OK, so the first thing we're going to do before we get into searching for exploits, because this one doesn't really involve an exploit but it's very useful to know about, is take advantage of Telnet really quickly. Telnet is a remote management service that, as you know, runs over port 23, if you remember from that section. I also just brought it up. Anything over Telnet is unencrypted, and that's why they replaced it with SSH. But it is still used; I've seen this in corporate environments, on different assessments, where Telnet is actually in use. You can use a protocol analyzer to sniff the traffic because it's sent in plain text. It's not encrypted, so we can actually read everything that's being sent over that port. What we can use is an application called Wireshark, a protocol analyzer. It's going to allow us to sniff all the traffic on the network and find exactly what we want. So let's go ahead and switch over to our VMs and get things going.

OK, so we're back in the Kali machine. What we're going to do now is use Wireshark to capture credentials being sent in plain text over Telnet. I have my Metasploitable machine running, as well as a Windows machine running. The Metasploitable machine is running and I know the IP address. So what we want to do is open up Wireshark. It's going to be `sudo wireshark`, and it should open up and ask for your password. I know that the Ethernet connection for this network on mine is this one, and you can confirm that on your own: just run the ifconfig command from the terminal and you'll be able to figure it out. So this is the interface of Wireshark. What you're going to want to do, like I just said, is choose the interface that you want to listen over. We want to listen over this one. As you can see, that's the subnet right there, the 192.168.56 subnet. That's the subnet for my host-only VirtualBox network. So I'm going to double-click that one and choose to listen over it. What it's going to do is start to capture packets that are actually running over this network. The one thing I will bring up is that with VirtualBox there are some limitations with network capturing. So instead of having another device try to log into the Metasploitable on its own and capturing that, what we're going to do is capture the traffic coming from this Kali machine logging over into it.

We do know the credentials, but it's going to be the same as you would see if this was a regular network with actual machines; you would be able to see the traffic there as well. So I just wanted to let you guys know that. So we have Wireshark running; as you can see, it's capturing packets, just capturing all the different little packets running across the network right now. Not really too important what's going on right now. What we want to do is initiate a Telnet connection over to our Metasploitable machine. And when we do that, we'll be able to come to Wireshark, play with some filters, and see what happens. So we're going to go over here and use the telnet command. If you don't have it installed, you can just do a quick sudo install and install it. I didn't have it on here for some odd reason; I thought it came by default. So we're going to do `telnet 192.168.56.104`, because I know that is my Metasploitable box, and I'm going to put a port number: we want to connect over port 23. So now we're getting the login screen, as we can see, and it has asked me for a login. I'll put in msfadmin and then the password, msfadmin. And now, of course, you wouldn't be doing this on an assessment.

You would be capturing somebody else logging in. But like I said, network limitations with VirtualBox. But this is the same thing if you are on an actual network, which it was. So let's say I'm an administrator on this network and I just logged in here and I'm doing stuff. Cool. So if we go back over to Wireshark, we're going to see all this Telnet traffic right here. What we can do is use this filter. There are a lot of different filters you can do here. You can search my IP address and only show things that have that IP address as a destination or source. You can sort by port. What we're going to do is just type `telnet` in it. And now it's going to show us all the Telnet packets that it actually captured right now. So what we're going to want to do is look for the one... once you see this gobbledygook down here. What we are going to do is scroll through these packets and look for the one that says password. It might take you a second, but you'll typically find it. It says "Password" right there; that's the one I want, this password right there. So when we find that one, we're just going to right-click it, Follow, and then TCP Stream, and bam. Now it's actually showing us everything.

Now it's sent over in plain text. So as you can see, it's saying the login; it's a little bit misconstrued, I believe it has something to do with VirtualBox. It has msfadmin, and it has the password right here as msfadmin. So we just found some credentials in plain text. So now you can actually go... we know it works, but you can actually go and log in now to that machine using those credentials. And now you've officially, technically launched your first attack on a machine. So that'll get you in there. So when you are on an assessment, you should look out for Telnet. So now let's get into searching for and understanding some actual exploits.
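As an added example (not part of the course video or its materials), here is a pure-Python version of what the `telnet` display filter and "Follow TCP Stream" do for you in Wireshark: pick out the client-to-server TCP segments on port 23, put them in sequence order (dropping retransmits), strip the IAC option negotiation that shows up as binary "gobbledygook" at the start of the stream, and read off the typed login and password. Everything below is constructed: the Kali address 192.168.56.101, client port 40000 and the frames themselves are assumptions for the example; 192.168.56.104 is the Metasploitable address used in the video, and msfadmin/msfadmin are its well-known default credentials.

```python
"""Pull a Telnet login out of raw Ethernet frames the way Wireshark's
"Follow TCP Stream" does: order the client->server segments by sequence
number, drop IAC option negotiation, and read the typed lines.
Added example; every frame below is constructed, not captured."""
import struct

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def parse_frame(frame: bytes):
    """Return (src, dst, sport, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # too short or not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                        # not TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, seq, tcp[data_off:]


def reassemble(frames, dst_port=23):
    """Join client->server payloads in sequence order; a retransmitted seq is only used once."""
    segments = {}
    for frame in frames:
        p = parse_frame(frame)
        if p and p[3] == dst_port and p[5]:
            segments.setdefault(p[4], p[5])   # first copy of a sequence number wins
    return b"".join(segments[s] for s in sorted(segments))


def strip_telnet_options(data: bytes) -> bytes:
    """Remove IAC commands and option negotiation (the binary noise at the
    start of a Telnet stream) so only the user's keystrokes remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
            continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd == IAC:                       # IAC IAC is an escaped literal 0xFF
            out.append(IAC); i += 2
        elif cmd == SB:                      # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):  # three-byte option command
            i += 3
        else:                                # two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


def extract_credentials(frames):
    """Return (login, password): the first two lines the client typed.
    Telnet clients send CR LF or CR NUL as end-of-line."""
    text = strip_telnet_options(reassemble(frames))
    text = text.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n")
    lines = [ln.decode("ascii", "replace") for ln in text.split(b"\n") if ln]
    return (lines[0], lines[1]) if len(lines) >= 2 else None


# --- constructed sample capture (assumed addresses; nothing here was sniffed) ---
CLIENT, SERVER = "192.168.56.101", "192.168.56.104"   # Kali address assumed; .104 is the video's Metasploitable box


def build_frame(src, dst, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which parse_frame ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return bytes(12) + b"\x08\x00" + ip      # zeroed MAC addresses, EtherType IPv4


def _c(seq, payload):   # client -> server
    return build_frame(CLIENT, SERVER, 40000, 23, seq, payload)


def _s(seq, payload):   # server -> client: prompts and echoes, deliberately not reassembled
    return build_frame(SERVER, CLIENT, 23, 40000, seq, payload)


# DO SUPPRESS-GO-AHEAD, WILL TERMINAL-TYPE, then a TERMINAL-TYPE subnegotiation (17 bytes)
NEGOTIATION = bytes([IAC, DO, 0x03, IAC, WILL, 0x18, IAC, SB, 0x18, 0x00]) + b"XTERM" + bytes([IAC, SE])

SAMPLE_FRAMES = (
    [_c(1000, NEGOTIATION),
     _s(5000, b"Ubuntu 8.04\r\nmetasploitable login: "),
     _c(1017, b"msfadmin\r\n"),                              # login sent as one segment
     _s(5040, b"Password: ")]
    # password typed one keystroke per segment, arriving out of order
    + [_c(1027 + i, bytes([ch])) for i, ch in reversed(list(enumerate(b"msfadmin")))]
    + [_c(1028, b"s"), _c(1035, b"\r\n")]                    # one retransmit, then Enter
)

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_FRAMES))
```

Two practitioner notes. First, the doubled or scrambled login you see in the two-direction stream view is usually the server echoing each typed character back to the client, so the client's bytes and the echoes interleave; reassembling only the client-to-server direction, as above, gives you the clean keystrokes. Second, Wireshark's `telnet` filter keys off port 23, so Telnet running on a non-standard port will not match it until you use Decode As, whereas a filter on the host address or a raw string search will still find it. The command-line equivalent of the right-click is `tshark -q -r capture.pcap -z follow,tcp,ascii,0` with the stream index of the session.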