WEBVTT

00:00.800 --> 00:02.000
Hello, my name is Steve.

00:02.570 --> 00:09.500
In today's digital landscape, the Hypertext Transfer Protocol (HTTP) stands as one of the most widely

00:09.500 --> 00:10.610
used protocols.

00:10.640 --> 00:17.540
Web servers have evolved from serving static pages to handling interactive web applications with user

00:17.540 --> 00:18.320
interaction.

00:18.350 --> 00:24.410
This technological progress has opened the door to potential vulnerabilities, particularly through

00:24.410 --> 00:30.680
tainted user input that can manipulate application logic and lead to unintended malicious actions.

00:30.710 --> 00:37.400
The ease of web application development using modern frameworks has further contributed to an increase

00:37.400 --> 00:38.450
in vulnerabilities.

00:38.480 --> 00:40.940
Vulnerable applications on the Internet.

00:40.970 --> 00:43.730
To address these concerns,

00:44.630 --> 00:54.170
the Nmap Scripting Engine (NSE) offers a growing collection of HTTP scripts, transforming Nmap into

00:54.170 --> 00:59.120
an invaluable web scanner for penetration testers with Nmap.

00:59.150 --> 01:05.870
Not only can vulnerabilities and misconfigurations be identified, but web applications can also be crawled

01:05.870 --> 01:08.630
to discover intriguing information.

01:08.660 --> 01:15.500
This section aims to teach you how to leverage Nmap for web server auditing, ranging from automating

01:15.500 --> 01:19.310
configuration checks to exploiting vulnerable web applications.

01:19.340 --> 01:25.340
Additionally, I will introduce some of the NSE scripts that I have developed over the years, which

01:25.340 --> 01:29.660
I found useful when conducting web penetration tests.

01:30.140 --> 01:38.600
So let's explore the various topics covered in this section of our course.

01:38.600 --> 01:41.840
So first, we will list supported HTTP methods.

01:42.260 --> 01:48.630
On the practical side, we will enumerate all the HTTP methods supported by a web server. Web servers

01:48.630 --> 01:53.460
offer various HTTP methods, some of which can pose security risks.

01:53.460 --> 01:59.460
So it's essential for system administrators and penetration testers to quickly identify these methods

01:59.460 --> 02:02.460
and test their accessibility.

02:03.250 --> 02:12.670
So Nmap's http-methods script provides a convenient way to accomplish this task, and we will also discover

02:12.670 --> 02:14.950
interesting files and folders on a web server.

02:14.950 --> 02:21.100
We will do practical examples, such as using Nmap to identify intriguing files and directories

02:21.100 --> 02:22.360
on web servers.

02:22.360 --> 02:26.770
And the explanation of this topic is that Nmap's

02:27.280 --> 02:34.510
http-enum script enables the discovery of potentially sensitive or hidden files and folders on web servers.

02:34.540 --> 02:39.730
This information can be valuable for further analysis and vulnerability assessment.

02:39.760 --> 02:45.160
We will also brute force HTTP authentication.

02:45.250 --> 02:53.620
We will perform brute force attacks on HTTP authentication mechanisms, because Nmap's http-brute script

02:53.620 --> 02:59.980
automates the process of attempting various username and password combinations to gain unauthorized

02:59.980 --> 03:01.750
access to protected web servers.

03:01.750 --> 03:08.000
So this topic highlights the significance of strong authentication credentials.

03:08.000 --> 03:09.920
We will brute force web applications.

03:09.920 --> 03:18.320
We will practically use Nmap to launch brute force attacks against web applications.

03:18.320 --> 03:24.050
So Nmap's web brute scripts extend its capabilities to target web application login forms.

03:24.050 --> 03:27.020
So, by systematically attempting different credentials,

03:27.020 --> 03:34.670
this script helps identify weak authentication mechanisms and emphasizes the importance of implementing

03:34.670 --> 03:37.130
robust password policies.

03:37.400 --> 03:40.640
We will also detect web application firewalls.

03:40.730 --> 03:49.910
Practically, we will do examples of how to detect the presence of web application firewalls (WAFs) using

03:49.980 --> 03:50.660
Nmap.

03:50.660 --> 04:02.080
So Nmap has an http-waf-detect script which aids in identifying the existence of a WAF, so by

04:02.090 --> 04:12.740
WAF, I mean a web application firewall.

04:13.280 --> 04:19.730
And that may be protecting web applications, and we will understand the presence of such security

04:19.730 --> 04:26.600
measures, which is crucial for further penetration testing and vulnerability assessment.

04:27.170 --> 04:33.280
And we will do a lot of examples, in which we will also do XST.

04:33.320 --> 04:39.350
We will detect XST vulnerabilities; by XST, I mean cross-site tracing.

