NSE, Vulnerability Testing & Exploitation Part 2 - NM
All right. Welcome to the Nmap Scripting Engine lab.
The goal of this lab is to find a Cisco switch on the network.
I'm going to run a vulnerability scan against it, and then I'll exploit it,
and then we'll look at the results together.
So I'm running Windows 10 on this machine.
I'm going to go ahead and navigate to the Nmap directory
and clear the screen.
All right. So first we'll run a ping sweep,
like we've run a lot of times in the past.
We'll use CIDR notation, but I'm going to limit the scope of this scan,
since I have a little bit of insight into this network.
Okay, so we have two Cisco devices here, and I happen to know that we're most interested in this device at 192.168.1.2.
So clear the screen again.
I'm going to do an OS discovery against that device. We'll do nmap -O,
and there are our results.
So it says no exact OS matches for host
and gives us the fingerprint.
It does show us that port 23 and port 80 are open,
but it doesn't really give us
very good information about
what operating system that host is running,
other than we know the MAC address is here and it's a Cisco device.
So I'll clear the screen again.
So if you remember from our OS
detection scans in the past, in the previous lesson
we did an nmap -O scan with --osscan-guess.
What that scan does is give us
a reasonable amount of certainty about the operating system that the target is running.
And here you see aggressive OS guesses: Cisco 2950 switch running IOS 12.1,
and that's a 98% degree of certainty. So that's pretty good. It's good enough for me,
so I'll go ahead and clear the screen again.
First of all, we'll run a typical default Nmap
NSE scan, and that is nmap -sC
against that target.
This runs every NSE script
that is categorized as default.
It does give us some good information,
shows us again the ports that are open,
and you see that the http-auth script came back with results.
Not earth-shattering, but
I wanted to show you that scan nonetheless.
Next, what I really wanted to show you was this.
Currently we're in the Nmap default directory on a Windows 10 device.
This applies to any operating system that you're running, really. But
if I go back a folder, a directory, and run an Nmap scan
against the same target,
obviously it also runs, because nmap is in the path. So I'm going to cancel that,
get back in the Nmap folder,
and clear the screen.
The reason I'm showing that is because one of the ways that you can run an Nmap scan is simply by
using the command nmap --script
and then the name of the script that you want to run.
Where we're at right now, we don't know the name of any of the scripts. So unless you just happen to memorize them all,
you wouldn't really know what to run.
Well, what I like to do when I'm running Nmap scripts,
personally, if I'm doing it from the command line, is I like to navigate into
the scripts directory. So
I'll do a dir *.,
which will show me all the folders in the Nmap directory,
and you see this directory right here, which is scripts.
So when I run Nmap scripts, I like to navigate to that folder. So we'll do a cd,
and I'll clear the screen again because it's getting a little messy.
If you do a dir here, you'll see every single Nmap script that downloads
and installs with the default Nmap install.
There are going to be a lot of them.
All right, so you can see there are 591 scripts, all with the extension of .nse.
All right, so
any of these scripts can be run from
any location at the command line, because Nmap,
as we learned earlier, is in the path
in this operating system.
But I like to run the NSE scripts from the scripts folder simply because
I can narrow down what script
I'm interested in the most, and there's just a ton of them here. So
I think you get my main point.
So, for instance, we see this
xmpp-info.nse.
If I want to run that
script, we can do nmap
--script
xmpp-info.
Nmap has a lot of flexibility, so we can do nmap --script=xmpp-info,
or you can add the .nse
if you want,
or you can leave out the equal sign and do xmpp-info
alone or add the .nse.
Both will run.
I actually don't know what that script does. So,
as we learned in the past, if you're interested in learning what
a particular script does,
you run nmap --script-help,
and I can run it like that, or, like I said, I can add the .nse.
I'll go ahead and run it like this,
and just for giggles, I'll add the equal sign.
All right, so the xmpp-info script.
Here are the categories that it belongs to: default, safe, discovery, version.
And here's a brief description that the programmer provided for us: connects to XMPP server (port 5222) and collects server information,
and so forth.
And if we want more information, we can
highlight that URL and go to it in your browser.
All right, so the main point I want to provide to you is that there are multiple ways that you can run NSE scripts, and you can run them from multiple locations, but I like to run them in the scripts folder.
It's easy to get help on them, learn about them, and easy to see a list of all the ones that you're interested in.
All right, so
another thing I want to show you is that you can run
scripts by their category. For instance, this one is in the categories default, safe, discovery, version, so you can run scripts by their category
simply by doing nmap
--script
and then putting the category.
This one is a default script, but it's also a safe script, so if I wanted to I could also add
safe to it, then put your target.
I'll go ahead and run this. I'm going to run all of the default and safe scripts against the target.
All right, that scan was taking a little bit too long, so I'm going to clear the screen,
but you get the point. You can run multiple categories by simply naming the category and separating by a comma, and the same is true with a particular script. So I'm currently in the scripts folder of Nmap.
I'll do a dir again. There are a ton of them here.
Let's say I'm interested in these VNC
scripts, so I'll do a dir
*vnc*, with wildcards.
Here are all the
scripts related to VNC, so I'll go ahead and do this. I'm interested in vnc-info and vnc-title,
so I can do nmap
--script
vnc-info,vnc-title.
We'll do that against the same target.
So my point is,
next to --script you can put an equal sign if you want, and you can either list
the categories that you're interested in, or you can actually put the specific scripts.
We got a result, so I'll move on to the next
thing. And that is one of the most important reasons why I wanted to do this lab.
And that is,
now that we found our Cisco switch on our network, I want to do a vulnerability scan against it. And
in Nmap,
one of the simplest ways that you could do a vulnerability scan against any device is by using the category vuln.
So we'll do nmap
--script vuln against
the Cisco switch.
This scan takes a little bit of time, so I'll cut the video, and once the results come back, we'll talk about them.
Okay, and there are our results, so I'm going to scroll up.
So essentially that ran every NSE script that has
a category of vulnerability, or vuln.
I hit enter a bunch of times to see the status.
You can see several different vulnerabilities here. It's not vulnerable to this
DoS attack.
It does have telnet open.
It shows that it's vulnerable to authentication bypass by HTTP verb tampering.
It gives all the details here, the URLs where you can find out
more information about those vulnerabilities.
So that's really interesting information to me.
I would like to try to attack and exploit some of those vulnerabilities, so I'm going to clear the screen.
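As an added example that is not part of the lab and not Nmap's own code, the POSIX shell script below does in a scriptable way what the lab does by hand in the scripts folder: it reads the categories table that every NSE script declares in its header, answers "which scripts would --script vuln (or --script default,safe) actually run from this directory?", matches script names with a glob the way dir *vnc* does, and builds the comma-separated --script command lines the lab types. The three .nse files it creates are constructed stubs (hypothetical headers, not copies of the real scripts); on a real install you would point the same functions at the actual scripts directory, which is assumed here to be the usual default location (C:\Program Files (x86)\Nmap\scripts on Windows, /usr/share/nmap/scripts on most Linux packages).

```shell
#!/bin/sh
# Added example (not part of the lab): answer "which scripts would
# --script <selector> actually run?" by reading the categories table that
# every NSE script declares, and build the matching nmap command lines.
# The .nse files below are constructed stand-ins for Nmap's scripts
# directory; only the header lines that matter here are included.
set -eu

# Create a temporary scripts directory with three constructed scripts and
# print its path. Category lists are hypothetical, not quoted from Nmap.
make_sample_scripts_dir() {
    dir=$(mktemp -d)
    cat > "$dir/xmpp-info.nse" <<'EOF'
description = [[ Connects to XMPP server (port 5222) and collects server information. ]]
categories = {"default", "safe", "discovery", "version"}
EOF
    cat > "$dir/vnc-title.nse" <<'EOF'
description = [[ Connects to a VNC server and reads the desktop title. ]]
categories = {"intrusive", "discovery"}
EOF
    cat > "$dir/http-method-tamper.nse" <<'EOF'
description = [[ Checks for authentication bypass via HTTP verb tampering. ]]
categories = {"auth", "vuln"}
EOF
    printf '%s\n' "$dir"
}

# Print the categories one script declares, one per line.
nse_categories() {
    sed -n 's/^categories *= *{\(.*\)}.*/\1/p' "$1" | tr ',' '\n' | tr -d ' "'
}

# List scripts (name without .nse) in directory $1 that belong to category
# $2; this is the set "nmap --script $2" selects from that directory.
nse_scripts_in_category() {
    for f in "$1"/*.nse; do
        if nse_categories "$f" | grep -qx "$2"; then
            basename "$f" .nse
        fi
    done
}

# List scripts in directory $1 whose name matches shell glob $2, mirroring
# "dir *vnc*" in the lab (and the globbing --script itself accepts).
nse_scripts_matching() {
    for f in "$1"/*.nse; do
        name=$(basename "$f" .nse)
        case $name in
            $2) printf '%s\n' "$name" ;;
        esac
    done
}

# Build "nmap --script=<a,b,...> <target>" from a target and any mix of
# script names and categories (--script takes a comma-separated list).
nmap_script_cmd() {
    target=$1
    shift
    printf 'nmap --script=%s %s\n' "$(IFS=,; printf '%s' "$*")" "$target"
}

# Demo on the constructed directory.
scripts_dir=$(make_sample_scripts_dir)
echo "--script vuln would run:"
nse_scripts_in_category "$scripts_dir" vuln
echo "scripts matching vnc-*:"
nse_scripts_matching "$scripts_dir" 'vnc-*'
nmap_script_cmd 192.168.1.2 default safe
nmap_script_cmd 192.168.1.2 vnc-info vnc-title
rm -rf "$scripts_dir"
```

Against a real scripts directory this is a quick way to see the blast radius of a category before you run it: nse_scripts_in_category "$dir" vuln lists everything --script vuln will fire at the target, and any script that also carries intrusive or dos tells you the scan is not read-only. The same header fields are what nmap --script-help=xmpp-info (or --script-help=vuln) prints, so the two checks should agree.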