Where is Illig Walker here of them Carter – server laser gonna admit their IP answer nine from turnin spy answers impressed by fear identity for entire domain silly who would prompt calm I’m surprised I guess about mentor Nikki Lee hoon you know yeah miss Carter comes server push me of team The minecraft server lived this week most he not my quotes from the letting episode my friend and Microsoft’s old name avoid a naturally America take this are indemnified yet happy Ferguson yeah 13 servitude scientist Costigan super person else is not really here exact would Susan ever video to startin Camasta Knicks my house cuz very good see see Jacobson was my fastest video knee Yeah oh yeah oh yeah Blackie the husband soon ha – I’m honey okay yeah Gonski ten years later yeah you know about each habit sudafed cooter I’m not off good fashioned in the era server by it as the host so avoids feel I can Arnhem so I Now okay 50 Newton offline of the engine games already that of love on inflect see me offline the busy let’s in server started out on some items and see relief you know the bus it’s me at some yes Martha seared in a key flights and written my in buses it’s In Yahoo hosting I saw this is this is Mickey rigor and the kyboot is a server here yeah you know so invite some minor fat Heidi Kuhne and they have a video here to speak nutritionists are super Tallis yeah my side it’s perceived harvest Watson oscillatory um yeah you know Under you shown will often full ethical happy hit zoom let’s capture media on facebook on can be assigned backed up our Sean vida through ethical hacking course from demo cyber movement the filters don’t compilation whole clan of them free passcode cam torque yeah free code camped at auction it can only Accept by accident after headstone tantalizing new you know yeah then gets a star vitae and rum hell was there too so it’s really cool guys you guys have asked for a magical magical mug I have put my ugly mug on an ugly mug if I ever give out any 
more merch than this. Please, hello to all the new people that have come in, I’ve seen quite a few come in. Alright, so let’s talk about three shells. We’re gonna be doing two shell types, it’s really, most commonly there’s a reverse shell, which is by far the most common, and we’re gonna demonstrate this with netcat here in a second. If you’ve never used netcat before, it is just basically a port listener or port connector, depending on what you make it do. And basically what you’re doing, if you see this wonderful diagram that I stole here from Hacking Tutorials, you can see that we have an attack box, and this is the most common setup. Again, say attacker IP is the 1.1. Now all they’re doing is setting up a listener on port 4444 with netcat, which is nc by default on Kali Linux, and the target machine is showing the netcat syntax, and that’s fine, that’s how we can actually connect. But all you have to do is think about some sort of exploit, which we’re going to learn about, or some sort of shellcode, like you learned about last Monday when resign of aru’s teaching us exploit development. That’s shellcode that you saw that will tell the machine, when it’s exploited, to hey, connect back to this port, to this IP address, and we’re just sitting there listening. That’s kind of what a reverse shell is.

Now there’s also something called a bind shell, right? So a bind shell is pretty much the opposite, and my PowerPoint presentation just died, that is awesome, one second. Okay, bind shell. So the bind shell is the opposite. We had a victim connect to the attacker; in a sense of bind shell, we open up a malicious port on the target machine and then we connect to it directly. So it’s a little bit different, and there are cases where you need one or the other. Typically reverse shell is fine, but imagine that you are on a network, say external pentesting, and you need somebody to connect to you over the internet. It would almost be easier if you could do a bind shell and connect to them, because to get them to
connect back to you, you have to open up a port on your router, do a port forward and send it to your attacking machine. Now if you do a bind shell, you pretty much just connect to them directly. Not saying that you couldn’t, but I couldn’t do the reverse shell, but the bind shell’s sometimes easier. Also, sometimes reverse shell just doesn’t work, so we’ll have to try to bind the shell. So tonight you’re gonna see an instance of where a shell doesn’t work, and that actually is going to bring us into the talks of staged versus non-staged payloads. So we have two types of payloads you’re going to see, and one is non-staged. So basically that’s going to send exploit shellcode all at once, there’s no staging to it. It’s a little bit larger in size and it doesn’t always work; because of that large size, can’t always get the payload across. Now if you see, we’re going to take a look at this later, you’ll see it more in depth, but if you look at the example over here, you see where it says Windows, it has the slash and then says meterpreter underscore reverse underscore TCP. This is a reverse shell in meterpreter, reverse TCP shell. If we look at staged, staged sends the payload in stages, so it’s opposite, right? But it can be less stable because it’s sending things over in stages. If we look at a staged payload, it looks a little bit different: where there was an underscore over here, now there is a forward slash. So Windows forward slash meterpreter forward slash reverse underscore TCP. So a little bit different there.

