1
00:00:00,530 --> 00:00:02,820
Welcome to the Vulnerability Analysis section.
2
00:00:03,410 --> 00:00:08,030
So we covered scanning and we managed to discover a bunch of information about our target.
3
00:00:08,330 --> 00:00:14,080
And right now we're going to use that information to discover whether our target has some vulnerabilities.
4
00:00:14,510 --> 00:00:17,480
We're going to cover three different tools in this section.
5
00:00:17,600 --> 00:00:22,280
And the first one is going to be an already familiar tool, which is called Nmap.
6
00:00:23,360 --> 00:00:27,080
We're going to tackle a subject on Nmap scripting.
7
00:00:28,030 --> 00:00:35,200
By now, we learned that Nmap is used for scanning targets, but Nmap can also perform vulnerability analysis
8
00:00:35,470 --> 00:00:40,180
and in some cases it can even perform exploitation with the help of different scripts.
9
00:00:40,780 --> 00:00:46,390
As this is advanced use of Nmap, we should first explain what these Nmap scripts are.
10
00:00:47,410 --> 00:00:53,180
Well, Nmap scripts are commonly used in scanning to detect different service vulnerabilities.
11
00:00:53,830 --> 00:00:56,580
They can also be used for brute forcing attacks.
12
00:00:56,950 --> 00:01:00,010
They can be used to detect malware on the target machine.
13
00:01:00,700 --> 00:01:07,780
They are also used to collect even more information about databases and other network services, so we can
14
00:01:07,780 --> 00:01:12,040
consider this feature to be half scanning and half vulnerability analysis.
15
00:01:13,130 --> 00:01:18,620
The goal of this lecture, however, will not be the vulnerability analysis, but to show you how we
16
00:01:18,620 --> 00:01:19,760
can run the scripts.
17
00:01:20,850 --> 00:01:25,870
And before we even run them, we need to know what our available options are.
18
00:01:26,550 --> 00:01:28,430
So where are those scripts?
19
00:01:28,440 --> 00:01:29,330
How do we run them?
20
00:01:29,700 --> 00:01:32,340
How do we know which scripts even exist?
21
00:01:33,290 --> 00:01:40,250
Inside of Kali Linux, we can find all the scripts that Nmap has inside of this directory, so open
22
00:01:40,250 --> 00:01:51,680
up your terminal and navigate to /usr/share/nmap/scripts. If I type,
23
00:01:51,710 --> 00:01:52,490
All right.
24
00:01:52,490 --> 00:01:55,160
Here we can see there are a lot of them.
25
00:01:55,940 --> 00:02:01,270
Let us test some of them out and see whether they give us any information about our target.
26
00:02:01,940 --> 00:02:05,120
Now, running scripts comes with two different options.
27
00:02:05,430 --> 00:02:12,920
We can either specify one script to use in a scan or we can specify a group of scripts that we will
28
00:02:12,920 --> 00:02:19,910
use inside of a scan, and to fully understand all the possible things that we can do with scripts using
29
00:02:19,910 --> 00:02:20,370
Nmap.
30
00:02:21,260 --> 00:02:24,440
You should take a look at this page right here.
31
00:02:25,540 --> 00:02:34,360
This is the official Nmap page from the nmap.org link, and in this book, nmap.org/book/nse-usage.html,
32
00:02:34,630 --> 00:02:39,160
it will give us a good explanation about script groups and the usage of Nmap.
33
00:02:39,940 --> 00:02:43,300
If we scroll all the way down, here is the usage and examples.
34
00:02:44,260 --> 00:02:50,410
We get different script categories, which are script groups. We can see right here that the currently
35
00:02:50,410 --> 00:02:58,690
defined categories are auth, broadcast, brute, default, discovery and many more right here and down here.
36
00:02:58,690 --> 00:03:04,040
We can read about each and every one of them to see what each script group does.
37
00:03:04,600 --> 00:03:10,720
So, for example, right here, the brute script group, it says these scripts use brute force
38
00:03:10,720 --> 00:03:16,360
attacks to guess authentication credentials of a remote server, and it contains scripts for brute
39
00:03:16,360 --> 00:03:23,290
forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute and so on and
40
00:03:23,290 --> 00:03:23,740
so on.
41
00:03:24,460 --> 00:03:26,110
Let us test some of them out.
42
00:03:26,350 --> 00:03:29,110
Let us start with the auth script group first.
43
00:03:30,340 --> 00:03:36,280
We can read: these scripts deal with authentication credentials (or bypassing them) on the target system.
44
00:03:36,820 --> 00:03:42,950
Examples include x11-access, ftp-anon and oracle-enum-users.
