1 00:00:00,060 --> 00:00:06,630 Another tool that we can use for reconnaissance is known as Netcat. Now Netcat is actually known as the
2 00:00:06,630 --> 00:00:08,660 hacker's Swiss Army knife.
3 00:00:08,670 --> 00:00:09,990 That's how useful it is.
4 00:00:10,290 --> 00:00:16,170 So it is pretty essential for establishing remote connections to devices that we're going to exploit.
5 00:00:16,320 --> 00:00:20,910 You know, when you're actually conducting ethical, you know, hacking activities, and you can also
6 00:00:20,910 --> 00:00:22,980 use it as a scanner in some scenarios.
7 00:00:23,190 --> 00:00:30,930 So Netcat has the ability to allow you to either, you know, scan for like maybe open ports, but primarily
8 00:00:30,930 --> 00:00:37,370 it can be used to listen to connections as they come into your system or to other systems.
9 00:00:37,380 --> 00:00:41,440 So let's go over like some quick, you know, Netcat syntax and examples.
10 00:00:41,460 --> 00:00:47,190 So if you want to run the command, all you have to do is type in nc right here.
11 00:00:47,190 --> 00:00:48,600 And that's going to call the program.
12 00:00:48,810 --> 00:00:54,130 And then there's dash nv, and you just say, hey, run this scan in very verbose mode, so
13 00:00:54,240 --> 00:00:56,220 Nmap has the same type of verbose option.
14 00:00:56,490 --> 00:01:01,140 If you don't want to see the verbose output, just take that off. Then we have a dash w, that means,
15 00:01:01,140 --> 00:01:05,390 hey, time out until, you know, like a second passes, and then you can move on.
16 00:01:05,400 --> 00:01:10,890 So you could just do that to, like, limit how long it actually takes, because sometimes
17 00:01:10,890 --> 00:01:15,170 these scans can take a while. Then you can do a dash z to actually say, hey, no data transfer mode.
18 00:01:15,190 --> 00:01:17,160 So that's actually going to make it run a lot faster.
19 00:01:17,310 --> 00:01:23,030 And then we can have our target address right here, which is the Metasploitable machine for us right now.
20 00:01:23,190 --> 00:01:29,370 And then let's say we have ports one to one hundred, so we can go ahead and do that and hit enter, and
21 00:01:29,370 --> 00:01:31,590 it's going to spit out our results very, very fast.
22 00:01:31,740 --> 00:01:34,220 If you run this without the dash, it will be very slow.
23 00:01:34,740 --> 00:01:37,980 But as you can see, it tells us, hey, connection refused, connection refused.
24 00:01:38,220 --> 00:01:43,070 Hey, port's open, connection refused, connection refused, and you can see what ports are open.
25 00:01:43,080 --> 00:01:45,690 This aligns perfectly with our Nmap scans before.
26 00:01:45,730 --> 00:01:49,370 So you can use this as a viable, you know, scanning tool as well.
27 00:01:49,380 --> 00:01:52,220 So you see fifty four point fifty three is open.
28 00:01:52,230 --> 00:01:58,860 Let's see what else is open right now: HTTP, telnet, SMTP. This is stuff that we're going to look at
29 00:01:58,860 --> 00:01:59,160 later.
30 00:01:59,160 --> 00:02:04,260 But this is just showing, you know, how you can actually use Netcat as a scanner.
31 00:02:04,380 --> 00:02:09,270 And just to note as well, if you wanted to, you can use it as a scanner as well.
32 00:02:09,540 --> 00:02:15,600 You would have to add a dash u option like right here, and it'll actually, you know, scan the UDP
33 00:02:15,600 --> 00:02:15,990 ports.
34 00:02:16,200 --> 00:02:18,720 So it might be a little bit slower when you're doing that.
35 00:02:18,720 --> 00:02:20,760 As you can see, it's kind of like just trickling through.
36 00:02:21,330 --> 00:02:24,960 It'll eventually get through the entire list and then we're pretty much good to go.
37 00:02:24,960 --> 00:02:28,470 And you'll probably see, I think only like port 53 was open.
38 00:02:28,470 --> 00:02:29,310 I don't remember exactly.
39 00:02:29,730 --> 00:02:34,410 But, um, as you can see, you can use this for UDP scans as well.
40 00:02:34,620 --> 00:02:36,390 So it's a very versatile tool.
