1
00:00:00,430 --> 00:00:03,760
In this lecture, we are going to learn Telnet exploitation.

2
00:00:05,790 --> 00:00:11,100
Telnet is an application protocol which allows you, with the use of a Telnet client, to connect to and

3
00:00:11,100 --> 00:00:15,030
execute commands on a remote machine that is hosting a Telnet server.

4
00:00:15,660 --> 00:00:18,480
The Telnet client will establish a connection with the server.

5
00:00:18,780 --> 00:00:23,430
The client will then become a virtual terminal, allowing you to interact with the remote host.

6
00:00:23,790 --> 00:00:28,320
Telnet sends all commands in clear text and has no specific security mechanisms.

7
00:00:29,300 --> 00:00:34,850
Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.

8
00:00:38,790 --> 00:00:40,110
To scan for Telnet ports,

9
00:00:40,110 --> 00:00:41,490
you can use Nmap.

10
00:00:42,330 --> 00:00:45,330
Normally, Telnet is running on port 23.

11
00:00:45,780 --> 00:00:49,140
However, it is always best practice to scan all ports.

12
00:00:52,150 --> 00:00:54,100
Connecting with Telnet is very easy.

13
00:00:54,550 --> 00:01:00,340
You can use the command telnet, the IP address of the machine and the port number to connect to the machine.

14
00:01:00,850 --> 00:01:04,690
Telnet is often used to connect to backdoors from the attacker's machine.

15
00:01:05,870 --> 00:01:07,550
Now let's see the demonstration.

16
00:01:08,780 --> 00:01:14,300
I'm using the services room from TryHackMe, which is a very good room for learning exploiting network

17
00:01:14,300 --> 00:01:15,080
services.

18
00:01:16,190 --> 00:01:19,220
Let's first answer some basic questions about Telnet

19
00:01:19,250 --> 00:01:20,960
to understand the protocol better.

20
00:01:21,110 --> 00:01:23,120
So the first question is: what is Telnet?

21
00:01:24,460 --> 00:01:26,470
Telnet is an application protocol.
22
00:01:29,030 --> 00:01:32,060
So the second question is: what has slowly replaced Telnet?

23
00:01:32,210 --> 00:01:33,950
SSH has replaced Telnet.

24
00:01:35,060 --> 00:01:39,350
The next question is how to connect to a Telnet server with a given IP and port number.

25
00:01:39,770 --> 00:01:44,000
You can use the simple telnet command and specify the IP and port number.

26
00:01:45,280 --> 00:01:48,940
So the lack of what means that all Telnet communication is in plain text?

27
00:01:48,970 --> 00:01:50,680
So there is no encryption.

28
00:01:55,590 --> 00:01:56,880
Now start your machine.

29
00:02:02,700 --> 00:02:04,350
Once you get the IP address,

30
00:02:07,900 --> 00:02:09,370
launch your Nmap scan.

31
00:02:09,669 --> 00:02:10,780
Use -sS.

32
00:02:11,930 --> 00:02:14,720
-sV is for version enumeration.

33
00:02:14,910 --> 00:02:17,300
-O is for OS fingerprinting.

34
00:02:21,590 --> 00:02:23,660
And we do not have any port open.

35
00:02:24,710 --> 00:02:28,610
Nmap's default scan scans only 12,000 ports.

36
00:02:30,880 --> 00:02:34,690
Now let's just rerun the scan on all ports.

37
00:02:38,410 --> 00:02:40,180
So relaunch the scan with the flag

38
00:02:40,180 --> 00:02:40,480
dash

39
00:02:40,690 --> 00:02:41,380
dash.

40
00:02:47,420 --> 00:02:49,070
And now we get some results.

41
00:02:52,900 --> 00:02:55,240
So there is port 8012 open.

42
00:02:56,990 --> 00:02:59,060
And it seems to be some kind of a backdoor,

43
00:02:59,090 --> 00:03:01,730
which has "backdoor" as a label.

44
00:03:03,920 --> 00:03:05,780
So let's just answer the questions.