Now before we get into tonight’s lesson, I am going to show you a brief example of our bind shell. So I’ll show you how to use netcat and we’ll do a quick bind shell. You might not be able to do this, you might just have to follow along. So let’s play victim and let’s play attacker. So on this, let’s play this machine being the victim. Let me open a new window here. And the victim in a bind shell has been exploited, and let’s just say that the shellcode opened up a port on 4445
and when it, it’s a Linux machine, so it opened up a bash terminal, or it’s gonna open up a bash terminal when somebody connects to it. Now I’ve got my fancy fish too and let’s just say okay, I’m the attacker, I’m making a bind can their witnesses a fish. All I need to do is reach out to that machine, which I think’s on 129, we’ll see, and try to connect over 4445. Nothing’s happening visually, but let’s take a look over here. Okay, so we did get a connection here, and you see we connected to 129 from 128. It opened up this port, and let’s see here, let’s say, if we say whoami, there’s actually a shell here. Present working directory, we’re in root. Hostname, kali. So this was an example of a bind connection. Now what you need to pay attention to is the syntax. If you are connecting, all we need is netcat, the IP address and the port we want to connect to. If you’re listening, let’s go back to my other machine, and this is typical listening: there’s netcat tack lvp and then the port you want to listen on. So I use 4445. You see a lot of times, like Metasploit, it’s 4444. If you start getting trickier, you might use 443 or 80 and try to bypass filtering, because a lot of AVs block port 4444 or the firewall will block it, so it’s starting to become well known on that end. You will see this a lot when it comes to running exploits, when it comes to doing capture the flag. You don’t see it as much in the pen testing realm unless you have to have a callback to nothing I don’t use it, but you don’t see it as much. You’re gonna see it way more when you’re dealing with like capture the flag stuff and Hack The Box or OSCP, but very, very important to know how to spin up a quick listener.

Alright, so today is going to be a continuation of last week. Let me go ahead and close this out. And last week we had our scanning lesson, so we did a little bit MF, we did a little bit of message, we talked about nikto, we talked about some other tools, right,
and what we found was there were some likely vulnerabilities one of them was This Apache mod SSL open SSL it just the spying kept coming up over and over and over again right see you down here the local buffer overflow attack we see a denial service so that one just kept coming up and we saw it when we googled It that it was coming up we searched was it kept coming up the other one was a SMB type x-play so today we’re going to use Metasploit to exploit one of those and then we’re going to use we’re going to do some downloading and compiling off the web to perform another exploit You’re gonna get to see how Metasploit works and you’re gonna get to see how it works for just downloading and compiling something like off of exploit DP or off of github so what we’re not gonna do today is we’re not gonna be working with any type of advanced shells we’re going To talk a little bit about payloads and we get into it again is one of our palos it’s not going to work but what we’re going to say is we’re going to save everything for when we get into the a/v portion that’s going to be the meat of This course so right now we’re all methodology a little bit of exploitation and then we’re gonna get into that exploitation we’re gonna get into more advanced shells and we’re gonna keep growing as we happen the past few weeks so let’s start with one of these let’s Go ahead and just start with the more difficult we’ll save will save the Metasploit one for last so we found this Apache one point three point two zero now the first thing I would do as a pen tester and if I’ve seen all these things Come up I would go out to Google and I would say hey Google what’s the patchy one point three point two zero exploit and you can see I’ve looked through some of these things but I was looking through it again so this one and we talked about this one Last week this open button so it’s a patchy mana to sell in the Monticello pray in bed do it for buy local yes pasilla demo and they don’t tell you 
