1 00:00:00,660 --> 00:00:05,940 Welcome back to the official Start COP series for the certified 2010 Tester. 2 00:00:06,360 --> 00:00:09,600 This is going to be the vulnerability assessments module. 3 00:00:10,200 --> 00:00:11,900 We're going to talk about vulnerability assessments. 4 00:00:11,910 --> 00:00:15,450 We'll talk about the various tools to conduct vulnerability assessments. 5 00:00:15,960 --> 00:00:21,090 And we'll also look at different ways to analyze and prioritize vulnerabilities. 6 00:00:34,490 --> 00:00:35,480 So this is a headline. 7 00:00:36,320 --> 00:00:37,460 Our Table of contents. 8 00:00:37,790 --> 00:00:39,640 So we're gonna talk about vulnerability assessments. 9 00:00:39,650 --> 00:00:43,340 We'll look at the different types of vulnerability scans. 10 00:00:43,670 --> 00:00:49,310 We'll look at the different tools that are used for vulnerability scans like Nessus, open, bos, nikto 11 00:00:49,790 --> 00:00:50,330 and even. 12 00:00:52,630 --> 00:00:58,750 Some tools for scanning services like WordPress and Juma also look at different countermeasures. 13 00:01:01,280 --> 00:01:02,900 For vulnerability scans as well. 14 00:01:03,710 --> 00:01:08,270 So this is a chapter for we're looking at what are vulnerability scans, different types of vulnerability 15 00:01:08,270 --> 00:01:08,750 scans. 16 00:01:08,750 --> 00:01:16,790 We'll look at Nikko, the web marble security scanner, we'll get WP scan, DOOM, scan, open VOS and 17 00:01:16,790 --> 00:01:17,930 CMS map. 18 00:01:19,940 --> 00:01:21,380 So it is a vulnerability assessment. 19 00:01:21,380 --> 00:01:28,730 So it's really the process of defining, detecting, categorizing and prioritizing vulnerabilities in 20 00:01:29,150 --> 00:01:34,640 computer systems or information systems, as well as web applications and even network devices. 
21 00:01:35,210 --> 00:01:43,280 That's all with the goal of providing an organization with an assessment that they can use to drive 22 00:01:43,610 --> 00:01:49,130 their different security strategies and also help enforce a certain level of security. 23 00:01:49,790 --> 00:01:55,970 So if the organization does not do proper viability assessments in vulnerability management programs, 24 00:01:56,390 --> 00:02:00,500 then they will be at risk for hackers and ethical hackers. 25 00:02:02,360 --> 00:02:05,510 Based on the software, hardware or other systems they have. 26 00:02:05,780 --> 00:02:08,570 There are many different ways to do vulnerability assessments. 27 00:02:08,900 --> 00:02:11,060 Vulnerability assessments may be done. 28 00:02:12,920 --> 00:02:17,630 As part of a larger scale compliance program. 29 00:02:19,650 --> 00:02:23,610 So let's get into some of the tools and some of the different vulnerability types. 30 00:02:23,610 --> 00:02:26,580 So we have network based more ability scans. 31 00:02:26,580 --> 00:02:31,230 These are used to find vulnerabilities that can be exploited over the network. 32 00:02:31,260 --> 00:02:35,460 Usually vulnerabilities come out in two flavors, either local or remote. 33 00:02:35,790 --> 00:02:38,250 They're also post based more abilities. 34 00:02:38,580 --> 00:02:45,270 So things like servers, workstations and even switches, routers and all that kind of stuff. 35 00:02:45,270 --> 00:02:52,170 Then of course, we have to look at wireless networking, so we have to look at the organization's Wi-Fi 36 00:02:52,170 --> 00:02:52,650 posture. 37 00:02:52,650 --> 00:03:00,420 If there is Wi-Fi allowed or maybe there's a guest wi fi or some commercial wi fi platform, these can 38 00:03:00,420 --> 00:03:06,600 be targets of attack through rogue access points and many other attack vectors. 
39 00:03:07,200 --> 00:03:12,120 We also, of course, want to scan applications that are running on websites because websites are not 40 00:03:13,050 --> 00:03:14,520 largely static anymore. 41 00:03:14,520 --> 00:03:23,850 They're very dynamic with Java based websites and even flash in some cases the flash is becoming moving 42 00:03:23,880 --> 00:03:24,960 towards being retired. 43 00:03:25,170 --> 00:03:34,230 And then of course, we have the databases that hold those precious confidential or maybe proprietary 44 00:03:34,440 --> 00:03:39,120 information, the crown jewels, if you will, of your company. 45 00:03:39,390 --> 00:03:45,990 So if you're a online retailer, your database may be the most important thing that you have because 46 00:03:45,990 --> 00:03:50,610 it holds all your records of your inventory, your clients, your customers. 47 00:03:51,060 --> 00:03:59,460 And so their databases are vulnerable to things like SQL injection or command injection, any kind of 48 00:03:59,460 --> 00:04:06,390 attack that allows me to, as the attacker or an ethical hacker, to run commands on a database that 49 00:04:06,390 --> 00:04:12,240 maybe it wasn't intended that by the creator of the database. 50 00:04:13,740 --> 00:04:14,730 So let's all get nicked. 51 00:04:14,730 --> 00:04:20,370 So first off and we'll talk about just where to find these vulnerability tools and Kali Linux, let's 52 00:04:20,370 --> 00:04:23,730 open up our virtual machine here and we go to the start menu. 53 00:04:23,730 --> 00:04:26,700 We've got a whole section. 54 00:04:26,700 --> 00:04:29,850 It's actually the number two of vulnerability management tools. 55 00:04:29,850 --> 00:04:32,670 Notice we have Nikita as well as End Map. 56 00:04:33,330 --> 00:04:38,940 There are other tools that are in there which we don't have time for, but there are many different 57 00:04:38,940 --> 00:04:40,590 tools for vulnerability analysis. 
