1
00:00:00,090 --> 00:00:19,220
In a previous video we discussed SSH and that it's really not always that much of a low-hanging fruit. So we've got SSH here and say we want to attack it. Now there are three reasons we're going to do this, and this is from a realistic perspective.

2
00:00:20,090 --> 00:01:02,380
If we see SSH on an assessment we're going to try to brute force against it or use weak or default credentials, and we're going to do that because, one, we're going to test password strength; two, we're going to see if we can get in with a weak password or default password, and if we can, also attest to password strength, correct? And three, we're going to see how well the blue team performs. Do they catch us? Do they see us brute forcing? This should be something that should alert when it is being performed. But you would be surprised how often it does not.

3
00:01:02,740 --> 00:01:39,290
So during a pen test I am as loud as possible. This is not a red team assessment where we're trying to be quiet. This is a pen test where we are as loud as possible and we are hoping to be caught. Sometimes we're just told to tone it down a little bit, you know, "Hey, we're seeing you. Can you be more quiet?" And we just want to be caught sometimes so we can give kudos in a report and say, "Hey, you saw scanning here and here, and kudos to you, but you didn't see scanning here and here." So this is how we really help fine tune a blue team, and help fine tune a client as well, is being loud sometimes.

4
00:01:39,310 --> 00:02:00,970
So we're going to practice being loud today, and we're also going to practice brute force attacks, and we have the perfect opportunity to do that with an SSH port being open on this machine. So what we're gonna do is we're going to use a tool called Hydra, and then I'll show you the Metasploit way as well. So Hydra is a brute force tool. So the syntax for Hydra is going to be this.

5
00:02:00,990 --> 00:03:01,080
We're gonna say hydra, and then we're going to give a -l for the user that we're going to be utilizing, in this case I want to attack root, and then we're going to give a capital -P for the password list. So if we want to use a password list with -l we can just say capital -L, but here we're going to say capital -P for the password list, and then we're just gonna say /usr/share/wordlists/metasploit. And I'm just going to double-tab in this folder so you can see how many words are actually in here. There's quite a bit of wordlists, and you can space, space, and it has wordlists for all different kinds of things built in, and these are all over Kali. So it's good to know your folder locations, but /usr/share/wordlists is one that we'll use quite a bit. And what we're going to do is we're going to utilize an attack with these Unix passwords here.

6
00:03:01,110 --> 00:04:00,120
We have Unix users and Unix passwords. We're going to utilize the Unix password list and just try to brute force with that. So we'll say Unix passwords, something like that, and then we're going to need to specify what we're attacking. So we are attacking SSH, like this, at the IP address of our machine, or attacking port 22, and then we need to have a certain amount of attempts or threads at once, and we're going to limit that to four, and then I'm going to do a capital -V for verbosity, just because I want to see the user attempts flow through so that we can actually see what's going on here. So once you've got the syntax ready to go, go ahead and hit enter, and you're going to see that it's starting to attempt root login passwords with all these weak passwords here, and hopefully it might find something.

7
00:04:00,330 --> 00:04:41,620
But let's go ahead and open up a new terminal here. And we're going to make this a little bigger, and I'm going to load up Metasploit as well. Yeah, we're gonna run the same exact thing in Metasploit, but I think it's good to know multiple frameworks and multiple tools to perform the same task. So here we're going to search for something like ssh, and this is going to be an auxiliary module, so we'll just scroll up and we're going to look for something like ssh login. Perfect: login and check scanner, and make sure we don't have anything else. And it looks good to me.

8
00:04:41,680 --> 00:05:41,010
Let's go ahead and take this ssh login and we're gonna go ahead and say use, options, and now we have kind of our brute force options here. Let me make this a little bigger, since it's prettier. So we've got a brute force speed from zero to five, five being the fastest. Dribbling passwords, no, no, no. We can set a hard password and we could set a hard username. We could set a user and password file, a user pass, user as password file again. We can have a password file as well. So we have a lot of different options here that we can utilize, but we're gonna go ahead and do the same kind of thing. We're going to say set username and we're just gonna say root, and then we're going to say set pass file, similar to what we just used.

9
00:05:41,010 --> 00:06:57,880
We're gonna say /usr/share/wordlists/metasploit and then we're going to say unix, sorry, Unix passwords, and that should set the pass file, and then we just set our host as well. Set RHOSTS and we'll say 192.168.57.134. Say options one more time and you can see that we've got our password file set, we've got our RHOSTS set, we've got our RPORT on 22, threads is one, username root, and we should be good to go. Now we can set multiple threads here, we could set threads to like 10, this is really going to amp it up, I mean this should be detected in a second, but we're gonna try to run it. And we could set, actually let me Ctrl-C, let's set verbose to true as well, just so you could see that it's actually working. Set verbose to true, and then we're gonna run this, and then it's going to attempt different credentials here, and it'll say, "Hey, I found it," and light up green, and then we'll know it's good.

10
00:06:58,210 --> 00:07:22,830
So this is actually going kind of slow, surprisingly, and you can see here that we are at attempt 112, 116. So this is also going slow, and we do not have a successful attempt or a login. I actually don't believe there's going to be one, but you never know. I believe I remember taking this offline and trying to crack the password, and it wasn't any kind of weak password.

11
00:07:22,860 --> 00:07:48,400
So you can let your brute force run if you want to go with it, but I'm going to go ahead and kill mine, and that's it for this video. So from here we're going to talk about a similar methodology called credential stuffing, which we've already talked about before, except we're not brute forcing but we're using common knowledge to our advantage. So we'll talk about a little bit of cred stuffing in the next video.