1
00:00:01,020 --> 00:00:06,610
OK, that was loading for over an hour, but it is finally over.
2
00:00:06,660 --> 00:00:14,250
So we are ready to explore Nessus. It is pretty simple to use. Your page should be blank since you
3
00:00:14,250 --> 00:00:15,990
haven't performed any scan yet.
4
00:00:16,620 --> 00:00:20,880
So we can click right here on this X button just to see this page better.
5
00:00:21,330 --> 00:00:24,900
And all you want to do from here is go to the new scan button.
6
00:00:26,210 --> 00:00:33,020
Right here, we will see all of the available options that we have for our scans, so we got Basic
7
00:00:33,020 --> 00:00:37,380
network scan, as it says, a full system scan suitable for any host.
8
00:00:38,000 --> 00:00:44,600
We got the Advanced scan, configure a scan without using any recommendations, and we got a bunch of
9
00:00:44,600 --> 00:00:45,500
the other options.
10
00:00:45,720 --> 00:00:51,860
And for some of them, we need the Nessus Professional version in order to use them, such as this one, this
11
00:00:51,860 --> 00:00:55,920
one, this one, and all of these that have the upgrade on them.
12
00:00:56,590 --> 00:00:59,540
Now, as I already talked about, with Nessus Essentials,
13
00:00:59,780 --> 00:01:04,640
we're only going to be able to scan local IP addresses inside of a company.
14
00:01:04,790 --> 00:01:08,460
You could use this tool to scan their networks for vulnerabilities.
15
00:01:09,290 --> 00:01:17,150
However, you cannot scan an external IP address with this. Scanning a website is not going to work unless
16
00:01:17,150 --> 00:01:18,430
it's inside of your network.
17
00:01:19,330 --> 00:01:26,380
Another thing to remind you is that we can scan with the free version up to 16 IP addresses, and if
18
00:01:26,380 --> 00:01:30,620
I'm not mistaken, those 16 IP addresses get cleared after 90 days.
19
00:01:30,640 --> 00:01:35,790
So after 90 days, you will be able to scan more IP addresses, but I'm not sure about that.
20
00:01:36,370 --> 00:01:41,920
And if you have a free version and you have more than 16 targets, you will have to scan that network
21
00:01:41,920 --> 00:01:43,680
with multiple Nessus scans.
22
00:01:44,230 --> 00:01:51,310
So scanning big enterprise networks for big companies will require the Nessus Professional version.
23
00:01:51,830 --> 00:01:58,300
But what we want to do here, to learn Nessus and how to use it, is go on to the Basic Network
24
00:01:58,300 --> 00:01:58,600
Scan.
25
00:01:59,630 --> 00:02:06,830
And this basic scan will require us to specify some options. Now, for our first scan, we will be scanning Metasploitable
26
00:02:06,980 --> 00:02:07,550
only.
27
00:02:08,840 --> 00:02:10,640
So turn it on.
28
00:02:10,670 --> 00:02:14,610
If you haven't already, check out the IP address of Metasploitable.
29
00:02:14,630 --> 00:02:17,660
In my case, it is 192.168.1.4.
30
00:02:18,750 --> 00:02:25,200
And once you do that, we can proceed to specify our options. In the General tab, under the name, you
31
00:02:25,200 --> 00:02:26,760
could specify anything you want.
32
00:02:26,790 --> 00:02:31,110
I will simply just type Metasploitable. Under the description,
33
00:02:31,140 --> 00:02:32,590
I will just leave this empty.
34
00:02:32,610 --> 00:02:34,310
There is nothing really to specify here.
35
00:02:34,650 --> 00:02:36,360
You can put anything you want here.
36
00:02:36,360 --> 00:02:42,260
Just so you can recognize which type of scan you did and on which target you did it. In the folder,
37
00:02:42,390 --> 00:02:48,900
we will leave it on My Scans, and in the targets we specify the IP address of our target machine, since
38
00:02:48,900 --> 00:02:50,760
right now we are only scanning one machine.
39
00:02:50,970 --> 00:02:53,490
We will specify the IP address of Metasploitable.
40
00:02:54,090 --> 00:02:57,870
But if you were to scan a network, you would specify something like this:
41
00:02:58,140 --> 00:03:03,990
192.168.1.1/24, in case it is a /24 network.
