NMAP

Course
Time: 6 hours 31 minutes
Difficulty: Beginner
CEU/CPE: 7

Video Transcription

00:00
So, first of all, we know that it's running telnet,
00:04
and since I'm in the script folder, I'm gonna go ahead and do a
00:08
dir on all the
00:12
telnet-related
00:15
attacks or exploits that we can run in nmap against telnet
00:24
devices, telnet-enabled devices. All right, so there's a telnet-brute
00:29
script.
00:31
So we'll go ahead and run nmap
00:38
--script
00:39
telnet-
00:41
brute
00:42
against
00:44
that target.
00:59
And actually, this isn't a true
01:03
brute-force attack that tries every combination of letters and numbers and special characters. It's really a dictionary attack,
01:11
in other words, one that uses a list of
01:15
credentials.
01:18
And because of that, it actually runs a little bit faster than a brute-force attack would,
01:23
especially given the fact that
01:26
we're having to provide a username and password.
01:36
I didn't adjust the timing on this attack, so
01:41
it'll take a little bit of time.
01:42
In the future, I'll probably adjust the timing just to make it go a little bit faster.
01:53
Okay, there's the results. As you all know, running telnet on any modern device is a terrible idea.
02:00
Um, if
02:01
somebody, if any half-decent
02:06
hacker or
02:07
network administrator is listening on traffic,
02:13
telnet
02:15
usernames and passwords are sent in plain text, and
02:17
really, without any script arguments at all, and not very much time,
02:23
this discovered the username here and password for that device at 1.2.
02:30
And
02:31
granted, it's not an extremely complicated username and password, but
02:36
this is it right here.
02:38
So
02:38
just to prove that it works, I'll clear the screen. It's the username of admin and a password of Trustno1.
02:49
Clear the screen. We'll do a telnet to 192.168.1.2,
02:55
username
02:57
admin,
02:59
password
03:00
Trust
03:01
no
03:02
number one.
03:05
And I'm in
03:07
the Cisco switch.
03:10
And I got in with just a simple NSE script,
03:15
so running the vulnerability scan showed us what the vulnerability was, and I ran an exploit using the telnet-brute script.
03:24
Right? So
03:25
I'll get out of that Cisco switch,
03:30
clear the screen.
03:30
Another one of the vulnerabilities had to do with HTTP, since HTTP was open,
03:37
and that was a good run.
03:40
I'll do a dir of
03:45
all the HTTP attacks that we can run against this device,
03:52
and there's a ton of, um,
03:53
the one I'm most interested in is the default-accounts
04:00
script,
04:02
and that is
04:06
right here.
04:09
Gonna highlight it,
04:11
copy it,
04:15
clear screen, and we'll do, um, I'll do a script help first.
04:28
Gives us a ton of detail about how it works and
04:32
what arguments you can pass to it and where you get more information about it.
04:44
Really good information. So we'll do nmap
04:46
--script,
04:49
paste it again,
04:51
against the same target.
04:58
Oh, and actually, I'm gonna adjust the timing too.
05:01
We'll make it
05:04
T5, which is insane.
05:09
Hit enter.
05:11
Should go a little bit faster.
05:18
Okay, so this
05:20
right here shows me the default accounts.
05:25
It's a username and password of cisco.
05:28
So
05:30
it's, you know, it's port 80.
05:31
So we'll go ahead and open up our favorite browser,
05:35
which is Internet Explorer.
05:38
I'm kidding,
05:42
and we'll navigate to that
05:45
address.
05:48
All right, so the username
05:50
provided in that NSE script was cisco,
05:57
password was cisco.
06:09
OK, and we're in.
06:15
Okay, so
06:16
granted,
06:17
this device is vulnerable.
06:20
I'm not gonna act like it isn't.
06:24
It has some obvious flaws, such as a default username and password enabled
06:30
and a very weak
06:30
telnet password.
06:33
But
06:34
nevertheless,
06:38
it was pretty easy to break in using standard NSE scripts. And that's the main point.
06:44
We saw the vulnerabilities, we saw how to attack it, and usernames and passwords. And so, all right, now I'm gonna minimize this, actually, and I want to go over one more exploit,
06:59
and that is one that is actually very common out there.
07:03
And don't do this against, uh,
07:08
a device or, ah, target that
07:11
you're not,
07:13
uh, that you don't own or that you don't have a written contract for,
07:17
and that is the Slowloris attack.
07:19
And so we're gonna do, ah,
07:21
nmap
07:32
slow-lowers. It should be slowloris. I'll do the timing of T5.
07:38
In this case, it really matters because this is a denial-of-service attack.
07:42
We'll do it against that same target,
07:48
and I'm pretty sure that this one continues to run. I don't think that it has a timeout. And so while this runs,
07:56
it's running against the same device that we were just on.
08:01
All right, so here's the device. I'm gonna do a refresh on this device, and, well, you can already see it's taken it down. So the Slowloris attack, the denial-of-service attack.
08:15
You can look at the details about how it works, but
08:18
it's basically opening up so many connections against this web server that it can't keep up.
08:24
Um,
08:24
and I'm not even running it from multiple hosts. So it's not a sophisticated denial-of-service attack in the sense that it's not using a botnet.
08:35
It's not distributed. It's not a reflective or, um,
08:41
amplified attack.
08:43
It's a simple
08:45
attack against a
08:48
Cisco switch, which really could affect production if you're, you know, in an enterprise network.
08:56
Uh, and even still, I'm refreshing, and
09:01
at least the web interface is completely down right now,
09:07
so I'll go ahead and hit Control-C
09:09
and stop that,
09:11
and it might take a second. I'll minimize the nmap
09:18
scan and I'll do a refresh,
09:22
and eventually the device should
09:24
catch up and be able to respond.
09:31
So I encourage you to look into that Slowloris attack. Um,
09:35
and the main point is,
09:37
try it against your networks,
09:41
potentially vulnerable devices, and see if they can handle it,
09:43
and then
09:46
do a script help and go to the URL provided and learn more about it.
09:50
Um,
09:52
hope this is really helpful for you, and I appreciate you going through this lesson on the Nmap Scripting Engine,
09:58
and I'll see you in the next video.
10:01
In this lesson, we answered the questions of what is the Nmap Scripting Engine and how does it work.
10:07
Next, we examined how the Nmap Scripting Engine gives us the ability to perform advanced scanning.
10:13
Then we went through a lab that demonstrates its use as a vulnerability scanner and exploitation tool.
10:18
Thanks so much for going through this lesson with me, and I'll see you in the next one.

Instructed By

Rob Thurston, Instructor, CIO at Integrated Machinery Solutions