much about it. Sometimes will give you a little bit more info, so we would want to do some research on this to make sure this is exactly what we’re going to be exploiting. But if you come in here and you actually look a little closer eh find 1.30 matches, so it looks like the 1.3.20 of Apache’s vulnerable. We’re on Red Hat, so if we look at Red Hat, you can see that it’s 7.2 that it’s running. Depending on the return address is what it looks like, and we’ll either run number one or number two for that and try to exploit. So somebody’s already going ahead of me. Check this exploit doesn’t really work that well, so what we’re gonna do instead is we’re going to use OpenLuck instead of Open[ __ ], because we like to have better grammar here. But you scroll down just for administering you see this help in where Nick or burning grandma become I ever say above I will make a new folder on here to go sauce on this right, kio, short for Kioptrix. We’re gonna follow the instructions on the page. So it says we gotta clone it, we got to install this libssl-dev. Go ahead and copy this. I’ve already got it, but we can try it again, you can see mine’s up to date. I’ll sit here and wait for you guys just for a second, just so you guys can get this installed in case you are following along, it might take a minute. a fruit 5:05 are you from New Mexico, that was the 505 comes from just engine we’ll never mind. Alright, so installed, we’re going to compile. So we’re gonna use a compiler called GCC. We’re gonna grab the file we want a cap I like I said [ __ ] hell ask and show you what’s in this folder, right, so let’s see neither open lock hello. Okay, so there’s Open[ __ ].c and there’s the readme. So what we’re gonna do is we’re going to say gcc, I’m gonna say Open[ __ ], we’re gonna do a tack o, and we’re just gonna name it whatever we want. I’m just going to name it open to be easy. And then there was one more thing, we had one more instruction, the -lcrypto, so we gotta type
that in as well. Okay, so the ls, you can see that in green, meaning we have executable permissions on open is there open gives us all of the readings here so the target what does come did you fly tell from user support and – see so we don’t have to declare the port so we should the player is we’re not gonna have to run it over at the cell that’s fine we don’t know what C is it says open in connection use range 40 to 50, okay, so we’ll just use 40. The box is going to be the IP address, and then the target is going to be whatever offset this isn’t here. So remember we were on 7.2 of Red Hat and it was Apache 1.3.20, so what we have here, we have two options, we got one or two. I’m gonna cheat just a little bit and tell you that it’s this guy, the six. So we tried 6a it won’t work then we would just move around 260, I’m just gonna save us the step and save us some time. So to run the exploit, dot forward slash open, we’re gonna say 0x60, we’re gonna use the IP address of the machine we’re attacking for Kioptrix and we’re gonna do the – Thea 14 and let that run. See if this gave us a shell back. It sure did. Okay, and we are root on Kioptrix level one, so we have just exploited this machine.

Now from here there’s enumeration that I would do right off the bat, and I don’t want to go into post exploitation because that’s really gonna be saved for next week, but we should talk at least a little bit about it, right? So there’s some things here that we can do me party I’m the kindest person cuz I like to look at because our networking commands. arp’s not found. Okay, see route, route not found. So sudo -l, we might not have a great shell here do don’t work. So sudo -l tells us who can run the sudo command. Well, we’re root right now, so we’re gonna run all the commands, but if you actually miss them this is really good information to know. You might have some sort of tool or command that you can run as sudo that you wouldn’t expect. So we could upgrade this to
bash, I’m not getting into all that yeah does that sound fun. And then so you want to also be present working directory puts you into okay three you into temp, and you move around and you navigate. Another one I look at would be netstat as a networking command. Again, we’re gonna talk about all this when we move into Windows, it’ll be easier to give you the visual. Now the crown jewels are the /etc/passwd, we could have cat that, at the shadow, right, shadow. Okay, so there’s some users on here. We’ve got root, we’ve got root’s hash, we’ve got John and Harold as well, we’ve got the hashes shutting to rip [ __ ]. So we would take this, we’d extract this information, we would also extract the /etc/passwd file and we would combine those. We do something called unshadow, which basically combines both the files and would allow us to at least go into hashcat or John or whatever and try to crack those. I’ve got a video on cracking that, we will cover this again at a later time, but if you want to cover it sooner or later you don’t know about this topic, you can go watch the video I have on my YouTube of cracking hash tag. So it’s pretty straightforward, but this is an important thing to dump.