45
00:03:43,300 --> 00:03:47,530
Now, these right here that you read are single script names.
46
00:03:47,920 --> 00:03:53,310
And these single scripts belong to this larger script group right here.
47
00:03:53,320 --> 00:03:58,570
It also says: scripts which use brute force attacks to determine credentials are placed in the brute
48
00:03:58,570 --> 00:03:59,540
category instead.
49
00:04:00,400 --> 00:04:06,310
So right here, there are no scripts that are used for brute forcing, and brute forcing simply
50
00:04:06,310 --> 00:04:13,390
means running a bunch of usernames and passwords onto the target system to discover which one is
51
00:04:13,390 --> 00:04:16,060
the correct username and which one is the correct password.
52
00:04:16,210 --> 00:04:18,380
But more about brute forcing later on.
53
00:04:18,400 --> 00:04:24,880
For now, let us go and test some of these scripts. To run a scan with a script group we can use
54
00:04:24,880 --> 00:04:29,430
nmap --script, and after it we specify the script group.
55
00:04:29,540 --> 00:04:31,000
So in my case, I will use auth.
56
00:04:32,030 --> 00:04:38,740
And the IP of the Metasploitable machine. Pretty sure, as far as I can remember, this scan requires root privileges,
57
00:04:38,750 --> 00:04:43,010
so let's add sudo and type in our password.
58
00:04:44,730 --> 00:04:51,180
As soon as it finishes, we're going to see whether this auth script group discovered any useful information
59
00:04:51,180 --> 00:04:53,010
for us regarding vulnerabilities.
60
00:04:53,610 --> 00:04:55,200
OK, so it is finished.
61
00:04:55,380 --> 00:04:59,780
Let us see whether our script managed to detect anything unusual.
62
00:05:00,390 --> 00:05:07,260
So we get the standard output of all the open ports and we also get some other information for some
63
00:05:07,260 --> 00:05:07,830
of the ports.
64
00:05:08,130 --> 00:05:15,450
For example, right here we get ftp-anon, and this ftp-anon is just a single script name from Nmap.
65
00:05:15,990 --> 00:05:19,480
It tells us that anonymous FTP login is allowed.
66
00:05:20,300 --> 00:05:20,630
Hmm.
67
00:05:20,910 --> 00:05:21,690
What does this mean?
68
00:05:22,290 --> 00:05:25,310
Well, this is something that we will cover later. For now,
69
00:05:25,380 --> 00:05:29,450
just keep in mind that anonymous login is allowed for port
70
00:05:29,460 --> 00:05:30,090
21.
71
00:05:31,100 --> 00:05:37,070
Under the SSH port, we get which authentication methods are supported right here.
72
00:05:38,150 --> 00:05:45,550
Down here, we get information for the MySQL port. It tells us that the root account has an empty password.
73
00:05:46,250 --> 00:05:48,980
This can also be very useful for us.
74
00:05:50,110 --> 00:05:53,860
And right here, we can see tomcat:tomcat.
75
00:05:55,030 --> 00:05:55,880
What does this mean?
76
00:05:56,360 --> 00:06:04,240
Well, this looks like default Tomcat credentials, and if I go down here, it tells us post-scan
77
00:06:04,240 --> 00:06:05,140
script results.
78
00:06:05,460 --> 00:06:09,310
It says that this is a valid credential for Tomcat.
79
00:06:09,970 --> 00:06:12,190
It is for the service running on this port.
80
00:06:12,900 --> 00:06:13,990
Let us check this out.
81
00:06:14,140 --> 00:06:19,510
This might be the first vulnerability that we find. To check whether this is correct,
82
00:06:19,630 --> 00:06:27,940
we can go and open up Firefox and we are going to make a connection to our Metasploitable on this port
83
00:06:28,090 --> 00:06:28,690
right here.
84
00:06:29,810 --> 00:06:35,480
So just find out the IP address of your Metasploitable, and if you scanned it right now, you already
85
00:06:35,480 --> 00:06:35,700
know it.
86
00:06:35,720 --> 00:06:40,060
So for me, it is 192.168.1.6.
87
00:06:40,700 --> 00:06:48,020
And to make a connection to a port, type two dots and then the port number. In my case, what seems
88
00:06:48,020 --> 00:06:51,050
to be a vulnerability is found on this port.
89
00:06:51,530 --> 00:06:54,740
So let's go to port 8180 and paste it right here.
90
00:06:57,740 --> 00:07:00,050
It seems that it only pasted the port.
