
BSidesKC 2018 - Jared Bare - From Port Scanning to Password Cracking

BSides KC · 2018 · 15:07 · 28 views · Published 2018-06
Category: Technical
Style: Talk
About this talk
From Port Scanning to Password Cracking: If You're Not Using NMAP, You're Doing It Wrong. This talk will discuss the Swiss army knife of all security tools: NMAP. The major focus will be on NMAP's purpose in an environment, useful commands, and utilizing the NSE scripting engine to audit and discover devices within your own network. Did you know you can brute force with NMAP? What about using it as a vulnerability scanner? Did you know you can drop NMAP output into Slack? At the end of this presentation, you will know how to do all this and more. Whether you are new to the industry or a seasoned pro, you will learn something different about NMAP.
Transcript [en]

so genitals you know the poor scared so hello everyone that should be says please two through seven to talk I really like these and have some fibers and outriggers so of course my soft is of course being depressed apparently these four times the impact of your night zero and I always thought it and wants to buy this stuff and all my talks displayed where all these are my own and and this information if you use it I'm not responsible so the great things in here my identity interested in jail don't hold me responsible a little bit about me I'm security loss of a large data company GCF IH certified colonists and a security oolitic Columbia Missouri

and then I'm all stood behind a very proud father so I just have to show up my girls at home too how many people here used in that automatically methods great for those who don't know this is security scan so you can do for discovery to do service discovery you can do a bunch of things on there so what did you know to impact and also brute force of drag passwords you can check our website for some spot on websites and you can also check the sign certificates you can see if your host and your networks one will - they have WannaCry and then also you can run some exploits as well as well as some

fuzzum fuzzum applications

so you've probably asked him more how does it do that has DL just ports me so Nmap has a built-in NSE scripting engine and these are Lua scripts developed by the community so they take all the basic my house discovery experience and they take those and write those and so there's hunter script reviews and it's really fun I'm a little at sea one that is just a screen shot others to the iceberg of all the a mass spectrometer is literally hundreds of scripts different technologies with reduces so the question is for those who don't know how to use Nmap how to get started well first of all you need an admission the

commune uses words in your environment they sign up the rear boss boss boss on the team day of the scan for devices with make sure you get that documented somewhere eyeballs in your hosts where they like those likes you else wants a doctor as well ie a newsman and you also gave me some other things I have some terrific experience stickers is that

awesome the command line doesn't really matter which one and then if you don't have to mail an experience I like to say there's a movie for that because there is it Mexicans compact with ability so you'd like to put my butter let's see pretty grass today you know it's nice this will create on top politic grab for you organics so we are just going to go over some basic Nmap commands it's pretty simple just nmap and then your host whether that be an IP address assignment or a host name and then the gamble of that is that that's a little sweeter stand pat - they will give you OS detection and also some details and

then my favorite any in Mecca man when I start hiding the density that is showing the service from olive oil

and that's what this scan looks like so as you can see see what ports are open ports will turn the basic message we had a negotiate the destined for the SS they chose peace we did the certificate check we also get the OS detection as well and that web the t4 actually sees the standard as well but again my favorite command is just -sV that mostly again it says they all the versions will of course is running out as far as the software's concern and that's really good for the confer like out of date except to T Apache servers and what happen so useful in fact a man so if you want to take all

this if it makes you want out put it too far you can do that with -oN (capital N) that will create a text file you can also do it for XML if you like the worse things are there a scripting language and also you can do it for a record department from a clinic settings there's leading all three formats you can do a - both Echo Lake and then if you want to see the target listing and matter all you do is -iL (capital I, lowercase L) and you can see to them vixen magic postal system inside ranges host names IP addresses and that's really nice if you have a big target list and then if

you want to scheme your entire career IPv6 hosts which it should be event out but before moving on I do you want to remember this cleaner because we are going to go over a few things a source brew through reporting concern about dead serious about it so I thought I felt responsible for what to do this information of that even if you're just playing around and get intelligence so after that big said let's have some fun so we're going to invoke the food for script I have on server and to do this we're just going to scan the website which is equal cycle TW I own that website by the way I'm not never take a

look at the output in DC oh great kept on I don't have telematics I don't but this is sort of indicator does all right he's got a mix of protocol let's go interpret forces so how we're gonna do that versus I'm gonna create a list of these demands and common passwords and of course I do that at the exact administrator bill in routes there's a lot of bill system administrators I don't know why all the common passwords a ham sandwich so we are going to Peppa daddy scripts built into Nmap and so that is the command-line arguments and what you get happy to pass between username may be useful listen your password list you can attack the host

that we just brute force to tell that protocol that's pretty simple pretty easy to do but it's something fun you can do game over here's some more resources grips you can actually the course SSH MySQL Postgres logins keeping brute-force LDAP and an SMB protocol it is and that also there is plenty more you can do this work for close the forces concerns so go ahead check out the website so it connects to the hosts what else was listening on there well 443 so obviously it's a web server so my implant it's expired and see if it's signed what that we keep maybe so there's some bleep curveballs so to do that we are going to

do nmap --script and maybe that's Excel sir look at that it's totally not a self-signed cert you know for his teen eliminations and this is really do that I actually use this in my environment too because we do developers we're really starting and run tests names all the time because in developers but they do not renew their self-signed certs and so I just sweep my entire network using the script and see what post happening so see then the cell sensor surely the sir has too many excitement as I'm just guessing here so we invoke Nmap script ssl-enum-ciphers in the host and as you can see TLS 103 that ciphers throw

all at him and Nmap will tell you what warnings there is like three days are mostly 32-week ciphers in the world in action trades as well and that's really handy so a little bit trivia TLS is wonderful to what anybody now raise your hand if you know what attack some are little is that I buy and learn said that here tying so no you here so again we test the TLS protested certificate and by the way you can invoke multiple scripts on the same vampire and so why we're doing this so Larry and I are just with the same spirit comment and there you go and actually it actually to the port so if you're running like that Tomcat I'm

certain for you can also check patents were out here's some in advancement Nmap stuff but it won't really dive deep into this but some stuff you can be you can build your own scripts that using different - or pipeline where everyone knees you can actually build NSE scripts themselves and so I have my teens sometimes like dropping information to Slack right in blue in a secret or haven't done that yet that's on the list you can actually I want to make baskets so one say exactly demands do you have an environment or should not be built in you can actually sign with set up a cron job test that the fire reports can it

really be the Slack if that pork desk a little bit better and then just contribute to community by building around scripts Lua is kind of interesting language it's kind of fun to get it to you a box kind of like seeds for that organ if you're super familiar skiing whatever again this is just a batch script and already what we're trying to detect what into other words the change and it'll take it out or send a note that in Toronto every 15 minutes and we're going to have the information to Slack and that's what that looks like it just really ain't that that's why 15 lines of code

another really good thing that I like to use is alongside with my other tools you can use for vulnerability detection and all you have to do is impose even old script commands up there you can also check for WannaCry most this was what a lot of I was did last year that was written pretty quick it was really helpful for us because we had a long time to have that day and not have to date because that screw it and then also you can check for the infamous now MS08-067 I hope these very never enough but I know there is it's a fast reduced to best to serve and that's what sorry

yeah that is the vulnerability NSE script output right now so it'll go through some basic vulnerability checks don't use that to replace your one with vulnerability scanner just using a pentest tool

yeah this is continuing welcome today that is out there for the WannaCry one which is really acceptable for us again kind of blew through this web of get some information but some disclaimers on the school is that it might be as controversial you know it's either be given hackers more tools to get your binder where you have better tools to audit your environment I'm kind of mix a little bit of both but I kind of I feel it's a good tool that everybody any IT professional I just hear you should use if you do use this and you by accident or even with intentional purposes you can and will go to jail it will arrest

you if the log your IP and you ignore the warnings and addressing the camera quick no I didn't touch on this but if you have if you could this AWS make sure you give permission because if you don't they will shut down here into this account right now I've seen before we repeat with the 13 now shut down there in the president's office crafter why because it was scan [Music] so yeah again you always give permission when you're running this tool that's the number one thing so summary again everybody does Nmap it's free that's why they supported that we have a huge community that it's not a new forum encourage keep it go downloaded a cutest topics are playing

for just initially and then life at least it's it's fun this is fun of you I love this this is my favorite analysis because it's so simple of tcp is to see to teach just resources at my website and see dollar amounts levels of a programming language thanks so much guys like something and

the style of the chocolate by their well-being is solely to do security for their country analysis of my project it's a publicly traded company and also essentially the former part of justice prosecutor in our state they actually said that are you traded companies and in some cases we'll talk about the prosecutors prepared to the cover so people talk like that to be truly human to the Box other variables are surprises because is everybody
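The abstract and the transcript describe two pieces of the workflow the speaker uses on his own network: writing Nmap output to XML (`-oX`), sweeping for self-signed or expired certificates with the `ssl-cert` NSE script, and pushing a summary into Slack from a cron job. The block below is an added example, not code from the talk or from the Nmap project: it parses a constructed `-oX` sample whose `ssl-cert` element layout (`subject`, `issuer`, `validity` tables with `commonName`, `notBefore`, `notAfter` elems) is an assumption about the script's XML output, flags self-signed, expired and soon-to-expire certificates, and builds the JSON body a Slack incoming webhook expects. The clock is injected so a scheduled run is reproducible; the webhook URL is a placeholder and posting is left as a comment.

```python
"""Turn an Nmap -oX ssl-cert sweep into a Slack-style certificate hygiene report.
Added example (not the talk's or Nmap's code); sample data is constructed."""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample of `nmap -sV --script ssl-cert -oX out.xml <own-range>`.
# Assumption: ssl-cert reports subject/issuer/validity as <table key=...> with
# <elem key=...> children, as shown here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1528000000">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" product="Apache httpd" version="2.4.6"/>
        <script id="ssl-cert" output="...">
          <table key="subject"><elem key="commonName">dev.example.test</elem></table>
          <table key="issuer"><elem key="commonName">dev.example.test</elem></table>
          <table key="validity">
            <elem key="notBefore">2017-01-01T00:00:00</elem>
            <elem key="notAfter">2018-01-01T00:00:00</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8443">
        <state state="open"/>
        <service name="https-alt" product="Apache Tomcat"/>
        <script id="ssl-cert" output="...">
          <table key="subject"><elem key="commonName">intranet.example.test</elem></table>
          <table key="issuer"><elem key="commonName">Example Internal CA</elem></table>
          <table key="validity">
            <elem key="notBefore">2018-01-01T00:00:00</elem>
            <elem key="notAfter">2019-01-01T00:00:00</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

WEBHOOK_URL = "https://hooks.slack.com/services/PLACEHOLDER"  # placeholder, not a real hook


def _elem(script, table_key, elem_key):
    """Read one <elem> under a keyed <table> of an NSE script result."""
    node = script.find(f"table[@key='{table_key}']/elem[@key='{elem_key}']")
    return node.text if node is not None else None


def cert_findings(xml_text, now, expiring_within_days=30):
    """One dict per ssl-cert result; `now` is injected for reproducible runs."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-cert']")
            if script is None:
                continue  # port had no certificate result
            subject = _elem(script, "subject", "commonName")
            issuer = _elem(script, "issuer", "commonName")
            not_after = datetime.fromisoformat(_elem(script, "validity", "notAfter"))
            service = port.find("service")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "product": service.get("product") if service is not None else None,
                "subject": subject,
                "self_signed": subject == issuer,   # issuer CN equals subject CN
                "expired": not_after < now,
                "expiring_soon": now <= not_after <= now + timedelta(days=expiring_within_days),
                "not_after": not_after.isoformat(),
            })
    return findings


def slack_payload(findings):
    """JSON body for a Slack incoming webhook; only flagged certificates are listed."""
    lines = []
    for f in findings:
        flags = [k for k in ("self_signed", "expired", "expiring_soon") if f[k]]
        if flags:
            lines.append(f"{f['host']}:{f['port']} ({f['subject']}) "
                         f"{', '.join(flags)}, expires {f['not_after']}")
    text = ("Nmap ssl-cert sweep: no findings" if not lines
            else "Nmap ssl-cert sweep:\n" + "\n".join(lines))
    return {"text": text}


def demo_findings():
    """Run the parser over the constructed sample at a fixed date."""
    return cert_findings(SAMPLE_XML, now=datetime(2018, 6, 1))


if __name__ == "__main__":
    payload = slack_payload(demo_findings())
    print(json.dumps(payload, indent=2))
    # In a cron job this would be followed by e.g.
    # requests.post(WEBHOOK_URL, json=payload), with the real URL kept in the
    # environment rather than in the script.
```

Run from cron after the scan has written `out.xml` and feed the file contents to `cert_findings` in place of the sample; hosts whose certificate is fine are dropped from the message so a clean sweep produces a single "no findings" line rather than noise every 15 minutes.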