Okay, now we’re using arp, we’re using route and netstat. Basically all I’m doing is looking for other network connections. It’s possible that this is a little home computer, it’s running two NICs, one of the NICs is on one network, one of the NICs is on another network, and you’re able to talk to a whole new subnet of networks. So it’s important to look at where your routing table is, what connections you have with netstat and arp, and yeah. So anyway, I’m not going to spend too much time on that. I do want to go into Metasploit really quick and show you some things with payloads, and so let’s just go into a new tab here but it is what it is. Alright, so let’s repeat a step from last week. So what we did was we found the SMB, remember we’re looking for SMB version, and we could just type that in a minute actually make it
easier. Okay, so let’s just copy this. Remember again there’s the different types, there’s the auxiliary, exploit, post exploit. So we’ve been doing an auxiliary this entire time, now we’re going to start going into exploitation in terms of module. So first we’ll use this, paste it, and what I like to do, I like to come in here and I just like to type info. Gives you a little bit about it, tells you the basic options. You know it’s just an SMB version detection. More important when it comes to exploits to know exactly what you’re running, and sometimes they give you a little bit more information on the module itself. So we need RHOSTS. Also we could just get the basics again from just typing options and not have all that information. So RHOSTS, that’s the remote host, that’s what we’re going to try to exploit or talk to at least. So we’re going to 102.1 30, and we don’t have an SMBPass or SMBUser that we need those. Remember from last time, this was just giving up information on a default login. We run it, we see that there is a Samba 2.2.1a right here Brad sembène right. So we’re gonna go and go to Firefox again, we’re gonna say and pull this beast that they exploit, and we did have a version in here I believe. Well, we already know, right, we know it’s Red Hat. I’m wondering if the version came out in the SMB, sometimes it does. just clinic to point or see no nothing came out there, okay, but we do know it you know it’s right happy. So there’s a couple different ones in here, and you see the name of it is actually under this trans2open. So what we can do is we can common we could say search that trans2open. Well okay, and the reason we’re seeing so many different ones in this Google search page is because likely, see what they’ve got, likely these are custom written exploits from Exploit-DB, and they also have some usually Rapid7 that ties in the Metasploit, so they’ve got Metasploit module information. So you’re gonna see quite a few, and also on top of that there’s one, two, three, four separate
modules for the different types of operating system. So we know we are running Linux, so I’m just going to go ahead and we’re gonna say options, and again we’re gonna set the RHOSTS. Also again, good to read info before we fire off. This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 systems that do not have the noexec stack option set. So we are meeting these conditions in terms of version, x86, and it’s talking about Red Hat older versions. We’ve confirmed run 7.2, so I don’t know in terms of older what that means, but I would be comfortable enough trying to fire this. So we say run – confirmed cuts in you know you can exploit this cut do it alright control see that you should be having the same issue. So what’s happening is you’re getting a session open, that means you were actually talking to the computer you’re exploiting, something is working in your favor, and then the session dies immediately, which means something’s also not working in your favor. My antennas go off right away to something to do with the payload here. When I mentioned earlier that that was going to be payload related, well here’s where it comes up. So if we go into here and we type in options again, now you can see something that was not here before, gives us the payload options. Okay, we cancel that. So maybe something is wrong, and what we can do is we say, okay, I’m running Linux x86 meterpreter reverse TCP, we can try to change this into a bind TCP. And there’s so many payloads, like you could say set payload, we come in here, we say Linux, and we know it’s x86 because that’s what’s available for this, we double tab. Okay, so there’s a bunch of stuff in here. Now you saw we were using meterpreter reverse TCP, there is a shell bind, or there’s a meterpreter bind TCP, right? But we could try to do this if we’re dead set on getting a meterpreter shell, but when we so this won’t work
