1
00:00:01,370 --> 00:00:04,610
The simple network management protocol, SNMP,

2
00:00:05,850 --> 00:00:13,470
is used to query networked devices for information such as bandwidth utilization, collision rates and

3
00:00:13,770 --> 00:00:15,110
a whole lot of other information.

4
00:00:16,850 --> 00:00:20,810
But it doesn't only provide network management and monitoring capabilities.

5
00:00:21,960 --> 00:00:28,920
It's also capable of changing the configurations on the host, allowing the remote management of

6
00:00:28,920 --> 00:00:29,900
the network device.

7
00:00:31,180 --> 00:00:34,000
Yes, I can tell this gets you excited, huh?

8
00:00:34,770 --> 00:00:36,300
My young apprentice.

9
00:00:37,500 --> 00:00:39,240
And you are right.

10
00:00:40,320 --> 00:00:48,390
So SNMP servers can offer considerable information for penetration testers to perform reconnaissance

11
00:00:48,420 --> 00:00:57,330
on a specific system. You may also see SNMP installations on some operating systems to specify information

12
00:00:57,330 --> 00:01:01,320
such as CPU utilization, free memory and so on.

13
00:01:02,600 --> 00:01:10,280
It's often automatically installed on many network devices with public as the read string and private

14
00:01:10,280 --> 00:01:11,180
as the write string.

15
00:01:12,550 --> 00:01:21,190
On Windows-based devices with poorly configured SNMP, you can extract patch levels, running services,

16
00:01:21,730 --> 00:01:32,110
usernames, uptime, routes and, well, so much information that it'll totally level up the penetration

17
00:01:32,110 --> 00:01:32,740
test for you.

18
00:01:35,420 --> 00:01:39,440
So let's use the services command to search for the SNMP service.

19
00:01:40,500 --> 00:01:46,470
And yes, indeed, we only have the SNMP port open on Metasploitable 3.

20
00:01:47,940 --> 00:01:48,930
The version is one.

21
00:01:49,880 --> 00:01:58,970
SNMP version 1 and version 2 both have proven security flaws, but SNMP version 3 is

22
00:01:58,970 --> 00:02:03,500
improved with encryption as well as better check mechanisms.

23
00:02:06,090 --> 00:02:09,390
But anyway, I'll search for SNMP auxiliaries.

24
00:02:13,310 --> 00:02:17,540
And this time I'm going to start with snmp_enum.

25
00:02:19,080 --> 00:02:20,360
Show me the options.

26
00:02:21,910 --> 00:02:28,390
Oh, and by the way, the community strings are essentially passwords that are used to read or write

27
00:02:28,390 --> 00:02:29,620
information to a device.

28
00:02:30,740 --> 00:02:36,620
So if the SNMP version is right and you guessed the community strings,

29
00:02:37,990 --> 00:02:46,120
SNMP itself can allow anything from excessive information disclosure to full system compromise.

30
00:02:47,410 --> 00:02:54,190
Let me give you an example: if you get the read/write SNMP community string for a Cisco router, you

31
00:02:54,190 --> 00:02:59,740
can download, modify and upload the configuration to the router with a backdoor.

32
00:03:01,560 --> 00:03:05,130
So here, I'm not going to change the community variable.

33
00:03:07,300 --> 00:03:11,290
I will just set the port to 161.

34
00:03:12,460 --> 00:03:15,280
And yeah, everything looks quite good.

35
00:03:16,390 --> 00:03:17,620
Now, I'll run the module.

36
00:03:20,450 --> 00:03:26,420
So as you can see, SNMP brings all the information about the target, Metasploitable 3.

37
00:03:27,820 --> 00:03:32,710
From running applications to network interfaces.

38
00:03:34,230 --> 00:03:42,630
Service information, device information, user enumeration, nearly everything about the target.

