1
00:00:00,300 --> 00:00:04,890
OK, so the first thing that we're going to do before we get into searching for X is because this one

2
00:00:04,890 --> 00:00:10,200
doesn't really involve an expert, but it's very useful to know about.

3
00:00:10,230 --> 00:00:13,470
So we're going to take advantage of Telnet really quickly.

4
00:00:13,470 --> 00:00:19,050
So as a remote management service, as you know, that runs over Port 23, if you remember from that

5
00:00:19,060 --> 00:00:19,710
section.

6
00:00:20,130 --> 00:00:21,260
I also just brought it up.

7
00:00:21,600 --> 00:00:26,550
Anything over Tona is unencrypted and that's why they replaced it with Esses each.

8
00:00:27,510 --> 00:00:32,040
So it is used, you know, and I've seen this in, like, you know, corporate environments on, you

9
00:00:32,040 --> 00:00:34,470
know, different assessments that Tony did actually use.

10
00:00:34,740 --> 00:00:40,680
You can actually use a protocol analyzer to sniff the traffic because it's set in plain text.

11
00:00:40,680 --> 00:00:41,490
It's not encrypted.

12
00:00:41,490 --> 00:00:45,260
So we can actually read everything that's being sent over that port.

13
00:00:45,420 --> 00:00:50,780
So what we can use is an application that's called Wireshark Protocol Analyzer.

14
00:00:50,790 --> 00:00:56,620
It's going to allow us to sniff all the traffic on the network and be able to find exactly what we want.

15
00:00:56,760 --> 00:01:01,380
So let's go ahead and switch over to our VMS and, you know, get things going.

16
00:01:01,440 --> 00:01:03,720
OK, so we're back in a colonics machine.

17
00:01:03,960 --> 00:01:11,700
So what we're going to do now is we're going to try to use Wireshark to actually capture credentials

18
00:01:11,700 --> 00:01:15,000
being sent in plain text over Telnet.

19
00:01:15,810 --> 00:01:20,460
So I have my medicine portable machine running all summer windows, time machine running full later.

20
00:01:21,000 --> 00:01:22,350
This portable machine is running.

21
00:01:22,350 --> 00:01:23,540
I know the IP address.

22
00:01:23,910 --> 00:01:28,940
So what we're going to want to do is actually open up Wireshark.

23
00:01:28,950 --> 00:01:34,410
So it's going to be a pseudo wireshark and it should open up and ask for your password.

24
00:01:34,410 --> 00:01:42,960
So I know that the Ethernet connection for mine, for this network is one and you can confirm that on

25
00:01:42,960 --> 00:01:43,350
your own.

26
00:01:43,350 --> 00:01:47,820
Just go and do I have config command from the terminal and you'll be able to figure it out.

27
00:01:48,510 --> 00:01:51,030
So this is the interface of Wireshark.

28
00:01:51,040 --> 00:01:55,320
So what you're going to want to do, like I just said, is choose the interface that you want to listen

29
00:01:55,320 --> 00:01:55,650
over.

30
00:01:55,650 --> 00:01:57,480
We want to listen over this one.

31
00:01:57,480 --> 00:02:02,880
As you can see, that's the subnet right there on this 192000, one six eight five six subnet.

32
00:02:03,120 --> 00:02:07,280
That's subnet for my, you know, host only, you know, virtual box network.

33
00:02:07,440 --> 00:02:10,730
So I'm going to double click that one and choose the listen over it.

34
00:02:10,950 --> 00:02:16,320
So what are you going to do is going to start to Absher packets, you know, that are actually running

35
00:02:16,320 --> 00:02:17,170
over this network.

36
00:02:17,370 --> 00:02:23,860
So the one thing I will bring up is that with virtual box, there's some limitations with network capturing.

37
00:02:24,660 --> 00:02:30,780
So instead of having another device try to log into the midst of all of its own content and capturing

38
00:02:30,780 --> 00:02:38,130
it, what we're going to do is we're going to try to capture the traffic coming from this CALEIGH machine

39
00:02:38,130 --> 00:02:39,170
logging over into it.

40
00:02:39,350 --> 00:02:44,280
We do know the credentials, but it's going to be the same that you would see it if like this was like

41
00:02:44,280 --> 00:02:50,820
a regular network with actual machines, you would be able to see the traffic here as well.

42
00:02:51,540 --> 00:02:52,950
So I just wanted to let you guys know that.

43
00:02:53,190 --> 00:02:58,540
So we have Wireshark running, as you can see, is capturing packets and stuff, just capturing all

44
00:02:58,540 --> 00:03:01,290
the different little packets running across the network right now.

