Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:01
Hello, everybody, and welcome to episode number 17 of the OSCP course, Vulnerability Scanners. My name is Alejandro Guinea, and I'll be the instructor for today's session.
00:12
The learning objectives are to understand how vulnerability scanners can help us gather information, to execute scans with different tools, and to see how they can help us in our penetration testing process.
00:24
So let's get down to business, shall we?
00:28
First, we have Nikto. This is the first tool. Nikto is kind of a web vulnerability scanner that can give you really useful information. And by the way,
00:42
you cannot use... I hope you're planning to take the OSCP exam and lab. During the lab you can actually use whatever technique you want, but during the exam you cannot actually use
00:59
vulnerability scanners. The only one that they allow you to use, as for now, is Nikto. Because this, you know,
01:08
it's a vulnerability scanner, but it can also be seen as kind of an
01:19
information gathering tool. It's not so much of a vulnerability scanner; it can give you some pointers on what to look at, and checks,
01:30
information that can actually lead you to a new exploitation process.
01:38
But, you know,
01:40
what can I tell you? It's the only one that they allow me to use
01:45
in the exam, because even Metasploit you can only use in one machine.
01:52
You can only use Metasploit in one machine. So even Metasploit is restricted during the exam, and vulnerability scanners again cannot be used during the exam. However, they can be used when you're actually doing your penetration testing against anyone who hires you.
02:10
Yeah, they're really useful. But let's start with Nikto.
02:16
We will use for this example the Debian machine we have. We will not be using the Windows XP machine, because our Windows XP machine doesn't have a web server inside. So let me just
02:35
fire up Nikto.
02:38
I specify the host and just put the IP of the Debian machine.
02:46
Oh, sorry. It's nikto.
02:53
And as you can see, it will tell you some useful stuff like the OSVDB, which one is present, and how you could actually go here. It can also give you some folders that are not visible at first sight.
03:10
We have a couple of pages found, and we have, for example, "server may leak inodes via ETags", the Apache version.
03:25
It will give you some useful information, but as you can see, it will not give you that much information. It depends also on the web server. Of course, if the web server has a lot of pages going on, it can actually give you more information. But for this case, you can see that
03:46
the information is limited and you cannot
03:49
actually rely on this
03:51
to give you several
03:54
pointers on what to look at. But it can lead you in the right direction. Maybe there were some red herrings you were pursuing, and this can clarify some of them. But Nikto is a really cool tool for me to use.
04:12
Then we have, you know, the other tool to remember, which we saw: Burp Suite. Let me just fire it up here. I don't want to upgrade it right now.
04:27
It has a vulnerability scanner
04:30
embedded in it. However, it is only available, again, as for now, for the professional or the paid version,
04:41
the pro version of Burp Suite.
04:45
I gotta tell you, folks, if you are actually planning to become kind of
04:50
a bug bounty hunter, or
04:58
make a living out of exploiting known bugs, of course for people who actually let you do so, you know, if you want to enroll in a bug bounty page, for example Bugcrowd, or you're actually trying to just perform penetration
05:15
testing against your business
05:17
and your business is all, maybe, web based,
05:23
I gotta tell you, it's worth every penny. I mean, if you're actually trying to exploit vulnerabilities in web servers, getting the paid version of Burp Suite is actually worth it. And one of the reasons is because you can see that there are functionalities that you can use only in the pro version,
05:43
like this one.
05:45
So yeah, I'm not gonna use it for these reasons. I do have the paid version, but I do have it only for my work, so I cannot use it right here in this machine.
05:59
Okay. Yeah, I'm gonna exit.
06:01
So, yeah. Then we have nmap. We already saw some cool stuff about nmap and the nmap scripting engine. But, for example, nmap
06:15
-sT --script vuln.
06:23
This script, well, this command will execute all the vulnerability scripts against the server. This might take a while, but you get the idea. You will have a lot of information from simply running this.
