1
00:00:00,060 --> 00:00:06,630
Another tool that we can use for reconnaissance is known as Netcare now NEKE is actually known as the

2
00:00:06,630 --> 00:00:08,660
hacker Swiss Army Knife.

3
00:00:08,670 --> 00:00:09,990
That's how useful it is.

4
00:00:10,290 --> 00:00:16,170
So it is pretty essential for establishing remote connections to devices that we're going to exploit.

5
00:00:16,320 --> 00:00:20,910
You know, when you're actually conducting ethical, you know, hacking activities and you can also

6
00:00:20,910 --> 00:00:22,980
use it as a scanner in some scenarios.

7
00:00:23,190 --> 00:00:30,930
So Neka has the ability to allow you to either, you know, scan for like maybe open ports, but primarily

8
00:00:30,930 --> 00:00:37,370
it can be used to listen to connections as they come into your system or to other systems.

9
00:00:37,380 --> 00:00:41,440
So let's go over like some quick, you know, Netcare syntax and examples.

10
00:00:41,460 --> 00:00:47,190
So if you want to run the command, so all you have to do is type in and see right here.

11
00:00:47,190 --> 00:00:48,600
And that's going to call the program.

12
00:00:48,810 --> 00:00:54,130
And then there's dash envy and you just say, hey, run this scan in very verbose motorcycle.

13
00:00:54,240 --> 00:00:56,220
And map has the same type of verbose option.

14
00:00:56,490 --> 00:01:01,140
If you don't want to see the verbose output and just take that off, then we have a view that means,

15
00:01:01,140 --> 00:01:05,390
hey, time out until, you know, like a second pass and then you can move on.

16
00:01:05,400 --> 00:01:10,890
So you could just do that to see how long it like limit how long it actually take, because sometimes

17
00:01:10,890 --> 00:01:15,170
these scans can take a while, then you can do a dash Z to actually say, hey, no data transfer mode.

18
00:01:15,190 --> 00:01:17,160
So that's actually going to make it run a lot faster.

19
00:01:17,310 --> 00:01:23,030
And then we can have our target address right here, which is the metastable machine for us right now.

20
00:01:23,190 --> 00:01:29,370
And then let's say we have or it's one to one hundred so we can go ahead and do that and hit enter and

21
00:01:29,370 --> 00:01:31,590
it's going to spit out our results very, very fast.

22
00:01:31,740 --> 00:01:34,220
If you run this without the dash, there will be very slow.

23
00:01:34,740 --> 00:01:37,980
But as you can see, it tells us how can actually refuse, can actually refuse.

24
00:01:38,220 --> 00:01:43,070
Hey, Paradies open can actually refuse, can actually refuse and you can see what parts are open.

25
00:01:43,080 --> 00:01:45,690
This aligns perfectly with our map scans before.

26
00:01:45,730 --> 00:01:49,370
So you can use this as a viable, you know, scanning tool as well.

27
00:01:49,380 --> 00:01:52,220
So you see fifty four point fifty three is open.

28
00:01:52,230 --> 00:01:58,860
Let's see if it goes open right now as age ATP telling SMTP this is stuff that we're going to look at

29
00:01:58,860 --> 00:01:59,160
later.

30
00:01:59,160 --> 00:02:04,260
But this is just showing, you know, how you can actually use Netcare as a scanner.

31
00:02:04,380 --> 00:02:09,270
And just to note as well, if you wanted to, you can use as a scanner as well.

32
00:02:09,540 --> 00:02:15,600
You would have to add a dash you option like right here, and it'll actually, you know, scan the UDP

33
00:02:15,600 --> 00:02:15,990
force.

34
00:02:16,200 --> 00:02:18,720
So it might be a little bit slower when you're doing that.

35
00:02:18,720 --> 00:02:20,760
As you can see, it's kind of like just trickling through.

36
00:02:21,330 --> 00:02:24,960
It'll eventually get through the entire list and then we're pretty much good to go.

37
00:02:24,960 --> 00:02:28,470
And you'll probably see, I think only like we're 53 was open.

38
00:02:28,470 --> 00:02:29,310
I don't remember exactly.

39
00:02:29,730 --> 00:02:34,410
But, um, as you can see, you can use this for UDP scans as well.

40
00:02:34,620 --> 00:02:36,390
So it's a very versatile tool.

