Vulnerability Scanning (part 3) Nmap Scripting Engine

In this lesson Georgia covers the use of NMap, and in particular, how to use the NMAP scripting engine to scan for vulnerabilities.


Time: 14 hours 26 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription
00:04
All right. I mentioned we would see Nmap again, and indeed we shall.
00:09
Nmap has something called the Nmap Scripting Engine, which
00:12
has some vulnerability scanning capabilities as well. I often use it for manual checks to verify what I get out of the vulnerability scanner and to look for additional things like,
00:25
like recently, the POODLE vulnerability came out, and actually there was an Nmap check that came out for it, I think before the Nessus one did even. Don't quote me on that, I could be wrong. Maybe I just wasn't updated, but I updated Nmap, and then I could check for POODLE almost immediately
00:44
with the Nmap Scripting Engine. So it's always good to have at least two things you're working with. Two tools is certainly better than one. So the Nmap Scripting Engine is one I always keep in the rotation
00:55
on my checklist as well. So on Kali, we can find the Nmap Scripting Engine scripts in /usr/share/nmap/
01:03
scripts,
01:04
and these are all the scripts. So these are written in Lua, so
01:11
that's another programming language to learn.
01:15
But you are, of course, able to write your own Nmap Scripting Engine scripts.
01:21
And so we can, of course, look at the code for any of these if we wanted to. But we also have an option to do nmap --script-help
01:30
and then
01:32
ask for information about a particular script or even a script category,
01:38
like there's a category called default.
01:41
It'll show us all of the scripts that are in the default category. Some of the most interesting ones, they're not in the default category. But one thing you have to be careful with with the Nmap Scripting Engine is that some of them are actually
01:55
dangerous and can cause denial of service.
02:00
And
02:01
so, like, for instance, if you do nmap --script-help
02:07
and we look at
02:10
smb-check-
02:14
vulns.
02:23
This one is in the intrusive and denial of service categories.
02:30
Just a warning: these checks are dangerous and very likely to bring down a server. They should not be run in a production environment unless you, and more importantly,
02:38
the business, understand the risks.
02:42
So there are going to be scripts in the Scripting Engine, the same way there were with Nessus, where we saw things that were
02:47
turned off automatically that could be intrusive.
02:52
There are going to be things in the Nmap Scripting Engine that could
02:54
potentially cause problems. Of course, as we saw with port scanning, even something as simple as saying "Hi, port, what are you?" could cause a problem. We saw that the service on port 3232 actually went down during a version scan,
03:09
so it's always possible. But some of these, you know, they say this could cause a problem; we may not want to run that. So maybe using this to find our MS08-067 is not the best idea ever.
03:21
But we'll see, we have other options for that, and we already saw it come up in Nessus.
03:25
But we could do, like, say, nmap
03:30
--script-help
03:37
nfs-ls, and like in the last lesson we saw the Network File System
03:46
on our Linux system, so that might be something interesting. Discovery and safe; so it's not run by default, but it is safe, so there's no reason we shouldn't run it.
03:55
But if we run just the default set of scripts, then we won't
04:00
get anything out of it; it won't run that one.
04:02
We'll have to run this one manually if we want to do any Network File System checking,
04:10
which we certainly want. We want to know what's in that Network File System share. First, we could look up how to do it ourselves, or we could choose the script,
04:17
so we can first do the default.
04:21
That's -sC, or --script=default gives us the scripts.
04:28
Let's do our two hosts here,
04:34
and should always take our notes.
04:41
It's called a script,
04:49
and this will first take a minute to run.
04:53
Another thing you could do: I've been
04:56
outputting everything here. Of course you can
04:59
just copy and paste; I mean, as long as you're keeping track of what's coming out in one way or another.
05:08
Oh, yeah,
05:13
this is just going to give us some additional information. So it looks like FTP anonymous login allowed, so that could be really awesome. It could also be really nothing. But see, it actually went ahead and
05:26
logged in as anonymous, and
05:29
from what we can see, it looks like there's something called passwords.txt. So this might be something useful.