58 00:04:40,590 --> 00:04:48,480 They even have they put some of the tools under the web application section like one map and WordPress 59 00:04:48,480 --> 00:04:56,190 scan, but that's only because they typically are volatility assessments for things like websites now. 60 00:04:59,030 --> 00:05:04,400 There are many other tools besides this, so take it with a grain of salt and understand that there 61 00:05:04,400 --> 00:05:07,640 are lots more tools than just these that were being presented here. 62 00:05:08,150 --> 00:05:15,050 So Nektar is a web scanner that addresses web service for dangerous files, malicious common gateway 63 00:05:15,050 --> 00:05:20,570 interfaces or cages that are outdated, maybe unpatched servers and other problems. 64 00:05:20,990 --> 00:05:31,070 So it runs more than 6700 different tests, so that apply to various different server types. 65 00:05:31,880 --> 00:05:35,660 And so there's even a few variations of Nextel that run on Mac as well. 66 00:05:36,680 --> 00:05:39,920 And so, Nito, just keep in mind that it's not stealthy. 67 00:05:40,820 --> 00:05:43,770 It's not a tool that's going to it's going to set off some alerts. 68 00:05:43,770 --> 00:05:48,710 So let's go ahead and open up a command prompt or a terminal. 69 00:05:49,630 --> 00:05:54,500 Since we're dealing with Linux here and we're going to go ahead and look at the main page or the manual 70 00:05:54,500 --> 00:05:55,430 page for Nick to. 71 00:05:58,920 --> 00:06:05,700 So we want to scan a web server for known vulnerabilities and look for potential problems like default 72 00:06:05,700 --> 00:06:07,620 files and secure files. 73 00:06:09,930 --> 00:06:11,540 And Nicole has many different options. 74 00:06:11,550 --> 00:06:14,700 It can also display HTP redirects. 75 00:06:14,700 --> 00:06:16,950 It can look at cookies that are received. 76 00:06:17,370 --> 00:06:19,980 It can show any 200 responses. 77 00:06:20,280 --> 00:06:23,160 We can also set it to verbose. 
78 00:06:23,190 --> 00:06:33,090 Let's go ahead and just run it on the local post here because we should still have our Apache server 79 00:06:33,090 --> 00:06:33,540 running. 80 00:06:38,460 --> 00:06:40,320 And because of that we have to pseudo. 81 00:06:48,210 --> 00:06:49,740 The Apache is not currently running. 82 00:06:49,740 --> 00:06:57,150 So let's go ahead and start that with the Apache Controller Command and Apache should be. 83 00:06:57,770 --> 00:06:58,440 There we go. 84 00:06:58,440 --> 00:06:59,160 It's now running. 85 00:06:59,790 --> 00:07:03,120 So let's go ahead and do Nikto Dash H. 86 00:07:05,040 --> 00:07:07,260 And we can see the help information. 87 00:07:07,980 --> 00:07:09,360 We can list plug ins. 88 00:07:10,740 --> 00:07:12,470 So this actually requires an argument. 89 00:07:12,480 --> 00:07:16,590 So let's go ahead and do the H local host. 90 00:07:16,590 --> 00:07:20,370 And we're also going to do the V for verbose node. 91 00:07:20,820 --> 00:07:22,980 So let's put in. 92 00:07:32,560 --> 00:07:34,060 What are our actual IP? 93 00:07:35,590 --> 00:07:38,160 I totally forgot in the process of doing this. 94 00:07:38,170 --> 00:07:40,360 192107.205. 95 00:07:40,390 --> 00:07:41,380 Let's try that again. 96 00:07:42,330 --> 00:07:43,210 We have a difference. 97 00:07:47,310 --> 00:07:49,530 So it's still saying it's an invalid IP. 98 00:07:52,260 --> 00:07:53,400 So we'll go to get that fixed. 99 00:07:53,400 --> 00:07:54,180 And we'll be right back. 100 00:07:55,350 --> 00:08:00,210 So we'll go ahead and run a scan on another machine on the network that I do know has a Web server running 101 00:08:00,750 --> 00:08:04,830 or will actually go ahead and enable on this local workstation as well. 102 00:08:04,830 --> 00:08:11,460 On the same subnet, I'm using the X a temp web server, so I'm going to go ahead and start Apache and 103 00:08:11,460 --> 00:08:14,160 my school and file Zilla. 
