WEBVTT

00:00.950 --> 00:08.450
Discovering hidden files and directories on web servers is not only essential but can also be a thrilling

00:08.450 --> 00:13.100
part of a penetration tester's job in the realm of digital espionage.

00:13.520 --> 00:19.130
Uncovering valuable information can be the difference between success and failure.

00:19.220 --> 00:22.100
Luckily, there is a powerful tool.

00:23.000 --> 00:28.910
At our disposal is Nmap, with its robust database and versatile capabilities.

00:29.330 --> 00:37.730
Nmap shines as a web scanner, enabling us to unearth interesting files, directories and even vulnerable

00:37.730 --> 00:38.780
web applications.

00:38.780 --> 00:46.340
So let's embark on a journey to explore the depths of web servers and unravel their secrets.

00:46.370 --> 00:51.350
Imagine you are tasked with assessing the security posture of a target web server.

00:51.380 --> 00:58.580
The first step is to initiate a scan using Nmap's web scanning features.

00:58.610 --> 01:07.790
By employing the http-enum script, you unlock a treasure trove of possibilities.

01:07.820 --> 01:15.650
The script leverages Nmap's extensive database, which encompasses a wide range of interesting files,

01:15.650 --> 01:19.010
directories and application vulnerabilities.

01:19.040 --> 01:26.490
Among the gems you might stumble upon are README files, database dumps, forgotten configuration backups,

01:26.610 --> 01:35.910
common administration panels and even attack payloads designed to exploit directory traversals in vulnerable

01:35.910 --> 01:37.020
web applications.

01:37.050 --> 01:41.580
The http-enum script is not just a simple file and directory enumerator.

01:41.580 --> 01:52.050
It also supports advanced pattern matching, enabling it to identify specific versions of web applications.

01:52.080 --> 01:58.740
So to embark on this exciting web scanning adventure, open your terminal or command prompt and, with

01:58.740 --> 02:07.710
Nmap at your fingertips, execute this command here: nmap --script http-enum, and after that you will

02:07.710 --> 02:11.280
enter -sV and then your target.

02:11.280 --> 02:14.520
In this case, our example target will be telecom.

02:14.550 --> 02:17.840
This is my website, which runs on WordPress.

02:17.880 --> 02:23.610
It's a regular website, nothing special about it, nothing I made specially vulnerable.

02:23.610 --> 02:32.640
It's just a regular website that I just created, and here you can use the arrow keys to see the percentage of

02:32.700 --> 02:35.400
work done here.

02:36.040 --> 02:45.340
As the scan commences, Nmap will diligently explore the target web server, applying the http-enum script

02:45.340 --> 02:51.340
and performing version detection with -sV here to gather as much information as possible.

03:00.320 --> 03:01.670
91 percent.

03:02.880 --> 03:04.440
It's almost done.

03:11.890 --> 03:12.460
That's it.

03:12.490 --> 03:13.180
It's done.

03:14.560 --> 03:16.660
9.99%.

03:16.660 --> 03:18.520
It should be done right now.

03:18.550 --> 03:24.550
No, it's scanning again, and it says timing is 97.78%.

03:24.610 --> 03:29.560
Now it will show us the results of our scanning.

04:08.720 --> 04:11.180
99.78%.

04:13.170 --> 04:14.730
I was stopped with you right here.

04:14.730 --> 04:16.230
It might take longer.

04:18.830 --> 04:20.960
The firewall of our code.

04:20.960 --> 04:26.240
Silicom has blocked our request, since the scan is not completing now.

04:26.710 --> 04:29.600
Here I waited almost.

04:33.310 --> 04:41.350
Almost ten minutes here, but now we are executing a new scan without -sV here.

04:41.560 --> 04:45.880
Now, quickly, in three minutes we will get our results.

04:48.150 --> 04:55.620
And here, once the scan completes its mission, a comprehensive report will materialize before your

04:55.620 --> 04:56.330
eyes.

04:56.340 --> 04:59.910
showcasing the secrets uncovered here.

04:59.910 --> 05:03.930
So let's delve into an example to illustrate the results.

05:03.930 --> 05:14.520
So this tantalizing output here reveals an assortment of discoveries; among them there are admin

05:14.520 --> 05:17.040
block, a directory, a test.