05:35
It comes up, I think, as a medium in Nessus. Yeah, I mean, it could have no potential exploitability. I mean, as long as nothing's in there that is
05:46
sensitive that you don't want people to see,
05:49
and otherwise it's configured correctly, you can't break out of the directory,
05:55
then everything's fine. If I didn't have a Dropbox or something, I mean, anonymous FTP might be a way I want to distribute files
06:03
for my classes. There's nothing wrong with that, so it may have no business impact whatsoever. I mean, the real thing about FTP is that it also authenticates in plaintext, but if we're using anonymous, it doesn't matter because it's not real credentials anyway.
06:16
But in some cases like this, you might say that would never happen. Well, actually, I do know of times that has happened, that
06:26
clients have had anonymous FTP available to the Internet and that they've had corporate secrets actually in there.
06:32
So
06:33
it is something that could possibly happen.
06:38
Got
06:40
SMTP, port 25,
06:44
that has the VRFY verb. The VRFY verb will allow us to check to see whether a certain username exists.
06:50
That would help us find valid usernames for password guessing.
06:56
That might be something we want to check out.
07:00
Looks like for HTTP, it's XAMPP 1.7.2. If you're not familiar with XAMPP,
07:09
it's an easy way to get a web server, database, and PHP and all that running.
07:15
And it doesn't necessarily come installed with all the best security just enabled, as we'll see. And you know, most people, they want to get on with it. They want to install XAMPP and get on with building whatever it is they're building on top of it, probably doing some development,
07:31
so they may just leave it in its default state.
07:35
Really common.
07:38
Looks like we've got some
07:40
SSL
07:41
version 2 and some ciphers here, maybe some
07:45
weak cipher suites.
07:47
That would be something we would report on, but unlikely we would be able to get
07:53
access to any system through it. Anybody who does will be quite famous in hacking circles, because it comes up all the time.
08:01
That MySQL again; we saw that MySQL was unauthorized when we did our version scanning, so we won't be able to
08:09
get into that directly. There may be another way.
08:16
It's Windows XP, and indeed it is.
08:22
We also have anonymous FTP allowed
08:26
on our Linux system.
08:28
Doesn't look like there's anything in there.
08:31
SSH.
08:33
Says it has the TRACE method on HTTP.
08:41
It didn't automatically run anything for Network File System here, as I expected; it wasn't in the default set.
08:48
We only ran the default set here.
08:54
So what we'll do now:
09:00
do --script=nfs-ls
09:05
against
09:09
our Linux system, and we do -p for port,
09:15
possibly
09:16
might be one;
09:18
it's actually going to talk to more than one port, obviously.
09:24
See, Network File System down here is 2049, but it actually talks to 111, the RPC bind port,
09:31
to get it.
09:35
It's sort of like FTP is actually 20 and 21, kind of thing.
09:39
So it looks like we've got something called /export/georgia, like we saw,
09:45
and
09:46
Georgia was in there.
09:48
So it only lists 10
09:50
files, so there may be more of it. Looks like we have read, modify, delete, no execute.
09:56
We can read files
09:58
and even modify them,
10:01
so we could make changes to files in there. What's going to be particularly interesting to us is this .ssh.
10:11
id_rsa shouldn't be there. That's obviously, I used it in another class and somebody screwed up where they were supposed to be putting things. That is going to come up, but that's not where it goes.
10:22
What's actually going to be interesting to us is this .ssh folder.
10:26
It looks like someone named Georgia shared her home folder, not thinking about some of those hidden directories that start with the dot.
10:33
If we do an ls
10:35
-a, for all, as we saw in the Linux section, we can see them.
10:41
So what might be stored in a .ssh directory when SSH is also running, on port 22?
10:48
That's actually where we're going to store our keys. Our public and private keys for Georgia are going to be there, so we can get access to those. We might be able to bypass
10:58
authentication for SSH and get access to that system. So that might be
11:03
pretty cool. Definitely seems like something we should take a look at
11:07
when we go on. So there's certainly more scripts to look at; I only showed you the default and an example. So go and look in /usr/share/nmap/scripts.
11:16
You'll see all of them there,
11:20
so I would definitely encourage you to take a look at more of them. Spend some time with that before moving on to the next video.