104 00:08:14,790 --> 00:08:17,340 So I'm going to go to 7.2 23. 105 00:08:26,260 --> 00:08:28,960 Let's make sure we have a network connection just to be on the safe side. 106 00:08:35,940 --> 00:08:36,480 There we go. 107 00:08:37,140 --> 00:08:38,760 So I think the dash V was the problem. 108 00:08:39,210 --> 00:08:41,750 That does happen again when you don't work with these tools. 109 00:08:41,760 --> 00:08:43,050 Again, I say this all the time. 110 00:08:43,380 --> 00:08:48,270 You want to make sure that you use the man page and these tools can change. 111 00:08:48,540 --> 00:08:50,160 Sometimes switches will change. 112 00:08:50,610 --> 00:08:56,400 Notice it's already found the type of server and this happens to be Microsoft ISC server, Internet 113 00:08:56,410 --> 00:09:00,180 Information Services, and it found some vulnerabilities. 114 00:09:00,880 --> 00:09:06,480 So we could actually take this and write it to a file. 115 00:09:07,080 --> 00:09:09,570 But that's a basic run of Excel. 116 00:09:10,420 --> 00:09:17,640 And if you don't have any other vulnerability management tools, it is a great option. 117 00:09:19,090 --> 00:09:22,150 We're finding out quickly what's going on with that system. 118 00:09:23,200 --> 00:09:25,150 So Nektar has proxy support. 119 00:09:25,420 --> 00:09:31,960 You can save reports in plain text XML and even has several templates. 120 00:09:40,280 --> 00:09:41,390 So if we want to. 121 00:09:49,830 --> 00:09:52,290 Test on different websites. 122 00:09:52,320 --> 00:09:53,490 Let's go ahead and. 123 00:10:01,530 --> 00:10:03,240 See some other things we can do with it. 124 00:10:09,360 --> 00:10:13,970 So we went ahead and reran the same query with the verbose mode. 125 00:10:13,980 --> 00:10:19,230 So basically it's going to show all the different web tests it's going through. 
126 00:10:19,560 --> 00:10:25,110 Again, it's a lot of data coming across the screen right now, but it tested a host and it actually 127 00:10:25,410 --> 00:10:27,570 did over 7000 requests made. 128 00:10:27,840 --> 00:10:29,160 And we can actually cat. 129 00:10:34,580 --> 00:10:34,750 Yeah. 130 00:10:41,800 --> 00:10:42,700 So to look at. 131 00:10:47,170 --> 00:10:47,890 To look at this. 132 00:10:47,890 --> 00:10:51,430 We're going to set up basically a simple web server. 133 00:10:55,940 --> 00:10:56,930 Clear the screen. 134 00:11:02,210 --> 00:11:03,800 I call this in Python. 135 00:11:07,450 --> 00:11:14,210 It's a simple one show that will actually serve up local directories. 136 00:11:16,340 --> 00:11:18,860 Now let's look at a tool called WP Scan. 137 00:11:19,230 --> 00:11:25,820 MP Scan is for scanning WordPress websites and obtaining vulnerabilities within the core version. 138 00:11:26,600 --> 00:11:28,220 Any plugins you might have. 139 00:11:28,520 --> 00:11:34,610 In addition, it can also look for weak passwords and other security configuration issues. 140 00:11:35,120 --> 00:11:41,960 So it'll look at your robot's text file, your debug log, if you have that many changes that were made, 141 00:11:42,350 --> 00:11:43,760 and so on and so forth. 142 00:11:45,410 --> 00:11:48,770 So we go to our Web application analysis tools. 143 00:11:50,560 --> 00:11:56,980 We have our WP scan or WordPress game tool and it's going to execute the Help file if you just click 144 00:11:56,980 --> 00:11:57,310 on it. 145 00:12:00,870 --> 00:12:01,860 And that notice there's the. 146 00:12:05,250 --> 00:12:05,820 Version. 147 00:12:06,810 --> 00:12:08,460 You can put verbose mode. 148 00:12:08,910 --> 00:12:09,690 You can. 149 00:12:11,780 --> 00:12:14,960 Output to a file just like you can with many of the other tools. 150 00:12:19,730 --> 00:12:20,840 You can enumerate. 151 00:12:21,260 --> 00:12:23,660 Look for plug ins that are vulnerable. 