41
00:02:36,690 --> 00:02:43,560
OK, so another way that Netcare is very, very useful is that it allows us to actually listen on ports,

42
00:02:43,560 --> 00:02:48,870
either on remote computers or locally for any track that comes over that port to that computer or to

43
00:02:48,870 --> 00:02:49,650
our local computer.

44
00:02:49,800 --> 00:02:54,240
So what we're going to do right now is it's a very quick example of actually using that cat to listen

45
00:02:54,240 --> 00:02:54,720
on a port.

46
00:02:54,930 --> 00:03:00,870
So all you have to do is call an Cadigan with Nancy and then you put Dash NVP The L is going to put

47
00:03:00,870 --> 00:03:02,010
us in listening mode.

48
00:03:02,010 --> 00:03:07,990
The V is going to give us verbose output and the P is going to allow us to specify the port so we could

49
00:03:07,990 --> 00:03:12,900
put a target just here if we wanted to connect that to another port and listen, you know, over that

50
00:03:12,900 --> 00:03:14,360
port for traffic.

51
00:03:14,370 --> 00:03:15,900
But right now, we're just going to do this locally.

52
00:03:15,900 --> 00:03:16,890
So we're going to listen.

53
00:03:16,890 --> 00:03:20,520
Hey, if you know what connects to us over 480, you know, let me know what happens.

54
00:03:20,520 --> 00:03:21,840
That's pretty much what this is saying.

55
00:03:22,050 --> 00:03:23,580
Now we're listening up for eighty.

56
00:03:23,760 --> 00:03:27,360
We know the IP address here is one, two, seven.

57
00:03:27,540 --> 00:03:30,630
So let's actually go over to my Windows machine.

58
00:03:30,670 --> 00:03:35,430
I'm doing all this on and let's see what happens when we actually type in HDP.

59
00:03:36,320 --> 00:03:38,640
And then the IP address of my colonics machine.

60
00:03:38,720 --> 00:03:43,700
So as Jack is spinning, I don't have a Web server or anything close to it right now, all like that's

61
00:03:43,700 --> 00:03:44,630
pushing out stuff.

62
00:03:44,630 --> 00:03:46,650
So it's just going to spin and it's not going to do anything.

63
00:03:47,150 --> 00:03:47,690
All right.

64
00:03:48,010 --> 00:03:52,650
We go back to R. Kelly Linux machine and click back over here.

65
00:03:52,670 --> 00:03:53,450
Oh, hey.

66
00:03:53,840 --> 00:04:00,980
It says, hey, we got a connection request from one nine to one six eight five six that one.

67
00:04:01,190 --> 00:04:04,080
And it's giving us just different information.

68
00:04:04,080 --> 00:04:09,740
And this is just a header and it's just, you know, telling us this is very useful for catching connections

69
00:04:09,740 --> 00:04:14,520
and maybe, you know, also like viewing things, like potentially playing text that sent over.

70
00:04:14,520 --> 00:04:17,840
It does a lot of versatility that comes with this.

71
00:04:17,840 --> 00:04:22,710
So that's a couple of how you can use NPR to listen for connections in different traffic as such.

72
00:04:22,970 --> 00:04:27,470
Just quickly show you guys I went back and actually to show you that, you know, things that are posted

73
00:04:27,470 --> 00:04:30,950
to the euro can actually be seen over on a column.

74
00:04:31,400 --> 00:04:37,070
So this is just an example and maybe it's an insecure application and it passes stuff over plain text,

75
00:04:37,070 --> 00:04:45,320
like in the but you are also a user and and then a variable password pass that goes past to our politics

76
00:04:45,320 --> 00:04:49,130
machine will actually show us a right here.

77
00:04:50,100 --> 00:04:54,540
So it's pretty useful for catching information, so just keep that in mind.

78
00:04:54,690 --> 00:05:00,840
So one other thing, as you want to do when you're conducting, you know, your active reconnaissance

79
00:05:00,840 --> 00:05:02,800
is looking for SMB enumeration.

80
00:05:03,480 --> 00:05:05,190
This is server message block.

81
00:05:05,310 --> 00:05:08,940
And it's very key, like when it comes to corporate environments.

82
00:05:09,180 --> 00:05:11,240
So look for SMB vulnerabilities.

83
00:05:11,250 --> 00:05:15,540
They're very common and they're not too difficult to exploit as well.

84
00:05:15,840 --> 00:05:22,320
So if you don't know server messages, block or SMB is use for file transfer and Istana ports one three

85
00:05:22,320 --> 00:05:24,270
nine and four, four or five.