91
00:07:00,080 --> 00:07:04,010
Let me just retype this and type the port like this.
92
00:07:04,310 --> 00:07:07,760
So 8180, and then visit this.
93
00:07:08,540 --> 00:07:12,230
And here we get the official Apache Tomcat page.
94
00:07:13,190 --> 00:07:16,220
Let's see whether we can find something interesting right here.
95
00:07:16,550 --> 00:07:20,660
And what we are looking for based on these credentials is a login screen.
96
00:07:21,350 --> 00:07:24,530
So this Tomcat administration seems interesting.
97
00:07:24,800 --> 00:07:32,360
If I click on it, it leads us to this admin page where we are required to specify username and password.
98
00:07:32,840 --> 00:07:36,920
And down here from our scan, we got tomcat and tomcat.
99
00:07:37,500 --> 00:07:39,470
Let's try it out and see whether it fits.
100
00:07:39,860 --> 00:07:45,220
If I type tomcat for the username and tomcat for the password, click on login.
101
00:07:46,100 --> 00:07:46,790
There it is.
102
00:07:47,080 --> 00:07:50,850
We managed to log in to the admin page of the Tomcat server.
103
00:07:51,330 --> 00:07:51,770
Great.
104
00:07:52,050 --> 00:07:55,940
This is our first vulnerability that we managed to discover and exploit.
105
00:07:56,430 --> 00:07:59,680
We are now in the administrator page of the Tomcat.
106
00:08:00,200 --> 00:08:05,540
Now, there are other things that we can do right here as well, but for now we are just happy that
107
00:08:05,540 --> 00:08:09,710
we managed to gain access to the administrator page down here.
108
00:08:09,710 --> 00:08:16,130
We have user databases, mail sessions, data sources, and these are all empty because this is a test
109
00:08:16,130 --> 00:08:16,580
machine.
110
00:08:16,790 --> 00:08:22,020
But if it was a real machine, this would probably all be filled with some other useful information.
111
00:08:22,790 --> 00:08:23,180
Great.
112
00:08:23,360 --> 00:08:25,060
Let's leave this on the side for now.
113
00:08:25,880 --> 00:08:32,150
So we managed to gain access to the Tomcat administrator page with the help of Nmap scripts.
114
00:08:32,630 --> 00:08:34,970
Let's see what else we can do with scripts.
115
00:08:36,080 --> 00:08:44,060
So let's go and try out the malware scan. These scripts test whether the target platform is infected
116
00:08:44,060 --> 00:08:45,470
by malware or backdoors.
117
00:08:46,130 --> 00:08:49,070
Let's see whether our target is infected with malware.
118
00:08:49,280 --> 00:08:54,410
We can run the same command, just this time instead of auth we're going to use malware.
119
00:08:55,280 --> 00:08:56,630
Let's run the scan.
120
00:08:57,600 --> 00:09:00,730
And let me Ctrl+C this just so we can make this faster.
121
00:09:00,780 --> 00:09:06,840
I'm going to use the dash capital F option to scan only one hundred ports and not a thousand ports.
122
00:09:07,740 --> 00:09:11,250
And it doesn't seem to find any malware right here.
123
00:09:12,330 --> 00:09:18,060
But what you can do with this scan is you can wait for us to first exploit Metasploitable in the next
124
00:09:18,060 --> 00:09:23,910
section and then test this scan once again to see whether you can notice any backdoors that we uploaded
125
00:09:24,090 --> 00:09:26,700
that are making a connection to our Linux machine.
126
00:09:27,790 --> 00:09:34,990
For now, it doesn't seem to give us any result for the first one hundred, but let's try another scan.
127
00:09:35,540 --> 00:09:43,600
We're going to use right now the banner script group, and what banners are is simply what the open port
128
00:09:43,600 --> 00:09:46,810
will give us as information once we connect to it.
129
00:09:47,380 --> 00:09:51,390
Banners are usually called information disclosure, and information disclosure,
130
00:09:51,400 --> 00:09:57,490
They can give us the exact version of the software running on an open port and we can see the scan has
131
00:09:57,490 --> 00:10:01,930
finished, and we get the banner, which tells the version for the FTP.
132
00:10:02,660 --> 00:10:05,890
We get the banner for the SSH that also tells the version.
133
00:10:06,400 --> 00:10:09,850
And this is something similar to the version scan that we covered in Nmap.
134
00:10:10,880 --> 00:10:15,890
Now, sometimes a banner will look something like this, and this is something that we cannot read, but
135
00:10:15,890 --> 00:10:20,960
I'll show you in the exploitation section that this telnet port is one of the easiest ports to exploit
136
00:10:21,350 --> 00:10:23,380
and gain access to Metasploitable.