we can come through here as well and we can look at some of the non-staged payloads. Remember, do you see the difference here again when is it coming up, you see the forward slashes, we’re talking staged oh my gosh is after the shell here that’s they’re chasing based Ajanta. So because our staged payloads are not working, we’re gonna try a non-staged payload instead. So we can try a Linux one and see the work doubled assay shell reverse TCP okay – hissing Moss Shawn Shawn – okay sometimes they’re coming to options because what happens is when you set a new payload, it actually erases everything that’s set under the payload before. So it just tells us the command it’s going to run the l hotel for if it all looks fine sometimes those braces up. Type in run, let’s see if this works. I honestly haven’t tried it with this one. this one works so I’ll show you the one that I tried it would be for after this case away my name. So again we’re root, so this is pretty cool, we got a shell here. There are some cool things that we can do. Did you not see my humble brag? What is this? This is black badge from winning the CTF, buddy. Oh yeah, and all my other swag, oh yeah. doc do still ocean dizziness that is me forgetting don’t tell me to go play some CTF oh yeah yeah you got company indispensable. Alright, so any of it, so we’ve got this command shell, pretty much the same thing as before. So you exploited this machine two ways now. We’ve got one pallet report to write if we’re writing a real report, right, we’ve talked about all the other vulnerabilities that we had before. If I can pull up some of them, we don’t even, I didn’t capture all them because I got tired of just writing it down, and pull this over. Maybe remember we’re going through these one by one, we found there’s a default web page, there is some header disclosure Floral for disclosure, weak ciphers. We’ve got a lot of flaws here if we’re going to be writing this report, on top of of course the critical vulnerabilities that we’ve already found
and would have to report as well. But if you’re finding these vulnerabilities on the assessment, you should be alerting immediately. Should be an immediate stop and alert to whoever the IT manager or project manager is in charge of things, right, for who you’re doing a pen test for. So first exploit, I would have called immediately and said, hey, I just exploited your machine, what do you want me to do? Sometimes they say great, go back, try again, find all the path you can give them the time frame. That is it for the exploitation.

Alright, we’re gonna do one more exploit we’re gonna do one we do one blue chroot kind of. So let’s close out of this jump here. We’re gonna do one together. I’m gonna do something from Hack The Box, and what we’re gonna be doing is, let me remember the name of the machine, we’re gonna be doing Lame. Lame is one of the easier machines. So I’m gonna get connected. If you’ve got a VIP membership you can follow along, if you don’t that’s okay, just kind of watch and soak it in. So I’m gonna cd to my downloads folder, do my OpenVPN. Okay, it’s going to be sitting at 3:00 I do believe, let that run, I’ll double check that real quick while it’s running. seems down bills bad ideas are too high I’m a little concerned Oh key lever – Nikki dinki in Chapman quits it in him leopard passage bought his to school chandi extra cookies an ama right now you like that take some questions while we’re waiting I could be very unlucky we could just be the middle Laura from New Mexico originally you know how I lived in New Mexico yeah if you stood enough someone son you got to stay humble rum ham you’ve got to stay humble I need new trainings I’m working on I’ve got to finish the coolers kiri west penetration testing Screen by May 15 and I’m like three chapters in, so I don’t know if I’m gonna finish that one, I may need an extension. reading faking uses available offense great okay there’s the paint, let’s nmap that. AMA stands for ask me anything. Alright, so we’re gonna let this run
this run Just for a minute should be quick I don’t think there’s a lot of ports open on this one how much time do I spend on TTA environment not as much as I like anymore when I get practice time nowadays I’m practicing on like sin act and doing Real world I don’t know I just don’t know better yeah we won was Wireless so I actually like Wireless quite a bit yeah as fast as you can all interesting cup sets and some does not mean I enjoyed that game how most people do not have Ever done at the box office or I have not that is all my to do this so I got the iteration testing extreme already purchased for elearn security I plan on doing that together with offshore to kind of piece them in and get some real look advanced Active Directory training in There’s no carry gray stay humble Push the who learn best move quits not forgetting the bass bone comes a 50-meter veiled he’s on yeah I got so I get some guns a bass bone I don’t know so much better and so much laughing miss ina booty diamond like my osep I went through every single chapter to the Subchapter and a sub subchapter all the way through and then all the exercises and then all the machines down below which I won’t scroll down to but you can see about how far I am down this the more detailed notes the better you are some people like cherry tree I like Keith note because keep note is more color friendly to my eyes I like a white background I don’t do the dark background I notice if you like the dark background this is dragging now how would I organize my notes on offshore or Ross labs just the way you Saw it pretty much exactly the same way you thought so Synnex is a private bug bounty program let me see if I can bring up get my ugly mug off of the page like how bugcrowd comes up first that’s funny this is Cenac basically there’s the red Team you apply for the red team and you send a resume if they like your resume you have to do a written assessment a practical assessment an interview etc and a background check 
