Hello, everybody, and welcome to episode number 17 of the OSCP course: vulnerability scanners. My name is Alejandro Gina, and I'll be the instructor for today's session.
The learning objective is to understand how vulnerability scanners can help us gather information, to execute scans with different tools, and to see how they can help us in our penetration testing process.
So let's get down to business, shall we?
First, we have Nikto. This is the first tool. Nikto is kind of a web vulnerability scanner that can give you really useful information. And by the way, I hope you're planning to take the OSCP exam. In the lab you can actually use whatever technique you want, but during the exam you cannot use vulnerability scanners. The only one that they allow you to use, as of now, is Nikto. Because, you know, it's a web vulnerability scanner, but you can also see it like kind of an information gathering tool. It's not so much of a vulnerability scanner; it can give you some pointers on what to look at and, you know, checks, information that can actually lead you to a new exploitation process.
What can I tell you? It's the only one that they allowed me to use in the exam, because even Metasploit you can only use on one machine. You can only use Metasploit on one machine, so even Metasploit is restricted during the exam, and vulnerability scanners again cannot be used during the exam. However, they can be used when you're actually doing your penetration testing, you know, against anyone who hires you.
Yeah, they're really useful. But let's start with Nikto.
We will use for this example the Debian machine we have. We will not be using the Windows XP machine, because our Windows XP machine doesn't have a web server inside. So let me just specify the host and put the IP of the Debian machine.
Oh, sorry, it's nikto -h.
And as you can see, it will tell you some useful stuff, like which OSVDB entries are present and how you could actually go there. It can also give you some folders that, you know, are not visible at first sight, index pages and such. And we found, for example, "Server may leak inodes via ETags", and the Apache version.
You know, it will give you some useful information, but as you can see, it will not give you that much information. It also depends on the web server, of course. If the web server has a lot of pages going on, it can actually give you more information. But for this case, you can see that the information is limited, and you cannot actually rely on this, you know, to give you several pointers on what to look at. But, you know, it can lead you in the right direction. Maybe there were some red herrings you were pursuing, and this can clarify some of them. But, you know, Nikto is a really cool tool for me to use.
That's one tool. The other one: remember that we saw Burp Suite. Let me just fire it up here. I don't want to upgrade it right now. But, you know, it has a vulnerability scanner embedded in it. However, it is only available, again, for now, in the professional or paid version, the pro version of Burp Suite.
I gotta tell you, folks, if you actually are planning to become kind of a bug bounty hunter, or make a living out of exploiting known bugs, of course for people who actually let you do so, you know, if you want to enroll in a bug bounty page, Bugcrowd for example, or you're actually just performing penetration testing against your business and your business is all web-based, I gotta tell you, it is worth every penny. I mean, if you're actually trying to exploit vulnerabilities in web servers, getting the paid version of Burp Suite is actually worth it. And one of the reasons is that you can see there are functionalities that you can only use in the pro version.
So yeah, I'm not gonna use it for these reasons. I do have the paid version, but I have it only for my work, so I cannot use it right here in this machine.
Okay. Yeah, I'm gonna exit.
So, yeah. Then we have Nmap. We already saw some cool stuff about Nmap and the Nmap Scripting Engine. But, for example, nmap -sT --script vuln: this command will execute all the vulnerability scripts against the server. You know, this might take a while, but you get the idea. You will have a lot of information from simply running this.
I'm not quite sure if this is allowed in the OSCP exam. I should tell you that it is, because you're not actually executing a proper vulnerability scanner, I mean OpenVAS, Core Impact or Nessus. You're just executing this and it will throw you some useful information. But you should consult this with support, with the Offensive Security guys, so they can tell you whether this is actually allowed or not.
But, you know, let me just stop that right here and show you other options. You can, for example, use the dos category to see if it's actually vulnerable to DoS attacks. You can also use the auth category to see if the page, or, for example in this case, port 22, actually contains null or default passwords. You can also use the word default here: just run the default Nmap scripts against the server. You know, if you're actually trying to be not that noisy, or, you know, be stealthy, you can also use --script safe. It will launch a short version of the scripts, so you can be, you know, not intrusive, using non-intrusive scripts. And, of course, if you're just desperate and want to run everything, you can also use all, and this will actually launch all of the scripts against the server.
But that's it. I mean, as we saw in a previous video, you can actually execute other commands and also use specific scripts with the Nmap Scripting Engine for your host. But, yeah, Nmap can also be considered kind of a vulnerability scanner.
You can actually use Metasploit to execute kind of a vulnerability scanner. But let me just show you here: msfconsole. Oh, I got a warning: I have no database. Okay, let's fix this. It should be saying it will create it.
But the point is that Nmap has some, you know, limited but important vulnerability scanners that you can actually use. We actually saw that in a previous video, where you can actually find specific vulnerabilities and exploit them in the same, you know, by using related modules for that. So you can actually kind of use Metasploit again in the lab as you like. You can just use Metasploit for whatever purpose you want, you know, in your penetration testing process. But, you know, in the exam they only let you use it on one machine. In the lab you can use it for whatever number of machines you want, but in the exam you can only use it for one machine. That's it.
Now that I'm in msfconsole, you can actually execute Nmap scans from inside. I mean, I know that you can execute commands, for example ifconfig; it will execute the command as if it was the terminal. But you can actually execute Nmap scripts from inside msfconsole and actually save the results to a database. You know, maybe you want to exploit it later for some reason, so you can actually save it for later exploitation. So you can just run db_nmap, and this will execute this scan against that specific server, which is our Debian server. And, you know, it will close this, but if you consult the database, the information will be there, and you can actually use that for any system you want. That's the point: it will save that for later exploitation.
We saw port 22 and port 80 open, and on the side we can see the MAC address of this host and the OS fingerprint too. So, yeah, that's kind of a big deal as well. It will give you really cool information. With the information that we just gathered, you know, hosts, IP and everything, we can actually perform kind of a noisier attack or scan, but it will tell you more details about the system. For example, let me just copy-paste this here. But what am I doing wrong here? Am I not running it as root? I'm not root. Surprise.
Let me just wait for this to start and execute the command once again. It will, you know, take a while, but it will get you a lot of information, more than the previous Nmap. As you can see here, we can see information like what algorithms are being used by the SSH service, who owns it, what is the title, more information in general, what operating system. We will see more information about it. For example, remember the auxiliary modules? We can actually use one; just copy-paste that here. So we can, you know, gather information, because at the end you can actually perform this process manually. I mean, this is kind of a vulnerability scanner, a manual vulnerability scanner.
Right, and then you just set RHOSTS and run. Oh, you can set THREADS as well. And it will tell us a lot of information, and then you can simply go to Google and, you know, search "ssh" and the version. Or let me just fire up a different terminal. We gathered information about SSH, but let me just fire this up here, use the auxiliary module and set RHOSTS. And as you can see, we will see more information: Apache. And we can just copy-paste that in here and go to Google and search "apache 2.2.16" and maybe "CVE". And it will tell us all the vulnerabilities found in this specific version of Apache. As you see, there's a lot. And then you can just search, for example, for a CVE that can get you remote access. For example, let me copy-paste the command in here and just say search CVE and the number. And if it doesn't have an exploitable module in Metasploit, you can of course try searchsploit, or Exploit-DB, or in the wild, to actually get that. You know, again, a really manual process.
Yeah, but you can also, you know, search for a specific string, for example. Okay, I don't want to find out the CVE; I want to find out in Metasploit if actually something might exploit it. And, you know, yeah, there's DoS, you know? If you are actually interested in just performing a denial of service attack, yeah, there's a module here. Let me see if it gives you more information. Oh, yeah, Rapid7. Yeah, I agree. Let's go. Whatever. And it actually tells you the name of the module. So, yeah, you get the point. I mean, it gives you the module that you want to use, as long as I have the up-to-date version. Yeah, I do have the up-to-date version.
But the point is that this is really kind of a manual approach.
If you're actually trying to do this for several systems, this would take a while and, you know, probably not that nicely. But, you know, if you're trying to speed up the process, maybe that's not the good approach. So let's jump to OpenVAS. This is another scanner, and, you know, it's free and open source. First, you need to install it. At this point in time, OpenVAS does not come installed by default in Kali. That, of course, may change in newer Kali versions. But to install it, just type apt-get install openvas, and that's it.
The installation and configuration of OpenVAS is beyond this video. It takes a while. You can actually find really useful videos on YouTube, or Google itself, on how to install and configure it. It needs additional configuration after it's installed, but, you know, it's not that hard. So you just have to type openvas-start,
and it will start the service. I already did this, and the service is up and running. And, you know, if you're in the command line, you have to type openvas-setup after you install it, and after that openvas-check-setup, and it will tell you, you know, "It seems that your OpenVAS-9 installation is OK". It will actually tell you what needs to be done. If it says warning, you can kind of ignore it. But if it says error, you have to fix it; you have to run the commands, but it will tell you what commands to run.
It's not that hard, believe me. So that's that. So then let's just go and see that the service is actually running. By the way, I like the desktop version better,
because, at the end... let me just say it this way. Okay, save. Whatever. Okay, it seems like a great graphical user interface. But you know what happens if I... I don't know; these circles get all messed up. You know, if I go back to the normal size, yeah, they seem to be good. But, you know, I don't like that. So I prefer... if the desktop version has a better one, and I do believe it does, that's why I prefer that. So, for example, this is the dashboard. You can actually modify this, you know,
by severity. You have all the vulnerabilities, all the OSes that it has, you have the point in time when the vulnerabilities were created, and, you know, you can play with this a lot. I mean, there's a lot of information that can be done in here. For example, the users. I mean, there's only one user at this point. You can have groups, roles, and you can, you know, even connect with an LDAP or a RADIUS server for authentication. That's pretty cool, unbelievable. And remember, this is open source, free to use. So it has a lot of stuff that, you know, is really good to be free. As well, you can even perform a CVSS calculation; there's a CVSS calculator now. A lot of stuff. Configuration, for example: you can configure your targets here, your systems. Maybe you have a network, not an isolated system. You configure here a port list. Maybe, okay, all TCP. But maybe you just want to search for web ports, 80 and 443, for example.
This is the configuration you will use for your scans.
Right. So you have the scan configuration, credentials. Maybe you will be scanning SSH services, FTP, or logging into web services, so you just have to put the credentials in here. Because maybe you're not actually a penetration tester; you're just a CISO or a CEO, or, you know, someone just interested in knowing how vulnerable your systems are, or how many vulnerabilities are included in your systems. So, yeah, you can do that.
Scan configuration: you have Discovery, Empty, Full and fast, Full and fast ultimate. You know, you can even create your own scan configs. And, you know, this is really, really useful: alerts, schedules, report formats. Maybe you're just trying to get the report for management, to define maybe a new investment, you know? Yeah, this is all the overview, and what you can do. But, you know, let's get down to the task. We need a new scan. Yeah, I don't have any configured, as you can tell. So I will create a new scan, but, you know, with the Task Wizard, and it will do all of this for me. I will just type the IP of the target machine and it will start the scan. And, you know, it's requested and it will start in a while. But that's the point: it's really easy to use, a graphical user interface, and it will tell you a lot of information, and you can actually exploit that later.
You know, the point is that this is really noisy, so make sure that you actually have the permissions to do so, even if you're running it against your business or your company, or whatever.
This seems a little bit buggy, because this has happened to me before, and, you know... But the point is that this can actually give you really cool information. Okay? What happened? I'm using the same credentials. This can actually give you really good information about vulnerabilities and how to exploit them. Maybe they're not actually directly exploitable, but it will give you really good information.
I don't know what happened, you guys, this kind of failed, but you get the point. Another good version... good vulnerability scanners that you can use are, for example, Nikto... I'm sorry, I already said that. Core Impact. These are really good vulnerability scanners, you know, but it's kind of pricey; also the Nessus paid version is really pricey as well. But if you were actually invested in finding vulnerabilities in your system, and you can actually pay for it, I would say go for it. I mean, I like the Nessus paid version better than Core Impact. But, you know, these versions will give you a lot more information, really customizable reports. I mean, I do love the paid version of Nessus. But you can also get the free version, or the community version, of Nessus, which is really cool but really limited, of course. You cannot run it against several systems. I guess there's a limit, I guess it's 15 or 20, I can't remember the number. But, yeah, you can actually use those, um, to audit your system. So, yeah, that's that.
So this is the proposed question: are these information gathering techniques passive or active? They're definitely active. This is, I guess, the noisiest way to actually get information from the victim's system. So, yeah, active, definitely.
Can Burp Suite be used as a vulnerability scanner? Yeah, the pro version, the paid version, and you can actually use it as a vulnerability scanner. What is performed by the command nikto -h and an IP? Well, it will actually perform some kind of vulnerability scan against the web server you're defining.
In this video we saw some tools that could be used as a vulnerability scanner, and vulnerability scanners themselves, and executed some vulnerability scanners to understand how they can help us in our penetration testing process. As supplemental material, I would say go to the OpenVAS page. These guys have a lot of information there that can be useful for you, and basically anything you can find for OpenVAS, or any other vulnerability scanner you like, you know, is fine.
Looking forward to the next video, where we'll cover cross-site scripting.
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
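As an added example, not part of the instructor's session: the Nmap vulnerability-script run shown above produces a lot of text, and a practitioner usually writes the report with -oX and parses it to pull out only the checks that fired. The parser below assumes the standard Nmap XML layout and the "State: VULNERABLE" / "State: LIKELY VULNERABLE" convention of the NSE vulns library; the sample report is constructed, not real scan output.

```python
"""Parse an nmap -oX report from a --script vuln run into a findings list."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed nmap XML report, not real scan output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT --script vuln -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd"/>
        <script id="http-csrf" output="Couldn't find any CSRF vulnerabilities."/>
        <script id="http-slowloris-check" output="
  VULNERABLE:
  Slowloris DOS attack
    State: LIKELY VULNERABLE
"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# vulns-library scripts report a State line when a check fires.
VULN_STATE = re.compile(r"State:\s*(?:LIKELY\s+)?VULNERABLE", re.IGNORECASE)


def parse_vuln_scan(xml_text):
    """Return one dict per NSE port-script result: host, port, script, flag."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script"):
                output = script.get("output", "")
                findings.append({
                    "host": addr,
                    "port": int(port.get("portid")),
                    "script": script.get("id"),
                    "vulnerable": VULN_STATE.search(output) is not None,
                })
    return findings


def vulnerable_only(findings):
    """Keep only the results whose State line says (likely) vulnerable."""
    return [f for f in findings if f["vulnerable"]]


if __name__ == "__main__":
    for f in vulnerable_only(parse_vuln_scan(SAMPLE_XML)):
        print(f"{f['host']}:{f['port']} {f['script']}")
```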