NSE, Vulnerability Testing & Exploitation Part 2 - NM


Course Time: 7 hours 1 minute
Difficulty: Beginner
CEU/CPE: 7
Video Transcription
00:01
All right. Welcome to the Nmap Scripting Engine lab.
00:06
The goal of this lab is to find a Cisco switch on the network.
00:10
I'm gonna run a vulnerability scan against it, and then I'll exploit it,
00:14
and then we'll look at the results together.
00:18
So I'm running Windows 10 on this
00:21
scanning station.
00:23
I'm gonna go ahead and navigate to the Nmap
00:27
directory.
00:40
Clear the screen.
00:41
All right. So first we'll run a ping sweep
00:45
like we've run a lot of times in the past.
00:51
We'll use CIDR notation, but I'm gonna limit the scope of this scan
00:56
since I have a little bit of insight into this network.
01:00
Okay, so we have two Cisco devices here, and I happen to know that we're most interested in this device at 192.168.1.2.
01:12
So clear the screen again.
01:15
I'm gonna do an OS discovery
01:18
on that
01:19
device. We'll do it: nmap
01:22
-O,
01:30
there's our results.
01:33
So it says no exact OS matches for host
01:36
and gives us the fingerprint.
01:38
It does show us that ports 23 and 80 are open
01:42
but doesn't really give us
01:45
very good information about
01:48
what operating system that host is running.
01:49
other than that we know the MAC address is here, and it's a Cisco device,
01:55
so I'll clear the screen again.
01:59
So if you remember from our OS
02:01
detection scans in the past, the previous lesson
02:07
we did an nmap -O
02:15
--osscan-guess.
02:22
What the scan does is it gives us
02:25
a reasonable amount of certainty about the operating system that the target is running.
02:35
Scroll up
02:38
And here you see aggressive OS guesses: Cisco 2950 switch running IOS 12.1,
02:46
and that's a 98% degree of certainty. And so that's pretty good. It's good enough for me,
02:53
so I'll go ahead and clear the screen again.
02:59
And
03:00
first of all, we'll run a typical default Nmap
03:04
NSE scan. And that is with nmap
03:07
-sC against that target.
03:15
This runs every NSE script
03:19
that is categorized as default.
03:23
It does give us some good information,
03:27
shows us the ports again that are open,
03:30
and you see that the http-auth script came back with results,
03:38
not earth shattering. But
03:42
I want to show you that scan nonetheless.
03:45
So
03:46
next, what I really wanted to show you was:
03:50
currently we're in the Nmap default directory on a Windows 10 device, and this
03:58
applies to any operating system that you're running, really. But
04:02
if I go back,
04:06
yeah,
04:09
if I go back a folder, a directory, and run an Nmap scan
04:16
against the same target.
04:20
Obviously, it'll also run, because nmap is in the path. So I'm gonna cancel that.
04:29
Get back in the Nmap folder,
04:30
clear the screen.
04:32
Um,
04:34
so
04:36
the reason I'm showing that is because one of the ways that you can run an Nmap scan is simply by
04:45
using the command nmap
04:48
--script
04:49
and then the name of the script that you want to run.
04:54
Well,
04:55
where we're at right now, we don't know the name of any of the scripts. So unless you just happen to memorize them all,
05:02
uh, you wouldn't really know what to run.
05:05
Well, what I like to do when I'm running Nmap scripts
05:10
personally, if I'm doing it from the command line, is I like to navigate into
05:15
the scripts directory. So
05:17
if we do it, I'll do a dir *.,
05:21
which will show me all the folders in the Nmap directory,
05:28
and you see this directory right here, which is scripts.
05:31
So when I run Nmap scripts, I like to navigate to that folder. So we'll do a CD.
05:40
Yeah,
05:43
scripts.
05:45
I'll clear the screen again because it's getting a little messy.
05:49
You do a dir here. You'll see every single Nmap script that downloads,
05:57
uh, and installs with the default Nmap install.
06:01
There's gonna be a lot of them,
06:03
all right, so you can see there's 591 scripts, all with the extension of .nse.
06:13
All right, so
06:14
any of these scripts can be run from
06:17
from any location at the command line, because nmap,
06:20
as we learned earlier, is in the path
06:25
in this operating system.
