Hello and welcome back to the course on identifying attacks through logs. In the last video we talked about web application attacks, OWASP and vulnerable components. In this video we'll discuss our first attack: vulnerability scans. Let's start with the learning objectives.
In this video, the learning objectives are: review vulnerability scans and their tools, and identify vulnerability scans with web server log analysis.
First, let's remember what a vulnerability is. As we said before, a vulnerability is a weakness that can be exploited, and there is a specific OWASP Top 10 item for this. Do you remember which one? It is "Using components with known vulnerabilities".
This one is more related to the components the web application needs in order to work, for example using an old version of PHP, although your application can be vulnerable even if all the components are updated. So if you have a vulnerability in your web application, it's better to know about it.
Suppose you are a SOC analyst working at a big company. How do you know that your web application is vulnerable? You can inspect the web application code and look for vulnerabilities, but this will take a lot of time. Another way is using vulnerability scanners. Vulnerability scanners are software that try to find weaknesses in your web application. They send some known attacks and check the application's response. Depending on the web application's response, the scanner will say whether you have a vulnerability or not.
Vulnerability scanners are available to everyone, so you can use them to protect your application, and an attacker can use them to find vulnerabilities to exploit later. Vulnerability scanners are also good for testing your security tools, like IDS, IPS and web application firewalls. There are many vulnerability scanners available, some open source and some paid.
In some companies vulnerability scans are not considered an attack; sometimes they are called a pre-attack. In this course, vulnerability scans will be one type of attack, so vulnerability scanners can be used to perform vulnerability scans.
Do you know any software that is considered a vulnerability scanner? Here are some examples of vulnerability scanners. There are many others available. Some of them are specific to one vulnerability, like SQL injection: sqlmap is really useful to test your web application against SQL injection attacks. Other examples are Nikto, ZAP, Burp and AppScan. You can find a list on this website.
Can you think of one way to identify them? The easiest way to identify a vulnerability scanner is checking the user agent, like in this example: the user agent is sqlmap. If you see in the log a user agent related to a vulnerability scanner, there is a good chance that a vulnerability scan is happening against the web server.
But what is the problem here? Well, normally it is not that easy. Remember that user agents are useful for detection, but they can be faked, and vulnerability scanners usually have the option to change their user agent, so be careful. It's also possible to see different user agents, like a programming language library, for example Python requests.
Let's use Nikto to perform a scan on our lab. The first two lines are examples of Nikto requests. We didn't change the user agent, so you can identify Nikto as the user agent. We had close to 1000 requests in less than one minute, so we have a big number of requests in a small period of time. This is a common behavior of vulnerability scanners, but if you want, you can run the scan slower.
If you are doing a vulnerability scan, you should look for all known vulnerabilities. As we saw, this generates a lot of requests, and many of these requests will return errors, especially 404s. Do you agree with that?
So let's try to confirm the theory. We will grep the requests with the Nikto user agent, and after that we count the same lines looking for 404. The first number is the number of lines that have Nikto as user agent, and the second is the number of lines that have Nikto as user agent and also the 404 error. You can see that the numbers are not really different. That happens because the scanner does a lot of requests and most of these requests don't work. This is a typical case of a vulnerability scan. The important things to look for are the user agent, the number of requests and the number of errors.
Now let's analyze this log. In the first line you can see the user agent Nikto, a weird request and a 404 error. The other lines are similar, but some of the lines do not have Nikto as user agent, and if you look at the request, the request is the same. This is an example of requests with a crafted user agent. In both cases the scanner was Nikto.
So a vulnerability scan has a known behavior. Here you have some directions that can help you to identify a vulnerability scan. Start by looking at the user agent: look for the scanners' known user agents. Check the number of requests: are there many requests in a small period of time, and are all these requests coming from the same client IP address? Look at the number of errors and at unexpected requests, like PHP requests to a page that doesn't have PHP. The better you know your application, the easier this will be. Also check if the requests are to configuration pages or administration pages. Common operating system words in requests are suspicious too; words like bin, cat and shell are examples of words used in a vulnerability scan.
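To put the counting from the Nikto lab and the indicators above into practice, here is a small Python analyzer (an added example, not part of the course material) that parses constructed Apache-style log lines, reproduces the two counts from the lab (lines with the Nikto user agent, and those that also returned 404), and scores each client IP on request burst, 404s, scanner user agents and suspicious paths. The sample lines, the scanner list and the keyword list are my assumptions and should be tuned to your own application.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not the course lab log); 10.0.0.9 is the scanning client.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Nikto/2.1.6)"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Nikto/2.1.6)"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /cgi-bin/test.cgi?cmd=cat HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/config.php HTTP/1.1" 404 209 "-" "python-requests/2.31"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumed lists: extend with the scanners you see and the sensitive paths of your own application.
SCANNER_UA = ("nikto", "sqlmap", "zap", "burp", "python-requests")
SUSPICIOUS = ("wp-", "admin", "config", "cgi-bin", "cmd=", "/bin/", "shell")

def parse(text):  # log lines -> dicts with a real datetime; unparsable lines are skipped
    rows = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rows.append(row)
    return rows

def count_ua(rows, ua="nikto"):  # the two counts from the lab: UA lines, and UA lines that also got a 404
    hits = [r for r in rows if ua in r["ua"].lower()]
    return len(hits), sum(r["status"] == "404" for r in hits)

def analyze(rows, window_seconds=60):  # per client IP: the indicators listed above
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    report = {}
    for ip, reqs in by_ip.items():
        times = sorted(r["ts"] for r in reqs)
        burst, j = 0, 0
        for i in range(len(times)):  # sliding window: most requests seen within window_seconds
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1
            burst = max(burst, i - j + 1)
        report[ip] = {"requests": len(reqs), "burst": burst,
                      "errors_404": sum(r["status"] == "404" for r in reqs),
                      "scanner_ua": sum(any(s in r["ua"].lower() for s in SCANNER_UA) for r in reqs),
                      "suspicious": sum(any(w in r["path"].lower() for w in SUSPICIOUS) for r in reqs)}
    return report

def flag_scanners(report, min_burst=3):  # burst of requests plus a scanner UA or a majority of 404s
    return sorted(ip for ip, s in report.items()
                  if s["burst"] >= min_burst and (s["scanner_ua"] or s["errors_404"] * 2 > s["requests"]))
```

Run `flag_scanners(analyze(parse(open("access.log").read())))` against a real access log; the keyword and user-agent lists are coarse on purpose and will need tuning to avoid false positives on legitimate paths.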
Let's see a case scenario. Consider this scenario: the network team asked you to check the behavior of one web server because they found an increased number of weird requests and 404 errors. The network team sent a screenshot of the web server's view and says that it looks normal. You asked for the web server logs and more information about the web server. They say that it is an Apache, and that this is not a WordPress deployment. Here is a piece of the web server logs. In the next slide we'll have some questions about this case. I suggest that you pause the video and do the log analysis. Remember to get the information from the logs, like IP and requests, and remember to answer the who, when and what. I hope you enjoyed doing this log analysis.
Let's analyze it together. We have the same client IP address doing lots of requests (the address starting with 10.), we also have more than one request at the same time, and many 404 errors. For the first line, can you explain the 404? This request looks like a WordPress request, and this application is not WordPress.
Now, based on this scenario, as a SOC analyst, answer the questions. Which address is causing the trouble? The answer is letter C: all the log lines contain this IP address. What behavior did you identify in this log? Did you find an attack? The answer is letter C, a vulnerability scan. In the last slide we saw some behaviors that confirm a vulnerability scan, like many 404 errors, weird requests, many requests in a small period of time, unexpected requests and others.
The network team is waiting for your analysis. Let's compose a possible answer to the network team. Here is a possible answer, with the answers to the questions who, when and what. In the real world there are other activities that need to be performed, like checking if the website is vulnerable or if a vulnerability was exploited. A suggested action would be blocking this IP address, because it is performing an attack.
Video summary: in today's video we covered vulnerability scan attacks. We showed some vulnerability scanner examples and how to identify their behavior: check the user agents, look for many requests in a small period of time, and look for weird words and unexpected requests. So this concludes our first attack example in log analysis. In the next video we will review brute force attacks, and we will identify brute force attacks in web server logs. That's it.