137
00:10:24,140 --> 00:10:27,710
And we are going to do this over the banner for now.
138
00:10:27,710 --> 00:10:30,020
It seems that we cannot even read this banner.
139
00:10:30,230 --> 00:10:35,750
But later we are going to use the exact same banner for Telnet to gain access to Metasploitable.
140
00:10:36,860 --> 00:10:38,400
Let's check out another scan.
141
00:10:39,170 --> 00:10:41,210
Let's try this scan group.
142
00:10:41,390 --> 00:10:45,110
And this group is called exploit.
143
00:10:46,160 --> 00:10:53,060
And while it runs, if I go right here and try to find that scan group, it tells us that the scripts
144
00:10:53,090 --> 00:10:58,370
that belong to this exploit scan group aim to actively exploit some vulnerability.
145
00:10:58,820 --> 00:11:02,230
Here are some of the examples of the script names that belong to the group.
146
00:11:02,720 --> 00:11:07,450
So this script group will actually try to exploit if it finds a vulnerability.
147
00:11:07,940 --> 00:11:10,580
Let's see whether it's finished.
148
00:11:10,820 --> 00:11:12,090
And it did finish.
149
00:11:12,650 --> 00:11:20,580
Right here we can see Port 80: spidering limited to this, found the following possible CSRF vulnerabilities.
150
00:11:21,410 --> 00:11:26,480
So here are the possible vulnerabilities that it found for this specific vulnerability.
151
00:11:27,050 --> 00:11:32,680
And for now, don't worry about this type of vulnerabilities for the port.
152
00:11:33,180 --> 00:11:37,510
We are going to cover them in depth in the website penetration testing section. For now,
153
00:11:37,550 --> 00:11:41,980
we're just taking a look at how we can discover them using vulnerability analysis.
154
00:11:42,440 --> 00:11:43,820
Let's go all the way up.
155
00:11:44,180 --> 00:11:45,830
And for the FTP port.
156
00:11:45,980 --> 00:11:49,100
It tells us right here that the port is vulnerable.
157
00:11:49,470 --> 00:11:56,330
It is running this version and it seems that it managed to exploit it, as it says right here, vulnerable
158
00:11:56,330 --> 00:11:57,350
and exploitable.
159
00:11:58,280 --> 00:12:01,070
And right here we get the exploit results.
160
00:12:01,730 --> 00:12:08,690
The Nmap script ran this command and it actually managed to get the root account on the target machine.
161
00:12:09,440 --> 00:12:11,660
So we found another vulnerability.
162
00:12:12,320 --> 00:12:14,800
Here is the FTP port that is exploitable.
163
00:12:15,290 --> 00:12:20,420
Now, we don't really know how to exploit it yet, but for now, with the help of scripts and vulnerability
164
00:12:20,420 --> 00:12:23,630
analysis, we know that this right here is exploitable.
165
00:12:24,440 --> 00:12:29,480
And in the exploitation section, we're going to see exactly how we can gain access and perform the
166
00:12:29,480 --> 00:12:32,560
same thing that Nmap performed right here.
167
00:12:33,320 --> 00:12:36,610
Now, under the IDs, you will see this name right here.
168
00:12:37,100 --> 00:12:39,160
Now get used to these types of names.
169
00:12:39,470 --> 00:12:42,560
This is how different vulnerabilities are labeled.
170
00:12:43,220 --> 00:12:47,060
This 2011 is the year when the vulnerability occurred.
171
00:12:47,700 --> 00:12:48,500
OK, great.
172
00:12:49,160 --> 00:12:51,890
But these are just some of the script groups that we can run.
173
00:12:52,140 --> 00:12:56,720
Of course, we're not going to be running all of them in this video since, as you see right here,
174
00:12:56,720 --> 00:12:57,590
there is a lot of them.
175
00:12:58,070 --> 00:13:00,890
You can test them out and see what each and every one of them do.
176
00:13:01,400 --> 00:13:04,550
But for now, let us just see how we can run one script.
177
00:13:04,880 --> 00:13:11,690
We saw how we can run script groups, but sometimes you will only want to run a single script.
178
00:13:12,020 --> 00:13:16,670
And we already know that scripts are located inside of this directory right here.
179
00:13:17,540 --> 00:13:22,910
And there is a lot. Let's go all the way up and try to find some cool script.
180
00:13:23,600 --> 00:13:23,950
Hmm.
181
00:13:24,590 --> 00:13:26,150
This one seems interesting.