06:41
I'm not quite sure if this is allowed
06:45
in the OSCP. I should tell you that it is,
06:48
because you're not actually executing a vulnerability scanner per se, meaning OpenVAS, Core Impact or Nessus. You're just executing this and it will throw you some useful information.
07:04
But you should consult this with support, with the Offensive Security guys, so they can tell you if this is actually allowed or not.
07:15
But let me just stop that right here and show you other options. You can, for example, use the dos option to see if it's actually vulnerable to DoS attacks. You can also use the auth option to see if the page actually contains, or, for example, in this case, port 22
07:34
actually has
07:35
no or default passwords. You can also use the word default here,
07:44
to just run the default scripts of the nmap scripts against the server. If you're actually trying to be not that noisy, or, you know, be stealthy, it's possible. You can also use the safe
08:01
script,
08:03
--script safe. It will launch a short version of scripts, so you can be not intrusive, use non-intrusive scripts. And of course, if you're just desperate and want to run everything, you can also use
08:22
the option all,
08:24
and this will actually launch all of the scripts against the server.
08:31
But that's it. I mean, you can, as we saw in a previous video, execute other commands and also use specific scripts with the nmap scripting engine
08:48
for your host. But, yeah, nmap can also be considered kind of a vulnerability scanner. And
08:56
with Metasploit,
08:58
let me just...
09:01
You can actually use Metasploit to
09:07
execute kind of a vulnerability scanner. But,
09:13
let me just show you here: msfconsole.
09:18
But then again,
09:22
oh, I got a warning. I have no database. Okay, let's fix this.
09:28
Just typing here.
09:33
You should be seeing that it will create
09:37
the YAML file.
09:39
But the point is that Metasploit has some limited, but important, vulnerability scanners that you can actually use. We actually saw that in a previous video, where you can actually find specific vulnerabilities and
10:00
actually exploit them in the same, you know, by using related modules for that. So
10:09
you can actually kind of use Metasploit. Again, in real life you can use Metasploit for whatever purpose you want in your penetration testing process. But in the exam they only let you use it for one machine. In the lab,
10:28
you can use it for whatever number of machines you want,
10:31
but in the exam you can only use it for one machine. That's it.
10:39
So
10:41
let me just go here.
10:43
Now that the service is running and msfconsole is running, you can actually execute nmap scans from inside. I mean, I know that you can execute commands, for example ifconfig,
10:58
it will execute the
11:03
command as if it was the terminal. But you can actually execute nmap scripts from inside the msfconsole and actually save the results to a database. Maybe you want to exploit it later for some reason, so you can actually save it for later exploitation.
11:20
So you can just run db_nmap,
11:22
and this will
11:24
execute the scan against that specific server, which is our Debian server. And
11:31
it will show this, but if you consult that database, the information will be there, and you can actually use that for any system you want.
11:41
But
11:43
that's the point. It will save that for later exploitation.
11:46
But we see port 22 and port 80 open, and also that we can see the MAC address of this host and the OS fingerprint too. So, yeah, that's kind of a big deal as well. It will give you really cool information. For this,
12:05
the information that we just gathered, ports, OS and everything, we can actually
12:15
perform kind of a noisier attack or scan, but it will tell you more details about the system. For example, let me copy-paste
12:26
that here.
12:28
Oops,
12:31
db_nmap.
12:33
But what am I doing wrong here?
12:35
Not running it as root.
12:39
Let me see.
12:41
Oh,
12:43
I'm not root. Surprise.
12:46
Okay,
12:52
let me just wait for this to start and execute the command once again,
13:01
and it will take a while, but it will get you a lot of information, more than the previous nmap. As you can see here, we can see information like what algorithms are being used for the SSH service,
13:22
who owns what, what is the title, more information in general, what operating system. We will see more information about it. For example, we can use, remember, the auxiliary modules. For example,
13:43
we can actually use
13:46
use
13:48
scanner.
