Welcome to the vulnerability analysis section. So we covered scanning and we managed to discover a bunch of information about our target, and right now we are going to use that information to discover whether a target has some vulnerabilities. We are going to cover three different tools in this section and the first one is going to be an already familiar tool, which is called nmap. We're going to tackle a subject on nmap scripting. By now, we learned that nmap is used for scanning targets. But nmap can also perform vulnerability analysis and in some cases it can even perform exploitation with the help of different scripts. As this is advanced use of nmap, we should first explain what these nmap scripts are. While nmap scripts are commonly used in scanning to detect different service vulnerabilities, they can also be used for brute forcing attacks. They can be used to detect malware on a target machine. They are also used to collect even more information about databases and other network services. So we can consider this lecture to be half scanning and half vulnerability analysis.
The goal of this lecture, however, will not be the vulnerability analysis but to show you how we can run these scripts. And before we even run them, we need to know what our available options are. So where are those scripts, how do we run them? How do we know which scripts even exist? Inside of Kali Linux we can find all the scripts that nmap has inside of this directory. So, open up your terminal and navigate to /usr/share/nmap/scripts. If I type ls right here, we can see there are a lot of them. Let us test some of them out and see whether they give us any information about our target. Now, running scripts comes with two different options. We can either specify one script to use in a scan or we can specify a group of scripts that we will use inside of a scan. And to fully understand all the possible things that we can do with scripts using nmap, you should take a look at the page right here. This is the official nmap page from the nmap.org link, and /book/nse-usage.html gives us a good explanation about script groups and the usage of nmap.
If we scroll all the way down, here is the usage and examples. We get different script categories, which are script groups. We can see right here that the currently defined categories are auth, broadcast, brute, default, discovery and many more right here. And down here we can read about each and every one of them to see what each script group does. So for example, right here, the brute script group, it says these scripts use brute force attacks to guess authentication credentials of a remote server. Nmap contains scripts for brute forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute, and so on. Let us test some of them out. Let us start with this auth script group first. We can read: these scripts deal with authentication credentials or bypassing them on the target system. Examples include x11-access, ftp-anon and oracle-enum-users. Now, these right here that you read are single script names and these single scripts belong to this larger script group.
Right here, it also says scripts which use brute force attacks to determine credentials are placed in the brute category instead. So right here, there are no scripts that are used for brute forcing. And what brute forcing simply means is running a bunch of usernames and passwords against the target system to discover which one is the correct username and which one is the correct password. But more about brute forcing later on. For now, let us go and test some of these scripts. To run a scan with a script group, we can use nmap --script and after it we specify the script group. So in my case, I will use auth and I will scan my Metasploitable machine with the SYN scan. Remember, SYN scan requires sudo privileges, so let's add sudo and type in our password. As soon as it finishes, we're going to see whether this auth script group discovered any useful information for us regarding vulnerabilities. Okay, so it has finished. Let us see whether our script managed to detect anything unusual.
So we get the standard output of all the open ports and we also get some other information for some of the ports. For example, right here we get ftp-anon, and this ftp-anon is just a single script name from nmap. It tells us that anonymous FTP login is allowed. Hmm, what does this mean? Well, this is something that we will cover later. For now, just keep in mind that anonymous login is allowed for port 21. Under the SSH port, we get which authentication methods are supported, right here. Down here we get information for the SQL port. It tells us that the root account has an empty password. This can also be very useful for us. And right here we can see tomcat:tomcat. What does this mean? Well, this looks like default Tomcat credentials, and if I go down here it tells us post-scan script results. It says that this is a valid credential for Tomcat. It is for the service running on this port. Let us check this out. This might be the first vulnerability that we find. To check whether this is correct we can go and open up Firefox.
And we are going to make a connection to our Metasploitable on this port right here. So, just find out the IP address of your Metasploitable, and if you scanned it right now, you already know it. So for me it is 192.168.1.6. And to make a connection to a port I will type a colon and then the port number. In my case, what seems to be a vulnerability is found on this port. So let's copy the port and I will paste it right here. Oops, it seems that it only pasted the port. Let me just retype this and type the port like this. So 8180, and then visit this, and here we get the official Apache Tomcat page. Let's see whether we can find something interesting right here. And what we are looking for based on these credentials is a login screen. So, this Tomcat administration seems interesting. If I click on it, it leads us to this admin page where we are required to specify username and password. And down here from our scan we got tomcat and tomcat. Let's try it out and see whether it fits. If I type tomcat for the username and tomcat for the password, click on log in. There it is.
We managed to log in to the admin page of the Tomcat server. Great, this is our first vulnerability that we managed to discover and exploit. We are now in the administrator page of Tomcat. Now there are other things that we can do right here as well, but for now we are just happy that we managed to gain access to the administrator page. Down here we have user databases, mail sessions, data sources, and these are all empty because this is a test machine, but if it was a real machine, this would probably all be filled with some other useful information. Great, let's leave this on the side for now. So we managed to gain access to the Tomcat administrator page with the help of an nmap script. Let's see what else we can do with scripts. So let's go and try out the malware scan. These scripts test whether the target platform is infected by malware or backdoors. Let's see whether our target is infected with malware. We can run the same command, just this time instead of auth, we're going to use malware. Let's run the scan.