42
00:03:04,170 --> 00:03:06,720
I believe you can also specify it like this:
43
00:03:06,720 --> 00:03:10,440
192.168.1.1-255.
44
00:03:11,010 --> 00:03:17,490
But right now let us just go with our Metasploitable, and with the free version we can't even scan two hundred
45
00:03:17,490 --> 00:03:18,570
and fifty five hosts.
46
00:03:18,990 --> 00:03:21,000
Remember we can only scan 16.
47
00:03:22,050 --> 00:03:27,840
Once you specify this, we want to proceed to the Schedule tab, and this Schedule tab is useful
48
00:03:27,840 --> 00:03:32,760
once you want to schedule your scans for a certain period of time, or you just want to schedule a scan
49
00:03:32,760 --> 00:03:35,050
while you're doing something else on the side.
50
00:03:35,610 --> 00:03:39,110
For now, we're going to leave it off. Under the notifications,
51
00:03:39,240 --> 00:03:43,570
you can choose if you want to send results to some emails over an SMTP server.
52
00:03:44,110 --> 00:03:47,890
We are not going to be doing that right now. In the Discovery tab,
53
00:03:47,940 --> 00:03:49,320
this is the important stuff.
54
00:03:50,240 --> 00:03:57,560
Here we choose how many and which ports we want to scan. We have an option of scanning common ports,
55
00:03:58,250 --> 00:04:00,990
and this is similar to Nmap default ports.
56
00:04:01,760 --> 00:04:09,200
It will only scan the most popular ports, or you can select Scan all ports, which we are going to use right
57
00:04:09,200 --> 00:04:12,650
now to scan all sixty-five thousand ports on Metasploitable.
58
00:04:13,040 --> 00:04:16,940
And if you want, there is a custom option, which is the third option right here.
59
00:04:17,150 --> 00:04:21,020
But we are pretty satisfied with this scan all ports option.
60
00:04:21,470 --> 00:04:27,230
If you read the settings, the general settings say: always test the local Nessus host, use fast network discovery,
61
00:04:27,230 --> 00:04:28,790
and under the port scanner settings
62
00:04:28,790 --> 00:04:35,210
we have scan all ports, use netstat if credentials are provided, use SYN scanner if necessary,
63
00:04:35,810 --> 00:04:40,340
and we're pinging hosts using TCP, ARP and ICMP.
64
00:04:41,270 --> 00:04:41,600
Good.
65
00:04:42,410 --> 00:04:49,280
Once you set this to scan all ports, you can go to the Assessment, and in the Assessment tab we can
66
00:04:49,280 --> 00:04:50,900
choose what we want to scan for.
67
00:04:51,530 --> 00:04:53,180
So there are a few options.
68
00:04:53,210 --> 00:04:59,390
If I click right here on this scan type, we have Scan for known web vulnerabilities, Scan for all
69
00:04:59,390 --> 00:05:03,590
web vulnerabilities, and Scan for all web vulnerabilities (complex).
70
00:05:04,010 --> 00:05:08,620
For the purposes of this tutorial, we will be scanning for known Web vulnerabilities.
71
00:05:08,840 --> 00:05:09,250
Why?
72
00:05:09,530 --> 00:05:12,290
Well, this will just take less time to finish.
73
00:05:12,890 --> 00:05:18,560
When you run the scan for complex web vulnerabilities, it usually takes a lot more time, and we can see
74
00:05:18,560 --> 00:05:25,460
right here in the general settings: avoid potential false alarms, enable CGI scanning; and for web applications,
75
00:05:25,790 --> 00:05:31,970
we will crawl up to one thousand pages, up to six directories, and we will test for known vulnerabilities
76
00:05:31,970 --> 00:05:33,830
in commonly used Web applications.
77
00:05:34,040 --> 00:05:36,500
These are our assessment settings.
78
00:05:37,460 --> 00:05:42,650
But also, keep in mind that if we discover some vulnerabilities, we will see how to attack them in
79
00:05:42,650 --> 00:05:46,700
the Web penetration testing section that will come right after the exploitation section.
80
00:05:47,150 --> 00:05:53,900
For now, let us just see whether Nessus will find something juicy. Right after, we go to the Report settings.
81
00:05:54,410 --> 00:05:56,570
And usually you want to leave this on default.
82
00:05:56,580 --> 00:05:58,970
So we are not going to be changing anything right here.