and then you get in. any way to do one for every type of assessment, so if you want to work on web apps you have to do web apps, if you want to work on host assessments like network you have to do a host assessment. So there’s mobile, there’s hardware, there’s a bunch of them. I only have host and web app, there’s quite a few that I could still attempt and try to do. when Wolfman is no face to mush you some foods along interference or movements of spices you apply and try to make it pretty much sorry that I’m slow or empty I won’t answer any more of your questions tonight buddy how’s it signal. Alright, we’ll get back to the AMA in a little bit. So let’s look at this, because we are still not in AMA territory, we are only at 8:47, my people. Alright, 139, 445, perfect, we’ve got three two which is interesting. so if we’re Enumerate and so I won’t capture the flag when when SSH is open we’re gonna try to do a brute force attack during a pen test to see if the SIEM catches us and if they have we control. Thank you Rui, I know that, I appreciate that. So for 139, 445, what we’re doing is we’re looking at these and we’re saying, okay, can we connect to 139, 445 and see what the version is? Well, we don’t need the version, we got it right here already. Can we connect to it anonymously? What kind of information can we get out of the folders, etc.? And this 3632 I’ve actually never seen before doing this machine. So okay, so when we roll through it here we can take a look at FTP if we want. So let’s just open up a new tab real quick, I’ll take my face off the screen, we’ll do a new tab and we’ll just say ftp. Okay, so it says anonymous logins available, so we’d say anonymous, anonymous. Okay, successful. pretty much commands I said ls, here comes directory listing, okay, anything there? So we can put things in here if we wanted to, its put available. Yeah however for another time into the black this is for some reason I feel like a web server, like somehow the FTP lives where the web
server is and you could put something in there like a reverse shell, maybe that’s interesting, or they put some kind of file in there for you to upload, interesting, or download, interesting. But sorry, trying to read the chat and do both, you guys are crazy. How often are versions reported accurately? And that pretty often. But anyway, so without a way to target this right now, you know, unless I can get a user to open up an FTP, you know, it’s still bad that I can anonymous logon, this is definitely a finding on an assessment, but unless I can social engineer a user to open up some malware that I put in, it may not be worth my time at the moment, unless I can find a different way to execute that malware. So we can check out this version of 2.3.4 and see if there’s an exploit for it. Okay, so it’s got an exploit for backdoor command execution. We go in and we read that, looks like a Rapid7, meaning a Metasploit module. Module exploits malicious backdoor that was added to the download archive. So if there was, if this is patched it’s not going to work, and I can tell you right now that patch. however would I be trying this the textbook yes I would, this is probably one of the first things that I would try, but for the sake of saving time here, because we still have another lesson to get into, I’m gonna go ahead just tell you this one’s not it. So with that out of the way, SSH I usually don’t touch until near the end. I would Google this OpenSSH and see if I could find anything, but I would also look at this smbd 3.0.20-Debian, copy that, search it. Rapid7’s got another one called the username map script. you guys spoil any Game of Thrones or endgame for anybody else in Japan that falls under rule number one, don’t be a dick. also exception the insolence or student might say her name to stay humble yeah yeah distill it can you go exploit a command execution vulnerability in Samba version 3.0.20 through 3.0.25rc3 when using the non-default username map