45
00:03:01,690 --> 00:03:05,160
Not really too important, like, you know, what's going on right now.

46
00:03:05,350 --> 00:03:13,260
So what we want to do is actually initiate like a tunnel connection over to our midst political machine.

47
00:03:13,410 --> 00:03:18,450
And when we do that, we'll be able to come to Wireshark and play with some filters and actually be

48
00:03:18,450 --> 00:03:20,280
able to see what happens.

49
00:03:20,310 --> 00:03:25,830
So what we want to do is actually go over here and we're going to use the Tonette command.

50
00:03:25,980 --> 00:03:32,260
If you don't have it installed, you could just do a quick pseudo install on it and install it.

51
00:03:32,310 --> 00:03:34,260
I didn't have it on here for some odd reason.

52
00:03:34,260 --> 00:03:35,490
I thought it came by default.

53
00:03:35,580 --> 00:03:42,600
So we're going to be one of two down one six, eight, five, six to one or four, because I know that

54
00:03:42,600 --> 00:03:45,660
that is my disposable box and I'm going to put a port number.

55
00:03:45,870 --> 00:03:47,890
So we want to connect over Port 23.

56
00:03:48,180 --> 00:03:52,710
So now we're getting the login screen, as we can see, and has asked me for a long answer.

57
00:03:52,710 --> 00:03:57,390
I myself am in and then password MSF.

58
00:03:57,620 --> 00:04:00,270
And now, of course, you wouldn't be doing this on an assessment.

59
00:04:01,620 --> 00:04:03,660
You would be capturing somebody else logging in.

60
00:04:04,260 --> 00:04:07,440
But like I said, network limitations with virtual box.

61
00:04:07,440 --> 00:04:11,160
But this is the same thing if you are like on an actual network, which it was.

62
00:04:11,310 --> 00:04:17,010
So let's say like, you know, I'm an administrator on this network and I just logged in here and,

63
00:04:17,010 --> 00:04:18,560
you know, I'm doing stuff cool.

64
00:04:18,990 --> 00:04:24,770
So if we go back over to our Wireshark, we're going to see heightism telnet traffic right here.

65
00:04:24,990 --> 00:04:27,420
So what we can do is actually use this filter.

66
00:04:27,420 --> 00:04:29,460
And there's a lot of different filters that you can do here.

67
00:04:29,460 --> 00:04:38,160
Like you can do like you can search my IP address and only show, you know, things that have that IP

68
00:04:38,160 --> 00:04:40,650
address as a destination or source.

69
00:04:40,650 --> 00:04:44,100
You can support what we're going to do just 10 minutes on it.

70
00:04:44,910 --> 00:04:50,440
And now it's going to actually show us all the Tonet package that is actually captured right now.

71
00:04:51,150 --> 00:04:58,110
So what we're going to want to do is actually look for the once you see, like, this gobbledygook down

72
00:04:58,110 --> 00:04:59,580
here, so.

73
00:04:59,780 --> 00:05:04,400
What we are going to do is scroll through these packets and look for the one that says password, it

74
00:05:04,400 --> 00:05:09,010
might take you a second, but you usually will typically find it is a pass.

75
00:05:09,020 --> 00:05:11,030
Judgment passes that I want this password right there.

76
00:05:11,360 --> 00:05:14,540
So when we find that one, we're just going to.

77
00:05:14,540 --> 00:05:14,740
Right.

78
00:05:14,750 --> 00:05:19,560
Click it to follow and then the TCP stream and then bam.

79
00:05:19,580 --> 00:05:21,960
Now it's actually showing us everything.

80
00:05:21,960 --> 00:05:23,660
Now sit over in plain text.

81
00:05:23,870 --> 00:05:29,660
So as you can see it saying the log and it's a little bit misconstrued, I believe it has something

82
00:05:29,660 --> 00:05:30,560
to do with virtual box.

83
00:05:31,220 --> 00:05:35,510
It has MSF admin that has the password right here as members of.

84
00:05:35,890 --> 00:05:38,270
So we just found some credentials in plain text.

85
00:05:38,270 --> 00:05:43,450
So now you can actually go, oh, we know it works, but you can actually go and actually log in now

86
00:05:43,790 --> 00:05:45,920
to that machine using those credentials.

87
00:05:46,160 --> 00:05:50,930
And now, you know, you've officially, technically launched your first attack on a machine.

88
00:05:51,110 --> 00:05:53,040
So that'll get you in there.

89
00:05:53,060 --> 00:05:56,360
So when you are in assessment, you should look out for tonight.

90
00:05:56,390 --> 00:06:01,700
So now let's get into searching for understanding some actual exploits.