182
00:13:26,900 --> 00:13:33,200
firewall-bypass, and this .nse is just the extension for the scripts.
183
00:13:34,420 --> 00:13:41,080
And by the way, do not blindly run these scripts. What you can do to check out what exactly a certain
184
00:13:41,080 --> 00:13:41,680
script does.
185
00:13:42,020 --> 00:13:51,100
is you can copy its name and then run the command sudo nmap --script-help
186
00:13:52,030 --> 00:13:57,340
and then the name of the script, so paste the script name and press enter.
187
00:13:57,340 --> 00:14:03,880
And it will tell us that this particular script detects a vulnerability in netfilter and other firewalls
188
00:14:04,210 --> 00:14:11,270
that use helpers to dynamically open ports for protocols such as FTP and SIP, right here.
189
00:14:11,290 --> 00:14:13,400
It also tells us how the script works.
190
00:14:13,420 --> 00:14:19,390
So the script works by spoofing a packet from the target server, asking for opening a related connection
191
00:14:19,390 --> 00:14:22,750
to a target port.
192
00:14:23,140 --> 00:14:29,680
In case you want to run it, you can type --script, and it is similar to running the script
193
00:14:29,680 --> 00:14:30,100
groups.
194
00:14:30,100 --> 00:14:35,790
All we need to do is just paste the name of the script and add the IP address.
195
00:14:37,330 --> 00:14:44,470
It will start running the script onto the target, and for now it seems that we got the exact same output
196
00:14:44,470 --> 00:14:45,910
of a normal Nmap scan.
197
00:14:46,690 --> 00:14:48,460
Usually you will get this output.
198
00:14:48,490 --> 00:14:50,400
That means the script didn't work.
199
00:14:51,190 --> 00:14:55,960
So since this one didn't seem to give any output, let's try another one.
200
00:14:56,620 --> 00:15:04,210
Let's try the one that we already know will give us an output, and that one is ftp-anon,
201
00:15:04,210 --> 00:15:04,600
.nse.
202
00:15:05,980 --> 00:15:13,070
And remember, when we ran one of the script groups, this script gave us the output
203
00:15:13,210 --> 00:15:19,840
telling us that anonymous FTP login is allowed. Let's see whether we get the same result right now.
204
00:15:20,170 --> 00:15:26,740
If I run it, go all the way up, and it tells us anonymous FTP login allowed.
205
00:15:27,700 --> 00:15:33,760
And I already told you that FTP anonymous login means that you can use anonymous username and a random
206
00:15:33,760 --> 00:15:35,820
password to log in to the FTP.
207
00:15:36,730 --> 00:15:37,960
Let's see whether it will work.
208
00:15:37,970 --> 00:15:39,100
Let's just test it out.
209
00:15:39,400 --> 00:15:40,180
We are curious.
210
00:15:40,210 --> 00:15:46,900
We want to see what this anonymous FTP login means. To do that, we're going to connect to the target
211
00:15:46,900 --> 00:15:47,990
using FTP.
212
00:15:48,400 --> 00:15:52,510
So you just type FTP and then the IP address of the target machine.
213
00:15:52,510 --> 00:16:00,700
In our case, of the Metasploitable. Press enter, and right here it will ask us for the name. Let's type anonymous
214
00:16:03,130 --> 00:16:05,200
and let's type the password here.
215
00:16:05,200 --> 00:16:06,640
You can type anything you want.
216
00:16:06,640 --> 00:16:08,440
In my case I will just type password.
217
00:16:08,800 --> 00:16:12,040
123, and press enter, and here it is.
218
00:16:12,340 --> 00:16:19,060
Login successful, remote system type is Unix, and now we can use the help command to see what are our
219
00:16:19,060 --> 00:16:24,840
available options inside of this FTP so we can run these commands right here.
220
00:16:25,540 --> 00:16:25,920
Great.
221
00:16:25,930 --> 00:16:33,670
It seems that FTP anonymous login is indeed allowed, but once again, more about FTP and the FTP vulnerabilities
222
00:16:33,670 --> 00:16:35,890
that we discovered in the exploitation section.
223
00:16:36,460 --> 00:16:42,370
For now, we managed to find out about some potential vulnerabilities, such as the Tomcat administrator
224
00:16:42,370 --> 00:16:44,170
login. The FTP port
225
00:16:44,170 --> 00:16:47,020
21 should also be vulnerable.
226
00:16:47,230 --> 00:16:51,250
Remember when we ran the Exploit script group, it told us that it is exploitable.
227
00:16:51,970 --> 00:16:57,130
But let's also see what else we can find using other vulnerability analysis tools.