41 00:02:36,690 --> 00:02:43,560 OK, so another way that Netcat is very, very useful is that it allows us to actually listen on ports,
42 00:02:43,560 --> 00:02:48,870 either on remote computers or locally, for any traffic that comes over that port to that computer or to
43 00:02:48,870 --> 00:02:49,650 our local computer.
44 00:02:49,800 --> 00:02:54,240 So what we're going to do right now is a very quick example of actually using Netcat to listen
45 00:02:54,240 --> 00:02:54,720 on a port.
46 00:02:54,930 --> 00:03:00,870 So all you have to do is call Netcat with nc and then you put dash nvlp. The l is going to put
47 00:03:00,870 --> 00:03:02,010 us in listening mode.
48 00:03:02,010 --> 00:03:07,990 The v is going to give us verbose output, and the p is going to allow us to specify the port, so we could
49 00:03:07,990 --> 00:03:12,900 put a target just here if we wanted to connect that to another port and listen, you know, over that
50 00:03:12,900 --> 00:03:14,360 port for traffic.
51 00:03:14,370 --> 00:03:15,900 But right now, we're just going to do this locally.
52 00:03:15,900 --> 00:03:16,890 So we're going to listen.
53 00:03:16,890 --> 00:03:20,520 Hey, if, you know, what connects to us over port 80, you know, let me know what happens.
54 00:03:20,520 --> 00:03:21,840 That's pretty much what this is saying.
55 00:03:22,050 --> 00:03:23,580 Now we're listening on port eighty.
56 00:03:23,760 --> 00:03:27,360 We know the IP address here is one, two, seven.
57 00:03:27,540 --> 00:03:30,630 So let's actually go over to my Windows machine.
58 00:03:30,670 --> 00:03:35,430 I'm doing all this on, and let's see what happens when we actually type in HTTP
59 00:03:36,320 --> 00:03:38,640 and then the IP address of my Kali Linux machine.
60 00:03:38,720 --> 00:03:43,700 So as it is spinning, I don't have a web server or anything close to it right now, or anything like that that's
61 00:03:43,700 --> 00:03:44,630 pushing out stuff.
62 00:03:44,630 --> 00:03:46,650 So it's just going to spin and it's not going to do anything.
63 00:03:47,150 --> 00:03:47,690 All right.
64 00:03:48,010 --> 00:03:52,650 We go back to our Kali Linux machine and click back over here.
65 00:03:52,670 --> 00:03:53,450 Oh, hey.
66 00:03:53,840 --> 00:04:00,980 It says, hey, we got a connection request from 192.168.56.1.
67 00:04:01,190 --> 00:04:04,080 And it's giving us just different information.
68 00:04:04,080 --> 00:04:09,740 And this is just a header and it's just, you know, telling us. This is very useful for catching connections
69 00:04:09,740 --> 00:04:14,520 and maybe, you know, also like viewing things, like potentially plain text that's sent over.
70 00:04:14,520 --> 00:04:17,840 There's a lot of versatility that comes with this.
71 00:04:17,840 --> 00:04:22,710 So that's a couple of ways you can use Netcat to listen for connections and different traffic as such.
72 00:04:22,970 --> 00:04:27,470 Just quickly to show you guys, I went back, actually, to show you that, you know, things that are posted
73 00:04:27,470 --> 00:04:30,950 to the URL can actually be seen over on Kali.
74 00:04:31,400 --> 00:04:37,070 So this is just an example, and maybe it's an insecure application and it passes stuff over plain text,
75 00:04:37,070 --> 00:04:45,320 like in the URL, so a user and, and then a variable password, pass, that gets passed to our Kali Linux
76 00:04:45,320 --> 00:04:49,130 machine will actually show us right here.
77 00:04:50,100 --> 00:04:54,540 So it's pretty useful for catching information, so just keep that in mind.
78 00:04:54,690 --> 00:05:00,840 So one other thing that you want to do when you're conducting, you know, your active reconnaissance
79 00:05:00,840 --> 00:05:02,800 is looking for SMB enumeration.
80 00:05:03,480 --> 00:05:05,190 This is Server Message Block.
81 00:05:05,310 --> 00:05:08,940 And it's very key, like, when it comes to corporate environments.
82 00:05:09,180 --> 00:05:11,240 So look for SMB vulnerabilities.
83 00:05:11,250 --> 00:05:15,540 They're very common and they're not too difficult to exploit as well.
84 00:05:15,840 --> 00:05:22,320 So if you don't know, Server Message Block or SMB is used for file transfer and listens on ports one three
85 00:05:22,320 --> 00:05:24,270 nine and four four five.
