00:03
>> Finally, we're going to show you another great free scanner, which is Arachni. Let's go check it out. We're going to come over to the folder. Let's come over here and jump into the Arachni folder through our CD to our desktop. I see our Arachni folder; I can't remember exactly where it was located at. We're going to run the Arachni web script here to get the Arachni web setup. We see here that it's listening on port 9292 localhost. We're going to come over here to our browser, we're going to do localhost 9292. The admin account is admin@admin.admin, and then the password is administrator. I typed that incorrectly. There we are.

We're going to come up here to Scans, click Now. I'm going to do a target URL of 192.168.0.11, or whatever it is that you choose. Remember to add the http. We're going to check for SQL injections. If you want some special description in here, something for you to remember, the different kinds of scans that you're doing or who you're doing them for or something like that, you type that right here in the description portion. We're going to perform a direct scan. Now, our scanner is initializing and running through, so let's let it do its thing. We're starting to see some results here. We scroll down here. Look at that, sqlexample1 has found
>> a SQL injection here.
>> We click Awaiting Review, and it'll give us some further detail such as what exactly was injected into it, then the request that was sent. If there was a proper response back, it would be here, but there was no proper response for this one. Here's some more information about the SQL injection, which can be very helpful for building your report. Now, you can click Scans here, and it will show you your current scans and any scans that you had in the past. Then you just click on the I, and it'll take you back to your current active scan, and you can continue looking at and reviewing the different injections here that you get. Now, as you can see here, this may be missing some context because the scan is still running. If we wait for the end of the scan, it'll give us some more detail about what it actually found, fully. Let's let this continue scanning here. As we can see here, we can see the run-time, how many pages it's actually scanned, and how many issues it's found. Let's let it continue doing its thing here.

The scan is complete. It's found seven different vulnerabilities. Let's go check out the review further to see what additional details we may have gotten from this. It really is a fantastic tool; it allows you to heavily edit your scans. Now, we can look at the different profiles for scanning and we can see what different areas it's actually fuzzing in, what it's actually putting into the different fields here. If we wanted to customize the SQL injection, we go over to our profiles, click the Edit button, and edit what we want audited and things like that. This is very important for how in-depth you may want the scan to go, how aggressive you may want it, any usernames that you want put in and passwords. Say you have an application that requires being logged into, you can put your authentication methods here, let it log in and scan even deeper into the page. Very handy stuff, very useful stuff. Download Arachni, tweak it, check it out, it's fantastic.

What exactly was covered? Why the scanning is important. Why the discovery is important. Two different types of discoveries, and then we also discussed these different tools that you can use. I showed you some examples of how to use them. Try out the different variables, see what you can dig up.
>> Happy Arachni, everyone.