Time
3 hours 28 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

In this Scanning Techniques lab, you'll learn to use the host reconnaissance tool Nikto to scan a vulnerable network. Nikto is the advanced version of Windows Wikto, a tool that finds website vulnerabilities.

Video Transcription

00:04
In this video I want to spend some time working with a web application vulnerability testing scanner, a very well known one, Nikto. Now, there is a Windows equivalent of this, Wikto, but it's just
00:20
easy enough to do this right from the Kali command line interface.
00:24
Um, and so what we're gonna do is, you know, take the information that we learned from before: we know that there's a vulnerable server out on the network, and we saw that the web port was open. So we're gonna go ahead and do a little reconnaissance, and then go ahead and scan this. So
00:40
I'm gonna check my host IP address by ipconfig, or ifconfig rather, because I'm on Unix.
00:46
I can see eth0 is on the 192.168 network. I'm gonna ping my target, 192
00:55
.168.92.131, to verify connectivity. And again I can see a little bit of activity going on in the back here inside, um, EtherApe, just to simply demonstrate the volume of traffic.
01:10
Okay, so what we're gonna do is Nikto, N I K T O, okay. And we're gonna just do a highlight of the tool, and then we're gonna point it at the server and run it.
01:18
So this is Nikto version 2.1.4,
01:23
and, ah, "no host specified". That's what you get if you just type the command; you basically get the help.
01:27
Um, I can set a configuration file. I can turn the outputs on, if I want those displayed to me or not.
01:34
I can do a -h or -host for the target host, which is what we're gonna do.
01:41
And then I can choose what I want to do with an output. And I highly recommend this one, just because it's easier for documentation, for illustration here.
01:49
I'm simply going to, ah, have everything go to the command line terminal, but it does rush to the terminal fast. So, ah, you know, you may realistically want to consider using this with the tool and outputting to a file. Also, you can choose no SSL, or disable the 404 "error page not found" checks. Use a specific
02:07
port if there's something else other than 80. You can specify that.
02:12
Um, and then you can get into privileges or force SSL mode, um, or tune it or update it. So one of the easiest things to do first, to make sure that we have the latest and greatest plugins, would be to do a Nikto update,
02:27
nikto -update, and it'll take a little bit to run, and it'll just be interesting to see this. Go out to cirt.net, basically download that update file, and you can see that it was significant traffic.
02:40
And it says: retrieving the variables, the database variables, the icons and the server messages, the plugins and the database tests, then any sort of changes. And it says this version is outdated, please upgrade to 2.1.5 or a better version. And we could realistically check this. I mean, what we could do here is, we
03:00
you know, since I'm apparently using an outdated version,
03:01
I could do an apt-get update as well.
03:05
And this is basically just making sure that all of my sources are updated, um, or I can do an apt-get
03:14
upgrade,
03:16
okay, and that will literally go through an upgrade of each one. Now, I'm not gonna do this here and now, because apparently I need 23 more megabytes of additional, ah, disk space. I'm sorry, I'm gonna get, you know, 978 megabytes of archives,
03:36
and so I'm gonna fill this up. So
03:38
you do get a summary: 612 upgraded, zero newly installed, zero to remove, and 44 not upgraded. So you get a little summary at the end of your update.
03:47
I'm not necessarily concerned, for the demonstration purposes, that we actually have the distinct scans. I'm more concerned about the syntax of the command. But I just wanted you to know you should update the tool before you run it on a live host; I wanted to walk you through that just slightly. So we're gonna clear the screen
04:05
and then basically scan. So it's n i k
04:11
t o -h for host, and then we're gonna point it at a particular server. So let's do it to our server: http
04:18
colon forward slash forward slash 192.168.92.131. Now, I could have chosen the DNS name of the server here, um, but it's just as easy, and you should be completely fluent with doing it both ways. If you don't get anything with the domain name resolution, you can take the domain
04:39
name resolution out of the equation.
04:41
Um, so it's really just a matter of preference, but I do want you to know that you could do both. So I actually have a service set up, and I can do virtual directory
04:50
forward slash index.html. Now, before I hit scan here and see what the scan looks like, I want to show you what the other side and the server settings are for what we actually are scanning. So I'm gonna go back over here to my Windows 2000 machine, or server. It just happens to be a vulnerable server on the network.
05:11
When I go to my Administrative Tools, I'm gonna look at the Internet Information Services manual,
05:15
um, Manager.
05:17
Or basically, just open up the MMC, go to the Default Web Site, and you can see the virtual directory that I have created, a virtual directory and index.html here. Just to kind of elaborate just a little bit more on what this looks like, I'm gonna go down to inetpub and see this from a file point of view.
05:35
I'm gonna go to the virtual directory that I have stored in my wwwroot folder,
05:41
and you can see the index.html. And this was just a basic HTML page that I created. You know, HTML, then a head, a title in the head, or say "hello world", and in the body say, you know, "Cybrary IT", and then basically end that. So very, very easy, basic HTML, nothing fancy here.
06:00
So then we open up.
06:01
We stop that, we go to our server, http://192.168.92.131, and we could pull up that virtual directory
06:13
and basically see the page load.
06:18
Okay. And so all I'm proving here is that, yes, there is a web server. But let's pretend we didn't know this. Let's say that the only thing that we have here is a scan from our client that basically says, hey, we have a target, 192.168.92.131, saw port 80 open.
06:36
Um, and we can scan it now. I am scanning something specific here, but
06:41
there's other ways to enumerate the virtual directory. And frankly, I don't even have to put the virtual directory information there. But I just want to show you that you can. Okay, so if I switch over to EtherApe, you can see a lot of traffic going right back and forth. I mean, the screen is, ah, all red.
07:00
So this is a whole bunch of HTTP traffic, as the color-coded label on the left illustrates. And when this is done running, you know, all the red will go bye-bye. So we're gonna let this run and we'll continue as soon as it's finished,
07:23
and it looks like it's done.
07:26
So we can tell it's done because the red, which is HTTP traffic, is basically going down in EtherApe. So we'll go back over. We'll get a summary here in the Nikto results: one host tested. That's great. And since this is a completely vulnerable server, from the beginning, um,
07:44
there's the command that we ran. There was the version, our target IP or the host's name, the specific port, which is the default, which is 80. But again, we could have changed that. The start time of the scan, and the end time at the bottom. So it confirms that it's a Windows box. It actually fingerprints the operating system. This is IIS 5.0,
08:01
which, at that point, if I found this on a real network, I would probably get up and do a happy dance,
08:05
because realistically, all of these should have been upgraded right now.
08:09
There's no CGI directories, at least that are set.
08:13
Uh, IIS appears to be outdated, NT 4 or the like. So they're kind enough to tell us that it's outdated. Thank you.
08:22
Um, retrieved the MS-Author-Via header.
08:24
Okay, I won't qualify what that means, and you could just go to Google and basically search for these terms and see what you get back. Retrieved the DAV header, um,
08:35
which is an authoring version, and component allowed HTTP methods, you know, TRACE, SEARCH, HEAD, DELETE, PUT, etcetera.
08:43
It found, um, Open Source Vulnerability Database 5646: HTTP method allow header DELETE may allow clients to remove files on the web server. Okay.
08:56
And you could basically go through these one at a time, so HEAD, DELETE, PUT, MOVE.
09:03
Okay. And I would go through these one by one, especially anything that has, ah, you know, ah, vulnerability database reference. And it doesn't matter if it's an Open Source Vulnerability Database or if it's what I would consider more of the conventional, um,
09:18
Common Vulnerabilities and Exposures, CVE references to the vulnerabilities.
09:22
Nonetheless, it gives you the information that you can go research to actually quantify if these are actual true positives, which in this case most likely is or are, or if these are realistically false positives.
09:35
Um, and in some cases it will actually tell us, you know, make sure that you actually have these patches installed. Well, considering that I built the server years and years ago, and I use it for, you know, demonstrating vulnerabilities, I can assure you that these are not installed.
09:50
Ah, but we get pretty good information, everything from cross-site scripting to specific, ah, vulnerability database information.
09:56
In some cases, you can actually link right to the Microsoft TechNet security bulletins and, uh,
10:05
you know, go through it and then, of course, mitigate the risk.
10:09
So that's the overview of the Nikto web application pen testing scanner. Always keep your signatures up to date, latest and greatest. And then also, I'll finish this with showing that we can take off the virtual directory.
10:26
And then I can realistically just take all of this and output it to a file by changing my command slightly
10:31
and putting a double ampersand, I'm sorry, double greater-than at the end of it, which means redirect and append to a file. And we'll call this, ah, you know, niktoscan, today's date, which would be month, um, you don't want to add spaces in here, so month, day,
10:52
year,
10:52
and then case number. So just put, you know, CCCC for case number, .txt. And then again, you could just let that run. And sure enough, you can see it running in the background
11:05
simultaneously. We're not gonna let that finish. But just to prove to you that there is stuff in the file, you can go ahead and look at that. And there's your documentation that you would use. And all I did was basically, you could realistically interrogate this file. You could do a less or more, head, tail,
11:24
open it up with a specific file editor. Either way,
11:26
that's where your information is, which just happens to be stored, because I didn't use a file path, in the directory that you're currently working out of.
11:35
So I hope you enjoyed the video. That's a Nikto scan, at least the overview of it. Um, find a vulnerable server on your own home network, um,
11:43
and get some practice with actually, one, doing the scans against the target,
11:48
but also researching the actual vulnerabilities and determining how to fix them and patch them. So I want you always to be able to work offensively and defensively. In this case, we would just have to apply a bunch of patches and really get the system up to date, or actually upgrade the operating system.
12:07
Um,
12:09
but that's basically the overview. So again, don't forget to work offensively and defensively. My name's Leo Dregier. Don't forget to check us out on the social networks: Facebook, LinkedIn, YouTube and Twitter, and I'll see you in the next video.
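As an added example (not from the video or from the Nikto project), a small Python triage helper that pulls the items the instructor walks through out of Nikto's plain-text report: the target, the server banner, the methods advertised in the Allow header, and each vulnerability-database reference, into a list to research by hand for true versus false positives. The sample report below is constructed to resemble his run; OSVDB-5646 is the reference named in the video and OSVDB-0000 is a placeholder id.

```python
import re

# Constructed sample modelled on the findings read out in the video; not real
# captured output. OSVDB-5646 is from the video, OSVDB-0000 is a placeholder.
SAMPLE_NIKTO_OUTPUT = """\
- Nikto v2.1.4
+ Target IP:          192.168.92.131
+ Target Port:        80
+ Server: Microsoft-IIS/5.0
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-0000: (placeholder) /index.html: example cross-site scripting finding used for parsing only.
+ 1 host(s) tested
"""

TARGET_RE = re.compile(r"^\+ Target IP:\s*(\S+)", re.M)
SERVER_RE = re.compile(r"^\+ Server:\s*(.+?)\s*$", re.M)
METHODS_RE = re.compile(r"^\+ Allowed HTTP Methods:\s*(.+?)\s*$", re.M)
FINDING_RE = re.compile(r"^\+ (OSVDB-\d+): (.+?)\s*$", re.M)

# Methods that let a client create, delete or rearrange content on the server;
# the instructor singles these out (DELETE, PUT, MOVE) to research first.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL"}


def parse_nikto(text):
    """Extract target, banner, allowed methods and referenced findings from a report."""
    def first(rx):
        m = rx.search(text)
        return m.group(1) if m else None
    raw = first(METHODS_RE) or ""
    methods = [m.strip().upper() for m in raw.split(",") if m.strip()]
    return {
        "target": first(TARGET_RE),
        "server": first(SERVER_RE),
        "methods": methods,
        "write_methods": sorted(WRITE_METHODS.intersection(methods)),
        "trace_enabled": "TRACE" in methods,
        "findings": [{"ref": r, "text": t} for r, t in FINDING_RE.findall(text)],
    }


def research_list(text):
    """One line per item a tester should verify by hand (true vs false positive)."""
    r = parse_nikto(text)
    items = [f"{f['ref']}: {f['text']}" for f in r["findings"]]
    if r["write_methods"]:
        items.append("Allow header advertises write methods: " + ", ".join(r["write_methods"]))
    if r["trace_enabled"]:
        items.append("TRACE is enabled; confirm it and disable it unless required")
    return items
```

Feeding a real report saved with the `>>` redirect shown in the video (`research_list(open("niktoscan-file.txt").read())`) gives the same list for the case file.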


Instructed By

Anthony Harris
Senior Systems Engineer at ZenPoint Solutions
Instructor