04:39.920 --> 04:51.020
Um, we will do practical examples such as identifying potential cross-site tracing (XST)

04:51.020 --> 04:53.990
vulnerabilities with Nmap, and

04:54.560 --> 05:02.660
Nmap's http-trace script detects if the TRACE method is enabled on web servers, which

05:02.660 --> 05:06.280
could lead to XST vulnerabilities.

05:06.820 --> 05:16.270
So this topic emphasizes the importance of disabling the TRACE method to mitigate potential security

05:16.270 --> 05:16.800
risks.

05:16.810 --> 05:21.400
And we will also detect the famous XSS vulnerabilities.

05:21.400 --> 05:29.710
So we will practically identify cross-site scripting vulnerabilities using Nmap; XSS is cross-site

05:30.070 --> 05:30.610
scripting.

05:30.610 --> 05:44.290
I mean the XSS vulnerabilities using Nmap, and Nmap's http-xssed script helps identify potential vulnerabilities

05:44.290 --> 05:49.840
in web applications by injecting specific payloads and analyzing the responses.

05:49.840 --> 05:56.230
So this topic here demonstrates the importance of input validation and output encoding to prevent

05:56.260 --> 05:58.270
XSS attacks.

05:59.180 --> 06:02.110
And with Nmap,

06:02.120 --> 06:05.720
we will also find SQL injection vulnerabilities.

06:05.720 --> 06:15.590
We will discover SQL injection vulnerabilities with Nmap; Nmap's http-sql-injection script assists

06:15.590 --> 06:20.120
in identifying potential SQL injection vulnerabilities in web applications.

06:20.120 --> 06:26.240
So this topic highlights the significance of proper input sanitization and prepared statements to

06:26.240 --> 06:29.110
prevent these types of attacks.

06:29.120 --> 06:33.020
We will also find web applications with default credentials.

06:33.020 --> 06:38.120
We will identify web applications that may be using default credentials, for example, admin.

06:38.540 --> 06:46.340
For example, if you have a WordPress site and didn't assign a specific password for it, the probable

06:46.400 --> 06:50.780
password will be admin/admin or admin/pass, like this.

06:50.780 --> 06:58.550
So we will scan these websites, and Nmap's http-default-accounts script checks for the presence of web applications

06:58.550 --> 07:00.660
with default usernames and passwords.

07:00.660 --> 07:07.200
So this recipe underscores the importance of changing default credentials to enhance security on your

07:07.200 --> 07:15.600
website or server. We will also detect insecure cross-domain policies, that is, we will identify insecure

07:15.600 --> 07:18.000
cross-domain policies in web applications.

07:18.000 --> 07:22.260
And Nmap also has the HTTP

07:22.260 --> 07:27.360
cross-domain XML script.

07:27.960 --> 07:36.300
Uh, this script helps us to detect insecure cross-domain policies, which can lead to cross-site

07:36.300 --> 07:39.900
scripting and cross-site request forgery vulnerabilities.

07:39.930 --> 07:44.280
This highlights the need for proper cross-domain policy configuration.

07:44.370 --> 07:49.800
And here we will also detect exposed source code control systems.

07:49.800 --> 07:53.730
So, identifying exposed source code control systems on web servers.

07:53.730 --> 08:04.050
So Nmap also has an http-svn-enum script that scans web servers for exposed Subversion (SVN) repositories,

08:04.080 --> 08:07.470
revealing potentially sensitive source code and configuration files.

08:07.470 --> 08:12.840
This underlines the significance of securing version control systems.

08:12.840 --> 08:17.880
We will also audit the strength of cipher suites in SSL servers.

08:18.460 --> 08:26.680
And with practical examples, we will evaluate the strength of cipher suites used in SSL/TLS connections.

08:27.750 --> 08:31.260
And Nmap's ssl-enum-ciphers

08:31.560 --> 08:39.900
script can assist in auditing SSL/TLS servers by examining the supported cipher suites

08:39.900 --> 08:41.190
and their strength.

08:41.220 --> 08:47.520
This result emphasizes the importance of using secure cipher suites to protect sensitive data.

08:47.520 --> 08:57.240
So in this section of this lecture, we rely on the http and httpspider NSE libraries, which offer extensive

08:57.240 --> 08:58.560
configuration options.

08:58.560 --> 09:06.900
So you will also learn how to get information and advanced configuration options related to HTTP, HTTP

09:07.350 --> 09:09.420
pipelining, and web crawling.

09:09.420 --> 09:16.890
So by utilizing the powerful HTTP scripts, you can enhance your web server auditing capabilities,

09:16.890 --> 09:21.150
discover vulnerabilities, and strengthen the security of your web applications.

09:21.150 --> 09:28.030
Stay proactive in your security efforts, and leverage these tools effectively to bolster your defenses.

09:28.120 --> 09:34.510
Remember, responsible and ethical use of web application scanning tools is essential to protect systems

09:34.510 --> 09:40.750
and networks, and always have the proper authorization before conducting any security assessments or

09:40.750 --> 09:42.070
penetration testing.
