Welcome to the Vulnerability Analysis section. So we covered scanning and we managed to discover a bunch of information about our target. And right now we're going to use that information to discover whether our target has some vulnerabilities. We're going to cover three different tools in this section. And the first one is going to be an already familiar tool, which is called nmap. We're going to tackle a subject on nmap scripting. By now, we learned that nmap is used for scanning targets, but nmap can also perform vulnerability analysis, and in some cases it can even perform exploitation with the help of different scripts. As this is advanced use of nmap, we should first explain what these nmap scripts are. Well, nmap scripts are commonly used in scanning to detect different service vulnerabilities. They can also be used for brute forcing attacks. They can be used to detect malware on the target machine. They are also used to collect even more information about databases and other network services, so we can consider this lecture to be half scanning and half vulnerability analysis. The goal of this lecture, however, will not be the vulnerability analysis, but to show you how we can run the scripts. And before we even run them, we need to know what our available options are. So where are those scripts? How do we run them?
How do we know which scripts even exist? Inside of Kali Linux, we can find all the scripts that nmap has inside of this directory, so open up your terminal and navigate to /usr/share/nmap/scripts. If I type ls, all right, here we can see there are a lot of them. Let us test some of them out and see whether they give us any information about our target. Now, running scripts comes with two different options. We can either specify one script to use in a scan, or we can specify a group of scripts that we will use inside of a scan. And to fully understand all the possible things that we can do with scripts using nmap, you should take a look at this page right here. This is the official nmap page from the nmap.org link, and in this book, nmap.org/book/nse-usage.html, it will give us a good explanation about script groups and the usage of nmap. If we scroll all the way down, here is the usage and examples. We get different script categories, which are script groups. We can see right here that the currently defined categories are auth, broadcast, brute, default, discovery, and many more right here. And down here we can read about each and every one of them to see what each script group does.
So, for example, right here, the brute script group: it says these scripts use brute force attacks to guess authentication credentials of a remote server, and that nmap contains scripts for brute forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute and so on and so on. Let us test some of them out. Let us start with this auth script group first. We can read: these scripts deal with authentication credentials, or bypassing them, on the target system. Examples include x11-access, ftp-anon, and oracle-enum-users. Now, these right here that you read are single script names. And these single scripts belong to this larger script group right here. It also says scripts which use brute force attacks to determine credentials are placed in the brute category instead. So right here, there are no scripts that are used for brute forcing, and brute forcing simply means running a bunch of usernames and passwords onto the target system to discover which one is the correct username and which one is the correct password. But more about brute forcing later on. For now, let us go and test some of these scripts. To run a scan with a script group we can use nmap --script, and after it we specify the script group. So in my case, I will use auth.
And I'm going to run it against the Metasploitable machine. Since this scan can require root privileges, let's add sudo and type in our password. As soon as it finishes, we're going to see whether this auth script group discovered any useful information for us regarding vulnerabilities. OK, so it is finished. Let us see whether our script managed to detect anything unusual. So we get the standard output of all the open ports, and we also get some other information for some of the ports. For example, right here we get ftp-anon, and this ftp-anon is just a single script name from nmap. It tells us that anonymous FTP login is allowed. Hmm. What does this mean? Well, this is something that we will cover later. For now, just keep in mind that anonymous login is allowed for the port twenty-one. Under the SSH port, we get which authentication methods are supported right here. Down here, we get information for the MySQL port; it tells us that the root account has an empty password. This can also be very useful for us. And right here, we can see tomcat:tomcat. What does this mean? Well, this looks like default Tomcat credentials, and if I go down here, it tells us post-scan script results.
It says that this is a valid credential for Tomcat. It is for the service running on this port. Let us check this out. This might be the first vulnerability that we find. To check whether this is correct, we can go and open up Firefox, and we are going to make a connection to our Metasploitable on this port right here. So just find out the IP address of your Metasploitable, and if you scanned it right now, you already know it. So for me, it is 192.168.1.6. And to make a connection to a port, we type a colon and then the port number. In my case, what seems to be a vulnerability is found on this port. So let's go to port 8180 right here. It seems that it only pasted the port. Let me just retype this and type the port like this. So 8180, and then visit this. And here we get the official Apache Tomcat page. Let's see whether we can find something interesting right here. And what we are looking for, based on these credentials, is a login screen. So this Tomcat Administration seems interesting. If I click on it, it leads us to this admin page where we are required to specify a username and password. And down here from our scan, we got tomcat and tomcat. Let's try it out and see whether it fits.
If I type tomcat for the username and tomcat for the password and click on login, there it is. We managed to log in to the admin page of the Tomcat server. Great. This is our first vulnerability that we managed to discover and exploit. We are now in the administrator page of Tomcat. Now, there are other things that we can do right here as well, but for now we are just happy that we managed to gain access to the administrator page. Down here we have user databases, mail sessions, data sources, and these are all empty because this is a test machine. But if it was a real machine, this would probably all be filled with some other useful information. Great. Let's leave this aside for now. So we managed to gain access to the Tomcat administrator page with the help of an nmap script. Let's see what else we can do with scripts. So let's go and try out the malware scan. These scripts test whether the target platform is infected by malware or backdoors. Let's see whether our target is infected with malware. We can run the same command, just this time instead of auth we're going to use malware. Let's run the scan. And let me Ctrl+C this just so we can make this faster.