152 00:12:24,830 --> 00:12:26,360 On a particular WordPress site. 153 00:12:34,400 --> 00:12:35,780 So that was just a partial list. 154 00:12:35,780 --> 00:12:43,340 If you if you do the two ages, you get a more detailed list of options. 155 00:12:43,340 --> 00:12:45,490 So there's a lot of tools built into every piece. 156 00:12:45,620 --> 00:12:49,730 And of course, you don't want to use this on any sites that you don't have permission to. 157 00:12:51,380 --> 00:12:55,940 And it's a very powerful tool for finding vulnerabilities in WordPress websites. 158 00:13:02,610 --> 00:13:04,530 So you can run the. 159 00:13:06,050 --> 00:13:10,160 Never scanned RV and then the URL to look for vulnerable plug ins. 160 00:13:14,530 --> 00:13:17,920 You can enumerate vulnerable themes. 161 00:13:21,250 --> 00:13:23,980 And you can also check for users as well. 162 00:13:28,180 --> 00:13:30,520 Let's talk about June scan. 163 00:13:30,700 --> 00:13:36,490 June scan is a vulnerability enumerator numerator as well or the Joomla. 164 00:13:38,150 --> 00:13:39,710 Webb's platform. 165 00:13:45,130 --> 00:13:51,370 So June scan is not in the CALLIE installation by the fall of 2020. 166 00:13:51,700 --> 00:13:55,960 But you can do just an app dash get install. 167 00:13:59,690 --> 00:14:03,920 Of it and you'll it'll download it see it's already download the first pseudo to root 168 00:14:08,060 --> 00:14:14,990 and see where it's on the latest version 00.70 and install the necessary perl libraries for it to be 169 00:14:14,990 --> 00:14:15,530 able to work. 170 00:14:16,010 --> 00:14:21,110 Let's go inside the screen and there's no manual page for this program. 171 00:14:23,210 --> 00:14:24,410 But there is a health file. 172 00:14:24,860 --> 00:14:26,750 This is another hospital. 
173 00:14:27,470 --> 00:14:35,150 If you want to enumerate a system that you know is running Juma, which you could you can go out and 174 00:14:35,150 --> 00:14:42,860 find vulnerable Joomla websites with Google Dorking of course and your. 175 00:14:44,650 --> 00:14:46,870 You can also run it from behind a proxy. 176 00:14:48,800 --> 00:14:50,810 So essentially the command looks like this. 177 00:14:53,430 --> 00:15:01,050 Jim scanned dash, dash the URL and the website you want to scan. 178 00:15:11,210 --> 00:15:14,240 Now let's look at a tool called Drew Poem. 179 00:15:14,270 --> 00:15:14,840 This is a. 180 00:15:16,390 --> 00:15:17,110 Play on words. 181 00:15:17,380 --> 00:15:20,290 Of the Drupal system. 182 00:15:22,430 --> 00:15:26,810 So DuPont has two separate modes enumerate and exploit. 183 00:15:27,350 --> 00:15:34,190 So with enumerate mode, you can enumerate files, you can enumerate what modules are running and even 184 00:15:34,190 --> 00:15:38,330 what themes, and it actually allows you to exploit vulnerabilities with it. 185 00:15:39,560 --> 00:15:41,570 So let's switch over to our call box. 186 00:15:46,480 --> 00:15:47,770 And we'll open up the terminal. 187 00:15:51,680 --> 00:15:52,930 Go and see the roots. 188 00:15:54,120 --> 00:15:54,630 And 189 00:15:59,250 --> 00:16:01,210 DuPont is not in the calorie repository. 190 00:16:01,240 --> 00:16:02,520 That's one of the first things you'll see. 191 00:16:03,060 --> 00:16:04,410 So you have to essentially. 192 00:16:06,340 --> 00:16:10,390 Go out to its GitHub site and pull down a copy. 193 00:16:12,490 --> 00:16:15,160 Sometimes these tools do get. 194 00:16:16,560 --> 00:16:17,130 Updated. 195 00:16:17,400 --> 00:16:19,920 Sometimes there might be a long time before they get updated. 196 00:16:19,920 --> 00:16:24,420 So this is the the GitHub repository. 197 00:16:25,610 --> 00:16:28,220 Z version 1.0.4. 198 00:16:29,450 --> 00:16:31,610 And it's been tested on version seven and eight. 
199 00:16:31,610 --> 00:16:34,760 So again, it may not be able to do all systems. 200 00:16:37,910 --> 00:16:40,220 And the installation you have to. 201 00:16:42,500 --> 00:16:46,280 Call it from Python as it is a Python tool. 202 00:16:51,020 --> 00:16:58,010 So go ahead and grab the link or get I will get clone and we'll paste the. 203 00:16:59,040 --> 00:16:59,760 Like in their. 204 00:17:01,700 --> 00:17:02,120 All right. 205 00:17:04,970 --> 00:17:06,890 I'll go ahead and look at the read me file. 206 00:17:12,360 --> 00:17:12,840 So. 207 00:17:14,910 --> 00:17:16,950 This can also be run from a doctor container. 208 00:17:22,490 --> 00:17:23,540 As an alternative. 209 00:17:25,360 --> 00:17:29,260 There's basic usage commands and then there's the installation. 210 00:17:29,260 --> 00:17:29,650 So. 211 00:17:34,330 --> 00:17:36,690 First we got to run some commands. 212 00:17:41,780 --> 00:17:51,530 How to run the required commands to make sure that everything installs correctly for the screen losing 213 00:17:51,530 --> 00:17:52,490 tip for this one. 214 00:18:01,850 --> 00:18:06,790 So it's collecting a few things that it needs to be able to install it and it's finished. 215 00:18:06,800 --> 00:18:07,550 So now. 216 00:18:16,410 --> 00:18:17,550 There's the Help file. 217 00:18:19,600 --> 00:18:25,060 You pick the mode, there's the the hostname, the target, the go after enumeration. 218 00:18:26,450 --> 00:18:31,610 And of course, you could use Google Dorking to find out a system that's actually running Drupal. 219 00:18:38,110 --> 00:18:39,040 And there you go. 220 00:18:51,420 --> 00:18:52,950 Now let's talk about Open Vos. 221 00:18:52,950 --> 00:18:59,790 Open Vos is best for doing hard reality scanning, where manual scanning would be a very time consuming 222 00:18:59,790 --> 00:19:01,020 and tedious process. 223 00:19:03,120 --> 00:19:10,050 Now calling Linux the old version that used to have open Vos when it opened. 