86
00:05:24,270 --> 00:05:29,640
And like I said, easy to explain most of the time on some devices, you know, if you can exploit it,

87
00:05:29,640 --> 00:05:34,500
you can actually own the entire system or your access to all kinds of stuff and be able to get like

88
00:05:34,500 --> 00:05:36,300
a router account like almost immediately.

89
00:05:36,540 --> 00:05:42,570
And SMB enumeration can be done with a variety of tools where we're going to focus like right now on

90
00:05:42,570 --> 00:05:44,730
using and map, but as other tools as well.

91
00:05:44,800 --> 00:05:47,250
OK, so we're going to call Linux machine.

92
00:05:47,250 --> 00:05:51,510
So let's say we want to find out about some SMB, all what we have.

93
00:05:51,550 --> 00:05:54,270
We just do our simple map command.

94
00:05:54,550 --> 00:06:00,150
And then for this we're going to ask for verbose output because we want to see stuff as it's happening

95
00:06:00,150 --> 00:06:00,870
is pretty cool.

96
00:06:01,170 --> 00:06:06,740
We've got to do a dash P to actually specify the point and then we're going to say one three nine and

97
00:06:06,780 --> 00:06:11,310
four four five, because we know that, you know, those are the ports that somebody runs over.

98
00:06:11,850 --> 00:06:23,160
And let's say that we want to output the file to like SMB dot t and then we want to put the target.

99
00:06:23,280 --> 00:06:27,760
So one on two to one six eight, five, six, one or four.

100
00:06:27,780 --> 00:06:29,370
This is the metastable machine.

101
00:06:29,520 --> 00:06:33,450
We're going to go ahead and actually run this command.

102
00:06:35,470 --> 00:06:41,320
And then now, OK, hey, if those ports are actually open, so one of the neat thing we can do with

103
00:06:41,590 --> 00:06:45,100
a map is that we can actually specify ranges.

104
00:06:45,310 --> 00:06:53,110
So let's say we wanted to do one, two, two, five, four, just for example, it'll scan everything

105
00:06:53,110 --> 00:06:54,970
on this subnet, pretty much so.

106
00:06:54,970 --> 00:06:58,060
And look for those ports that are being open and put it into this file.

107
00:06:58,240 --> 00:06:59,440
So let's go ahead and run that.

108
00:07:00,070 --> 00:07:04,630
You might need to give a little bit of time, but it's going to give us a full report, you know, for

109
00:07:04,630 --> 00:07:10,570
each system, each address that we found and actually tell us, hey, you know, they're closed on this

110
00:07:10,570 --> 00:07:11,980
one oh seven device.

111
00:07:12,160 --> 00:07:14,220
I believe that's my colonics machine.

112
00:07:14,420 --> 00:07:15,070
Let's see.

113
00:07:15,070 --> 00:07:16,720
There is to it on here.

114
00:07:16,720 --> 00:07:17,980
It's open on one of four.

115
00:07:17,980 --> 00:07:18,850
As we know.

116
00:07:19,000 --> 00:07:20,230
It's filtered there.

117
00:07:20,230 --> 00:07:25,580
It's open over here on the twenty, which is actually the domains are the main domain controller.

118
00:07:25,750 --> 00:07:29,220
And it also open, let's see to do OK.

119
00:07:29,230 --> 00:07:32,110
And it's open locally because I allow that to happen.

120
00:07:32,110 --> 00:07:37,270
So and that's a good way to figure out, you know, if SMB is something that you will be able to exploit

121
00:07:37,450 --> 00:07:45,100
so you can actually take this a step further and actually run like a zombie like winnability group.

122
00:07:45,280 --> 00:07:59,010
So we could just do less users to share such and that and then slash scripts, slash SMB dash for you

123
00:07:59,020 --> 00:08:05,880
L and you just put a star and it's going to give us all of the different like SMB vulnerability's scripts.

124
00:08:05,890 --> 00:08:13,780
So these scripts actually go through and check if a specific system is vulnerable to, you know, these

125
00:08:13,780 --> 00:08:18,640
specific vulnerabilities and you can just call it with the dash dash script command.

126
00:08:18,910 --> 00:08:21,220
So let's say let's just test it out.

127
00:08:21,220 --> 00:08:23,860
I'm not sure if it's actually going to work, if it'll actually be vulnerable.