86 00:05:24,270 --> 00:05:29,640 And like I said, easy to exploit most of the time on some devices, you know, if you can exploit it,
87 00:05:29,640 --> 00:05:34,500 you can actually own the entire system or get access to all kinds of stuff and be able to get like
88 00:05:34,500 --> 00:05:36,300 a root account, like, almost immediately.
89 00:05:36,540 --> 00:05:42,570 And SMB enumeration can be done with a variety of tools, where we're going to focus, like, right now on
90 00:05:42,570 --> 00:05:44,730 using Nmap, but there's other tools as well.
91 00:05:44,800 --> 00:05:47,250 OK, so we're on our Kali Linux machine.
92 00:05:47,250 --> 00:05:51,510 So let's say we want to find out about SMB, what we have.
93 00:05:51,550 --> 00:05:54,270 We just do our simple Nmap command.
94 00:05:54,550 --> 00:06:00,150 And then for this we're going to ask for verbose output, because we want to see stuff as it's happening,
95 00:06:00,150 --> 00:06:00,870 it's pretty cool.
96 00:06:01,170 --> 00:06:06,740 We've got to do a dash p to actually specify the port, and then we're going to say one three nine and
97 00:06:06,780 --> 00:06:11,310 four four five, because we know that, you know, those are the ports that SMB runs over.
98 00:06:11,850 --> 00:06:23,160 And let's say that we want to output the file to, like, SMB dot t, and then we want to put the target.
99 00:06:23,280 --> 00:06:27,760 So 192.168.56.104.
100 00:06:27,780 --> 00:06:29,370 This is the Metasploitable machine.
101 00:06:29,520 --> 00:06:33,450 We're going to go ahead and actually run this command.
102 00:06:35,470 --> 00:06:41,320 And then now, OK, hey, those ports are actually open. So one of the neat things we can do with
103 00:06:41,590 --> 00:06:45,100 Nmap is that we can actually specify ranges.
104 00:06:45,310 --> 00:06:53,110 So let's say we wanted to do one to two five four, just for example, it'll scan everything
105 00:06:53,110 --> 00:06:54,970 on this subnet, pretty much. So.
106 00:06:54,970 --> 00:06:58,060 And look for those ports that are being open and put it into this file.
107 00:06:58,240 --> 00:06:59,440 So let's go ahead and run that.
108 00:07:00,070 --> 00:07:04,630 You might need to give it a little bit of time, but it's going to give us a full report, you know, for
109 00:07:04,630 --> 00:07:10,570 each system, each address that we found, and actually tell us, hey, you know, they're closed on this
110 00:07:10,570 --> 00:07:11,980 one oh seven device.
111 00:07:12,160 --> 00:07:14,220 I believe that's my Kali Linux machine.
112 00:07:14,420 --> 00:07:15,070 Let's see.
113 00:07:15,070 --> 00:07:16,720 There is to it on here.
114 00:07:16,720 --> 00:07:17,980 It's open on one oh four.
115 00:07:17,980 --> 00:07:18,850 As we know.
116 00:07:19,000 --> 00:07:20,230 It's filtered there.
117 00:07:20,230 --> 00:07:25,580 It's open over here on the twenty, which is actually the domain, the main domain controller.
118 00:07:25,750 --> 00:07:29,220 And it's also open, let's see, to do, OK.
119 00:07:29,230 --> 00:07:32,110 And it's open locally because I allow that to happen.
120 00:07:32,110 --> 00:07:37,270 So, and that's a good way to figure out, you know, if SMB is something that you will be able to exploit,
121 00:07:37,450 --> 00:07:45,100 so you can actually take this a step further and actually run, like, an SMB, like, vulnerability script.
122 00:07:45,280 --> 00:07:59,010 So we could just do ls /usr/share/nmap and then /scripts/smb-vul
123 00:07:59,020 --> 00:08:05,880 and you just put a star, and it's going to give us all of the different, like, SMB vulnerability scripts.
124 00:08:05,890 --> 00:08:13,780 So these scripts actually go through and check if a specific system is vulnerable to, you know, these
125 00:08:13,780 --> 00:08:18,640 specific vulnerabilities, and you can just call it with the dash dash script command.
126 00:08:18,910 --> 00:08:21,220 So let's say, let's just test it out.
127 00:08:21,220 --> 00:08:23,860 I'm not sure if it's actually going to work, if it'll actually be vulnerable.
