1 00:00:00,240 --> 00:00:03,950 Welcome to part one of this module.
2 00:00:04,120 --> 00:00:09,640 We're going to kick off this next section with a short one, and it's going to be short because there
3 00:00:09,640 --> 00:00:15,240 isn't really a whole lot to say about HexorBase. To call it up,
4 00:00:15,280 --> 00:00:24,450 we can either use the terminal and type in hexorbase, or we can go to Applications > Database Assessment
5 00:00:25,740 --> 00:00:27,510 and click on HexorBase.
6 00:00:31,970 --> 00:00:38,150 HexorBase is a database application designed for administering and auditing multiple database servers
7 00:00:38,180 --> 00:00:42,170 simultaneously from one centralized location.
8 00:00:42,380 --> 00:00:48,680 It is capable of performing SQL queries and brute force attacks against common database servers,
9 00:00:49,220 --> 00:00:50,940 which you can see here:
10 00:00:51,140 --> 00:01:02,830 MySQL, Oracle, PostgreSQL, SQLite and Microsoft SQL Server. The graphical user interface
11 00:01:02,890 --> 00:01:09,670 is pretty much as simple as they come: it's a collection of several database servers where you can apply
12 00:01:09,670 --> 00:01:18,200 brute force attacks against a desired target. The catch, however, is that you need an account with whatever
13 00:01:18,200 --> 00:01:20,560 it is you're trying to brute force.
14 00:01:20,660 --> 00:01:26,840 As always, I'm going to be using the Metasploitable 2 virtual machine that I have running here in
15 00:01:26,840 --> 00:01:33,830 the office as my target. Never run this or any other tool against a target that you do not personally
16 00:01:33,860 --> 00:01:40,190 own or have written permission to penetration test, or you could, and you probably will, be breaking the
17 00:01:40,190 --> 00:01:40,610 law.
18 00:01:40,970 --> 00:01:42,480 So just don't do it.
19 00:01:43,530 --> 00:01:52,800 So to begin, we're going to enter the username as root, because our target will be the
20 00:01:52,800 --> 00:02:01,740 MySQL database running on Metasploitable 2. We'll leave the password field blank because there is no
21 00:02:01,740 --> 00:02:06,630 password in this particular case, but if your account has a password,
22 00:02:06,630 --> 00:02:08,610 obviously this is where you would supply it.
23 00:02:11,300 --> 00:02:14,710 We then click "lock as default login".
24 00:02:14,780 --> 00:02:22,340 Now, hypothetically speaking, you could click directly on the MySQL button and supply the target and then
25 00:02:22,340 --> 00:02:23,570 log right in.
26 00:02:23,750 --> 00:02:29,810 But let's pretend that we don't already have a perfectly good admin credential, and we'll see if we can't
27 00:02:29,810 --> 00:02:32,030 brute force something up.
28 00:02:32,030 --> 00:02:35,300 So we click on "brute force database servers"
29 00:02:38,440 --> 00:02:46,170 and we're presented with this screen. For MySQL we make certain that the MySQL radio button
30 00:02:46,170 --> 00:02:53,060 is selected, and keep in mind this process that you're about to see works exactly the same for PostgreSQL
31 00:02:53,120 --> 00:03:05,440 and MS SQL, but Oracle requires an API key that is not included with this software. So we
32 00:03:05,440 --> 00:03:13,440 supply a target, which in this case is going to be the trusty Metasploitable machine, and we're going
33 00:03:13,440 --> 00:03:18,150 to use the default port, which is 3306,
34 00:03:22,820 --> 00:03:26,570 and now we need to use two sets of word lists.
35 00:03:26,780 --> 00:03:35,450 These are text files which could be as short as a single character or as long as 100 dictionaries. For
36 00:03:35,450 --> 00:03:36,650 simplicity's sake,
37 00:03:36,740 --> 00:03:41,170 I'm going to be using very short and simple word lists.
38 00:03:41,240 --> 00:03:48,140 There are many word lists for both usernames and passwords that come prepackaged with Kali Linux.
39 00:03:48,140 --> 00:03:51,080 Check out some of them in your Metasploit folder
40 00:03:51,080 --> 00:03:53,080 if you're looking for some good ones.