224 00:19:10,050 --> 00:19:15,060 Vos is a actually a fork of Nessus, the NASA's marble scanner. 225 00:19:16,140 --> 00:19:18,600 So in a02 route. 226 00:19:22,710 --> 00:19:30,090 And usually would go out to app get install open Vos and it's going to have to download a whole bunch 227 00:19:30,090 --> 00:19:33,120 of packages or to be able to install. 228 00:19:34,390 --> 00:19:38,740 You could go to this synaptic package manager or something like that. 229 00:19:39,700 --> 00:19:42,700 You can see that open box is not there by default. 230 00:19:43,210 --> 00:19:46,360 Open box is actually called the The Green Zone. 231 00:19:48,530 --> 00:19:49,160 Scanner. 232 00:19:52,540 --> 00:19:57,940 And if you want to get the community edition for you or some other system, you can go to this website, 233 00:19:57,940 --> 00:19:59,020 green bone dot net. 234 00:19:59,560 --> 00:20:01,750 And they do have a pro version. 235 00:20:05,090 --> 00:20:08,810 You can also run it in a virtual machine as a separate system itself. 236 00:20:10,070 --> 00:20:12,920 And they also have a test, a live demo. 237 00:20:14,730 --> 00:20:16,230 So they have other solutions too. 238 00:20:16,590 --> 00:20:20,280 But we just want the community ignition. 239 00:20:32,260 --> 00:20:34,900 And they do have various security feeds as well. 240 00:20:35,830 --> 00:20:37,420 The ISO is right here. 241 00:20:38,080 --> 00:20:41,050 So you download this ISO and then you can import that into. 242 00:20:42,280 --> 00:20:43,150 A virtual machine. 243 00:20:43,150 --> 00:20:45,460 Of course, they give you the shot to 56. 244 00:20:45,700 --> 00:20:51,520 It will work with either VirtualBox or VMware ESX AI. 245 00:20:52,000 --> 00:20:55,720 Of course you're going to need to have at least a dual core system for gigs of RAM. 246 00:21:07,480 --> 00:21:11,290 So let's see our Open Vos interface. 247 00:21:11,320 --> 00:21:15,850 It has both the command line interface as well as a gooey, much like masses. 
248 00:21:15,850 --> 00:21:18,310 So this will take a while to install. 249 00:21:19,720 --> 00:21:22,540 This is a brief overview of some of the open VOS components. 250 00:21:22,900 --> 00:21:28,510 It has a command line client which you can access to run commands as well, much like SS. 251 00:21:29,200 --> 00:21:35,110 It has the web client which you run through the browser and then there is the open vos manager daemon 252 00:21:35,620 --> 00:21:42,340 and Open Vos works off of a skill like database and then it has something called the MVP, plug ins, 253 00:21:42,350 --> 00:21:43,840 network vulnerability tests. 254 00:21:44,230 --> 00:21:48,310 These are essentially the signatures for the different abilities that are out there. 255 00:21:50,780 --> 00:21:57,440 And then Open Box has its own scanner that you can customize and you can run different scans on either 256 00:21:57,440 --> 00:22:00,350 discovery scans, you can run compliant scans. 257 00:22:00,950 --> 00:22:07,400 Now you can do system by system more ability scans and generate reports, as we'll see here in a moment. 258 00:22:09,590 --> 00:22:20,390 So MBT is a plug in that's written in the Nessus attack scripting language because Nvidia's. 259 00:22:21,790 --> 00:22:25,270 Follow essentially the same pattern as NASA's. 260 00:22:27,120 --> 00:22:34,890 So if you go to the open source website open last night or you can see they have more than 50,000 vulnerability 261 00:22:34,890 --> 00:22:38,580 tests and it's been maintained by Rainbow Network since 2009. 262 00:22:39,420 --> 00:22:44,970 So you can actually go to their site and try out their live demo or you can download the virtual appliance 263 00:22:44,970 --> 00:22:45,180 as well. 264 00:22:45,450 --> 00:22:48,960 As we've shown, this is the live demo site. 265 00:22:51,250 --> 00:22:56,320 And it actually gives you the username and passwords is similar to what you would see on a regular network. 