83
00:05:59,300 --> 00:06:05,210
And finally, in the Advanced tab, we will leave it on default for now and proceed to click on Save.
84
00:06:05,540 --> 00:06:07,550
So click on Save right here.
85
00:06:08,980 --> 00:06:10,810
And you should have your scan right here.
86
00:06:11,840 --> 00:06:19,100
Now you will notice that it does not automatically start; we must launch it, and we do that by clicking
87
00:06:19,100 --> 00:06:22,970
on this arrow right here, which says launch, click on it.
88
00:06:25,550 --> 00:06:31,820
In just a few seconds, here it is, these green arrows will start spinning and our scan has officially
89
00:06:31,820 --> 00:06:32,300
started.
90
00:06:33,170 --> 00:06:37,940
This will try to discover all the vulnerabilities it can find for the Metasploitable machine.
91
00:06:38,990 --> 00:06:43,480
Now, keep in mind that these scans can take a lot longer than Nmap scans.
92
00:06:43,730 --> 00:06:49,940
You can always check the current status of the scan by clicking on the scan name, in our case on Metasploitable.
93
00:06:51,590 --> 00:06:57,980
And you will be able to see what it managed to find for now. During the scan, different vulnerabilities
94
00:06:58,220 --> 00:07:00,140
will be marked with different colors.
95
00:07:00,890 --> 00:07:04,310
We will have blue color, which means information disclosure.
96
00:07:04,940 --> 00:07:10,670
And what that is, is it possibly managed to find some information that should be private or it managed
97
00:07:10,670 --> 00:07:16,010
to find the service version or something similar that allows us to find out more information about the
98
00:07:16,010 --> 00:07:16,490
target.
99
00:07:16,640 --> 00:07:19,610
It doesn't necessarily mean that the information is useful, though.
100
00:07:20,150 --> 00:07:26,500
Then we have green, yellow and orange vulnerabilities, also known as low, medium and high vulnerabilities.
101
00:07:26,750 --> 00:07:32,450
And at the end we get the most interesting vulnerabilities which are critical vulnerabilities.
102
00:07:33,610 --> 00:07:37,270
This usually includes remote code execution or something similar.
103
00:07:38,440 --> 00:07:44,170
So what you can also do is click on them, and this is just what it managed to find at this current
104
00:07:44,170 --> 00:07:45,420
point of the scan.
105
00:07:46,240 --> 00:07:48,780
So we got one critical vulnerability for now.
106
00:07:49,210 --> 00:07:55,450
We got two high vulnerabilities, one medium vulnerability and some information disclosure right here.
107
00:07:56,610 --> 00:08:02,040
Let's go back and we're going to wait for this to finish, and once it's done, we will get back to
108
00:08:02,040 --> 00:08:03,210
it and see the results.
109
00:08:03,750 --> 00:08:04,590
All right.
110
00:08:04,830 --> 00:08:06,630
It is finally over.
111
00:08:06,930 --> 00:08:14,040
And we can see if I click on the scan that it managed to discover a bunch of vulnerabilities, all kinds
112
00:08:14,040 --> 00:08:14,310
of them.
113
00:08:15,000 --> 00:08:18,540
Let us go through these results and see some of the vulnerabilities it found.
114
00:08:19,260 --> 00:08:23,360
Remember, we are most interested in critical and high vulnerabilities.
115
00:08:24,060 --> 00:08:27,740
Others can also be useful, but these two are the main ones.
116
00:08:28,290 --> 00:08:34,070
First thing we see is that it managed to find seven critical vulnerabilities, 11 high vulnerabilities,
117
00:08:34,560 --> 00:08:41,790
thirty-six medium vulnerabilities, seven low, and one hundred and forty-eight information disclosures.
118
00:08:42,660 --> 00:08:43,980
Let us click on the scan.
119
00:08:44,980 --> 00:08:51,190
Right here, we can order the vulnerabilities by their severity, so if I click on this arrow, it will
120
00:08:51,190 --> 00:08:55,940
go from the information to the critical, but mostly we are interested in critical vulnerabilities.
121
00:08:55,950 --> 00:08:59,410
So click it once again and let's go with any one of them.
122
00:08:59,630 --> 00:09:02,290
We're going to see an example of each vulnerability.
123
00:09:02,320 --> 00:09:08,350
We're going to check one critical, one high, one medium, one low and one information disclosure.