05:17.040 --> 05:20.490
Here we also have the potentially interesting folder.

05:20.490 --> 05:27.330
It also has the descriptions for one of these folders.

05:27.330 --> 05:31.500
For each of these folders here we have: possible admin folder here, possible admin folder.

05:31.500 --> 05:37.290
We have an Apache Tomcat which is unauthorized to us.

05:37.320 --> 05:46.860
We have the key file upload, so if we go to this here, we can upload files and so on.

05:46.860 --> 05:49.780
We also have OpenCart editor file upload.

05:49.930 --> 05:58.450
So here, understanding the inner workings of the http-enum script deepens our appreciation for

05:58.450 --> 05:59.950
its trueness.

05:59.950 --> 06:10.660
So here the --script http-enum option acts as a catalyst, signaling Nmap to activate the http-enum script

06:10.660 --> 06:17.260
whenever it detects a web server. Originally contributed by Ron Bowes, this script primarily focused

06:17.260 --> 06:19.210
on directory discovery.

06:19.210 --> 06:24.790
Over time, the script has evolved as the community expanded its collection of fingerprints to include

06:24.790 --> 06:30.880
various files like version files, READMEs and forgotten database backups.

06:30.910 --> 06:40.360
Notably, the script has been enhanced to integrate a database, further enriching its detection capabilities.

06:40.390 --> 06:48.520
And it's worth venturing into the intricacies of the fingerprint database used by the http-enum script.

06:48.520 --> 06:58.150
So the fingerprints reside in the http-fingerprints.lua file, securely stored in the nselib/data directory.

06:58.150 --> 07:03.400
So here we will scan in nselib.

07:03.400 --> 07:12.640
So we can't actually reach it, but we will look at it in the next lectures.

07:12.640 --> 07:17.110
So here this is represented as Lua tables.

07:17.110 --> 07:23.110
Each entry contains valuable information, including specific file path patterns to match.

07:23.110 --> 07:28.600
And if you are feeling adventurous, you can contribute to this database by appending your

07:28.720 --> 07:35.140
own entries, or even employing an alternative fingerprint file using the http-enum.fingerprintfile script

07:35.140 --> 07:35.860
argument.

07:36.340 --> 07:44.950
For instance, you can do this with nmap --script http-enum here, and after that you can enter the

07:44.950 --> 07:45.850
script arguments.

07:45.850 --> 07:55.690
Of course, as we always see, --script-args, and after that we will use the http-enum.fingerprintfile

07:55.690 --> 08:03.640
argument here, and here you will enter your fingerprint file, and after that you will enter your target,

08:03.670 --> 08:05.140
the IP or domain.

08:05.140 --> 08:11.320
And in this command you replace the default fingerprint file with your own, enabling customization and

08:11.320 --> 08:18.370
expanding the scope of your discoveries. And to further enhance your reconnaissance, you can modify

08:18.370 --> 08:28.970
the base path of the scan by utilizing the http-enum.basepath script argument. Sorry,

08:29.020 --> 08:29.410
sorry.

08:29.410 --> 08:30.580
Is my voice going now?

08:30.580 --> 08:31.120
Yes.

08:31.120 --> 08:38.110
So you can do this by entering the http-enum script argument here.

08:39.550 --> 08:49.540
However, if you have specific directories here, you can also... sorry for this, my microphone.

08:50.140 --> 08:51.880
It's actually going and coming here.

08:51.880 --> 08:52.420
Sorry.

08:54.310 --> 08:54.820
Okay.

08:55.850 --> 08:56.630
So.

09:01.330 --> 09:01.750
That's it.

09:03.060 --> 09:05.460
And here you can.

09:05.610 --> 09:13.530
As I said, this http-enum script begins its exploration from the root directory. However, if

09:13.530 --> 09:22.650
you suspect specific directories hold secrets, you can instruct Nmap to focus its efforts

09:22.650 --> 09:23.520
accordingly here.

09:23.520 --> 09:27.210
So here you will enter, after --script-args,

09:27.210 --> 09:31.890
we will use http-enum.

09:32.880 --> 09:34.980
Of course you can use multiple arguments here.

09:34.980 --> 09:35.930
I'm just I was.

09:36.120 --> 09:36.510
I will.