266 00:22:56,560 --> 00:22:59,020 So you have your dashboard here, which you can customize. 267 00:23:00,380 --> 00:23:03,080 You can look at some examples, scans that have been run. 268 00:23:04,710 --> 00:23:07,140 These are some of these are done on in the cloud systems. 269 00:23:08,430 --> 00:23:10,020 You can generate reports. 270 00:23:12,700 --> 00:23:14,500 You can see what the results were. 271 00:23:16,030 --> 00:23:17,410 What host Reid enumerated. 272 00:23:17,900 --> 00:23:20,800 Yes, they give you a vulnerability list and then the severity. 273 00:23:21,460 --> 00:23:26,800 So you can click on individual IP addresses and you can see what the vulnerability actually was. 274 00:23:29,500 --> 00:23:31,060 It's a very versatile program. 275 00:23:35,350 --> 00:23:38,450 You can set up different sets of credentials. 276 00:23:38,590 --> 00:23:42,250 So right on here, there's a domain admin and a scan user. 277 00:23:42,850 --> 00:23:49,510 You can set different permission levels, so maybe you have different groups and different roles for 278 00:23:49,510 --> 00:23:50,770 your system administrators. 279 00:23:51,610 --> 00:23:53,230 Let's look at the invitees. 280 00:23:53,260 --> 00:23:56,340 These are all the different network vulnerability tests. 281 00:23:56,350 --> 00:24:00,970 You can see 81,343 as of this recording. 282 00:24:02,720 --> 00:24:07,610 And you can see you can click through and see all the different scans. 283 00:24:11,700 --> 00:24:12,990 And all that, all that good stuff. 284 00:24:12,990 --> 00:24:16,650 They sort by numerical score. 285 00:24:19,470 --> 00:24:25,950 And it even has a common vulnerability scoring system or cvss score calculator. 286 00:24:26,790 --> 00:24:32,460 So if you want to figure out what the severity level of a particular ability, it's very useful. 287 00:24:33,870 --> 00:24:34,980 Our program in that regard. 288 00:24:34,980 --> 00:24:37,020 Let's go see how our download is done yet. 
289 00:24:40,640 --> 00:24:40,920 All right. 290 00:24:40,940 --> 00:24:42,290 Looks like it's there. 291 00:24:43,830 --> 00:24:51,650 So then we're going to run the open vos dash, set up command, and it's going to run through it's set 292 00:24:51,650 --> 00:24:56,780 up to build out all of the vulnerability tests and then we'll be able to actually start it. 293 00:24:58,580 --> 00:25:01,050 It's going to go through and put all of its shortcuts. 294 00:25:03,530 --> 00:25:07,280 Z notice now you have access to the menu items that were not there before. 295 00:25:17,160 --> 00:25:20,020 It's want to let this let us finish and then we'll come back. 296 00:25:21,720 --> 00:25:24,350 These are some of the different components of Open Vos. 297 00:25:24,360 --> 00:25:27,780 It has a management protocol, a skill like database. 298 00:25:27,990 --> 00:25:34,830 You can run many different scanners if you need to based on the different types of systems it has. 299 00:25:36,400 --> 00:25:38,920 The ability to start, stop and resume scans. 300 00:25:41,150 --> 00:25:49,400 You can even pull in from a centralized repository much like NASA's does with and the feed gets updated 301 00:25:49,400 --> 00:25:50,570 on a regular basis. 302 00:25:52,100 --> 00:25:58,580 It also has a command line interface that you can run on Windows Linux and you can also integrate open 303 00:25:58,670 --> 00:25:59,360 source with. 304 00:26:00,460 --> 00:26:05,140 S&P tools like Nagase or any other S&P. 305 00:26:06,520 --> 00:26:07,090 Program. 306 00:26:07,630 --> 00:26:16,810 So Open Vos uses the Open Vos transfer protocol and it always uses SSL or transport and it has some 307 00:26:16,810 --> 00:26:21,010 support for the Windows management instrumentation interface. 308 00:26:23,700 --> 00:26:26,850 This is the sample demo, what it will look like when you run it. 309 00:26:30,600 --> 00:26:32,960 Now let's talk about CMS math. 
310 00:26:33,270 --> 00:26:39,540 This is a python open source scanner that automates the process of detecting security flaws for a lot 311 00:26:39,540 --> 00:26:41,820 of the most popular content management systems. 312 00:26:42,240 --> 00:26:45,540 The idea is to integrate this into a single tool. 313 00:26:45,540 --> 00:26:51,180 So the content management systems are WordPress, Joomla, Drupal and Moodle. 314 00:26:56,180 --> 00:26:58,150 The CMS map comes with Illinois. 315 00:26:58,370 --> 00:27:02,270 This is the GitHub repository. 316 00:27:02,690 --> 00:27:04,850 If you want to get the latest and greatest version. 317 00:27:06,370 --> 00:27:07,090 You can do that. 318 00:27:07,090 --> 00:27:08,170 You can also do it. 319 00:27:09,880 --> 00:27:13,720 You can install it with Python if you want to be able to run it from anywhere. 320 00:27:14,890 --> 00:27:16,330 So let's go over to our. 321 00:27:19,060 --> 00:27:25,180 Call the box and we'll go ahead and type in C and S now. 322 00:27:28,750 --> 00:27:30,610 And that is that it's not in the. 323 00:27:34,750 --> 00:27:41,260 Main download the 2020 version of Calleigh amongst all the other tools that are here. 324 00:27:43,620 --> 00:27:49,160 So what we can do is we can go ahead and use Python to install it. 325 00:27:58,570 --> 00:27:59,670 We'll do it both ways. 326 00:27:59,670 --> 00:28:00,970 So you can just see the. 327 00:28:02,270 --> 00:28:03,820 Process, right? 328 00:28:06,130 --> 00:28:06,440 Okay. 329 00:28:16,330 --> 00:28:18,560 So there's no CMS map in their power structure. 330 00:28:18,560 --> 00:28:23,150 You're going to have to do it from the GitHub page. 331 00:28:28,990 --> 00:28:31,060 Make sure I actually copy that text. 332 00:28:32,040 --> 00:28:33,880 You want to do paste? 333 00:28:35,190 --> 00:28:35,850 There you go. 334 00:28:39,740 --> 00:28:40,730 So now we've cloned it. 335 00:28:40,940 --> 00:28:42,410 The second step we're going to do. 