124
00:09:08,650 --> 00:09:11,200
Let's go, for example, with this one.
125
00:09:12,230 --> 00:09:19,460
So it says NFS Exported Share Information Disclosure. This is a critical vulnerability. Down here,
126
00:09:19,460 --> 00:09:24,950
we can see the description, and it says at least one of the NFS shares exported by the remote server
127
00:09:25,310 --> 00:09:31,420
could be mounted by the scanning host. An attacker may be able to leverage this to read and possibly
128
00:09:31,420 --> 00:09:33,020
write files on the remote host.
129
00:09:33,590 --> 00:09:38,450
It tells us what the solution is to fix this vulnerability, as it says: configure NFS on the remote
130
00:09:38,450 --> 00:09:42,260
host so that only authorized hosts can mount its remote shares.
131
00:09:43,160 --> 00:09:43,760
Down here,
132
00:09:43,760 --> 00:09:46,070
it tells us where it found the vulnerability.
133
00:09:46,370 --> 00:09:51,740
It found it on our Metasploitable on the 2049 UDP port.
134
00:09:52,580 --> 00:09:57,560
And what you would do, for example, is you would then Google this vulnerability, which we learned
135
00:09:57,560 --> 00:10:02,330
in the previous video, where we covered Googling vulnerabilities, and search it, and you would see how
136
00:10:02,330 --> 00:10:03,200
you would exploit this.
137
00:10:03,380 --> 00:10:05,760
For now, we know that this exists.
138
00:10:06,260 --> 00:10:08,330
Let's check another critical vulnerability.
139
00:10:08,930 --> 00:10:13,580
Let's go, for example, onto this one: Bind Shell Backdoor Detection.
140
00:10:15,270 --> 00:10:20,910
It says a shell is listening on the remote port without any authentication being required. An attacker
141
00:10:20,910 --> 00:10:24,700
may use it by connecting to the remote port and sending commands directly.
142
00:10:25,210 --> 00:10:25,590
Hmm.
143
00:10:26,130 --> 00:10:28,070
This seems like a really big problem.
144
00:10:28,650 --> 00:10:33,910
And we're going to see in the next section how we can actually gain access from this critical vulnerability.
145
00:10:34,500 --> 00:10:36,780
It is very, very easy, trust me.
146
00:10:37,260 --> 00:10:41,310
But these types of misconfiguration happen often. Down here,
147
00:10:41,310 --> 00:10:46,970
we can see the solution: verify if the remote host has been compromised, and reinstall the system if necessary.
148
00:10:47,400 --> 00:10:53,450
And the actual vulnerability is found on port 1524 over TCP.
149
00:10:54,330 --> 00:10:57,360
Now, since critical vulnerabilities are most important.
150
00:10:57,390 --> 00:10:58,650
Let us check another one.
151
00:10:59,580 --> 00:11:03,600
Let's go on to this one: VNC server password is "password".
152
00:11:03,940 --> 00:11:09,150
So it seems that we get the default credentials for some software running on our Metasploitable.
153
00:11:09,420 --> 00:11:14,250
As it says, the server running on the remote host is secured with a weak password.
154
00:11:14,520 --> 00:11:18,510
And this type of vulnerability is something that you will find the most.
155
00:11:19,020 --> 00:11:24,810
Now, it doesn't have to be anything connected to the VNC server, but weak credentials are something
156
00:11:24,810 --> 00:11:26,850
that even the biggest companies have.
157
00:11:27,360 --> 00:11:29,670
And you can have all the security in the world.
158
00:11:29,670 --> 00:11:32,830
But if your password is weak, none of that security will matter.
159
00:11:33,510 --> 00:11:37,290
Down here, we see that Nessus logged in using the password "password".
160
00:11:37,620 --> 00:11:38,940
And what was it on?
161
00:11:39,090 --> 00:11:46,380
It was port 5900 over TCP. So we will see how we can exploit all of this.
162
00:11:46,650 --> 00:11:49,380
But let us also check out some other vulnerabilities as well.
163
00:11:50,340 --> 00:11:53,700
Apache Tomcat AJP Connector Request Injection.
164
00:11:54,180 --> 00:11:54,990
Let's click on it.