I'm going to use the -F option to scan only one hundred ports and not a thousand ports. And it doesn't seem to find any malware right here. But what you can do with this scan: you can wait for us to first exploit Metasploitable in the next section, and then run this scan once again to see whether you can notice any backdoors that we uploaded that are making a connection to our Linux machine. For now, it doesn't seem to give us any result for the first one hundred, but let's try another scan. We're going to use right now the banner script group, and what banners are is simply the information the open port will give us once we connect to it. Banners are usually called information disclosure, and information disclosure can give us the exact version of the software running on an open port. And we can see the scan has finished, and we get the banner, which shows the version for the FTP. We get the banner for the SSH that also shows the version. And this is something similar to the version scan that we covered in nmap. Now, sometimes a banner will look something like this, and this is something that we cannot read, but I'll show you in the exploitation section that this telnet port is one of the easiest ports to exploit and gain access to Metasploitable. And we are going to do this over the banner. For now, it seems that we cannot even read this banner.
But later we are going to use the exact same banner for telnet to gain access to Metasploitable. Let's check out another scan. Let's try this scan group. And this group is called exploit. And while it runs, if I go right here and try to find that scan group, it tells us that the scripts that belong to this exploit scan group aim to actively exploit some vulnerability. Here are some of the examples of the script names that belong to the group. So this script group will actually try to exploit if it finds a vulnerability. Let's see whether it's finished. And it did finish. Right here we can see port 80: spidering limited to this, found the following possible CSRF vulnerabilities. So here are the possible vulnerabilities that it found for this specific port. And for now, don't worry about this type of vulnerabilities for the port. We are going to cover them deeper in the website penetration testing section. For now, we're just taking a look at how we can discover them using vulnerability analysis. Let's go all the way up. And for the FTP port, it tells us right here that the port is vulnerable. It is running this version, and it seems that it managed to exploit it, as it says right here, vulnerable and exploitable. And right here we get the exploit results.
The nmap script ran this command, and it actually managed to get the root account on the target machine. So we found another vulnerability. Here is the FTP port that is exploitable. Now, we don't really know how to exploit it yet, but for now, with the help of scripts and vulnerability analysis, we know that this right here is exploitable. And in the exploitation section, we're going to see exactly how we can gain access and perform the same thing that nmap performed right here. Now, under these IDs, you will see this name right here. Now get used to these types of names. This is how different vulnerabilities are labeled. This 2011 is the year when the vulnerability occurred. OK, great. But these are just some of the script groups that we can run. Of course, we're not going to be running all of them in this video since, as you see right here, there are a lot of them. You can test them out and see what each and every one of them does. But for now, let us just see how we can run one script. We saw how we can run script groups, but sometimes you will only want to run a single script. And we already know that scripts are located inside of this directory right here. And there are a lot. Let's go all the way up and try to find some cool script. Hmm.
This one seems interesting: firewall-bypass, and this .nse is just the extension for the scripts. And by the way, do not blindly run these scripts. What you can do to check out what exactly a certain script does is copy its name and then run the command sudo nmap --script-help and then the name of the script. So paste the script name and press enter. And it will tell us that this particular script detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as FTP and SIP. Right here it also tells us how the script works. So the script works by spoofing a packet from the target server asking for opening a related connection to a target port. And to run it, in case you want to run it, you can type --script, and it is similar to running the script groups. All we need to do is just paste the name of the script and add the IP address. It will start running the script onto the target, and for now it seems that we got the exact same output as a normal nmap scan. Usually when you get this output, that means the script didn't work. So since this one didn't seem to give any output, let's try another one. Let's try the one that we already know will give us an output, and that one is ftp-anon.nse.

And remember when we ran one of the script groups, this script gave us the output for the FTP port, telling us that anonymous FTP login is allowed. Let's see whether we get the same result right now. If I run it and go all the way up, it tells us anonymous FTP login allowed. And I already told you that FTP anonymous login means that you can use the anonymous username and a random password to log in to the FTP. Let's see whether it will work. Let's just test it out. We are curious. We want to see what this anonymous FTP login means. To do that, we're going to connect to the target using FTP. So you just type ftp and then the IP address of the target machine, in our case of the Metasploitable, and press enter. Right here it will ask us for the name; let's type anonymous, and let's type the password here. You can type anything you want. In my case I will just type password123 and press enter, and here it is: Login successful, remote system type is UNIX. And now we can use the help command to see what our available options are inside of this FTP, so we can run these commands right here. Great.
It seems that FTP anonymous login is indeed allowed, but once again, more about FTP and the FTP vulnerabilities that we discovered in the exploitation section. For now, we managed to find out about some potential vulnerabilities, such as the Tomcat administrator login. The FTP port twenty-one should also be vulnerable. Remember when we ran the exploit script group, it told us that it is exploitable. But let's also see what else we can find using other vulnerability analysis tools.