336 00:28:42,950 --> 00:28:45,500 We're going to use PIP to install it. 337 00:28:50,450 --> 00:28:53,820 That was the directory. 338 00:28:54,060 --> 00:28:56,730 Or we can just run the Python script. 339 00:29:09,350 --> 00:29:09,430 You 340 00:29:12,450 --> 00:29:14,190 can look at the read me file. 341 00:29:42,910 --> 00:29:43,510 Here we go. 342 00:29:44,690 --> 00:29:46,630 Now it's actually setting up the team's map. 343 00:29:48,550 --> 00:29:48,850 All right. 344 00:29:48,850 --> 00:29:50,080 Successfully installed. 345 00:29:50,530 --> 00:29:53,110 And now we should be able to run it from anywhere. 346 00:29:55,940 --> 00:29:58,370 So CNN doesn't have a main page. 347 00:30:14,440 --> 00:30:15,990 So there is the help file. 348 00:30:16,860 --> 00:30:20,430 So if you want to run it, you pick the website that you want to run on. 349 00:30:24,170 --> 00:30:27,470 You pick the type of scan you want to do. 350 00:30:29,810 --> 00:30:31,310 Whether you're running WordPress. 351 00:30:31,310 --> 00:30:31,910 Drupal. 352 00:30:34,560 --> 00:30:38,220 You can actually set it to enumerate without searching for exploits. 353 00:30:46,850 --> 00:30:50,660 Just keep in mind, this is an attack, both of you, Iran, on the system that, you know, have permissions 354 00:30:50,660 --> 00:30:50,960 on. 355 00:30:52,480 --> 00:30:54,280 You can get yourself in serious trouble. 356 00:30:56,710 --> 00:30:58,420 So this is some examples. 357 00:31:01,090 --> 00:31:04,090 So let's talk about some of the different countermeasures that are out there. 358 00:31:05,680 --> 00:31:06,070 So. 359 00:31:08,530 --> 00:31:11,860 We know that the bad guys or the. 360 00:31:13,570 --> 00:31:20,080 The non ethical hackers can search for vulnerabilities and exploits and be able to. 361 00:31:22,000 --> 00:31:26,500 Do these things, just like we can see ourselves as ethical hackers. 
362 00:31:26,950 --> 00:31:33,580 So that what you want to do is you want to set up your firewalls and your IDs and your security appliances 363 00:31:33,880 --> 00:31:40,030 to block these types of probes, like from tools like and mapping vulnerability scanners. 364 00:31:40,510 --> 00:31:43,060 You want to filter out any unreachable messages. 365 00:31:43,060 --> 00:31:51,010 So if somebody tries to send a ping or ICMP packet to see what is there, you don't want that information 366 00:31:51,010 --> 00:31:53,710 to get out that you'll tell that to. 367 00:31:54,990 --> 00:31:56,790 How your firewall to filter that out. 368 00:31:57,450 --> 00:32:01,830 You always want to make sure that you're if you're using a firewall, make sure that your latest service 369 00:32:01,830 --> 00:32:05,250 pack is installed, make sure you've installed anti spoofing roles. 370 00:32:05,250 --> 00:32:12,210 So if you have spoofed IP addresses on external interfaces, those will not be accepted. 371 00:32:15,660 --> 00:32:17,670 And now let's do some practice questions. 372 00:32:18,780 --> 00:32:19,790 We have a question here. 373 00:32:19,800 --> 00:32:24,540 This tool can detect the shellshock vulnerability and map. 374 00:32:26,880 --> 00:32:27,360 PD. 375 00:32:28,620 --> 00:32:31,290 Your skin or skin map. 376 00:32:38,340 --> 00:32:40,140 Correct answer is B or PD. 377 00:32:42,070 --> 00:32:45,130 So an end map can do some vulnerability scanning and detection. 378 00:32:45,130 --> 00:32:50,320 But OPD has specific logic for the shellshock vulnerability. 379 00:32:51,270 --> 00:32:52,380 Let's go to the second question. 380 00:32:52,380 --> 00:32:56,010 Which tool is used for scanning WordPress websites? 381 00:32:57,990 --> 00:32:59,120 So are. 382 00:32:59,190 --> 00:32:59,790 I'll scan. 383 00:33:01,520 --> 00:33:02,510 WP scan. 384 00:33:03,440 --> 00:33:04,730 Angry IP scanner. 385 00:33:06,320 --> 00:33:07,280 Or John the Ripper. 