165
00:11:55,140 --> 00:12:00,330
This seems to be a high vulnerability, and it tells us a file inclusion
166
00:12:00,330 --> 00:12:02,580
vulnerability was found in the AJP Connector.
167
00:12:02,850 --> 00:12:08,790
A remote, unauthenticated attacker could exploit this vulnerability to read web application files from
168
00:12:08,790 --> 00:12:10,070
a vulnerable server.
169
00:12:10,620 --> 00:12:15,330
It tells us that the solution is to actually upgrade the Tomcat server to the newer version.
170
00:12:16,020 --> 00:12:21,810
And down here it tells us over which port it found the vulnerability, which is port 8009.
171
00:12:22,770 --> 00:12:27,960
On the right side, we can also see some additional vulnerability information, such as what the
172
00:12:27,960 --> 00:12:28,770
vulnerability is for.
173
00:12:28,770 --> 00:12:29,940
It is for Apache Tomcat.
174
00:12:29,940 --> 00:12:32,010
Is the exploit available?
175
00:12:32,040 --> 00:12:35,160
Yes, the exploit exists for this and it is available.
176
00:12:35,580 --> 00:12:42,540
The patch was published on March 1st, 2020, and the vulnerability was also published on that same day.
177
00:12:42,750 --> 00:12:49,290
And Nessus managed to successfully exploit it. Reference information, and here the vulnerability names.
178
00:12:50,100 --> 00:12:54,910
You would just type this, search for an exploit for it, and you would manage to exploit the Metasploitable
179
00:12:54,920 --> 00:12:55,500
machine.
180
00:12:56,430 --> 00:13:01,110
Let's check out a few more vulnerabilities and then we are going to wrap up with this tutorial.
181
00:13:01,110 --> 00:13:06,870
Let's go to a medium one and let's go, for example, to this one.
182
00:13:06,870 --> 00:13:09,000
SMB signing not required.
183
00:13:09,450 --> 00:13:13,990
Signing is not required on the remote SMB server. An unauthenticated, remote
184
00:13:13,990 --> 00:13:19,110
attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.
185
00:13:19,920 --> 00:13:26,010
Now we have not covered man in the middle yet, but later in the course we will be devoting an entire
186
00:13:26,010 --> 00:13:29,910
section to this attack, to the man-in-the-middle attack.
187
00:13:30,420 --> 00:13:36,990
So for now, we just know that the SMB service, which is running on port 445, is vulnerable
188
00:13:36,990 --> 00:13:38,490
to man-in-the-middle attacks.
189
00:13:39,540 --> 00:13:43,560
OK, let us also check out some information disclosure.
190
00:13:44,340 --> 00:13:51,000
So right here we can open SSL detection, service detection, GET request, SSL / TLS versions supported,
191
00:13:51,210 --> 00:13:54,900
so we can check out which SSL and TLS versions are supported.
192
00:13:55,440 --> 00:14:00,270
This plugin detects which SSL and TLS versions are supported by the remote service for encrypting
193
00:14:00,270 --> 00:14:07,080
communications, and this port seems to be running SSL version two, SSL version three and TLS version one.
194
00:14:07,320 --> 00:14:12,750
And these are just different protocols used for encryption of the data that is being transferred over
195
00:14:12,750 --> 00:14:13,350
this port.
196
00:14:13,980 --> 00:14:18,900
And once again, you will see that SSL is vulnerable to the man-in-the-middle attack.
197
00:14:18,900 --> 00:14:22,080
We can decrypt this data using that specific attack.
198
00:14:23,020 --> 00:14:27,460
However, don't worry if you don't fully understand what I'm talking about; this is once again something
199
00:14:27,460 --> 00:14:29,140
that we will cover in a later section.
200
00:14:29,650 --> 00:14:30,430
OK, great.
201
00:14:31,390 --> 00:14:34,810
Do you see right now how amazing this Nessus scan is?
202
00:14:35,790 --> 00:14:40,890
It literally gave us most of the vulnerabilities just from a single scan. In the next section,
203
00:14:40,920 --> 00:14:46,140
we will see how to exploit most of these vulnerabilities on Metasploitable, but on other targets
204
00:14:46,140 --> 00:14:46,500
as well.
205
00:14:47,350 --> 00:14:53,370
In the next video, we're going to scan another machine using Nessus, and we're going to see what results
206
00:14:53,370 --> 00:14:55,170
we get. See you in the next.