 00:09:57,270 in my opinion. 140 00:09:57,970 --> 00:10:01,810 So we've got the version information. That's great. 141 00:10:01,810 --> 00:10:03,510 We're going to use a new tool now. 142 00:10:03,520 --> 00:10:12,170 So go ahead and go File, New Tab, and I'm going to go ahead and show you a tool called smbclient. Now 143 00:10:12,190 --> 00:10:17,380 smbclient is going to attempt to connect to the file share that's out there. 144 00:10:17,380 --> 00:10:23,260 Now if we have the ability to connect to the file share with anonymous access, what that will do is we 145 00:10:23,260 --> 00:10:26,260 can get in there and we could potentially see files. 
146 00:10:26,290 --> 00:10:32,200 Now these files might give us an inkling of what's going on in the network, or they may even be, you know, 147 00:10:32,230 --> 00:10:33,220 valuable to us. 148 00:10:33,220 --> 00:10:37,270 They may be something like a backup file, or a password stored in a text file. 149 00:10:37,270 --> 00:10:40,810 You never know what you're going to find until you actually look. 150 00:10:40,810 --> 00:10:46,900 So what I'm going to go ahead and do is do a -L, and that's going to be to list out the files, and 151 00:10:46,900 --> 00:10:48,960 then the syntax looks something like this. 152 00:10:48,970 --> 00:10:51,740 You can do two backslashes. 153 00:10:51,940 --> 00:10:52,840 I like to do four. 154 00:10:52,840 --> 00:10:54,330 It really doesn't matter. 155 00:10:54,400 --> 00:10:59,170 And then you just type in the IP address of the machine that you want to try to connect to. 156 00:10:59,170 --> 00:11:03,760 So 192.168.57.134 for me. 157 00:11:03,760 --> 00:11:08,830 And then two more slashes like that. If you're running it with just two slashes, you don't have to put 158 00:11:08,830 --> 00:11:09,780 any there. 159 00:11:09,790 --> 00:11:12,960 So this is just character escaping, because we're in Linux. 160 00:11:13,090 --> 00:11:20,230 So go ahead and hit enter, and you see that the server does not support extended security. 161 00:11:20,250 --> 00:11:20,640 OK. 162 00:11:20,640 --> 00:11:22,860 Don't worry about that. Anonymous login successful. 163 00:11:22,860 --> 00:11:25,820 Go ahead and hit enter on root's password, as we don't know it. 164 00:11:26,190 --> 00:11:30,000 And you could see that we did list out a file share. 165 00:11:30,450 --> 00:11:34,560 So let's go ahead and try to connect a different way. 166 00:11:36,170 --> 00:11:43,180 Let's tab up, and let's delete this -L, and we see that there's two file shares. 
167 00:11:43,180 --> 00:11:48,100 There is an IPC$ and an ADMIN$. 168 00:11:48,380 --> 00:11:54,110 The IPC$ is not really usually valuable to us, but the ADMIN$ would be really valuable if we could connect 169 00:11:54,110 --> 00:11:54,470 to that. 170 00:11:54,530 --> 00:11:54,960 Let's go ahead. 171 00:11:54,960 --> 00:11:58,890 Just paste that in here and see if we can get that connection. 172 00:11:58,930 --> 00:12:00,090 OK, let's try this. 173 00:12:00,100 --> 00:12:02,380 Hit enter, and you could see we have 174 00:12:02,380 --> 00:12:03,580 wrong password. 175 00:12:03,850 --> 00:12:06,830 So it's not going to let us connect to this 176 00:12:06,850 --> 00:12:09,530 share with anonymous access. 177 00:12:09,910 --> 00:12:11,080 So that's unfortunate. 178 00:12:11,080 --> 00:12:12,160 We could also try, 179 00:12:12,160 --> 00:12:19,270 proof of concept, to see if IPC$ works. Hit enter on that, and you can see now we're actually in. 180 00:12:19,300 --> 00:12:20,800 This is interesting. 181 00:12:20,800 --> 00:12:23,830 So we could say help to see the list of commands. 182 00:12:24,010 --> 00:12:26,740 And it's very similar to being inside of a Linux machine. 183 00:12:26,740 --> 00:12:32,410 Now we can do something like ls to list the files, and we're actually access denied here. 184 00:12:32,440 --> 00:12:34,960 So this is what we call a dead end. 185 00:12:34,990 --> 00:12:36,510 We can't really access this. 186 00:12:36,540 --> 00:12:39,460 So we don't have any extra information gathered. 187 00:12:39,520 --> 00:12:43,120 We're going to come back to this time and time again with smbclient. 188 00:12:43,120 --> 00:12:45,740 This isn't the last time you're going to see it in the course. 189 00:12:45,910 --> 00:12:50,860 But I want you to know that it exists, and the reason behind what we're doing here, and this is some of 190 00:12:50,920 --> 00:12:53,560 where the information's coming from in our scan. 
191 00:12:53,560 --> 00:12:54,630 We're trying to connect out. 192 00:12:54,640 --> 00:12:56,500 We see the server name's KIOPTRIX. 193 00:12:56,530 --> 00:13:01,990 There's a comment that it's a Samba server, and we're going to try to come in here and connect to a file 194 00:13:01,990 --> 00:13:03,050 and maybe get lucky. 195 00:13:03,100 --> 00:13:05,170 But this time we didn't get lucky. 196 00:13:05,170 --> 00:13:11,220 So we're just gonna go ahead and exit out. So that's all you need to know right now for SMB. 197 00:13:11,220 --> 00:13:16,560 SMB is an amazing protocol. When I see SMB, I get very happy. 198 00:13:16,680 --> 00:13:23,100 But we're going to focus on that very heavily when we get into the internal part, the Active Directory 199 00:13:23,100 --> 00:13:26,520 portion of this course, because that's when things get really juicy. 200 00:13:26,520 --> 00:13:28,160 Right now we're just going to do 201 00:13:28,230 --> 00:13:30,480 keep it simple, stupid, on a lot of this stuff. 202 00:13:30,480 --> 00:13:34,570 It might feel really easy or very, very straightforward, depending. 203 00:13:34,620 --> 00:13:39,720 But I promise this is just going to keep building and building and building until we have a pretty big 204 00:13:39,720 --> 00:13:40,760 understanding of this. 205 00:13:40,770 --> 00:13:44,130 And there's going to be a lot of repetition and a lot of practice, and I think that's the best way to 206 00:13:44,130 --> 00:13:44,460 learn. 207 00:13:45,120 --> 00:13:52,770 So from here I'm going to do a brief enumeration on SSH, and how we can do enumeration with SSH, and 208 00:13:52,770 --> 00:13:57,440 then we're going to talk other items of enumeration and talk research. 209 00:13:57,540 --> 00:13:58,410 What are we doing? 210 00:13:58,410 --> 00:14:02,450 We've been collecting all this information and putting it into a text document. 211 00:14:02,460 --> 00:14:03,940 You're probably like, so what? 
212 00:14:04,050 --> 00:14:05,150 What can we do with it? 213 00:14:05,160 --> 00:14:09,770 And that's where things get exciting, and that's how we start to lead into exploitation. 214 00:14:09,960 --> 00:14:13,290 But we've got to do a little bit more research first before we can get there. 215 00:14:13,290 --> 00:14:15,040 So that's it for this video. 216 00:14:15,090 --> 00:14:18,750 I'll catch you over in the next video, when we are enumerating SSH.