41 00:03:53,090 --> 00:03:59,810 Alternatively, you can download word lists online, and a bit later we'll be looking at how to generate
42 00:03:59,960 --> 00:04:09,980 our own word lists that are more suited to a specific target using applications like CUPP and CeWL. We'll
43 00:04:09,980 --> 00:04:13,540 also be clicking on the "use blank password" option,
44 00:04:13,580 --> 00:04:20,210 which means the program will attempt to use no password for each username before it attempts anything
45 00:04:20,210 --> 00:04:21,860 in the password file.
46 00:04:21,860 --> 00:04:25,730 However, we're not going to do this on the first run. So we click
47 00:04:25,730 --> 00:04:30,410 "user lists", and in my case it's on the desktop.
48 00:04:30,570 --> 00:04:36,030 I've simply named the file "user", and then we click "word lists".
49 00:04:36,030 --> 00:04:43,800 This is for the passwords, and again in my case it's on the desktop; I've named it "passwords", and we can
50 00:04:43,800 --> 00:04:51,360 see the file names that have been selected underneath these buttons. We have our target information set,
51 00:04:53,220 --> 00:04:55,830 and now we just need to click "launch the attack".
52 00:05:00,500 --> 00:05:01,060 All right.
53 00:05:01,140 --> 00:05:05,200 Of course, how long this takes depends on a lot of different factors:
54 00:05:05,250 --> 00:05:07,160 your word list complexity,
55 00:05:07,290 --> 00:05:13,160 the security of the target, the speed of your machine, your connection, and so on and so forth.
56 00:05:13,320 --> 00:05:20,610 It goes without saying that this process is not in any way, shape or form stealthy, and without taking
57 00:05:20,610 --> 00:05:23,150 additional steps to ensure anonymity,
58 00:05:23,190 --> 00:05:30,360 someone attempting this sort of attack would be easily visible to both their ISP and the system administrator
59 00:05:30,360 --> 00:05:34,970 of the target. Please see the module covering techniques of anonymity
60 00:05:34,980 --> 00:05:44,210 if this is a consideration. So on the first go we can see that it stopped on msfadmin, msfadmin
61 00:05:44,570 --> 00:05:46,950 for the username and password.
62 00:05:47,060 --> 00:05:48,380 Easy peasy.
63 00:05:48,530 --> 00:05:56,510 Now we're going to scan again, but this time we're going to check "attempt blank password", because we know
64 00:05:56,510 --> 00:06:06,830 that there is one other account that uses a blank password. We'll launch the attack.
65 00:06:06,860 --> 00:06:13,940 Now we can see that it found a username root and password blank.
66 00:06:14,130 --> 00:06:15,350 We already knew that.
67 00:06:15,480 --> 00:06:21,570 But that is what it would look like if any other usernames or passwords apart from the primary admin
68 00:06:21,570 --> 00:06:23,680 account had been found.
69 00:06:23,820 --> 00:06:27,810 You would see them listed out in the readout one by one.
70 00:06:31,310 --> 00:06:33,730 This time we'll run the same process,
71 00:06:33,740 --> 00:06:36,140 but we're going to have a look at Postgres.
72 00:06:39,600 --> 00:06:44,880 So we select the Postgres radio button and supply our target
73 00:06:48,720 --> 00:06:49,410 and our port
74 00:06:53,340 --> 00:06:54,840 and our user lists
75 00:06:58,840 --> 00:07:01,470 and our word list for our password
76 00:07:01,470 --> 00:07:02,110 attack,
77 00:07:04,760 --> 00:07:10,120 and we will attempt blank passwords on this try, and we will launch the attack.
78 00:07:13,350 --> 00:07:14,250 The attack is running.
79 00:07:14,250 --> 00:07:17,370 This may take just a moment.
80 00:07:17,890 --> 00:07:19,530 Again, against a real target,
81 00:07:19,540 --> 00:07:26,670 this is going to take a lot longer; think days or weeks, depending.
82 00:07:26,690 --> 00:07:27,270 All right.