386 00:33:17,270 --> 00:33:22,250 Answer is WPScan, or WordPress scan. Angry IP is more of a network discovery tool. 387 00:33:24,380 --> 00:33:30,140 John the Ripper is a password cracking tool, and Uniscan also can scan websites, but it's not meant 388 00:33:30,140 --> 00:33:34,310 specifically for WordPress sites. 389 00:33:35,300 --> 00:33:37,460 Which language is WPScan written in? 390 00:33:40,220 --> 00:33:43,460 Is it PHP, HTML, 391 00:33:44,520 --> 00:33:45,060 Ruby, 392 00:33:46,230 --> 00:33:46,860 or Perl? 393 00:34:00,650 --> 00:34:01,970 Correct answer is Ruby. 394 00:34:03,070 --> 00:34:10,310 WPScan is written in the Ruby programming language. Number four: what tool that is built into Kali 395 00:34:10,310 --> 00:34:12,950 Linux is for vulnerability scanning Joomla websites? 396 00:34:12,960 --> 00:34:16,520 So keep in mind this is not true for the latest version, but 397 00:34:17,620 --> 00:34:20,260 older versions of Kali did have this tool built in. 398 00:34:21,330 --> 00:34:22,560 Is it WPScan? 399 00:34:23,950 --> 00:34:24,670 DirBuster. 400 00:34:25,810 --> 00:34:28,960 SQLMap or JoomScan. 401 00:34:31,370 --> 00:34:33,260 Keep in mind that the name kind of gives it away. 402 00:34:34,010 --> 00:34:35,930 Correct answer is D, JoomScan. 403 00:34:40,870 --> 00:34:46,120 Number five, what open source vulnerability scanner that is built into Kali Linux was developed by 404 00:34:46,450 --> 00:34:47,830 Nessus engineers? 405 00:34:49,660 --> 00:34:50,320 Nikto. 406 00:34:51,960 --> 00:34:52,890 OpenVAS. 407 00:34:55,000 --> 00:34:58,330 WPScan or JoomScan. 408 00:35:05,400 --> 00:35:07,140 Correct answer is OpenVAS. 409 00:35:11,220 --> 00:35:11,730 So Open 410 00:35:11,740 --> 00:35:15,600 VAS is a fork of Nessus and it has the network vulnerability tests. 411 00:35:15,600 --> 00:35:19,380 We know Nikto is the web application scanner from the command line.
412 00:35:19,380 --> 00:35:26,220 If you only have one tool to use and not any commercial products, or you don't have OpenVAS at your 413 00:35:26,220 --> 00:35:32,010 disposal, you can use Nikto. And of course WordPress scan and JoomScan are not correct because they're 414 00:35:32,010 --> 00:35:36,690 for WordPress sites and the Joomla content management system. 415 00:35:38,230 --> 00:35:41,500 So in summary, we talked about the different processes of 416 00:35:42,830 --> 00:35:47,630 discovering, prioritizing and ranking vulnerabilities based on risk factors. 417 00:35:48,170 --> 00:35:53,720 We talked about the different types of vulnerability scans, be they wireless or database scans. 418 00:35:53,720 --> 00:35:56,750 We looked at Nikto, we looked at PD. 419 00:35:58,340 --> 00:36:03,470 We looked at OpenVAS, the NVTs or the network vulnerability tests. 420 00:36:03,830 --> 00:36:09,230 These are essentially plug-ins that are developed in the Nessus Attack Scripting Language, and this 421 00:36:09,230 --> 00:36:12,170 is a fork of the original Nessus code base. 422 00:36:12,620 --> 00:36:16,970 OpenVAS is good for large networks where manual scanning would be too cumbersome. 423 00:36:19,550 --> 00:36:21,200 And we talked about CMSmap. 424 00:36:23,000 --> 00:36:29,720 Which is a Python open source CMS scanner that helps detect security flaws in some of the most popular 425 00:36:30,080 --> 00:36:31,130 CMS programs. 426 00:36:33,420 --> 00:36:38,210 This is a summary of the topics we covered: vulnerability assessments, vulnerability scans. 427 00:36:38,570 --> 00:36:43,100 We looked at some of the tools for vulnerability scans as well as some of the countermeasures. 428 00:36:48,110 --> 00:36:49,310 Thank you for your attention. 429 00:36:49,350 --> 00:36:54,850 Hope you learned more than you knew before about vulnerability scanning and vulnerability assessments.
430 00:36:54,860 --> 00:37:00,950 It's an important part of the process, especially when doing a full-on pen test or red team engagement. 431 00:37:02,420 --> 00:37:04,160 We'll see you in the next module. 432 00:37:06,170 --> 00:37:09,070 And some may be based on different work environments. 433 00:37:09,080 --> 00:37:13,160 Some might also be based on security frameworks. 434 00:37:13,400 --> 00:37:14,630 Compliance frameworks.