128 00:08:23,860 --> 00:08:27,460 Let's try this on the Windows server that we have.
129 00:08:27,460 --> 00:08:28,600 So let's see.
130 00:08:28,630 --> 00:08:32,290 Let's do nmap, dash v for verbose.
131 00:08:32,500 --> 00:08:35,800 Let's do a dash dash script
132 00:08:37,110 --> 00:08:42,150 equals, and then let's actually just paste one of these, because these are, like, the Microsoft Windows
133 00:08:42,150 --> 00:08:45,150 ones, because you never know, good work, just scripts.
134 00:08:46,000 --> 00:08:48,600 And then we could just copy this over.
135 00:08:50,150 --> 00:08:50,650 Uh.
136 00:08:51,630 --> 00:08:53,410 We've got to copy this down there.
137 00:08:53,460 --> 00:08:54,810 So a selection.
138 00:08:55,980 --> 00:08:58,050 And then it's actually going to run this script.
139 00:08:59,180 --> 00:09:07,170 Then put the IP address, 192.168.56.20. So that happens, so that
140 00:09:07,170 --> 00:09:15,260 we can go ahead and run Nmap, and it's going to go through and actually run this script for us
141 00:09:15,260 --> 00:09:15,810 as well.
142 00:09:16,310 --> 00:09:23,000 OK, so our script ended up finishing. It ran the vulnerability script after it did an Nmap scan
143 00:09:23,840 --> 00:09:30,920 and is saying, hey, it's vulnerable, it's potentially vulnerable to remote code execution because SMB
144 00:09:30,920 --> 00:09:32,120 version one is being used.
145 00:09:32,270 --> 00:09:33,380 So it's pretty big.
146 00:09:33,380 --> 00:09:37,350 So if you like this and you know where, you'll be able to exploit this pretty easily, and we'll get to
147 00:09:37,350 --> 00:09:39,520 this later and actually clarify if this is real or not.
148 00:09:39,620 --> 00:09:42,150 As you can see, you can check out these other sources as well.
149 00:09:42,170 --> 00:09:46,940 But as you can see, Nmap is very versatile and allows you to find, you know, vulnerabilities like
150 00:09:46,940 --> 00:09:47,450 this right here.
151 00:09:47,810 --> 00:09:52,700 Another type of enumeration that we want to do during our active reconnaissance
152 00:09:53,000 --> 00:09:57,590 is actually NFS enumeration, and it stands for Network File Sharing.
153 00:09:57,650 --> 00:09:58,850 It's another thing that's key.
154 00:09:58,850 --> 00:10:05,960 You know, we're doing this active reconnaissance, or so. NFS runs over port 111, and it's typically
155 00:10:05,960 --> 00:10:09,790 used to mount network shares that can potentially be exploited.
156 00:10:09,950 --> 00:10:15,300 You know, if it's set up incorrectly. So we can actually enumerate NFS information using Nmap.
157 00:10:15,300 --> 00:10:19,280 So I'm going to go ahead and show you how to do that, so back in our Kali Linux machine.
158 00:10:19,290 --> 00:10:21,130 So we have an Nmap command set up.
159 00:10:21,140 --> 00:10:27,350 So right now, it's set to where it's going to do a service scan and figure out the version of it with this
160 00:10:27,590 --> 00:10:28,760 dash sV right here.
161 00:10:28,880 --> 00:10:31,810 And then we have dash p, we're looking at port 111.
162 00:10:32,000 --> 00:10:37,670 So we're trying to see, you know, are there any devices that have port 111 open?
163 00:10:37,790 --> 00:10:41,960 And then I put in a very verbose mode so it actually shows us, you know, what's happening, what's happening,
164 00:10:41,960 --> 00:10:44,750 because it's pretty cool. Then we have our target right here.
165 00:10:44,900 --> 00:10:51,860 And if we want to do the NFS enumeration, you can actually just do dash dash script
166 00:10:53,000 --> 00:10:58,530 and then equals, and then what we're going to do is rpcinfo.
167 00:10:58,640 --> 00:11:04,070 OK, so we could just go ahead, run that, and then let's wait a minute and check out the results.
168 00:11:04,070 --> 00:11:06,440 So we're going to go ahead and run this command right here.
169 00:11:06,470 --> 00:11:10,520 So it was just a simple Nmap command, it's going to do a service version scan.
170 00:11:10,660 --> 00:11:12,650 It's going to scan for 111.
171 00:11:12,650 --> 00:11:15,800 And we're putting it in a very verbose mode.