06:27
So
06:29
but I like to run the NSE scripts from the scripts folder simply because
06:34
I can narrow down what script
06:38
I'm interested in the most. And there's just a ton of them here. So
06:45
I think you get my main point. So,
06:48
for instance, we see this
06:50
xmpp-info.nse.
06:56
If I want to run that
06:58
script, we can do nmap
07:00
--script
07:03
xmpp-info.
07:09
Uh, you know, Nmap has a lot of flexibility, so we can do nmap --script=xmpp-info.
07:18
Or you can add the .nse
07:21
if you want,
07:25
or you can leave out the equal sign and do xmpp-info
07:30
alone or add the .nse.
07:32
Both will run.
07:34
I actually don't know what that script does. So
07:39
as we learned in the past, if you're interested in learning what
07:44
a particular script does,
07:46
you run nmap --script-help
07:56
and I can run it like that. Or, like I said, I can add the .nse.
08:00
We'll go ahead and run it like this
08:01
and just for giggles, I'll add the equal sign.
08:09
All right, so the xmpp-info:
08:13
here are the categories that it belongs to: default, safe, discovery and version.
08:18
And here's a brief description that the programmer provided for us: Connects to XMPP server (port 5222) and collects server information
08:31
and so forth.
08:33
And if we want more information, we can
08:35
highlight that URL and go to it in your browser.
08:41
All right. So that's the main point I want to provide to you: there's multiple ways that you can run NSE scripts, and you can run them from multiple locations. But I like to run them in the scripts folder
08:52
personally because
08:56
it's easy to get help on them, learn about them, and easy to see a list of all the ones that you're interested in.
09:05
All right, So
09:07
another thing I want to show you is that you can run
09:09
scripts. For instance, this is in the categories default, safe, discovery and version, so you can run scripts by their category
09:22
by
09:22
simply doing an nmap
09:26
--script
09:30
and then putting the category.
09:33
This one is a default script, but it's also a safe script. So if I wanted to, I could also add
09:39
safe to it. Then put your target.
09:45
I'll go and run this. I'm gonna run all of the default and safe scripts against the target that we
09:50
found earlier.
09:56
All right, that script was taking a little bit too long, so I'm gonna clear the screen,
10:01
but you get the point. You can run multiple categories by simply naming the category and separating by a comma. And the same is true with a particular script. So I'm currently in the scripts folder of Nmap.
10:15
I'll do a dir again. There's a ton of them here.
10:18
Let's say I'm interested in these VNC
10:22
scripts, so I'll do a dir.
10:26
Star...
10:26
I'll do *vnc*, star wildcards.
10:31
Here's all the,
10:35
uh, scripts related to VNC, so I'll go ahead and do... I'm interested in vnc-info and vnc-title,
10:43
so I can do, um, nmap
10:48
--script
10:50
vnc-info
10:52
and vnc-title.
10:56
We'll do against the same target.
11:05
So my point is,
11:07
next to --script, you can put an equal sign if you want, and you can either list
11:13
the categories that you're interested in, or you can actually put the specific scripts.
11:20
We got a result, so I'll move on to the next
11:24
thing. And that is one of the most important reasons why I wanted to do this lab.
11:28
And that is
11:30
now that we found our Cisco switch on our network, I want to do a vulnerability scan against it. And
11:37
in Nmap,
11:39
one of the simplest ways that you could do a vulnerability scan against any device is by using the category vuln.
11:46
So we'll do nmap
11:50
--script
11:52
vuln
11:54
against
11:54
the Cisco switch.
11:58
This script takes a little bit of time, so I'll cut the video, and once the results come back, we'll talk about them.
12:07
Okay? And there's our results, So I'm gonna scroll up.
12:13
So essentially that run ran every scan, every NSE script that
12:18
had
12:20
a category of vulnerability, or vuln.
12:28
I hit Enter a bunch of times to see the status,
12:31
but
12:33
you can see several different vulnerabilities here. It's not vulnerable to this
12:39
DoS attack.
12:43
It does have telnet open,
12:50
shows that it's vulnerable to authentication bypass by HTTP verb tampering,
12:58
gives all the details here, the URLs where you can find out
13:03
more information about those vulnerabilities.
13:09
So that's really interesting information to me.
13:11
Um, I would like to try to attack and exploit some of those vulnerabilities, so I'm gonna clear the screen.