09:36.600 --> 09:40.680
I just deleted the previous one because I want to show it better here.

09:41.130 --> 09:49.560
So basepath, and here you can also use web here, and after that you can enter the target here.

09:49.560 --> 09:59.580
So with this command Nmap will scrutinize the web directory, revealing any intriguing files or directories

09:59.610 --> 10:00.680
lurking within.

10:00.690 --> 10:02.130
But wait, there's more.

10:02.130 --> 10:09.730
So in a remarkable collaboration between Nmap and Nikto, an exciting feature was born.

10:09.760 --> 10:18.100
The http-enum script now supports parsing Nikto database files, which opens up a realm of possibilities

10:18.100 --> 10:25.300
by integrating the powerful Nikto database; the script dynamically transforms Nikto entries into Lua

10:25.330 --> 10:29.950
tables and merges them with an existing fingerprint database.

10:29.950 --> 10:38.440
So this collaboration enables you to leverage the strengths of both tools and conduct more thorough assessments.

10:38.440 --> 10:44.680
So to harness this power, you can use nmap here.

10:45.130 --> 10:53.500
--script http-enum, and here http-enum.nikto-db-path.

10:53.920 --> 10:55.300
This is a script argument.

10:55.510 --> 11:01.420
With this you can provide Nmap the path to your database file.

11:02.210 --> 11:09.590
And here, after that, you will enter an equals sign, and after the equals sign you will enter the path to the Nikto database

11:09.590 --> 11:09.890
file.

11:09.890 --> 11:15.020
And after that you will enter your target domain or IP address.

11:16.490 --> 11:22.340
And here, as you can see, there's no such path, because I don't have the database right now.

11:22.340 --> 11:27.470
But you will learn how to integrate and use that database in the next lectures.

11:27.470 --> 11:35.480
And here this amalgamation of Nmap and these capabilities offers unparalleled depth and precision in

11:35.480 --> 11:37.640
uncovering hidden vulnerabilities.

11:37.640 --> 11:46.040
So armed with Nmap's web scanning prowess, you can venture into the digital wilderness

11:46.040 --> 11:51.350
unearthing hidden files, directories and potential vulnerabilities.

11:51.380 --> 11:55.940
However, with great power comes great responsibility.

11:56.330 --> 12:04.010
Always ensure you have proper authorization and consent before engaging in any security testing activities.

12:04.010 --> 12:10.010
Remember, penetration testing should be conducted ethically within legal boundaries.

12:10.010 --> 12:16.470
So before concluding our expedition, let's keep a few additional points in mind.

12:16.470 --> 12:27.690
The first is regularly using the http-fingerprints.lua file with

12:27.690 --> 12:35.190
new fingerprints and patterns, which strengthens the accuracy and effectiveness of the http-enum script.

12:35.190 --> 12:41.610
So stay informed about emerging web vulnerabilities and adapt your fingerprint database accordingly

12:41.610 --> 12:44.790
to stay ahead of potential threats.

12:45.570 --> 12:50.030
And here I have two more suggestions to keep in mind.

12:50.040 --> 12:53.670
So the second is file and directory

12:53.670 --> 13:02.430
discovery is only one phase of a comprehensive web server security assessment. To ensure a holistic security

13:02.430 --> 13:03.500
evaluation.

13:03.510 --> 13:09.690
Complement your scans with techniques such as vulnerability scanning, input validation testing and

13:09.690 --> 13:11.900
secure configuration assessment.

13:11.910 --> 13:20.730
And the last suggestion is to embrace the thrill of exploration, but always prioritize

13:20.730 --> 13:22.260
responsible disclosure.

13:22.260 --> 13:27.840
If you uncover sensitive information or vulnerabilities during your scans, handle them with care and

13:27.840 --> 13:33.630
report them to the relevant authorities or system owners to ensure proper remediation.

13:33.660 --> 13:39.930
Now, armed with Nmap and its formidable web scanning capabilities, go forth and uncover the hidden

13:39.930 --> 13:47.470
gems within web servers, empowering organizations to strengthen their security and defend against potential

13:47.470 --> 13:47.950
threats.

13:47.980 --> 13:49.240
Happy scanning.

13:49.360 --> 13:50.620
See you in the next lecture.

13:50.620 --> 13:51.610
My name is Typhoon.