128
00:08:23,860 --> 00:08:27,460
Let's try this on the Windows server that we have.

129
00:08:27,460 --> 00:08:28,600
So let's see.

130
00:08:28,630 --> 00:08:32,290
Let's do a map, a C Dash V for verbals.

131
00:08:32,500 --> 00:08:35,800
Let's do a dash dash script.

132
00:08:37,110 --> 00:08:42,150
Equals and then let's actually just base one of these, because these are like the Microsoft Windows

133
00:08:42,150 --> 00:08:45,150
ones, because you never know good work, just scripts.

134
00:08:46,000 --> 00:08:48,600
And then we could just copy this over.

135
00:08:50,150 --> 00:08:50,650
Uh.

136
00:08:51,630 --> 00:08:53,410
We get a copy this down there.

137
00:08:53,460 --> 00:08:54,810
So a selection.

138
00:08:55,980 --> 00:08:58,050
And then it's actually going to run this script.

139
00:08:59,180 --> 00:09:07,170
Didn't put the I.P. address one or two to one six, eight, five, six, dot 20, so happens so that

140
00:09:07,170 --> 00:09:15,260
she can go ahead and run on that map and is going to go through and actually run this script for us

141
00:09:15,260 --> 00:09:15,810
as well.

142
00:09:16,310 --> 00:09:23,000
OK, so our script ended up finishing a ran the vulnerability script on after it did end mapped scan

143
00:09:23,840 --> 00:09:30,920
and saying, hey, it's vulnerable, it's potentially vulnerable to remote code execution because sambi

144
00:09:30,920 --> 00:09:32,120
version one being used.

145
00:09:32,270 --> 00:09:33,380
So it's pretty big.

146
00:09:33,380 --> 00:09:37,350
So if you like this and you know where you'll be able to exploit this pretty easily and we'll get to

147
00:09:37,350 --> 00:09:39,520
this later and actually clarify if this is real or not.

148
00:09:39,620 --> 00:09:42,150
As you can see, you can check out these other sources as well.

149
00:09:42,170 --> 00:09:46,940
But as you can see, EMAP is very versatile and allow you to find, you know, vulnerabilities like

150
00:09:46,940 --> 00:09:47,450
this right here.

151
00:09:47,810 --> 00:09:52,700
Some people in our military, another type of renumeration that we want to do during our active reconnaissance

152
00:09:53,000 --> 00:09:57,590
is actually Innovest Enumerations and Staniford Network file sharing.

153
00:09:57,650 --> 00:09:58,850
It's another thing as key.

154
00:09:58,850 --> 00:10:05,960
You know, we're doing this active reconnaissance or so Neff's runs over Report 111, and it's typically

155
00:10:05,960 --> 00:10:09,790
used to mount network shares that can potentially be exploited.

156
00:10:09,950 --> 00:10:15,300
You know, it's set up incorrectly so we can actually numerary Innovest information using.

157
00:10:15,300 --> 00:10:19,280
And so I'm going to go ahead and show you how to do that or packing Archaia Linux machine.

158
00:10:19,290 --> 00:10:21,130
So we have a map command set up.

159
00:10:21,140 --> 00:10:27,350
So right now, set to where it's going to do a service scan and figure out the version of it with this

160
00:10:27,590 --> 00:10:28,760
dash ASV right here.

161
00:10:28,880 --> 00:10:31,810
And then we have Dasch, we're looking at Port 111.

162
00:10:32,000 --> 00:10:37,670
So we're trying to see, you know, are there any devices that have power 111 open?

163
00:10:37,790 --> 00:10:41,960
And then I put in a very verbose Mosso actually shows us, you know, what's happening, what's happening,

164
00:10:41,960 --> 00:10:44,750
because it's pretty cool that we have our target right here.

165
00:10:44,900 --> 00:10:51,860
And if we want to do the manifest enumeration, you can actually just do dash dash script.

166
00:10:53,000 --> 00:10:58,530
And then equals and then what we're going to do is our PC info.

167
00:10:58,640 --> 00:11:04,070
OK, so we could just go ahead, run that and then let's wait a minute and check out the results.

168
00:11:04,070 --> 00:11:06,440
So we're going to go ahead and run this command right here.

169
00:11:06,470 --> 00:11:10,520
So it was just a simple and my command is going to do a service version scan.

170
00:11:10,660 --> 00:11:12,650
It's going to scan for 111.

171
00:11:12,650 --> 00:11:15,800
And we're putting in a very verbose mode.