13:50
Just copy-paste that here, so we can gather information. Because at the end, you can actually perform this process manually. I mean, this is kind of a vulnerability... a manual vulnerability scanner.
14:05
Right, and then you just set RHOSTS
14:13
and run. Oh, you can set THREADS as well,
14:18
50,
14:20
right.
14:20
And it will tell us a lot of information, and then you can simply go to Google
14:28
and search SSH, the version,
14:33
or let me just fire up a different one. We gathered information about SSH, but let me just fire up this one here, use auxiliary, and set RHOSTS
14:46
and then
14:50
run.
14:52
And as you can see, we will see more information: Apache. And we can just copy-paste that in here and go to Google and search Apache
15:01
2.2, I'm sorry,
15:05
2.2.16 and maybe CVE.
15:09
And it will tell us all the vulnerabilities that were found in this specific version of Apache. As you see, there are a lot. And then you can just search, for example, for a CVE that can get you remote access, for example. Then copy-paste the command in here
15:26
and just say search CVE and the number,
15:31
and if it doesn't have an exploitable module in Metasploit, you can try to search, pull the exploit from the internet, from the wild, to actually get that. Again, a really manual process.
15:48
Yeah, but you can also search for a specific string, for example.
15:52
Okay, I don't want to find out the CVE. I want to find out in Metasploit if actually something might exploit it. Yeah, there's two. Denial of service: if you are actually interested in just performing a denial of service attack, yeah, there's a module here.
16:11
Let me see if it gives you more information.
16:15
Oh, yeah, Rapid7. Yeah, I agree. Let's go. Whatever. And it actually tells you the name of the module. So,
16:23
yeah, you get the point. I mean,
16:26
it gives you the name of the module that you want to use, as if I have the up-to-date version. Yeah, I do have the up-to-date version,
16:37
but the point is that this is really kind of a manual approach.
16:41
If you're actually trying to do this for several systems, this would take a while and, you know, probably not that nice. But, you know, if you're
16:51
trying to speed up the process, maybe that's not the good approach. So let's jump to OpenVAS. This is an open source, free vulnerability scanner. First, you need to install it. At this point in time, OpenVAS does not come installed by default in Kali.
17:10
That, of course, may change in newer Kali versions.
17:15
But to install it, just type apt-get install openvas and that's it.
17:21
The installation and configuration of OpenVAS is beyond this video. It takes a while. You can actually find really useful videos on YouTube or Google itself on how to
17:34
install and configure it. It needs additional configuration after it's installed. But, you know,
17:41
that's it.
17:42
Not that hard. So you just have to type openvas-start,
17:48
that should start,
17:49
and it will start the service. I already did this, and the service is up and running. And if you're in the command line, you have to type
18:00
openvas-check-setup after you install it. And it will tell you, "It seems that your OpenVAS-9 installation is OK," but it will actually tell you what needs to be done. If it says warning, you can kind of ignore it.
18:18
But if it says error, you have to fix it; you have to run the commands, but it will tell you what commands to run.
18:23
It's not that hard, believe me. So that's that. So then just go to the port where the service is actually running. By the way, I like the desktop version better,
18:37
because,
18:41
let me just sign in here.
18:45
My username,
18:48
password, really easy
18:51
to remember. Okay. Save? Whatever. Okay, it seems like a great graphical user interface. But
19:00
you know what happens if I
19:03
stretch this out?
19:06
See how these circles get all messed up.
19:11
If I go back to the normal, yeah, they seem to be good, but I don't like that. So I prefer... the desktop version has a better... I do believe it does. So that's why I prefer that. So, for example, this is the dashboard. You can actually modify this
19:29
by severity. You have all the vulnerabilities that all the hosts have.
19:33
You have a point in time when the vulnerabilities
19:37
were created. And you can
19:41
play with this a lot. I mean, there's a lot of information that can be done in here. For example, the users. I mean, there's only one user at this point. You can have groups, roles, and you can even connect with an LDAP or a RADIUS server for authentication. That's pretty cool, I believe. And remember, this is open source,
20:00
free to use. The scanner is kind of...