172 00:11:15,980 --> 00:11:17,570 This is going to be a target.
173 00:11:17,600 --> 00:11:18,260 As you'll see.
174 00:11:18,260 --> 00:11:19,900 This is our Kali Linux machine.
175 00:11:19,940 --> 00:11:27,740 So what I did was I went ahead and set up an NFS server locally on this just to show you how this works,
176 00:11:27,890 --> 00:11:30,110 and I'll include instructions for you guys
177 00:11:30,470 --> 00:11:35,840 to actually go ahead and set up an NFS server locally as well, so that you can actually practice it and
178 00:11:35,840 --> 00:11:36,860 try it on your own.
179 00:11:37,490 --> 00:11:39,260 You'll probably find that in the research section.
180 00:11:39,470 --> 00:11:42,580 So the script that we're going to use right now is rpcinfo.
181 00:11:42,680 --> 00:11:47,420 So pretty much what this is going to do is it's going to allow us to see which devices are actually
182 00:11:47,420 --> 00:11:49,850 registered with rpcbind.
183 00:11:49,850 --> 00:11:54,050 And that's going to tell us, like, you know, if it points to, like, an NFS or not.
184 00:11:54,560 --> 00:11:59,600 So we can go ahead and run this one and just give it a second to finish, so it can finish.
185 00:11:59,600 --> 00:12:05,060 And hey, it said port 111 is open, rpcbind is running on it.
186 00:12:05,450 --> 00:12:08,240 And hey, we found this.
187 00:12:08,240 --> 00:12:15,050 And right here, slash mnt slash hacking share, and it has these files inside of it.
188 00:12:15,050 --> 00:12:16,400 You can ignore those first two.
189 00:12:16,670 --> 00:12:22,660 But what's interesting here is the super secret password text, huh?
190 00:12:22,910 --> 00:12:23,870 So that's pretty neat.
191 00:12:23,870 --> 00:12:25,420 We know what we know.
192 00:12:25,460 --> 00:12:28,990 That's probably a file that we want to know, like, what's inside of it.
193 00:12:29,100 --> 00:12:33,100 Let's look a little bit more, some of the more information, of some of the information that it gave us.
194 00:12:33,320 --> 00:12:38,480 So we see that the mount is actually accessible to anyone that's on the subnet.
195 00:12:38,480 --> 00:12:42,740 And hey, we broke into the network technically, so we're on the same network.
196 00:12:42,740 --> 00:12:46,640 So we should be able to gain access to it, so we don't have any restrictions there.
197 00:12:46,850 --> 00:12:52,940 And it's just a little bit more information, you know, about the NFS share as well.
198 00:12:53,090 --> 00:12:59,390 So we can take this a step further and actually try to see if we can mount it to our system, to where
199 00:12:59,390 --> 00:13:00,620 we can access it.
200 00:13:00,620 --> 00:13:02,470 And we do that with the mount command.
201 00:13:02,660 --> 00:13:06,560 So I've already done this, but I'm going to show you guys the mount.
202 00:13:06,560 --> 00:13:15,290 So just mount, followed by the IP address of where the NFS share is, and then the NFS share, and then
203 00:13:15,290 --> 00:13:16,270 our own folder.
204 00:13:16,370 --> 00:13:20,780 So I made a folder called my NFS in this folder.
205 00:13:20,990 --> 00:13:27,550 So what we can do is we can cd slash mnt slash my NFS.
206 00:13:28,970 --> 00:13:36,350 And we could do an ls, and hey, it actually synchronized, you know, it actually went and mounted the NFS
207 00:13:36,350 --> 00:13:37,800 here locally here.
208 00:13:38,030 --> 00:13:40,060 Now I can access this file right here.
209 00:13:40,070 --> 00:13:44,660 So if I wanted to, I can do a vi super secret password dot txt.
210 00:13:44,810 --> 00:13:46,620 And hey, I have read access to it.
211 00:13:46,630 --> 00:13:47,470 That's pretty crazy.
212 00:13:47,810 --> 00:13:53,920 I can also, if I wanted to, I could do cat super secret password and it'll cat it out.
213 00:13:53,940 --> 00:13:56,180 So now I have a super secret password, so that's pretty neat.
214 00:13:56,210 --> 00:14:02,360 So now you see kind of how, you know, NFS enumeration can be very valuable.
215 00:14:02,360 --> 00:14:06,950 You can find some, uh, permissions usually on most internal networks if you look for this.