45
00:03:09,340 --> 00:03:11,800
So there is only one port open on the target machine.

46
00:03:13,140 --> 00:03:14,850
It is 8012.

47
00:03:22,290 --> 00:03:27,600
So based on the data returned to us, what do we think this port could be used for? Which is a back

48
00:03:27,600 --> 00:03:28,140
door.

49
00:03:30,430 --> 00:03:32,890
And we have already seen a possible username,
50
00:03:36,380 --> 00:03:37,070
which is good.

51
00:03:41,570 --> 00:03:42,800
Now complete the task.

52
00:03:49,490 --> 00:03:51,350
Now let's just connect to this backdoor

53
00:03:53,870 --> 00:03:58,220
through the command telnet; specify your machine IP and the port number.

54
00:04:03,360 --> 00:04:04,650
And we are connected.

55
00:04:05,720 --> 00:04:08,720
So we can run different commands on the target machine.

56
00:04:09,020 --> 00:04:14,780
Let's first of all start a tcpdump listener on our attacker's machine to check whether we can ping our

57
00:04:14,780 --> 00:04:17,480
attacker's machine from the target machine.

58
00:04:17,620 --> 00:04:24,620
Use the command sudo tcpdump ip proto icmp and specify the interface with a flag.

59
00:04:26,580 --> 00:04:28,410
Now connect to the target machine.

60
00:04:31,030 --> 00:04:33,330
Use .help to view all commands.

61
00:04:39,080 --> 00:04:43,580
Then use the command .run and try to ping the attacker's machine.

62
00:04:49,710 --> 00:04:52,560
So we do receive the ping from the target machine.

63
00:04:58,160 --> 00:05:00,010
Then answer the same on TryHackMe.

64
00:05:05,260 --> 00:05:10,210
So in the next task, we will try to achieve a reverse shell with msfvenom.

65
00:05:12,320 --> 00:05:13,580
On your attacker's machine,

66
00:05:13,580 --> 00:05:19,520
use the command msfvenom to list all payloads and filter for netcat payloads.

67
00:05:23,350 --> 00:05:26,300
So we have a cmd/unix/reverse_netcat payload.

68
00:05:27,390 --> 00:05:28,110
To use it,

69
00:05:28,110 --> 00:05:34,440
use the option -p, specify the payload, specify the IP address of the Kali machine and the port

70
00:05:34,470 --> 00:05:36,930
number, and your payload will be generated.

71
00:05:37,350 --> 00:05:38,160
Copy it.

72
00:05:41,980 --> 00:05:48,340
Now start the netcat listener on your attacker machine with the nc -lvp command.
73
00:05:50,660 --> 00:05:54,380
Now back on the target machine, try to run it with the .run command.

74
00:05:58,060 --> 00:05:59,590
And we do get a reverse shell.

75
00:06:00,610 --> 00:06:05,920
Use ls to list the contents of the current directory, and we have a flag.txt file.

76
00:06:08,140 --> 00:06:09,640
And we are actually root.

77
00:06:11,100 --> 00:06:14,340
Cat out the contents of this flag file with the cat command.

78
00:06:14,370 --> 00:06:16,020
And we do have a flag.

79
00:06:17,300 --> 00:06:18,200
Copy the flag.

80
00:06:20,230 --> 00:06:22,660
Now let's just answer the questions on TryHackMe.

81
00:06:24,740 --> 00:06:26,630
Paste your flag and submit it.

82
00:06:28,100 --> 00:06:32,150
TryHackMe also asks for the command that we used to start our listener.

83
00:06:32,840 --> 00:06:37,310
So we used the nc -lvp command to start the listener.

84
00:06:38,740 --> 00:06:42,070
The next question is: what word does the generated payload start with?

85
00:06:45,370 --> 00:06:46,720
It is mkfifo.

86
00:06:53,140 --> 00:06:58,150
So in this video, we have learned how we can use Telnet to exploit a target machine.

87
00:06:59,730 --> 00:07:03,030
I hope you liked this lecture and see you in the next lecture.