20:02
So this is... it has a lot of stuff that is really good to be free. As well, you can perform... CVSS calculator, a lot of stuff. Configuration, for example: you can configure your targets here, your systems. Maybe you have
20:19
a network, not an isolated system.
20:23
You configure here port lists. Maybe, okay, all TCP, but maybe you just want to search for web ports, 80 and 443, for example.
20:36
This is the configuration you will use for your scans.
20:40
Right, so then you have scan configs, credentials. Maybe you will be
20:45
scanning SSH services, FTP, or logging into web services,
20:52
so you just have to put the credentials in here, because maybe you're not actually a penetration tester. You're just a CISO or a CEO or someone just interested in knowing how vulnerable your systems are, or how many vulnerabilities are included in your systems. So, yeah, you can do that.
21:11
Scan configuration: you can do discovery, empty, full and fast,
21:15
full and fast ultimate. You can even create
21:21
your own scanners. And this is really, really useful: alerts, schedules, report formats. Maybe you're just trying to get the report for management to justify maybe a new investment. Yeah, this is
21:38
all the things you can do, but let's get down to the task, which we need, a new scan. I don't have any configured, as you can tell. So I will create a new scan using the task wizard, and it will do all of this for me, and I will just type the IP
21:57
of the target machine and it will start the scan,
22:03
and it's requested and it will start in a while. But that's the point. It's really easy to use, a graphical user interface, and it will tell you a lot of information
22:19
from your target,
22:21
and you can actually exploit that later.
22:25
The point is that this is really noisy, so make sure that you actually have the permissions to do so, even if you're running it against your business or your company or whatever.
22:38
Oh,
22:40
this is a little bit buggy, because this has happened to me before, and
22:47
let me just...
22:51
But the point is that this can actually give you really cool information. Okay? What happened?
22:59
I'm using the same credentials. This can actually give you really good information about vulnerabilities and how to exploit them. Maybe they're not actually straight exploitable.
23:14
So yeah, this
23:17
will give you really good information.
23:22
I don't know what happened, you guys. This kind of failed, but you get the point. Another good version... good vulnerability scanners that you can use are, for example,
23:34
Nikto. I'm sorry, I already said that. Core Impact. These are really good vulnerability scanners, but it's kind of pricey. Also, the Nessus paid version is really pricey as well. But if you are actually invested in finding vulnerabilities in your systems
23:53
and you can actually pay for it, I would say go for it.
23:57
I mean, I like the Nessus paid version better than Core Impact. But, you know,
24:03
these versions will give you a lot more information, really customizable reports. I mean, I do love the paid version of Nessus. But you can also get the free version or the community version of Nessus, which is really cool, but really limited, of course.
24:19
You cannot run it against several systems. I guess there's a limit, I guess it's 15 or 20.
24:26
I can't remember the number, but yeah, you can actually use
24:30
those versions
24:33
on your own systems. So yeah, that's that.
24:40
So, in this post-assessment, the question is: are these information gathering techniques passive or active? Definitely active. This is, I guess, the noisiest way to actually get information from the victim's system. So yeah, active, definitely.
25:00
Can Burp Suite be used as a vulnerability scanner? Yeah, the pro version, the paid version. You can actually use it as a vulnerability scanner. What is performed by the command nikto -h and an IP? Well, it will actually perform
25:14
some kind of vulnerability scan against the web server you're defining.
25:19
In this video we saw some tools that could be used as a vulnerability scanner, and vulnerability scanners themselves. We
25:26
executed some vulnerability scanners to understand how they can help us in our penetration testing process. As supplemental material, I will say go to the OpenVAS page. These guys have a lot of information there that can be useful for you. And basically, anything you can go
25:44
for, Core Impact or any other vulnerability scanner, will be just fine.
25:48
Looking forward to the next video, we'll cover cross-site scripting.
25:53
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor