[00:00:01] Instructor: Welcome back. And in this video, I want to show you something that you will do every time you perform a penetration test. I want to show you how to manually search for vulnerabilities. And this is something that you will do a lot. You will use this more than any other tool that we covered.

[00:00:20] So, what manual vulnerability analysis is, is us simply Googling the vulnerabilities. For example, suppose we are attacking a target. And right here, I just performed the version scan for the Metasploitable. Imagine Metasploitable is our target and we just performed this version scan. We got these different ports open and different versions. How do we know if they're vulnerable without using any tool?

[00:00:50] Well, what we can do is we can copy the name of the version that is running on an open port, then go to Google, and just paste that name and add "exploit". And here it is. We're already getting some response back. Python exploit for this version, which is the exact version that our Metasploitable has. VSFTPD, the exact version that we have. Backdoor Command Execution. And what you would do is you would just go to these links and try to find the exploit for it.

[00:01:29] Down here we already see that an exploit already exists, and for which platform it is. We can see right here the source code if we want to. And here it is, the exploit is coded in Python in this case. And this is how you would do most of your vulnerability analysis. We also get the Module Options, and what these Module Options are is something that we will cover in the exploitation section. This is how we can exploit the target using tools. We are going to cover that shortly. For now, this is the way that you can find out how to exploit the target. You just go through a bunch of links and see whether someone already came up with the exploit for that specific version. In this case, for the vsftpd 2.3.4 version.

[00:02:18] And you would do this for any version that you discover. For example, you can go right here, Apache httpd, and copy the version. Make sure that you copy the number as well, which in our case is 2.2.8. Then go and paste the name of that version. Add "exploit", and here we already get the output, Security vulnerabilities. If we click on it, we can see all of the vulnerabilities that this version of Apache has. Right here, we can see which score they have, and the higher the score, the stronger the vulnerability. Right here we can see the vulnerability ID, which, remember, from the last video I told you this format is used for vulnerabilities and you will see it a lot, and we can see all the vulnerabilities that it has.

[00:03:09] This one particularly, we are really interested in. Why? Well, because it has this score, 10. That means that it is a really strong vulnerability. Most likely execution of code or remote access to the target. And it indeed is, it says right here, "Code execution." And if you click on it, you can see what this vulnerability does. You can see confidentiality impact is complete. Integrity impact, complete. Availability impact, complete. There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable. So, this also seems like some kind of a DoS attack.

[00:03:51] And down here, we can see that this will most likely work only for Windows. As I'm noticing, Windows right here a lot: Windows right here, Windows right here. Now, of course, you would read through this in a little bit more detail, but for now, this doesn't seem like an exploit that would work on our Metasploitable, because Metasploitable is running on Linux. And this is what you would do most of your time researching vulnerabilities. This is how you find them, and then you search for the exploit created by someone else that you can use to exploit the target.

[00:04:25] Another thing that you can do is you can use a tool inside of Kali Linux called searchsploit. And searchsploit, if I type --help, simply takes the input of the version of software and then it searches through the Kali Linux database, through all of the exploits that Kali Linux has, and tries to find an exploit that will work for that specific version. Right here we have some usage examples. But without the need to perform these complicated commands, all we have to do is copy, for example, some version. Let's say we copy this version of software, UnrealIRC, and copy this. And what we can do once we copy that version is type searchsploit, and then paste the version name, and we get the result.

[00:05:15] It'll tell us right here there are already some existing exploits for the UnrealIRC. We also get which versions the exploits are for. One of them is Backdoor Command Execution. The second one is Local Configuration Stack Overflow. We also get the Denial of Service exploit, and on the right side, we get the path to those exploits. Right here, this one is under Linux remote and it is named 16922.rb. And this rb simply stands for Ruby. This is coded in the Ruby language. One of them is for Windows, one of them is for Linux. Since we are running Metasploitable, we would only be interested in the Linux exploit. So, let's try to navigate here how we can find this exploit.

[00:06:03] Well, we can copy the name of the exploit and use the locate command to find where exactly this exploit is located on our machine. And it is in this path right here. So, you can go to this directory, cd and then paste the directory name. And if I were to nano 16922.rb, this will open an exploit that we would use to attack that UnrealIRC open port. As we can see, it also tells us that this is a backdoor program. This file is also part of Metasploit Framework. And Metasploit Framework is one of the biggest tools that we are going to cover. In the next section, we'll cover all of the basics of it and we will also cover how we can run exploits and attack different machines using this Metasploit Framework.

[00:06:54] Okay, cool. We found an exploit for this specific software using searchsploit. So, now we know we got an exploit for that version of software that we have on our Metasploitable. So, this is usually how you would perform most of your vulnerability analysis. You either use tools like searchsploit, or you manually try to find an exploit on Google to see whether anyone has exploited it before. And if they have, how did they do it? You will also use Nmap scripts sometimes, but I personally rarely use Nmap scripts for vulnerability analysis. And the last tool that we are going to cover for the vulnerability analysis is going to be Nessus, which we will see in the next section. That tool is huge and you will use it a lot in your vulnerability analysis. See you there.