script configuration option. By specifying a username containing shell metacharacters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since the option is used to map usernames prior to authentication. This is an unaffected unauthenticated RCE, remote code execution. So we’re going to try that. Again, this was a username map script. Open up a new Metasploit, show me those usermap, and it probably wouldn’t pull me in here if I would have read a little harder yes it does usermap script right down here by J Delta Our caucus of us don’t understand Johnston. Whether or not it works is a whole another question. Let’s see if we the host is still up it’s not doing the time I read that just went through or if this box is just incredibly unstable. This is what you pay for gonna get you. So we’ll let this run for a second. it just doesn’t work we’re stopping at nine o’clock. I do have VIP, VIP costs like 13 bucks a month. How often do Metasploit modules work for me on tests? Fairly often if I’m confident about it, but you know there’s some, like you saw the vsftpd, right, I would have been fairly confident that it was working, and or if that would have been the next point I would have fired it off and it wouldn’t have worked, it didn’t have the backdoor version in it. So you run into situations like that. There’s some where you’re just like, yeah, I know this is money, it’s gonna fire it off, it’s gonna work, but sometimes you do have to kind of spray and pray I guess she the best of your abilities. There we go. Alright, run, and we’ve got a shell. So again do a whoami, root, hostname, lame. I would cat the /etc/shadow again, do all those hashes in there. We can arp -a, it responds back in orderly fashion, apparently they don’t like networking commands today. There it is. We could print the route. I was a low-level user, sudo -l again. I would look around for important files. So our destination’s going out dot zero out of a wildcard gateway, nothing special
there. We could check the netstat if we wanted to, but just some basic enumeration. I would definitely look around all the files that I could find and see what’s interesting there. That’s really what enumeration is, right? You’re meticulous on the outside, you got to be just as meticulous on the inside, especially if you’re doing capture the flag stuff. Thanks icon for the the stub I appreciate that Thank so you guys thanks to MuNet thanks low kids appreciate it, you guys are awesome. Okay, so that is it for exploitation, we are running right on time.

Now if you were on the mailing list you noticed that I sent out what we’re gonna be talking about: what do we do in a situation when there is nobody that, or nothing, right, that we can exploit? Let’s even narrow this down a little bit more, cuz some of you are gonna jump right to social engineering. well I’ll just call the help desk in Telemundo so the cops are dead yeah that’s possible, right? You’ve definite social engineer, but with a lot of these engagements, a lot of pentesting external network engagements have no social engineering allowed. There are different sorts of assessments for that, where there are full-on engagements that allow social engineering, there’s strictly social engineering engagements. So companies like to limit you in scope as much as possible. Humans are the weakest link, so we can still exploit humans being the weakest link even if everything else holding true is pretty much unexploitable. Alright, say this company’s up to date on their patching, they, you know, maybe you find some small vulnerabilities but there’s nothing that you can get remote code execution steps we’re gonna talk about tonight. Now if you sat through my CarolinaCon talk already, it’s gonna be semi repetitive, but only a tiny piece of it is from that CarolinaCon talk. So if somebody asked about the website, the website really quick, if you want on the mailing list. Thank you Vita, I appreciate this up. If you come into
there’s a more up here, okay, you come into more, the contact, subscribe, and you come down to here. This isn’t the best website, I’m not a good web dev. If you come down here and just join the mailing list you’ll get the weekly email. So let’s go ahead and talk. Do I draw my logo? And no, I did, I bought it on Fiverr cuz I’m cool. You’re not getting emails? I would try resubscribing, you might have typed in the wrong email. Fiverr is dope.

All right, let me get up this PowerPoint presentation since they killed my original one. So we’re gonna talk about a couple different concepts tonight, and we’re gonna talk about, we’re gonna be talking about credential stuffing and password spraying, are some of the biggest items that we can do social engineering is not allowed. So let’s go ahead and present this from the current slides. You’re not to go through my whole spiel again.

Alright, so we’re gonna start off with credential stuffing and then we’ll show you this absolute total test of unfortunate dusties uber. So we’ve got a compromised server here, we’ve got credentials for Joe, Sue and Bob. These are part of some breach, you can think Equifax, you can think whatever breach you want. These hashes get taken, people take the hashes and they take them offline and crack them for you. Sometimes they’re nice, then they put them on the clear web, sometimes they put them on the dark web and try to sell them. So however you obtain this, you can get these clear text passwords. Oh, Joe’s up here, we got Joe, hi Dan the Joe.

