Finding & Exploiting Network Devices with Nmap

Captions
Hello and welcome to another episode of Hacking with Friends. Today we're going to do some really exciting stuff, and I'm joined here today with Michael, who is our chief cable dragger over here at our production team. Michael, hi.

This is Cody, our official dingus of the studio.

Okay, and I'm a security researcher at Varonis. Michael's vocabulary is sometimes a little bit limited, but today we're going to go into a topic I really like, and I'm going to be dragging Michael along the way. We're going to be learning about target enumeration, and actually we're going to hack a target today using mostly Nmap. The reason we're going to be using mostly Nmap is you can't hack what you can't see, so we are going to be focusing on identifying a device, focusing in on it, discovering an open service, and actually breaking in. So this should be pretty fun today. Michael, have you ever done anything like this before?

Not really, actually. I know enumeration is one of those subjects that kind of gets glossed over. Everyone's all into "how do I hack Wi-Fi," all the sexy parts of hacking, and then they're like, "Okay, I got access, now what do I do?"

Yes. So really what we're talking about today is what happens when you find an Ethernet port that's just open and you can connect to anything on the network that it's connected to. What if you find a Wi-Fi network that's not properly secured, where it's just by default open and you can scan around on it? There's lots of different reasons why you might have open access to a network with lots of stuff on it. One thing I should caution you before we do this is that some of the stuff we're going to be doing will definitely be illegal if you just happen to do this, for example, on your school network. So while scanning is okay, if somewhat suspicious, there are other things that are not, and in fact, depending on where you are, scanning can still get you in trouble. I've brought this up a couple times, but I was shocked to learn that you are not actually allowed to directly scan a computer that you don't own or don't have permission to in Germany, so they have to rely on tools like Shodan to do the scanning for them and then just subscribe in order to get the results.

So has Shodan technically been doing illegal scanning?

Well, they're located in the United States, so if they happen to have German customers who are subscribing to a United States-based company's data, then it's a loophole.

Yeah, I mean, it's one of those things where, you know, the data's out there and you can subscribe to it, you just can't actually go out and do it yourself. You need a third party to do the scanning. So if you live in the United States, then you can pretty much scan whatever you want, although you might get some unwanted attention depending on what you're scanning. And we need to get into some scope here, because when I talk about identifying targets and stuff, people who aren't familiar with networking are always kind of misidentifying whether we're talking about internal or external network stuff, right? So first let's say that one part of my job is, from the complete outside of a network, without having a password, identifying different devices that are nearby, maybe which network they're connected to, and maybe even cutting one of them off from that network and hitting them with a phishing attack to try to break into the overall network. That's all external network stuff. We don't need to know the password, we can't really see the contents of the communication, but we can see metadata, and that's enough to give us a very clear indication of what's going on. Today we're going to take a step even further, and we're going to look at internal network stuff. So let's say that, based on one of our previous guides, like the one where we're popping up a phishing page on someone's phone trying to get the network password, we succeed. So now we're actually part of the network. We can join, we can decode traffic, we can actually do stuff. What would a hacker really do here? That's what we're going to focus on today: internal network stuff, where we're basically assuming that we're ending up on a network that might be vulnerable, it might be open, it might have juicy stuff on it, and we're trying to get around the network, identify things that we're interested in, and maybe even, you know, do something nefarious or something bad when we identify a target. And today we're going to be hacking Michael's Raspberry Pi.

Okay, yeah, this magical Raspberry Pi that I set up.

Yes. So Michael's Raspberry Pi is currently behind us. It is running, I think, Kali Linux, and we are going to be breaking into the SSH connection of this really nice tool, and hopefully you will know that it worked because we will get the screen behind us to light up or flash or do something when we reboot the device.

Yeah, I just thought of that just now. It's like we planned it all along, right?

Yeah. So okay, we're going to be deploying a couple tools here. So let's say that I've gotten access to this network. How? Well, maybe they left an Ethernet port open somewhere, maybe we have gotten access to the Wi-Fi password, maybe we've cracked it, maybe we've phished it. Doesn't really matter. We're in the network, and now we can start to do bad stuff. Well, what are our tools? What are we able to do? Well, first we're going to use Nmap, and we can also use something called arp-scan, in order to take advantage of two network features. So doing an ARP scan takes advantage of Address Resolution Protocol messages, which are basically trying to figure out who is connected to which IP address and making a list of these relationships. Now, we can perform a scan if we want to know everything that's on a network by just inquiring for every possible IP address on the network and saying "who's here," and basically anything that's on the network that is there is supposed to reply to us. This is a mechanism to, amongst other things, prevent collision, make sure we don't get the wrong IP address, and also make sure that messages are sent accurately. Now, there's attacks that are based around ARP spoofing and doing that sort of stuff, but today we're going to be using ARP the way it's intended, and we're just going to be using it to discover other devices on the network. So this is the first scan that we'll do.

And so that's how the whole scanning process works, then? I ask for all the IPs on the network, and then I go to each IP and ask for each individual port, or no?

So the ARP scan is going to be our first mechanism of discovery. This is just going to be something to reference and figure out the network range. Now, of course, we can just join the network and then infer the network range from the IP address that we're given, but in order to just kind of see what's already out there from one layer, we can just do a simple ARP scan, and that'll allow us to do a very fast scan that shows us the results very quickly. Now, if we want to go into something more complex, that's when we're going to move into Nmap, and with Nmap we can do things like, once we figure out the network range, scan the entire network in sequence and figure out if there are any services open that we really want to start poking around at. So yeah, we'll move into Nmap, and then we're going to start looking for targets that run services we know might be vulnerable. Now, if you don't use an SSH key and instead you use a password, Michael, can you explain why that might be a bad idea?

Well, you can brute force those passwords, for sure, pretty easily, which is why I always recommend people... fail2ban is a thing you can install on your SSH so that it bans you if you get five failed attempts.

Right. So brute forcing, for the unaware, is something where we're going to try out a whole bunch of passwords in order to try to break our way into this network. I actually came across this while I was looking at something about Emotet today. The way that it was breaking into other devices and figuring out how to spread itself really intrigued me, so I've been looking into ways of kind of replicating this behavior and showing off some of the ways that these IoT attacks or other ransomware attacks work. So this is something that also is integrated by a lot of really advanced tools to do brute forcing against networks or services. So what we're going to be demonstrating today is something very similar to what something like Emotet would do after it managed to get into a new network and it was trying to propagate itself by looking for vulnerable services. All right, so let's go ahead and switch over to my screen, and we have a couple essential things we have to set up first.

So dark and spooky.

I know. Well, it's almost Halloween-ish, sort of, according to every grocery store. All right, so a password list there. Yeah, what is this? So, all right, we have a whole bunch of passwords in our password list, and this is something that we're going to be using later. I just wanted to show off that, you know, whenever we're starting out with brute forcing attacks, it's always good to have a base of passwords that are really, really common. Some of these are more common than others, and I've also seeded this with one I happen to know may just work a little bit later on, just to demonstrate how all this happens. But in general you'll need a good password list, and I recommend, for those who don't know anything about this, just Google "WPA2 password list." That's where I get a lot of my good ones if you're doing WPA2 stuff. Otherwise you can find common logins for different operating systems and stuff, and you'll find that the ones that are default are the ones that perform best. So here we're going to be taking advantage of a password that has been left default. So what that means is, when we set this up, we never bothered to change it away from this exact same login and password that every other Kali Linux device now uses. So, unfortunately, that
means that it's very likely that this login pair is going to be in our brute forcing list.

Ironically, too, I feel like it makes a lot of script kiddies or newer hackers vulnerable, because they'll install something like Kali and just leave everything default, because they don't know to change anything.

That's correct, yes. And so, ironically enough, by trying to be a hacker, they actually make themselves more vulnerable.

Yep.

All right, so right now we are connected to a wireless network, and what we're going to do is, first, we're going to scan, and we're looking for a Raspberry Pi device. But let's say that we have just joined this network. We have no idea what is on it. Do I have ipcalc? Yeah, I sure do. Okay, so let's say that you're brand new to networking, you don't know anything about the way that this stuff works, and all you know is that you have an IP address and you don't know what it means. So let me do... I'm going to do ifconfig, and to be kind to Michael, I'm going to try not to emit information that might upset him and that he might have to blur. Let's see if I manage it. So I'm going to do ifconfig | grep 192.168, because that's what I know the IP address starts with. So here we go. So my IP address is 192.168.1.101. Well, what does that mean? How many IP addresses are possible on this network? If you don't know any of that stuff and you don't want to do the math, you can type ipcalc, if you're on a Linux system or a macOS system and you have this installed, then the IP address, and look at this, it gives you all the information about this. It shows you the network range; you can type this in order to scan everything on the network. It tells you the minimum, which is usually where the router is. It tells you the maximum, which is the highest IP address that is able to be assigned. The broadcast, you know that this is going to everything. And it gives you the total number of hosts per network, so you know this can support a total of 254 different devices connected. That's how many IP addresses it can give out. Isn't this useful?

Yeah. The thing that's always confused me is the /24, slash some number, at the end. I don't understand what the purpose of that is.

So it's a network mask. So here you can see that the network mask is basically 24. So if you look at just the bytes of the network mask, it's 255.255.255.0, so there's only basically IP addresses in this range that are available to be allocated. So when we're doing a network scan, we can just do 192.168.1.0, basically starting all the way at the absolute minimum, and then we're saying /24, and basically we're giving it a subnet that says this is the range, so the entire last octet is what you can go up and down. So we're basically passing it a filter is what we're doing there.

Okay, that makes a little more sense, but there's some of that weird byte math going on there.

Exactly.

Because I'm like, /24, how do you get 255 possible IPs out of it?

Yeah, the literal of it is spelled out right here. This is what your actual IP address is. If you're interested, IP addressing is not that hard. I'm not going to go too much into it today, because there's this great tool for people who want to cheat and just be able to get through it, to be able to find this out. But yeah, I think that IP address subnetting and stuff is something anybody would do well to learn a little bit about, because it makes navigating networks really, really easy. Some of the commands I'm going to show today do not require you to have a subnet or an IP address or whatever; you can just type them and they will work, and that's why I like them, because they're beginner friendly. But other network tools will specifically require you to know the IP address that you're looking for, and for a new hacker, someone who hasn't done a lot of networking stuff, it's super confusing. You don't know how to find stuff on the network, you don't know where stuff is, you don't know where you are. So this network range right here, this is what you need, and in general, if you're on a commercial network that's just in the United States, you're going to see something like 192.168.1.something, and the .0/24 is the shortcut to scan the entire network, and that includes everything possible on that network.

And that's why I always say, if you're getting into ethical hacking, I strongly suggest setting up your own home network, doing pfSense, whatever you want to do, just because you're going to force yourself to learn more of this networking stuff, right? Because that way, when you do crack the system, then you aren't like a lost ball in high weeds. You're like, "Oh yeah, here I just need to, you know, scan the network, do this and that," and you're not like, "What? What IPs? What is that?"

Yeah, yeah. So a shout-out to this, by the way, because I believe he's the one that taught me this little trick. Very handy. So okay, so we have the network range, but let's say that I'm a total beginner, I don't even know what this means, I just want to find out everything I can on the network. Well, let's do the ARP, okay, we were talking about before. So I've updated macOS, and Wireshark has gotten very finicky, but I'm going to risk it all and see if I can possibly look on the network and see what this looks... crash the system.

Can you make that terminal window...

It won't matter, because Wireshark is going to launch right now. Okay, let's see what happens.

That's so tiny.

No, no. Okay, cool. All right, so it's running. I'm going to minimize this. Whoa. Get small, let's get small. All right, and then Wireshark, where are you? Why are you... okay, I'm going to put you over here. So hopefully what I expect to see is a bunch of ARP packets go out when we do an ARP scan. So let's talk about arp-scan. man... let's see if it has a man page. Yeah, cool, it sure does, but it's not big enough there. So arp-scan, the ARP scanner, very useful. So it explains how it works. Basically, you can use the --localnet option to identify the IP address that you have and then scan the entire network range. It does it for you. It's so handy, it's so useful. So there's a bunch more information. This is actually a very powerful, very useful tool. You can see that there's different things you can do with it. Oh my gosh, there's so many different things you can do with it, but I'm not going to do any. I'm just going to do arp-scan: sudo arp-scan -l, that's the abbreviation for it, and then when I press enter, I expect to see on this side a big flood of ARP packets. But let's see.

And so I know in previous streams and stuff we've talked about Fing, which is an app on your phone that does scanning. So is that essentially what Fing is doing? Is this kind of...

Let's take a look. So we'll take a look with Fing. Hold on, let me go ahead and move this over, and for those of you that might... hey, look, look at this. So we have tons of ARP packets going out. What are they saying? What are they asking? I demand to know. So if we want to take a look at this, I can double click, Address Resolution Protocol, yeah, so it's basically asking... and actually let me close this and go to the main window, because I like the way that they sum it up. The messages are kind of simplistic.

Yeah, I like the protocol name. That makes it super easy to realize what's what, at least to some degree.

There's more information here, I know it. Okay, so you can see here: sender MAC address, sender IP address, target MAC address, target IP address. So it's sending to broadcast. It doesn't know who it's sending it to, but it's targeting a specific IP address. It's basically looking at this one in particular. So that is the behavior that we're able to actually see, and you can see it's doing it in a sequence, so it's targeting every single one, by one, by one, by one IP address.

Yeah, so basically it's just shouting out to a parking space and being like, "Hey, is there a car there?"

Exactly, yeah. There's another way to show source, destination, protocol... transmitter text item, no, maybe.

But yeah, what I was going to say earlier is Fing is an app you can download on your phone. I think it's on Android and Apple, but I know it's for sure on Android, and it's just a very simple way, when you're connected to a Wi-Fi network, to scan it really quickly, and then it'll allow you also to port scan individual devices as well. Super useful any time you're working with a Raspberry Pi or anything that's going on the network and you need to address it by its IP and you don't know where it is. Also, just if you want to, you know, mess around with your friends and you have their permission, you can port scan for IoT devices and stuff like that.

Yeah. So okay, I'm not going to dig too much into this. It's basically just asking a series of questions. Usually when you look at these packets, it literally is just saying, "Hey, who has this? Tell this," and that's really what this is saying. It's asking a question and demanding a response from anyone that's at that address.

That is so many packets.

Yeah, it is. So let's take a look at what we found. A ton of stuff.

Lots of stuff, yeah. So just a few devices.

Yeah. Looking at this column right here, we can see that we've identified some stuff. We found a Dyson, this is a... we found maybe a vacuum cleaner or something, and then we've also found some stuff that, you know, might be the router. I think I know what all the unknowns are. So we found a Roku, a streaming device, but we don't know the manufacturer of all of these devices yet. We just know which of the IP addresses on the left side are occupied. So this is good for us, because there is information here, but we don't quite know yet what is going on. So one thing we could do...

Well, I was going to say, something I think we covered in the pfSense stream is maybe you shouldn't always trust those MAC addresses, because they can be spoofed. We have a good idea of what the device is, but it could, you know, be saying, "Oh, I'm a virgin vertical launch system from Lockheed Martin," but, you know, clearly I don't think we have one of
those hiding in our basement.

So those... yeah, but yeah, no, we don't. So, yeah, so what we're going to do next does require us to know an IP address. So we know what our Pi IP address is, so let's go ahead and do a search, but this time we're going to do something a little bit more general. So we're going to do an Nmap scan, and let's take a look at man nmap, and this is always a good idea if you're going to be using a new tool, just looking at the man page if one is available. So Nmap, Network Mapper. Did you know that that's what it stands for?

Well, yeah, but it seems like an amazing, common-sense, but-you-never-thought-about-it kind of thing.

Right. So I'm going to open this a little bigger. So we can see that there's tons of different scans we can do, and we can see some examples.

Are these all example scans?

Some of them are, which is great. Scrolling through: options summary, there's so many options, operating system detection, just all this stuff, target specification.

Man, I feel like this is the kind of thing I'd get paid to read.

No, no, the man page is pretty good. -sn, -Pn, port, yeah, port list. So, and it describes how it does it as well, so if you want to know the methodology behind any of these scans, then, you know, it's really helpful to know them. And then if this is overwhelming too, I believe you can just do nmap -h. Look at that. I really can.

Can I just say, don't trust developers who, when you type -h, pretend like they don't know what you mean. They're like, "Oh, error, do you mean --help?" I was like, do you really need me to type out all those characters to know that I want to know, my poor pitiful soul? I'm sorry. It's just anti-social programming.

Okay, so over here we can see a big condensed list of all the stuff you can do, and it gives you some examples as well, and then at the bottom it'll give you some real examples you can just type in and just go. So in fact, if we want to, you know, take a look at nmap -v -A scanme.nmap.org, you can see, wow, it's doing a bunch of scanning stuff. It's loading a script. Oh yay, open ports, scanning services.

Yeah, very nice, okay.

All right, and of course this is just something that you are allowed to scan. So if you want to go ahead and scan this, it's literally scanme.nmap.org. So you can see, wow, tons of information on the SSH host key. Oh, you can see that there's an SSH port open, interesting. And then it's running Ubuntu, interesting. So again, this is another network; feel free to, you know, knock on the door of this, because it's not ours. But, you know, this is like a built-in example of how you can use Nmap, and if you want to get started, you know, I feel like they don't really care if...

Yeah, an important note, I feel like, about this is that this is a pretty loud process, right? Like, if you're monitoring the network, you're going to see a ton of traffic.

Well, okay, it really depends on what you want. Like, look at this stuff. The way that you are able to do a scan here, there's so many different options. If you want to go low and slow and try to do something that's not going to be detected, you can do that with Nmap. You just need to get into the weeds a little bit and do some of the stuff that might not be as common. So okay, let's go ahead and do a very basic scan. So let's say we have no idea what we're looking for yet. All we know is that we want to look for something interesting. Michael, what do you think would be the sign of something interesting, like a device that we could mess with? Like one or two examples.

Anything with open ports. I particularly like open SSH or FTP.

Or what other kinds of ports might be useful for controlling a device?

Internet, like HTTP. Yes, 80, 8080, 88, 81, 8080, 8181 and 8081.

Those are okay, yeah. So those are all the internet ones.

Those are all the internet ones.

So what do we mean by this? What does Michael mean by "internet port"? Well, what he means is a web server, isn't that right?

Yes, isn't that right? So that means that there is... not technically connected to the internet or whatever, if you want to get pedantic about all of that.

If you want to get correct about it, yeah. So basically what it means is that if we find a port that's open and it's on a certain port that tends to be reserved for web servers, there's probably an interface being offered up for you to connect to, and you would never know that this is the case. But a lot of the time, if you go to a coffee shop or something and you do a scan like the one I'm about to do, which you might not be allowed to do, you'll find that there's ports open on things like security cameras or all sorts of other stuff that shouldn't be open. And sometimes if you just go to that port, which we'll show how to do, you'll find that there's just something there. Sometimes it doesn't need a password. It can be pretty surprising to see that, you know, you can just make the printer do a test page any time you want in another office upstairs, just because they're on the same network. And so many times, even if there is a password, it's default stuff that is ridiculous.

And oftentimes when you do scans like that, you'll find router login pages. I've been, you know, at friends' houses, I've had permission to scan networks, and these are internet people, these are tech people, and I'm like, "You haven't touched your router ever? You haven't changed the default admin/admin or admin/password?" It's pretty ridiculous. And then, you know, a lot of times a lot of the devices will be like that. Printers are another very common one.

Yep. All right, so what does this look like to you? I'm going to make this big. Well, okay, sudo... whoa, whoa, whoa, whoa, whoa, hold on, why? It hates it. What have you done? You broke it. All right, so sudo, I'm going to, as an admin, run nmap on the IP range, like the default local network range, the other one being like 10.0.0, and then I'm going to look for ports 80, 81, 8080 and 8081. That's it. Boom, let's see what happens.

Oh yeah, -p, I guess, for the ports.

Yep. So we're just saying that we want to see this, but I've made a fatal mistake, a noob mistake. I have said that I want to see everything, the status of everything on the network, regardless of whether or not the port is open or closed. So if I'm a hacker and I want to find out, like, hey, I want to find some stuff that's... oh, so you want to look at, look at all this bad news that got... closed, closed, closed, closed, closed. We got one that's open. But this is not a very condensed report. If I scroll up, every single thing on the network is listed here. So like, cool, but there's a better way to do this. So let's go ahead and, rather than tediously go through this, let's just go back up to our last command and do --open.

Wireshark, oh my god. Nmap is beautiful.

Yeah. And we're going to redo this again, but we're just going to say anything that doesn't have something interesting going on, just omit that. If it's closed, if it's filtered, you know, I don't want to see it. And we can also invert this if you want to just look for closed things; we could do that as well if we so desired. But look at this. All right, we found only things that are open. This is a much more condensed report. Everything here is a positive hit. So we have some unknown MAC addresses. We have, concerningly, some sort of interface open on our Roku. God knows what that is. Let's go ahead and... let's go.

Sure, that's safe and mundane, yeah.

Great. So we can see there's a freaking printer connected. That's wonderful. You know, all those great, great news. So okay, let's say that we want to look at the... what's the least harmful thing? Let's go ahead and look at the Roku, right?

Yeah, sure.

Okay, all right, I'm nervous now. So let's see if I can just open... well, let me... no, it hates it. I have to actually, you know, do it in a real browser. You're so tedious, you know what I mean? Okay, fine. All right, so let's do this: 192.168.1.65. It's going to be... oh, and it immediately challenges us. admin admin, who knows, right now. I wonder what the default is. It doesn't work. Real quick, but if I cancel it, then, like, I still, you know, it takes me somewhere. I also know that it goes to 8080. So if I do 8080, okay, it doesn't want to give me anything. But the point here is I can start to attack this. I now am able to start, you know, messing with it. I'm able to start trying to log in. Suddenly I might... looks like something very easily forced.

Yeah. And what is this, right? 192.168.1.24. Very suspicious. Let's go ahead and find out. Connecting, connecting, and then...

Oh, you might find my Plex server.

Yeah, we could find all sorts.

Because I don't open my Plex server. I may, I may not.

All right, we're going to go ahead and run this. "URI doesn't exist." We found a light bulb, ladies and gentlemen.

Oh, okay, you're going to find like 20 of those.

We're going to find... no, most of them are not online. What is this? Another light bulb. So this requires... this is an API, so it requires a little bit something extra for us to interact with it. This one, another port 80 open. What's this? A printer, hooray, and it looks like it was designed in 1995.
cal that is change administrator password oh my gosh all right can i tell you this is the number one thing you can expect to find on public networks if you do a scan like this you're gonna find some wonderful person who very trustingly has just plugged in something like our brand new printer and decided that you know they're not going to set it up so now if i wanted to uh anybody on our network can set up this printer um and if this was put in a public network that means if you were able to find this ip address and this port being open you could too so is that good no like because whoever finds this first owns your computer like they are owns this device like they can change it to whatever they want and they can terrorize you with all sorts of prints or shenanigans you know when so yeah the ransomware video or live stream i jokingly talked about how we're going to get to the point where it's going to be like ransomware devices where and i feel like this is the that perfect example is like you could just write a script that like scans all the publicly available networks for printers for this page if it has it changes the password and then prints out a sheet of paper if you want this printer back give me two bitcoin okay so we have a clue here it's recommended to communicate via https for entering an administrator password do you remember the um the port for https michael no shameful i know i know i can't call myself a hacker now is it four four six or four four yeah i can look at it okay well no we're we're not going to freaking look it up because that is the whole point of it so let's do sudo and map in math what is and this is running like i'm not even going to do any arguments and it will do a much more invasive scan okay four four three four four three i was so close four four six i was doing four four yeah i was very close all right so it's not it's not opening anyway let's see if we get a better oh wait no not slash four four three coal and fourth right yeah 
okay so i'm just still still nothing here that's great well let's just could it be though https just trust me just do it no one hates it okay so that's very funny um but you guys can see that like there are things that are left open that are are kind of sketchy and like this is the reason why finding stuff on here is a good idea so um let's say that we are more interested in okay let's let's run another scan so there are some other flags we can run so sv what does that do i don't know [Music] yes this is the scan for varonis you can tell by the capital v yeah yeah what else could it be okay no um so this we just did a service scan okay so what we're able to so as you can see we weren't able to detect any varnishes with uh with our scan but we were able to detect other services running so what's interesting here is uh this sort of scan will go through and look for different services running on ports so we can see jet direct that sounds like some printer crap yeah uh we have tcc rap we have printer tcp wrapped printed definitely sounds like a printer yeah it all sounds like very printery stuff uh so if we wanted to do let's say we want to do although that would be great if you were to implant a rogue device on a network and just name it printer because no one would suspect that who would suspect the printer well i guess that a lot of printers do get compromised so they might actually suspect that okay so this is what we did so we just did a scan now where we did dash o what do you think dash o is open operating system so we attempted to figure out what the operating system is behind this stuff so with this scan which where did it go there's so much green i love it okay yeah so sudo and map dash pn and this can surround port blocking dash o to attempt to identify and then so first we see all the stuff that's open all kind of similar information but then linux our printer is running linux in fact it's running ddwrt version 3.0 um linux kernel 442 that's pretty cool so 
that's why it would be pretty bad to compromise a printer, because you basically have a full embedded Linux system on the network. Well, I mean yes, but also if we have any vulnerabilities, if we know anything about Linux, about this particular version of Linux, then privilege escalation on that particular version of Linux, I'm sure you could look up and find. Yeah, so if we do this CVE search, maybe we could find some sort of problems with this. Yeah, like a list of vulnerabilities related to this, and we can see, okay, does this affect a version of Linux that's recent? Looks like there's nothing that's super recent, but this is a way that we could potentially find an exploit and go after this. So this is how hackers will start to enumerate stuff and find out more information. This isn't what we're going to look for today. In fact, how far are we? Well, we are 33 minutes in.

All right guys, so now let's go ahead and get into the actual exploitation stuff. Let's go ahead and find something we can try to break into. So Michael, if we were going to break into a service aside from FTP, File Transfer Protocol, what might you look for? Well, we already discussed HTTP, web servers, so SSH would be another natural one. There you go, let's do that. All right, so what port is SSH on? Of course you could always change this port to something else, but if we're scanning around and looking for services running then it probably wouldn't help, right? Of course you put me on the spot. Is it 90 or 40 or so? It's a two-digit one, I forget. Yeah, it is two digits, and one of the digits is two. 22? And the other digit is two. Yeah. All right, so it is port 22.
That's default. So let's say that we don't know if any devices have port 22 open yet, do we? So we need to use freaking nmap for that. Something I've talked about in some of the videos is that these port numbers are more a matter of convention than they are law, right? So technically I could have SSH running on 9999. Right, yeah, or any number. Yes, but I can also just scan any target on every single port and just see what services are running, it just takes longer. ...1.0/24. And when we say longer, are we talking just seconds longer, or would that take substantially... I've already forgotten what you've asked me, hold on. sudo nmap -p22 --open. Okay, what was your question? So you were saying it would take longer if you wanted to scan every port. Yes. But that would only be like a couple of seconds longer, right? No, it would be like another minute or two, because you're scanning every port. So think of it as enumeration: for every device you find on the network you're scanning like 9000 ports, as opposed to for every device on the network you're scanning one port. Yeah, so you could say your first pass is that you would target specific ports, but then if you want to do a deeper scan you can do every port and see if there's any sneaky SSH servers hidden out there. And on your own server, if you are worried about some of that stuff, I mean, it's not that much protection, but you could always put it on another port or something. Yeah.

Okay, so let's go ahead and run this one. So what is this going to do, Michael? We're going to scan the network for port 22 and only show the open ones. Yep, that's it. So let's see what happens. Once we get that back we can select a target, and hopefully we'll be able to learn a little bit about the operating system and maybe identify, hey, our Raspberry Pi. All right, so we've identified .215. So let's go ahead and nmap it. Okay, nmap .215.
And isn't the SSH server disabled by default on Raspbian? Or, well, I guess this is Kali. It is Kali, and it's open by default. So I'm also going to do this in the invasive mode where I try to identify the operating system, so maybe it'll identify it as Kali Linux, maybe it won't, who knows. Let's see how good nmap really is. It's probably going to just identify it as Debian if I was going to guess, but if it manages to profile it as Kali Linux that would be hilarious. It's interesting that it doesn't do anything more to secure SSH by default. Well, you can, and it sort of does. I think you do have to open it, maybe, I'm not sure. No exact OS matches for host. Very sneaky, Kali Linux. So what's this TCP fingerprint thing we're looking at? I have no idea, because this is like Apple Darwin and there's no Apple anything involved in this. But maybe it's obfuscating itself, I don't know, who cares. Although I suspect that it's actually a fingerprint from here or something.

So all right, we have this. Let's do one more scan. I just want to do -sV, see if there's anything else open. Okay, so we can see that it's running OpenSSH 8.3, and oh, that's where we could have been. Yeah, so sometimes if one thing doesn't give it up, you just got to get more aggressive with those scans. There's a couple of scans in here that... nmap people can feel free to drop them in the comments... that are particularly aggressive, that are just signs of you becoming frustrated with the box. But I'll tell you what it is: it's just poking around and prodding it, and eventually something will fall out. You are, gosh darn it. Exactly. And here we can figure out that it's Linux, Linux kernel, it's a Raspberry Pi, it's running Debian. That's a clue that it might be running Kali, because Kali is based on Debian. I hear if you type harder it works. Yeah, better hacks. So okay, now we have something else we can do. We've identified something, we've gotten a couple of
clues about it. So are there any other scans we can do? Let's just do some of these random ones, because I want to see as much as I can about this target. I want to see if we can actually provoke it into telling us it's a Raspberry Pi. Let's do a... what's that? Should I do... who knows, I'm just taking these from the bottom example, I'm just running them. Maybe it means fire all weapons. Actually, it seems like I have time, so let's scroll up. Yeah, deploy all weapons. Man, there are a lot of options, guys. Stay safe. Well, there's a capital A: enable OS detection, version detection, script scanning, and traceroute. Yeah, cool. Okay, whatever. So, some results? Yeah, we got some results. It's still identifying OpenSSH and stuff. This one seems to just have done a lot of work, so I'm gonna go ahead and recommend the -A scan. It's a great scan and I stand behind it. Okay. Raspberry Pi Trading. Yeah, it's not really telling us too much. Also, maybe I'll try this last example, -iR. Yeah, cool, do it. So the next thing we're going to do as soon as I'm done playing with nmap... must be number of random... oh yeah, I don't want to scan a bunch of random IPs. I've exceeded myself. All right, so we've identified our target. It is 192.168.1.215.
We've seen that it's running OpenSSH, and we have reason to believe that it is a Kali Linux system. So what we're going to do is use a tool I really like called sshtrix. Okay, yeah, sounds like... oh, it's real. So ssh-t-r-i-x -h. Option requires an argument. Noise, noise. --help. Invalid host. I feel like this is SSH tricks, man. There we go. All right, sshtrix: a very fast multi-threaded SSH login cracker. Now let's say that we have a piece of malware, or even a hacker, but for the sake of this, a piece of malware like Emotet that's spreading over Wi-Fi, and it's managed to get access to a Wi-Fi network with a really terrible password. Once it manages to log in, it might run a scan of that network and try to identify things that are open, like this SSH port, and then run a cracking tool that's commonly available like this. So this is going to open multiple threads and attempt to crack this Raspberry Pi, and what we're hoping to do is be able to break into this computer without knowing the password. Of course, we're going to hope that it's the default password. We're going to try to break in and probably just get it to reboot, who knows.

So all right, let's go ahead and quit out of this, and we're going to start building our command. So how do we use sshtrix? I'm assuming we have to aim it at an IP and then we give it a password list. Oh, it wants -H. I'm sorry that you don't like the way that I ask for help. I'm sorry. Do you even use the dash lowercase? Okay, yeah, you use it for host, whatever. All right, me and the creator of sshtrix will have a conversation about this later. But basically what we need to do is use this syntax. So we need to do -h to identify the host, and then we need some arguments. The arguments that are available are a user list, a password list, a username string, and a password string. So this gets complicated: if we don't know the username, that means for every username we try
we have to try every password, so very quickly this begins to take a long time. But if we stick to defaults then this can actually be a pretty economic attack, and that's why I highly recommend disabling the admin login and creating a user that is, you know, even Michael. Michael being a very common name would dramatically increase the security, because then you'd have to brute force all the possible... oh, I forgot about this. I have to say, this is actually excellent. So if you just want to duke it out, no learning, none of this stuff, you just want to tap... it has a -D. So let's just try it: sshtrix -h, we'll put in our target. Oh no, not that, I copied something. No, I need to just put in the actual... when all else fails, use tacky. Whoa, it's way up here. Where'd it go? Here it is, .215. Worst copy and paster ever. All right, so that's the host, and then -D. Capital? Yep. Okay, so let's see what happens. It's probably gonna fail. So we didn't specify anything, we didn't set how many threads, but you can see that it's going for it. Oh okay, so I think the only reason it's going to be able to do this well is because it has a short password list of 79, right? Yes, because if it had a full, even like a million password list, I imagine this would take quite some time. Yes, and as you can see it hasn't even got through the first 79 yet. And you're seeing "cannot connect" errors: oh no, I'm a weak program and I'm sad. It'll keep doing this. Basically you just need to adjust and make sure... oh no, it's really trucking along now. You'll be able to adjust this so it goes slower or faster and uses more or fewer threads, and that's kind of how you'll calibrate this to make it work on whatever network. Yeah, I feel like... so this poor freaking... I don't know if this would actually allow you to do this, but I feel like it would be great if you could take the million most common passwords organized
by how frequently they occur and do, okay, the first hundred of those common passwords on all those users, and then proceed to the next two thousand, and so that way you're trying the most common ones first on all of them, and you'd be more likely to get this faster. Yeah, there's a whole science to IoT malware, also, that constantly uses techniques like this to propagate to other IoT devices on the same network. What they found also is that some of these will attempt this sort of process against Wi-Fi networks, where they'll just try to connect over and over and over with the top dumb Wi-Fi passwords. Now I really don't think it's going to get this, because this password list is quite large and I'm not sure if the default credentials are even on here. But if you want to go ahead and take a crack at something you have permission to, that you find on your network, that has SSH open, then this will work. And in fact I believe that sshtrix also works for FTP, which is funny. Oh cool. So is this the default SSH login for Kali? Yes. What do you mean? So is the Pi actually configured with the default? The Pi has not been modified, it's just been set up with Kali Linux, so it's going to be the default. So I would hope that a tool like this would have default... it was fairly recently changed to kali/kali, so I'm not sure that it's been updated since. Oh, gotcha. Or at least that I've updated this tool since then. So I'm gonna assume that it's gonna fail.

So let's say that it doesn't work and you're sad and you're upset and you don't know what to do. Well, fortunately all the things that you need to know are in this great information that sshtrix gave to us. Where is it? That's nmap. So down here, somewhere in this giant scrolling mess I have, you'll see that we can use the username string. We can use the username string to hard code in something we already know. So in this case we know that if we put -l, is it going
to actually append that to the list, or is it just going to do that one? It's just going to do this one, we're hard coding in one. So we know that Kali Linux has a default username of kali, but we're not sure if the password has been changed, so let's go ahead and provide a list. In fact, I'm gonna go up a little bit and I'm just gonna use this pre-seasoned one I prepared in the oven earlier. All right, so there are some additional arguments here, let's see what they mean. So first we have -e. I don't know why this is here, because it doesn't even work. -e means I want to exit as soon as we find the first valid login. You can put this at the beginning, you can put it at the end, it doesn't matter, it doesn't work in any position that I've been able to ascertain, except... no, I need to stop the program. Without doing this it will keep chugging along even after it finds a valid login, so if you have a million passwords and it finds it on the 10th time, it will not tell you until it's completely... I feel like that's just lazy coding. This is a person that doesn't allow you to just type -h, they want you to type capital. What did I say about that? You have a -H vendetta going on. I'm just saying, that's how you get to help, don't make it... okay, all right. So we also have a password list, so password.txt. So I'm going to go ahead and just copy this whole thing, and before we run it I'm going to go ahead and show password.txt. So cat. Yeah, why are we looking at this? All right, so we have lots of different potential passwords. All in all we have, I think, like... I really want to know... a hundred or so. Who uses that super long password? It's like a default one, I think: one two three four five six seven eight nine... it's just a super long password that's just counting all the way up. So nestled somewhere in here is "kali", the very common default
password. So it's not the first one, and we're gonna have to go through some in order to see, but you can see it's gonna try a whole bunch of different passwords and we'll need to whittle through them in order to actually try that out. So what is the command we're gonna use here? Damn it, of course I copied that, why did I copy that? All right, here it is. So we have the -e, that's useless. We have the -h, which is specifying the target, 192.168.1.215. This is the Raspberry Pi we found. We have the -L kali, so that's just specifying we're only looking for this username. Then we have -k, which is the password list, and then finally -t 40. Michael, what's that? Port? No. Time? No. -t 40: threads. Threads, oh, threads. So what is a thread? It's just like a portion of the CPU's power that can be run in parallel, so you can have multiple threads working on the same thing. Right, so we're going to attempt to create 40 simultaneous connections to the Raspberry Pi and all start trying to connect at the same time. A lot of them are probably going to error out, but just by being an octopus and trying everything all at once, we might be able to get through this list very quickly. Otherwise we're going to be stuck here for a while. Yeah, so if we did this with one thread... here, let's do it with one, so it's going to suck. Watch. Boom. Okay, so all right, we're attacking, we're a hacker, we're breaking in, cool, but it's going to take us forever because we're only using one thread. So good thing we have a fast processor. What's the limiting factor here on threads? Is it the Pi's processing power? Well no, it's the network, it's the speed of the network and then also the speed at which the Raspberry Pi is responding to our attempts to connect. So look, we've tried one, two... it's been 15 seconds. What? And there's only 201 passwords on this. We've tried three passwords. It's
better than doing it manually, but hey, let's do multi-threading, huh? Yeah, multi-threading seems okay. Let's stop this, this is painful. All right, so now let's go back and change the number of threads. Let's do 40 freaking threads. Yeah, over 9000! No, no, it'll break, my computer will catch on fire. We're going to do 40. Ready? Sure. All right, go, go, deploy the weapon. All right, we're 30... whoa, okay, cool. All right, no, chill, it's fine. I know that looks like... I know, but look, we're 60 deep, we're 52 deep, and we've already found one. So okay, the program has successfully found a login, but it's not sharing it with us, because that would be too useful. That option is a little bit too trick to function properly. But yeah, we're almost there. So look at this, we've got a login: kali, kali. So okay, cool. It would have been perfect if it had said we found the login and just didn't tell you, like the help menu, but aside from that it's not that bad. Okay, so here's the moment of truth, let's try to log in. So we have here the IP address that we found with our nmap scan, so ssh kali@192.168.1.215.
Yeah, cool. Okay, are you sure you want to trust this computer? This computer should be asking if it wants to trust me. Yes. Okay, cool, now it's asking for the password. All right, we found kali. What could that be? Right. And we have Kali Linux, absolutely no warranty, we will be... something, to the applicable law. Great, okay, we're in. We've managed to get into our completely uncustomized Kali Linux installation. Cool. Yeah, so all right, let's go. So this is the moment of truth. Let's go ahead and switch back to just us, and if I've gotten this all right, if we've managed to do this correctly, I can type reboot, and what should happen is one of these screens behind us, or both of these screens behind us, should restart. So again, what we've done is we've started from just joining the network, we've scanned around, we've looked for ports that were open, we've identified a service we're interested in, and then we used a cracking utility to figure out what the correct login is, and now we're going to test it. So I'm going to do sudo reboot. Moment of truth. Password for kali is kali, and go. Connection closed. Okay, I'm so nervous, what's gonna happen? Yeah, but all right, we've learned a lot. Oh, oh, okay, it works. Yeah, see, it happened, it happened. Totally. Oh yeah, I see code running. Yes. Sweet, all right, we did it. Yes. So we have managed to take remote control of this computer behind us, this poor Raspberry Pi, by scanning around on the network, identifying the Raspberry Pi and identifying the service that would allow us to break in, and in fact once we figured that out we were able to take control of it by brute forcing the password. Now what are the lessons learned here, Michael? What would you do to prevent this? fail2ban would be a first one. So what does that do? So that limits you to X number of login attempts. So you could set that... five is a common one, so it would ban access from a certain computer once it tries to access five times or more and gets the password wrong. So fail2ban
would be a good one. Doing it on a different port, I mean, it's just like a speed bump for a hacker, but it's something you could do. Definitely disable the admin or default login and create your own user, and also obviously create a secure password. Doing all of those things, it would be virtually impossible, short of someone finding a post-it note with the username and password in your office or something. There wouldn't be a way to get into that, as far as I know, without a zero day or something. Yeah, I mean, there's always things that you might miss, but in general, make sure to take common sense steps to change anything that's default, get rid of anything that's just too simple, use a key for SSH instead of just setting a plain text password that anybody can guess. There's people with a lot of time on their hands who, once they learn how to identify something, can go after it, and in general it's a really good idea to make sure that if they do locate a device on your network, it's not configured in a way to give them a really easy way of accessing it, because being the lowest hanging fruit is never a good idea. And of course we need to reiterate that some of the stuff we've done today, such as brute forcing the password and logging in, could be a problem if you do not have permission or if the device doesn't belong to you. So while the first part of our presentation, just scanning around, probably was legal, at least for people in the United States, make sure that you do have permission before you go around trying to brute force your way into a service, right? Because that will get you in a lot of trouble, especially if it is on a public network, a school network, a business network, a government network; anything like that will get you in trouble. So yeah, just be safe out there and make sure that you have permission to interact with devices before you go about breaking in. Set up your own home lab, it's much
easier that way, much safer that way. Always have permission. So yes, all right, and that's pretty much all the time we have today. Thank you guys for coming along with us. If you have any ideas for upcoming episodes you can always feel free to hit me up on Twitter, Kody Kinzie. Michael, his legal name on Twitter is... the_hoyt. Yes. And also, if you like this content, Varonis has a lot of other great stuff out there. In particular we recommend the AD PowerShell course, which is a great way to get started learning how to script in PowerShell for Active Directory, which is where a lot of the more interesting corporate hacks happen. So if you're in a position where you're managing Active Directory and you want to learn to become more powerful with it, it is a great place to start. Yeah, don't forget to like, comment and subscribe and click the notification bell, and then you'll get notified on YouTube every time we go live. We also go live on Periscope, LinkedIn of all places, and Twitch. Yep, but you can always watch these anytime. If you didn't catch the live stream then you can go to our YouTube channel, all these are saved there, and of course we appreciate you leaving any comments, any feedback, so we can learn and make these even better. So cool, thank you guys. I really like nmap, so if you guys like this just shout out, let me know, we can go even further, teach you guys some scripting with nmap, how you can chain it with other things. I love it, I could do a whole other hour on it. So yeah, thank you guys for hanging out and we will see you next time. Bye.
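The "lessons learned" at the end of the episode point to fail2ban, and the burst of 40 parallel login attempts shown earlier is exactly what such a tool keys on. The following is an added example, not code from the video or from the nmap or sshtrix projects: a fail2ban-style pass over constructed OpenSSH log lines that bans a source after it crosses a failure threshold inside a time window (fail2ban's own defaults, maxretry 5 and findtime 600 s), and flags a login that was accepted from a source that had already crossed it, which is the situation the video demonstrates. The hostnames, IP addresses and timestamps in the sample are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog lines for failed and accepted authentications.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2020):
    """Syslog timestamps carry no year; assume one (2020 matches the sample)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyse(lines, maxretry=5, findtime=600):
    """fail2ban-style analysis of sshd log lines.

    Returns (bans, accepted_after_ban):
      bans: {ip: timestamp} when a source reached `maxretry` failures within
            `findtime` seconds (fail2ban's defaults are 5 and 600).
      accepted_after_ban: [(user, ip)] logins accepted from a source that had
            already crossed the threshold, i.e. a brute force that succeeded
            because nothing actually blocked it.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    bans, accepted_after_ban = {}, []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > findtime:  # drop stale failures
                q.popleft()
            if len(q) >= maxretry and ip not in bans:
                bans[ip] = ts
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in bans:
            accepted_after_ban.append((m["user"], m["ip"]))
    return bans, accepted_after_ban


# Constructed sample: a multi-threaded burst against the default "kali" account
# from 192.168.1.50, one unrelated typo from 192.168.1.77, then the success.
SAMPLE_LOG = [
    "Sep 29 13:12:01 kali sshd[1201]: Failed password for kali from 192.168.1.50 port 50001 ssh2",
    "Sep 29 13:12:01 kali sshd[1202]: Failed password for kali from 192.168.1.50 port 50002 ssh2",
    "Sep 29 13:12:02 kali sshd[1203]: Failed password for invalid user admin from 192.168.1.50 port 50003 ssh2",
    "Sep 29 13:12:02 kali sshd[1204]: Failed password for kali from 192.168.1.50 port 50004 ssh2",
    "Sep 29 13:12:03 kali sshd[1205]: Failed password for kali from 192.168.1.77 port 41000 ssh2",
    "Sep 29 13:12:03 kali sshd[1206]: Failed password for kali from 192.168.1.50 port 50005 ssh2",
    "Sep 29 13:12:04 kali sshd[1207]: Failed password for kali from 192.168.1.50 port 50006 ssh2",
    "Sep 29 13:12:09 kali sshd[1210]: Accepted password for kali from 192.168.1.50 port 50010 ssh2",
    "Sep 29 13:12:15 kali sshd[1211]: pam_unix(sshd:session): session opened for user kali by (uid=0)",
]

if __name__ == "__main__":
    bans, hits = analyse(SAMPLE_LOG)
    for ip, ts in bans.items():
        print(f"ban {ip} at {ts:%H:%M:%S}")
    for user, ip in hits:
        print(f"ALERT: login for {user} accepted from {ip} after it hit the failure threshold")
```

On a real host the same logic runs over /var/log/auth.log or `journalctl -u ssh`; the single failure from 192.168.1.77 shows why a threshold, not any failure, is what should trigger a ban.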
Info
Channel: SecurityFWD
Views: 1,748
Rating: 5 out of 5
Keywords: kody kinzie, kali linux, how to, nmap basics, nmap tutorial, nmap for beginners, port scan, nmap tutorial kali linux, nmap full tutorial, nmap complete tutorial, network mapper
Id: moqFdH9XF6A
Length: 57min 14sec (3434 seconds)
Published: Tue Sep 29 2020