83 00:07:27,270 --> 00:07:34,500 And now we can see that msfadmin, msfadmin is still the primary user account, but we can also see that
84 00:07:34,500 --> 00:07:43,490 it found username postgres, password postgres. So let's go ahead and use those.
85 00:07:43,490 --> 00:07:45,210 We'll close out of here.
86 00:07:45,230 --> 00:07:49,880 We'll click on PostgreSQL; we'll give it our target.
87 00:07:51,910 --> 00:07:53,380 Oh, pardon me.
88 00:07:53,440 --> 00:07:56,080 First we need to change this.
89 00:07:56,080 --> 00:07:57,940 We will unlock the default,
90 00:08:00,820 --> 00:08:09,480 enter postgres for the username, postgres for the password, we'll lock the default again, and now
91 00:08:14,460 --> 00:08:17,280 give it our target and we give it our port,
92 00:08:19,970 --> 00:08:21,120 click OK.
93 00:08:23,500 --> 00:08:24,480 And there we go.
94 00:08:27,990 --> 00:08:35,400 Now from this database interaction window you can execute any SQL scripts that you might like, or
95 00:08:35,400 --> 00:08:42,720 perform whatever other miscellaneous shenanigans are relevant to your penetration test.
96 00:08:43,020 --> 00:08:44,680 So I'm going to close the connection,
97 00:08:48,070 --> 00:08:57,340 and we can also go into the password manager, and from here we can add entire sets of login credentials.
98 00:08:57,360 --> 00:09:04,170 This is really just to make it easier to switch back and forth on the fly. So we click "insert new login
99 00:09:04,170 --> 00:09:12,060 credential", and we might try root, root if we know already that this is valid,
100 00:09:15,180 --> 00:09:15,750 root,
101 00:09:18,500 --> 00:09:19,610 password,
102 00:09:22,710 --> 00:09:28,920 admin, admin, and so on, and then you would click "save changes".
103 00:09:29,030 --> 00:09:35,990 You can also select which credentials you wish to use from the pre-existing list that you create using
104 00:09:35,990 --> 00:09:41,390 this method, just by clicking "use selected credentials", and you can delete the credentials, which I
105 00:09:41,390 --> 00:09:42,050 will do now.
106 00:09:48,150 --> 00:09:49,130 Right then.
107 00:09:49,440 --> 00:09:55,560 It doesn't get much more straightforward than this, but don't be fooled by how quickly this went: the
108 00:09:55,560 --> 00:10:03,960 word lists used in this demonstration were quite short, and obviously I knew what the passwords were
109 00:10:03,960 --> 00:10:12,330 going to be. Brute forcing a real target in the real world is going to be painfully slow and should always
110 00:10:12,330 --> 00:10:14,800 be the approach of last resort.
111 00:10:14,910 --> 00:10:19,770 It's noisy, time consuming, and you will fail a lot.
112 00:10:19,800 --> 00:10:25,680 The paradox of brute forcing is that if your target has security practices that are strong enough to
113 00:10:25,680 --> 00:10:31,800 resist better, more subtle approaches, chances are they're well-prepared to deal with this sort of an
114 00:10:31,800 --> 00:10:35,670 attack. Nevertheless, against all logic,
115 00:10:35,670 --> 00:10:41,280 this approach still manages to work too often for anyone's comfort.
116 00:10:43,410 --> 00:10:51,040 HexorBase comes prepackaged with Kali 2.0, and it will run on just about any version of Linux.
117 00:10:51,050 --> 00:10:53,330 There's also a Windows version.
118 00:10:53,330 --> 00:10:59,830 Keep in mind that it requires updated Python libraries to run, although this should not be a problem
119 00:10:59,840 --> 00:11:05,690 if your Kali installation is up to date. For those seeking this program for other operating systems,
120 00:11:05,750 --> 00:11:08,660 the source code can be found on GitHub.
121 00:11:08,660 --> 00:11:12,350 I hope you found this helpful and that this tool is of use to you,
122 00:11:12,350 --> 00:11:17,840 although I hope that you enjoy so much success with your more subtle approaches that you never have
123 00:11:17,840 --> 00:11:21,930 to use this blunt force instrument. Thank you.