How do we take these, these clear text passwords, right, and we try to put them against website login. If you’re a bad guy you’re putting these credentials, firing them off that random email servers, you’re firing them off at banks, you’re firing them off wherever you can login with them, right? If you’re a good guy, well what you’re going to be doing is you’re going to be still Scoff like a good hacker that you are, and you’re going to try to log into a website that is owned by the client. So and if you’re lucky
these credentials will work right away, and that is the benefit of credential stuffing. So a simple script can go a long way. This is actually version –, we are now in version 3. So people have been asking about breach-parse, here’s the github for breach-parse right here. So basically this tool, what it does is it searches through a 1.4 billion clear text password list and it spits out what you, what you specify it to spit out.

So if we go through the script really quick, and it may be hard to read, basically this is the usage up here. If you see, it says breach-parse, domain to search, file to output. So if you wanted to search, and we did Tesla last week, we’re actually gonna do Tesla this week again, we’re just gonna keep with Tesla. If you say breach-parse @tesla.com and then just say tesla.txt, you don’t go ahead and output that for you. So what it’s going to do is it’s going to roll through and it’s gonna create a bunch of files. It’s going to create a master.txt, it’s gonna create users.txt and a password text. Then the master.txt has a user name colon password, users is just all the users, passwords is just all the passwords. That way you don’t have to do an off and sort it out, I’m already doing that for you. So we do a touch of a master file, we total all the files and we do a file account

because we could have this boy yeah but that’s a Beautification is a really nice image file to another country that is innocent and hiding script person of user just don’t get a bit of test Dr. 
television didn’t listen and addicted password list Tesla to mains as a male Smith at Tesla you know its mustard Amstell none right princeton expiration right and we’ll talk about that in a second but let’s look at the 7100 and see what that render looks like if this breaks in or something crazy Dude I I’m done for the night I’m not trying to break in a test on the live stream with the raw responsibly yes Fagan was a whuppin a nice to mustn’t miss bootless disclosure and a little agai life pentest neva de la can effectively God life Asif In where’s there than a nice a responsible disclosure we’re gonna find out what his password was polish customer she’s of one Trump’s I’m a believer live in his presentation and Firearms damn it’s very smooth we cannot find you in so for whatever reason it was giving us a different response there for a Second we can come back and look at this I like to sort this by length I have no idea of those different site alcohol as long as it should to be here mine then it’s a Mets tickets for the company has done Fidesz episode so as a Human run option either which mine is officially closed chariots davidís sloppy dork is lighted here is my cleaner Skippy dog win-win crack crack skipper yeah you know I saw das is their full ethical hacking course hook Laden often free camp free code camp a free code camp dot walk so I say YouTube channel our request is from the cyber mentor you know I was cartas online respond inevitable items of my Nick Naturalist suden video oh and yeah the server here of TFS be in the minecraft server is laser gun and Anna he saw but wouldn’t even addressing love he also right back You know their skip Lancia along on and supply and Missy map updates awesome new year new me to goof off and experienced a layer I use around abuse niched my net member ishita fear universe you know as a finish might appear here in game services or 2000 server backup started annoy updated him In a Nova’s income so he’s a you know auspicious has 
the option and server there leah is and women platinum current and then he Muhammad avoid you know IPS as you know in from final five from a team from his life here here normally I’m Chet a tentative Kipps Of the domain Zilly Zilly whom procom yeah just disbursement is episode I talk about from a cyber mental full ethical hacking course on busy neurons in the next hour there was a known leader shoes

Video Information
This video, titled ‘Minecraft Anarchy #048 – Full Ethical Hacking Course 2/6’, was uploaded by ZillyGurke on 2020-02-29 18:46:47. It has garnered 6 views and 0 likes. The duration of the video is 01:06:46 or 4006 seconds.
Lasergurkenland anarchy server ip: 149.202.127.134:25565 domain: zillyhuhn.com Is a small vanilla Minecraft server without rules. FreeCodeCamp.org talks watched in this video: https://www.youtube.com/watch?v=3Kq1MIfTWCE