1
00:00:05,990 --> 00:00:11,160
We'll see how easy it is to take over a remote computer.

2
00:00:11,310 --> 00:00:14,530
We're in the same local network as the victim.

3
00:00:14,620 --> 00:00:19,570
That's why we've managed to bypass the demilitarized zone firewalls of the network that normally block

4
00:00:19,570 --> 00:00:25,070
ports. The majority of attacks are local attacks.

5
00:00:29,230 --> 00:00:32,450
The attack unfolds as follows.

6
00:00:32,570 --> 00:00:38,360
We have a computer that will be the victim, and the attacker's computer will start up the Metasploit environment.

7
00:00:41,260 --> 00:00:48,490
This framework is automatically installed in BackTrack 5 Linux. The Metasploit framework includes

8
00:00:48,490 --> 00:00:52,040
tools for scanning remote computers.

9
00:00:52,200 --> 00:00:57,450
The results of the scan will automatically be saved in the database.

10
00:00:57,520 --> 00:01:00,780
The specific tool we use is nmap, which we already know.

11
00:01:03,610 --> 00:01:08,230
We're using the information stored in the database to conduct the attack that will exploit vulnerabilities

12
00:01:08,230 --> 00:01:13,750
found in other computers that have already been scanned.

13
00:01:13,770 --> 00:01:16,240
Let's check to see if we're connected to the database.

14
00:01:18,960 --> 00:01:22,200
Right now we're using PostgreSQL.

15
00:01:22,200 --> 00:01:29,920
However, other databases such as MySQL can be used too. We would like to see the results from the

16
00:01:29,920 --> 00:01:31,420
scan in the database.

17
00:01:32,780 --> 00:01:35,770
We invoke the db_nmap command.

18
00:01:35,840 --> 00:01:42,020
From now on, the basic nmap syntax will be supported.

19
00:01:42,040 --> 00:01:48,510
Now we'll examine routes to the computers we're trying to infiltrate.

20
00:01:48,600 --> 00:01:53,370
This will help us discover which machines are in the same network as ours and which are two or three

21
00:01:53,370 --> 00:01:54,220
routers away.

22
00:01:58,060 --> 00:02:03,970
Because we're discussing the fourth layer of the OSI model, we'll now take some time to discuss the

23
00:02:03,970 --> 00:02:06,670
TCP and UDP scanning mechanisms.

24
00:02:08,090 --> 00:02:14,870
As the attacker would not like to be discovered, until now we have avoided this by hiding our IP address

25
00:02:14,900 --> 00:02:16,770
among many others.

26
00:02:16,790 --> 00:02:19,690
We can also try packet fragmentation.

27
00:02:19,880 --> 00:02:24,560
This means to use one packet to send so much data that it can't fit in the frame of a lower-layer

28
00:02:24,560 --> 00:02:25,920
protocol.

29
00:02:26,240 --> 00:02:30,600
One part of this data will be sent in one IP packet and the rest in the next one.

30
00:02:30,890 --> 00:02:35,390
This won't affect the delivery, because the receiver will assemble the fragments back together into one

31
00:02:35,390 --> 00:02:36,310
packet.

32
00:02:38,740 --> 00:02:45,580
However, if someone tries to intercept the packets being sent, they may not be able to assemble them.

33
00:02:45,690 --> 00:02:48,310
They will not manage to reproduce the whole session.

34
00:02:51,880 --> 00:02:57,060
We'll send the nmap packets and use the -f parameter to force the packet fragmentation into eight-

35
00:02:57,080 --> 00:02:58,010
byte parts.

36
00:03:02,580 --> 00:03:06,090
We'll also detect the operating system and perform a stealth scan.

37
00:03:08,800 --> 00:03:15,840
Finally, we must type the IP addresses or names of the computers we're going to scan. To make the attack

38
00:03:15,840 --> 00:03:17,420
less noticeable,

39
00:03:17,430 --> 00:03:24,840
we'll scan the computers one at a time, starting from the first one. We'll use a random IP change.

40
00:03:24,870 --> 00:03:28,910
This is to deceive intrusion detection systems looking for certain patterns.

41
00:03:32,710 --> 00:03:42,250
The first computer we will scan is identified by IP 192.168.0.115,

42
00:03:42,410 --> 00:03:48,200
and the second by IP 192.168.0.125.

43
00:03:51,140 --> 00:03:55,210
Now you can see the complete command executing all of the above operations.

44
00:03:59,760 --> 00:04:03,120
We're scanning local network computers, so it shouldn't take much time.

45
00:04:04,320 --> 00:04:05,530
Let's look at the result.

46
00:04:06,640 --> 00:04:14,300
One host is online. TCP ports 135 and 445 are open.

47
00:04:14,410 --> 00:04:17,100
We can see that port 139 is open as well.

48
00:04:20,010 --> 00:04:25,310
This information tells us that there is a Windows 2000 or XP operating system running on the computer,

49
00:04:26,370 --> 00:04:29,950
because these systems have the above-mentioned ports open by default.

50
00:04:31,270 --> 00:04:36,370
Nmap managed to precisely determine the operating system, including the service pack version installed.

51
00:04:39,000 --> 00:04:46,820
The computer is only one hop away, which means it belongs to the same local network.

52
00:04:46,820 --> 00:04:51,590
Now let's check the data stored in the database.

53
00:04:51,630 --> 00:04:55,180
It contains the records about two computers.

54
00:04:55,330 --> 00:05:00,130
The first one is the result of the scan we've just performed.

55
00:05:00,150 --> 00:05:04,490
We can also learn what services are running on these computers.

56
00:05:04,590 --> 00:05:07,530
We could list the potential vulnerabilities of these services.

57
00:05:10,210 --> 00:05:10,880
Instead of that,

58
00:05:10,900 --> 00:05:18,470
let's try to exploit them to conduct an automated attack. The information you can gather from the fourth

59
00:05:18,470 --> 00:05:23,970
layer of the OSI model is enough to take control over a remote computer with security issues.