Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
449
hpr_transcripts/hpr3090.txt
Normal file
@@ -0,0 +1,449 @@
Episode: 3090
Title: HPR3090: Locating Computer on a Enterprise Network
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3090/hpr3090.mp3
Transcribed: 2025-10-24 16:35:43

---

This is Hacker Public Radio episode 3,090 for Friday 5 June 2020.
Today's show is entitled Locating Computer Honor Enterprise Network
and is part of the series Networking. It is the 50th anniversary show of operator
and is about 40 minutes long
and carries an explicit flag. The summary is
Advanced NMA P-Tips.
This episode of HPR is brought to you by AnanasThost.com.
Get 15% discount on all shared hosting with the offer code
HPR15. That's HPR15.
Better web hosting that's honest and fair at AnanasThost.com.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
inspection stuff will know and say, nope, no FTP for you. We only allow HTTPS and maybe
email, email and I'm app and pop. We don't allow any other protocols. And there are some
other methods you can basically hide encrypted traffic and or tunnel traffic through legitimate
protocols like ICMP. There's HTTPS and a few other ones. So a lot of times companies get
the intention that, hey, when you change it on the internet, the only thing you can do
is DNS. Okay, DNS, you can actually tunnel through DNS. It's relatively slow, like dial
up speeds because each packet has a maximum size of like 53 bytes or something. There's
a number of other methods and ways to tunnel out protocols. They basically have cloned versions
of other distributions like pond plug and PWN, PL, UG, pond plug, older other distributions
feel free to reach out and if you want to link to those, but they basically facilitate
all the configuration needed to create reverse tunnels and tunneling over arbitrary protocols
and different protocols. I will say there's not a whole lot of need for all of that unless
you're a highly secure environment and the only way to get out is 90% of the time you
can get out via DNS. People will say, well, this computer is not connected to the internet.
Well, if you can type in slookupyahoo.com and resolveyahoo.com and you have control over
the device and you can run arbitrary code on that system, then you can tunnel your traffic
over DNS and get on the internet. So we're talking high security, quote-unquote, error
gaped networks that are power grid, infrastructure, big stuff that these people will say, nope,
it's not on the internet. It can't get there. The only way to get there is a jumpbox which
is connected to the internet via the series of other connections, tunnels, VPNs, road
access, other protocols. So everything is connected to the internet. Don't let anybody
tell you that anything is air-gapped. There's probably instances where you have three
letter agencies where something is actually air-gapped and they have to manually move traffic
to that thing. But in all, for all intents purposes, most of the time when people say air-gapped,
they mean there's a jumpbox in between that in the internet. But that's my rant for tunneling
and how internet's work at corporate environments in places where high security is involved.
Well, I've had instances where client tells me there's no internet and I just tunnel
out through my S tunnel and I'm going to go and I can do everything I need to do and
perform all the assessments I need to form. Sometimes you'll see fairly often that some
of these misconfigured proxy servers will block all internet traffic but they will allow
anything HTTPS. So all you have to do is install HTTPS everywhere or use S tunnel or
any other other methods. But it will force HTTPS on every site and then everything will
just work and that's not the internet. So not only is it not plain text, it's everything
is SSL and you don't have any visibility into it and they're not trying to break the SSL
to even see what you're doing. So you can essentially exfilled data securely by default because
there's no other way to get on the internet except through SSL. So when you tell your clients
and vendors and whatever that everything is locked down except for SSL, then you're basically
telling everyone that if you want to exfilled data, guess what? We're going to guarantee
that that data is going to be encrypted when you exfilled it and nobody will have any
visibility into it. So that was a bit longer of a rant than I would thought for networking
and connectivity. But suffices to say if someone tells you a network connected thing doesn't
have internet type NS lookup and do NSlookupspacegoogle.com and if you get a resolve tell them
that that's what the internet is and laugh hysterically. Anyways, so let's move on to
advanced in-map commands and or discovering networks. Now I'll involve I will follow
up with some scripting. I call it find routers. So basically the idea is there's a number of
things you can do. There's just some discovery scripts for in-map that you can say kind of
listen for broadcast traffic which is not super effective when you're trying to traverse
multiple networks. So the way networks work is if you're on the network you can hear the
traffic in general. If you're not within that LAN or that subnet you can't necessarily
hear the traffic unless it's intentionally being re-broadcasted out from the switch or
device or whatever the thing is they call stuff that moves back it's around nowadays.
So you've been dropped on site to do an assessment and you want to figure out what the network
looks like. First thing you do is plug in and see if you get an address. If you get an
address you're good. If you don't get an address and the port turns off and the color
disappears and the power goes from the port they have a thing called port monitoring. Usually
this is in the form of Cisco's ice and it has most of the time been misconfigured wherever
I see it because it's really hard to do proper port security and make sure that everything is
on the up and up and all your devices are compliant with certificates and things like that.
So what usually happens is if you don't get that light and you get kicked off the network
then you go find a phone, a printer, a fax machine, a thing that doesn't look like it's
going to have support for secure connections and encryption. You can basically assume the
identity of that device in most cases. So what you do is you flip the phone over or look
at the printer, do like we do with the local stuff and look for that MAC address. Assign
your computer's MAC address to that computer which MAC changer for Linux is what it's called.
Windows is a little bit more tricky from seven and up. You kind of have to do some shenanigans
to get that interface to change. There's not a whole lot of easy ways to do it. There's
a couple of UI ones that out there that actually seem to work. But the idea there is you're
taking the identity of a device that doesn't support certificates and when you set all this
up correctly, the only way to really validate a person on the network is to either have
a certificate or have them log in with some credentials. And you'll see this with like
corporate wireless. You'll log in with your wireless credentials and that will get you
on the wireless. And that's pretty secure actually in most cases. But for wire devices,
you have printers and back machines and God knows whatever internet devices that need
to be basically bypassed because they don't support encryption. They don't support certificates
or anything like that. So you assume the identity of that phone and then you start doing
saying where am I trying to get a DHCP address and most of the time 99.9% of the time your
phones are going to be DHCP because no one can manage the static address of a large number
of computers. So you might see static IPs in things like data centers or places where there's
very important data going across. But in general, you're not going to see static IPs anywhere else.
So work stations where there's people, where there's large numbers of devices, you're going
to see DHCP utilized and that's where you can kind of capitalize on that and use that to
take some else's identity. So you've taken the identity of a phone and guess what? It's not a
different network. It's not segmented. It's not a different VLAN. It's on the same VLAN as
everything else as all your work stations, which is also common because guess what? If you need to
print that printer needs to be in the same area or sometimes it's easy actually easier just to put
that printer in the same network as your desktop and not separate them out and have two different
networks for your printers and your phones and and have everything on a flat network makes it
a great easy great. But when you get an attacker on there, they can assume the identity of your phone
and then say, you know, I'm in this 10.net work and I want to try to figure out what other
devices are there. The first thing to do is obviously listen. You can sit on the network and listen
and I'll put in that. I'm trying to make myself some notes here in that. I'm listening
timeouts for discovery. Sorry, I have a very clicky keyboard. So you have timeouts for discovery,
you can set on the discovery plug-in port in that. In that, I'll sit there and listen for
an old broadcast protocols and we'll give you a dump of everything that is used in years.
There's some other scary stuff like carp. It's the Cisco Discovery Protocol CCEDP. You can
do some scary things like basically take over all the traffic on those. If they're misconfigured,
I wouldn't recommend doing that at a client site but you can pretty quickly use some of the tools
to figure out whether that's potentially possible or not. So you want to be mindful of Cisco
Discovery Protocol. Also things like ICE. Once you connect to the network, you can try to do
our poisoning and in some cases ICE, the Cisco ICE stuff prevents that. And in some cases,
it doesn't by nature of how some of these products are configured by default.
So I've been on client sites where they have this port monitoring which prevents anybody from
just arbitrary plugging in. We've identified that device on the network. We've taken the MAC
address of that device and assumed its identity and then we art boys in the whole network to
have all the traffic tunnel through our system which basically brought home down the whole
entire store because our traffic was getting no-routed because for whatever reason, part of ICE,
the protection for port monitoring was working but we were able to do art poisoning. So all of the
computers were basically logged out and had to re-log back in which was great because when they
rebooted or restarted or tried to reconnect and tried to reauthenticate, we were sitting there with
our traffic listeners and listening to all the traffic. So we were able to catch up that
get flametech passwords for root devices and other protocols and basically we had to go back
to the client and tell them explain to them how we were able to do it because they said they had
these controls in place and they assumed that they were all working and that's where we're at
today's. We have all these security controls but nobody knows that they're working like you know
when your computer's not working because it will turn on or you know if the internet's not working,
you can't get to the Facebook. But if your security protocols and your security controls aren't
working, there's no way to know. It's a stroating your cat. You don't know if it's there or not. So
that's why you have people like penetration testers and vulnerability assessment people to kind of
test those controls and make sure that they're actually working. What you paid millions of dollars
for is actually working. So I'll move in more to the more technical stuff. So we've listened for a
while and we've discovered several networks, whatever. We scan those networks and we get back some
information. Maybe we find some open protocols but nothing good. We want to do a full scan. We've
done enough listening. We've done enough manual probing and we want to do like a full scan of the
entire network. Now essentially what I ended up doing was there's kind of two pronged approach.
If you can locate a switch or a networking device and use the SMTP function which is a simple
network management protocol, simple SNNP, you always get those from switch around. So SNNP is
simple network management protocol which basically allows networking devices to talk to each other
and really get a feel for what the device is doing and kind of check it in.
Civil network management protocol is kind of an old protocol. It was open to begin with of course
with no authentication. So now we have V3 which has authentication. And then you have instances
where people will wrap them in a secure tunnel like a VPN or something. But in general you
some, I would say probably a fourth of the time or a third of the time you can find a network
management device and if you can find a network management device you can dump all, you can do a
walk, simple network management protocol walk and walk the tree of the protocol and it will dump out
all the networks that it knows about. And that will give you a pretty good idea of at least the
networks around you outside of your direct hop. And when I say hop that means the computer before
the computer that talked to your computer, the on the way to get to you.
So I'll check those, I'll dump those out and I'll use those as my initial crawling and then I'll
look for more SMTP servers if I feel like it. But both times I'll kind of listen and then I'll
do a full scan because I just don't have the time to be quiet to loud approach as quiet as that.
So what I'll do is, is yes. And the problem with scanning all the 10. Dot is all
explain kind of the local IP space. Private IP space is 192 is I don't know like 17,000 different
host. Okay, so I'm cheating. We've got 192 is 65,000. Our 172 is 1 million and our 10. Dot is
16 million. So even in a 172 environment, it's going to take anywhere from six hours to
an hour or two hours, four hours to do a 172 scan with and map. Now I'll briefly talk about
masking. Masking is a mmm stateless scanner and is extremely fast. With that said, it can bring
down networks pretty easily. And in most cases, you don't want to use it on an assessment unless
you really want to test and get some really quick scans done. Now we've had some success at some
of my other employers using masking to quickly scan the entire network. And so what would take
and map, you know, four hours to do or even days to do however long, masking can do it in a
tiny fraction of the time by sending lots of packets very quickly and not really waiting for them
to come back up. But in most cases, it's not something you want to run. There's other things like
unicorn scan or whatever, but masking has most of the features sets that you want to be able to
split up the network into manageable chunks and kind of go from there. So if you're scanning 172,
generally you can kind of do like a quick ping scan and go from there. If you're trying to scan
10.The approach that I come up with is a guessing approach. So if you're starting on a 10.You're going
to do something like 10.1 or 10.10 or 10.5, 10.15, 10.20, 10.30, 10.40, 56, 7.8, 900, you're going to start at
the normal 10th values, same for the other addresses. So it's going to be 10.5.5.10 or 10.5.5.1.
And that last item is where I'm looking for routers. So basically my script or my kind of one
liner that I have for M-MAP says, basically I'm looking for any address and guessing any address that
ends in .1, .2, .254 and I think 253, I've seen routers in those spaces. And the idea there is to
do a very small scan. So instead of a million hosts or was it 16 million, you're only scanning,
I don't know how many tens of thousands, but it's like 60,000 or something say. And because we're
only doing instead of 10 to the 10th or 10 to the 255 to the 255 to the 255, we're only doing
instead of 20, 255, we're doing each 10 and maybe a couple of five. So we'll do for the math,
we're going to do five or we're going to do zero, five, 10, 15, then 20, 30, 40, 56, 7, 8, 900,
then maybe 105 and maybe 115 and then all the way up to 250 and maybe 240, whatever. And then
the next one would be that same range. And then the last one would be .0 or .254. And the idea is to
try to find other networks. And there's no easy way to do this. To my knowledge, unless you can
get a full dump of a bunch of routers, there's no easy way to do this. So the only way to do it is
to scan all of 10. Which there's no point in scanning 10.143.133.208. There's no point in scanning
that IP address because chances are it's not going to be something that's at the beginning or the
end of an IP space. So you want to intelligently scan the 10 space and greatly reduce your time
to find those networks now. Once that output is done, it's a discovery and you can append and say,
okay, okay, we've got a 10.0.5. Whatever and we've got a .5.15 and start mapping that out and then
doing full scans within those ranges. So say you find 10.5.5. Whatever or 10.5.10 or 10.6 through
15. And you scan those within that manually. And instead of scanning the entire 255 block,
you're only scanning too because there's only two in there. And then you might add to that too.
So if there's a 5.10, then you want to scan 5 through 10. If there's a 10.10, you want to scan maybe 10
through 20. And if there's 20, you want to scan back and forth each direction. So if there's a 5,
maybe you want to scan 4 and 3. And it's a matter of guessing. And you're trying to guess where
their IP ranges are because no one's going to assign wonky IP ranges. Another great way to
find devices is just start adding together all your recon data. So as you get access to boxes,
as you compromise hosts, you start dumping these networks out and dumping all this information
into a single singular place and start mapping things out. And that's where things can get tricky
because you need to understand that, like I said, everything is connected to the internet. So
at the end of the day, you might be somewhere else is somebody else's backyard. So I kind of give
the analogy of digging. So you're told to dig in somebody's backyard for dead bodies. And you dig
and dig and dig and dig and you find a dead body and you're like, cool. And then there's a tag on
the body that says, you know, left 15 feet over here, there's another dead body. And you keep digging,
you keep digging, you're like, oh, look at all these bodies I found and you realize you're in
somebody else's yard and you just dug up their dead bodies and you have to go tell them, hey,
by the way, I found your dead bodies in your backyard and I'm sorry, this isn't my place to be
and I'm not supposed to be here. But, you know, you're connected to my neighbor. So I don't know,
it's not, it's your fault. You don't have a moat type of thing. So that can happen and it has
happened and I haven't had any luckily any bad experiences. Just, you know, white flushed out faces
because I freaked out. So the idea there is we've done our guess network and I'll improve my little
my scanner and do the math on it. I used to have a bash script similar to what Kenneth had for
the 10 dot and it would, you know, four, one, two, 10 and five, two, 15. It would like make the
space and map out and dump out an input file. Now I just do come separated values and one line
over in that. So there's no input text document that needs to be added. So I'll update that.
I don't do a lot of discovery or been testing and stuff. I don't do client engagements anymore.
I work for a company now. So, but I'll update that anyways because I like the idea of how I
discovered networks and how quickly you can discover networks too. So from a discovery standpoint,
you've, you know, done your scans, you find out your neighbors, you find out there's some five,
some tens and some 30s through 35 and maybe there's a 40 through 43 and in the 10 dot space,
you scan the 172 space just completely because it's a fast network and you've found everything
on there. 192 use scan because, you know, it's easy to scan. There's only 65,000 in there and
that's pretty, pretty, pretty quick to scan. And you have all your hosts. Now from a discovery
standpoint, you've done pretty much everything you can do from an IP space to discover other hosts
on the network. Now, when that starts to scale up is when you have access to another device.
So, for example, if a device has two interfaces and those two interfaces are connected to
two different networks that you may or may not be in scope or may or may not be part of the same
network. So, for example, you've got a security vendor and the security vendor, the way they do
their shenanigans is they, you know, set up a VPN from their corporate protected environment,
quote unquote, to your, you know, your environment. So, they're connected so they can do updates and
things like that. And you'll find that this happens a lot. Service providers, anybody that gives you
a box that does magical things, they usually have full blown admin rights remotely to that box
and they can do whatever they want, which is pretty scary in a enterprise environment because
you're trusting them to have keys to your house. It's essentially giving some vendor a key to your
house and hope that they don't, you know, some guy doesn't rob them of all their keys and, you know,
try to break into everybody's house at once over the weekend. So, there's a pretty strong,
it's a pretty strong chance that there's someone on the corporate network that is coming from
somewhere else or that's up in dirt and it's sitting on a different network. So, you have to be
careful with that and understand that, you know, maybe you pop a phone switch and that phone switch
got to be being a connection to a different network. And you need to look around and say, hey,
look, here's another interface. Let me look. Oops, this doesn't look like this has to do with phones.
This looks like somebody else's network. This is not my client, the naming conventions different.
Let me just make my notes and, you know, tell the client that, you know, we've discovered and we're
able to move laterally through someone else's connections, right? And I would say, I think that
pretty much covers network discovery. You know, there's other networks besides IP networks that
I don't really have time to get into or want to get into here, but I don't have a whole lot of
experience with anything outside of TCP networking and discovery. So, I think I pretty much
and talked about discovery to the fullest extent that I can. But I will say, if you do get the
chance to pilot masking, you can throttle it to different speeds. So, where masking or a scan
on in-map takes, you know, 30 minutes, it might take three seconds or 60 seconds with masking.
So, depending on the speed, you want to start slow, not even the default, you want to start
slow and then start ramping it up until people start reporting the things are out. Now, things
might actually go down and then you don't figure out till later because that's how businesses work.
They don't understand the networking and the networking infrastructure folks don't really know what
it looks like when someone goes after their network like that. You're essentially kind of denial
of servicing the entire network when you're using masking. So, you want to start slow and start
scaling it up and, you know, we were able to do masking from nine boxes on 100,000 hosts in
30 minutes, two hours, something like that. So, we can do an entire 10. scan, 172 scan,
and 192 scan all in under two hours. And I'll put that, my lame DM-map, lame DM-map, it's a distributed
in-map script that I wrote that I had assigned to another gentleman and, you know, he was trying to
kind of make it gold and I said, look, we just need to POC this, see if it works. And he wasn't
able to lip it in time, so I quickly wrote a script that would just work. It's not secure,
necessarily by any means, but just use this as HK's to run and perform scans on other boxes.
And it picks up batch jobs and all kinds of stuff and checks the remote host to see if they're
running in-map, if they're not, it picks up the next batch job. So, that's kind of interesting.
Anyways, I think that covers all network discovery that I'm aware of. Now, there's the whole
wireless thing, you know, you can do it with your phone, you can do it with an Uber-tooth,
on Uber-tooth, and Uber-one, whatever, you can do it with any number of things. But nowadays,
like wireless discovery is pretty simple as far as discovering networks, but as far as breaking
into them, you've got, you know, secure networks with certificates, you've got passwords,
you can try and brute force. There's home networks that have varying degrees of protocols,
which have issues or known routers that have issues or weak passwords that you can kind of brute
force keys and pins for those. But in general, wireless is a little more difficult to do
discovery on, especially if you don't have authentication to wireless, because in most cases,
your wireless is going to have authentication on it, but you'd be surprised. Your commercial
or your residential wirelesses aren't protected. Mine is a passphrase, but it's pretty weak.
So, I would like to do a thing on wireless discovery, but I haven't done it in honestly 10 years
professionally. I set up a couple of Linux boxes to do more driving stuff with Kizment,
and that's about closest I've gotten, so there's not a whole lot there. But in general,
I'll say some more in-app specific stuff. So, my favorite switches are, kind of go over my favorite
switches here. So, one thing people don't know is if you're running in-app kind of interactively,
you can use the D and V as in Victor and D as in Delta keys to increase the debug level and
the verbosity level and holding shift will decrease the relevant switch. So, shift D will decrease,
shift D will increase and V will increase and D will increase the debug level. Those are
little known, so you can turn them up and down. If in-app looks like it's being weird,
being walky, you can kind of turn the debug level up a couple and see what it's doing,
what it's getting stuck on and kind of adjust from there. But once you kind of tell in-app to run,
there's not a whole lot you can do to pick up where you left off. They do have some resume stuff,
but it's not 100% and it doesn't really scale to that big. Let's see, SV is like service
finger printing. I will do script arguments. I'll provide kind of my one-liner for in-map.
What's the other ones I like to use? To check for external connectivity,
the ports open, you can scan letmeoutofyour.net. So, if you scan like the top 2,000 ports with
letmeoutofyour.net and you get one open, and you hope that it's not using the packet inspection,
you can tell your traffic whatever you want over that port if you're lucky. Let's see,
there's heartbeat checkers and I'll put the link to my food script. I will say there's specific
ones around SMB stuff that I have some notes for. But in general, there's only like four switches
you need to know and they're kind of all in here. Let's see, there's the T5 setting,
which I try to use where possible that makes it faster and sets some things for you. I'll also do
max retries one and min parallelism 100. That seems to help make things a little bit quicker. It
really depends. You have to find your bottlenecks and kind of work around your bottlenecks sometimes.
I always use the dash dash open because I don't want closed or filtered ports in my
gobbling up my results. I also like top ports. That's a fun one to do. I'll use that
Genoise Speaking. I'll do output all, which is O and then capital A. Lowercase O capital A.
I'll do top ports. I'll do T5. I'll do SS, which is by default if you're running through anyways.
I have some custom Oracle script checking that will make a, in the list, you look for Oracle,
there's some notes around Oracle, do an Oracle scans to try to find default logins and stuff
for Oracle instances. There's a lot too in that. It's essentially a vulnerability scanner.
I'm working on a one-liner. I think it's called like work in progress, WIP, in that one-liner,
something like that, bone scan. It's pretty noisy, obviously, so it gets stuck in a lot of places.
I'm working on the more networks that get access to, the more I'll run that one-liner. If it
doesn't get stuck anywhere, or if it gets stuck somewhere, then I'll evaluate how I got stuck and
either add it in or work around that thing that it gets stuck on. There's a fair number of plugins
that run if you enable all the plugins and disable all the safety stuff, they will run and take
for flipping ever, and especially if it's something with throttle authentication, like SSH, whatever.
Anyways, there's a million things. I will link to somebody else's in-map training thing that
it's a really great job. He supports the community here nationally and goes to conferences and stuff.
Brimstone pretty sharp dude here in Atlanta, so I'll post his get repository for like in-map training
if you want to get into all the weeds of that. There's some really great stuff in there. Great
approach. Anyways, hope this helps out. If you have any questions, feel free to hit me up. If you're
doing an assessment, feel free to dial me in or reach out to me and get my number. I take calls
from folks fairly often, and it's great to hear somebody, hey, I got access to this box.
But I don't know what to do, or I think this thing is interesting over here. What do I do?
And there's not a whole lot of people out there that will spoon-feed you the right steps to do
things. You can hang out in Discord chat and read team and pen-testing forums and pen-testing chat
rooms and stuff, but really nobody's going to hold your hand and really help you out. But
hope for your reach out to me if that's your, that's your dig or if you're interested in it.
I'm going to go from there. Appreciate it. Thank you.
You've been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday, Monday through Friday.
Today's show, like all our shows, was contributed by an HBR listener like yourself.
If you ever thought of recording a podcast, then click on our contribute link to find out
how easy it really is. Hacker Public Radio was founded by the Digital Dove Pound and the
Infonomicon Computer Club, and is part of the binary revolution at binwreff.com.
If you have comments on today's show, please email the host directly, leave a comment on the website
or record a follow-up episode yourself. Unless otherwise status, today's show is released on
creative comments, attribution, share a like, 3.0 license.
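Review bot: roughly 110 consecutive lines of this file, between the spoken AnanasThost.com ad and "inspection stuff will know and say", contain only "." and the first real line after them starts mid-sentence, so the transcription dropped a block of audio and replaced it with filler; nothing in the file marks those lines as non-speech, and the in-memory loader described in the commit message will index and return them as transcript text unless it filters punctuation-only lines, so strip such runs at load time (or regenerate this transcript from the Source URL) and add a loader test for it. Two further points for the search tools: the only structured metadata here is the plain-text header (Episode:, Title:, Source:, Transcribed:, then ---), and its title (Locating Computer on a Enterprise Network) differs from what the transcription produced in the spoken intro (Locating Computer Honor Enterprise Network), so the header rather than the body should populate the title field; and the body is unedited speech-to-text with tool names rendered phonetically (in-map and M-MAP where the speaker evidently means nmap, masking for the stateless scanner he describes, SNNP and SMTP for what he himself expands as simple network management protocol), so keyword search over transcripts will miss these terms unless the README states that transcripts are raw ASR output or an alias list is applied at query time. Finally, since this text is returned verbatim to an LLM client over MCP and, as the closing credits say, episodes are contributed by listeners, the server should present transcript content strictly as quoted result data and never interpolate it into its own tool descriptions or instructions.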