And let me Ctrl-C this; just so we can make this faster, I'm going to use the -F option to scan only 100 ports and not a thousand ports. And it doesn't seem to find any malware right here. But what you can do with this scan, you can wait for us to first exploit the Metasploitable in the next section and then test this scan once again to see whether you can notice any backdoors that we uploaded that are making a connection to our Kali Linux machine. For now, it doesn't seem to give us any result for the first 100 ports. Let's try another scan. We're going to use right now the banner script group. And what banners are, are simply the information the open port will give us once we connect to it. Banners usually hold information disclosure. And by information disclosure, they can give us the exact version of the software running on an open port. And we can see the scan has finished, and we get the banner, which holds the version for the FTP. We get the banner for SSH, which also holds the version. And this is something similar to the version scan that we covered in nmap.
Now sometimes a banner will look something like this, and this is something that we cannot read. But I will show you in the exploitation section that this telnet port is one of the easiest ports to exploit and gain access to Metasploitable. And we are going to do this over the banner. For now, it seems that we cannot even read this banner, but later we are going to use the exact same banner for telnet to gain access to the Metasploitable. Let's check out another scan. Let's try this scan group. And this scan group is called exploit. And while it runs, if I go right here and try to find this scan group, it tells us that the scripts that belong to this exploit scan group aim to actively exploit some vulnerability. Here are some of the examples of the script names that belong to the group. So this script group will actually try to exploit if it finds a vulnerability. Let's see whether it finished. And it did finish. Right here, we can see port 80: spidering limited to this, found the following possible CSRF vulnerabilities.
So, here are the possible vulnerabilities that it found for this specific vulnerability. And for now, don't worry about this. This type of vulnerability for the HTTP port we are going to cover in the website penetration testing section. For now, we are just taking a look at how we can discover them using vulnerability analysis. Let's go all the way up. And for the FTP port, it tells us right here that the port is vulnerable. It is running this version and it seems that it managed to exploit it, as it says right here, vulnerable and exploitable. And right here we get the exploit results. The nmap script ran this command and it actually managed to get the root account on the target machine. So we found another vulnerability. Here is the FTP port that is exploitable. Now we don't really know how to exploit it yet, but for now, with the help of scripts and vulnerability analysis, we know that this right here is exploitable.
And in the exploitation section we're going to see exactly how we can gain access and perform the same thing that nmap performed right here. Now under these IDs, you will see this name right here. Now get used to these types of names. This is how different vulnerabilities are labeled. This 2011 is the year when the vulnerability occurred. Okay, great. But these are just some of the script groups that we can run. Of course, we are not going to be running all of them in this video since, as you see right here, there are a lot of them. You can test them out and see what each and every one of them does. But for now, let us just see how we can run one script. We saw how we can run script groups, but sometimes you will only want to run a single script. And we already know that scripts are located inside of this directory, right here, and there are a lot of them. Let's go all the way up and try to find some cool script. Hmm, this one seems interesting: firewall-bypass, and this .nse is just the extension for the scripts.
And by the way, to not blindly run these scripts, what you can do to check out what exactly a certain script does, is you can copy its name and then run the command sudo nmap --script-help and then the name of the script. So, paste the script name and press enter. It'll tell us that this particular script detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as FTP and SIP. Right here, it also tells us how the script works. So the script works by spoofing a packet from the target server asking for opening a related connection to a target port. And to run it, in case you want to run it, you can type sudo nmap --script. And it is similar to running the script groups. All we need to do is just paste the name of the script and add the IP address. It'll start running this script against the target. And for now, it seems that we got the exact same output as a normal nmap scan. Usually you will get this output. That means the script didn't work.
So since this one didn't seem to give any output, let's try another one. Let's try the one that we already know will give us an output, and that one is ftp-anon.nse. And remember when we ran one of the script groups, this script gave us the output for the FTP port, telling us that anonymous FTP login is allowed. Let's see whether we get the same result right now. If I run it, go all the way up, it tells us anonymous FTP login allowed. And I already told you that FTP anonymous login means that you can use the anonymous username and a random password to log in to the FTP. Let's see whether it'll work. Let's just test it out. We are curious. We want to see what this anonymous FTP login means. To do that, we're going to connect to the target using ftp. So you just type ftp and then the IP address of the target machine. In our case, of the Metasploitable. Press enter. And right here, it'll ask us for the name. Let's type anonymous and let's type the password. Here, you can type anything you want.
In my case, I will just type password123 and press enter. And here it is, login successful. Remote system type is UNIX. And now we can use the help command to see what our available options are inside of this FTP server. So we can run these commands right here. Great, it seems that FTP anonymous login is indeed allowed. But once again, more about FTP and the FTP vulnerabilities that we discovered in the exploitation section. For now, we managed to find out about some potential vulnerabilities, such as the Tomcat administrator login; the FTP port 21 showed to also be vulnerable. Remember when we ran the exploit script group, it told us that it is exploitable. But let's also see what else we can find using other vulnerability analysis tools.