172
00:11:15,980 --> 00:11:17,570
This is going to be a target.

173
00:11:17,600 --> 00:11:18,260
As you'll see.

174
00:11:18,260 --> 00:11:19,900
This is our kind of Linux machine.

175
00:11:19,940 --> 00:11:27,740
So what I did was I went ahead and set up an NFL server locally on this just to show you how this works

176
00:11:27,890 --> 00:11:30,110
and all inclusive instructions for you guys.

177
00:11:30,470 --> 00:11:35,840
Actually, go ahead and set up an investor locally as well so that you can actually practice it and

178
00:11:35,840 --> 00:11:36,860
try it on your own.

179
00:11:37,490 --> 00:11:39,260
You'll probably find that in the research section.

180
00:11:39,470 --> 00:11:42,580
So the script that we're going to use right now is RBC Info.

181
00:11:42,680 --> 00:11:47,420
So pretty much what this is going to do is it's going to allow us to see which devices are actually

182
00:11:47,420 --> 00:11:49,850
registered with PC Vyn.

183
00:11:49,850 --> 00:11:54,050
And that's going to tell us, like, you know, if it points to, like, an offense or not.

184
00:11:54,560 --> 00:11:59,600
So we can go ahead and run this one and just give it a second to finish so I can finish.

185
00:11:59,600 --> 00:12:05,060
And hey, it said Port 111 is open, our PC bond is running on it.

186
00:12:05,450 --> 00:12:08,240
And hey, we found this.

187
00:12:08,240 --> 00:12:15,050
And right here, slash amante slash hacking share and has these files inside of it.

188
00:12:15,050 --> 00:12:16,400
You can ignore those first two.

189
00:12:16,670 --> 00:12:22,660
But what's interesting here is the super secret password text, huh?

190
00:12:22,910 --> 00:12:23,870
So that's pretty neat.

191
00:12:23,870 --> 00:12:25,420
We know what we know.

192
00:12:25,460 --> 00:12:28,990
That's probably a follow that we want to know, like what's inside of it.

193
00:12:29,100 --> 00:12:33,100
Let's look a little bit more some of the more information of some of the information that she gave us.

194
00:12:33,320 --> 00:12:38,480
So we see that Mount is actually accessible to anyone that's on the subnet.

195
00:12:38,480 --> 00:12:42,740
And hey, we broke into the network technically, so we're on the same network.

196
00:12:42,740 --> 00:12:46,640
So we should be able to gain access to it so we don't have any restrictions there.

197
00:12:46,850 --> 00:12:52,940
And it's just a little bit more information, you know, about the end US share as well.

198
00:12:53,090 --> 00:12:59,390
So we can take this a step further and actually try to see if we can mount it to our system, to where

199
00:12:59,390 --> 00:13:00,620
we can access.

200
00:13:00,620 --> 00:13:02,470
And we do that with a mount in.

201
00:13:02,660 --> 00:13:06,560
So I've already done this, but I'm going to show you guys the mount.

202
00:13:06,560 --> 00:13:15,290
So just now, followed by the IP address of where the NFL shares and in and then the NFL share and then

203
00:13:15,290 --> 00:13:16,270
our own folder.

204
00:13:16,370 --> 00:13:20,780
So I made a folder called Manifest in these folder.

205
00:13:20,990 --> 00:13:27,550
So what we can do is we can create such amante my NFC.

206
00:13:28,970 --> 00:13:36,350
And we could do a and hey, it actually synchronized, you know, it actually went and mounted the manifest

207
00:13:36,350 --> 00:13:37,800
here locally here.

208
00:13:38,030 --> 00:13:40,060
Now I can access this file right here.

209
00:13:40,070 --> 00:13:44,660
So if I wanted to, I can do a V supersecret password, sex.

210
00:13:44,810 --> 00:13:46,620
And hey, I have read access to it.

211
00:13:46,630 --> 00:13:47,470
That's pretty crazy.

212
00:13:47,810 --> 00:13:53,920
I can also if I wanted to, I could do Cat Super Secret password and it'll cat it out.

213
00:13:53,940 --> 00:13:56,180
So now I have a super secret password, so that's pretty neat.

214
00:13:56,210 --> 00:14:02,360
So now you see kind of how, you know, antifascists enumeration can be very valuable.

215
00:14:02,360 --> 00:14:06,950
You can find some up permissions usually on most Internet networks if you look for this.