1
00:00:00,300 --> 00:00:03,120
Welcome to the Nmap script overview.

2
00:00:03,360 --> 00:00:14,190
Now, remember, this is going to be the most interesting lecture throughout this, and maybe the

3
00:00:14,190 --> 00:00:20,460
reason is this is where we cover the backbone, the core of Nmap, as it is.

4
00:00:20,910 --> 00:00:23,250
And this is what we call Nmap

5
00:00:23,250 --> 00:00:24,630
Script Engine.

6
00:00:25,350 --> 00:00:26,080
Now, what is that?

7
00:00:26,370 --> 00:00:33,160
It's not really some, you know, fuzzy thing or just some jargon or something.

8
00:00:33,480 --> 00:00:42,330
It's a very, very important subject when it comes to the Nmap product

9
00:00:42,330 --> 00:00:42,780
in a way.

10
00:00:43,770 --> 00:00:51,330
Now, what happens is, Nmap is making use of a scripting language to perform a whole

11
00:00:51,330 --> 00:00:53,160
lot of automation stuff.

12
00:00:53,910 --> 00:00:56,740
Let's see where exactly we make use of it.

13
00:00:57,890 --> 00:01:05,610
So first thing is, you know, it is the most popular feature of Nmap that allows you to automate a

14
00:01:05,610 --> 00:01:07,520
wide range of scanning tasks.

15
00:01:08,360 --> 00:01:10,220
Let's understand one by one.

16
00:01:10,260 --> 00:01:11,700
The first thing is this.

17
00:01:12,060 --> 00:01:15,750
It lets you perform some sophisticated version detection.

18
00:01:16,400 --> 00:01:18,090
Oh, well, wait for a second.

19
00:01:18,420 --> 00:01:23,220
We still have an option with, you know, our basic Nmap scanning.

20
00:01:23,220 --> 00:01:27,950
That's -sV, if you remember that correctly.

21
00:01:28,500 --> 00:01:28,940
Right.

22
00:01:29,430 --> 00:01:39,120
But if you recall my point, -sV can only perform some basic version

23
00:01:39,120 --> 00:01:39,470
check.

24
00:01:39,780 --> 00:01:49,020
And I talked about some complex software as well, like Skype for Business, you know, finding

25
00:01:49,020 --> 00:01:49,890
out that version.

26
00:01:50,340 --> 00:01:57,780
In that case, the NSE, the NSE script plays a very, very important role.

27
00:01:57,960 --> 00:02:03,030
And that's where the sophisticated version detection feature really becomes helpful.

28
00:02:03,330 --> 00:02:11,220
OK, so there is much other software as well where the NSE script becomes very helpful as well.

29
00:02:11,370 --> 00:02:11,720
All right.

30
00:02:12,180 --> 00:02:14,240
So, vulnerability detection.

31
00:02:14,260 --> 00:02:19,590
Now, this is, again, a kind of stuff that we have been looking at.

32
00:02:19,710 --> 00:02:27,120
You know, if you recall the way we have been getting the version, exactly the same, which was the version detection

33
00:02:27,420 --> 00:02:28,290
port scanning.

34
00:02:28,290 --> 00:02:30,270
We used to get the vulnerability, right.

35
00:02:30,690 --> 00:02:37,590
We try to find out if there's any one of the vulnerable ports out there on the server side or probably

36
00:02:37,590 --> 00:02:43,090
on the target's side, or if there's any vulnerable version for any of the software.

37
00:02:43,110 --> 00:02:43,400
Right.

38
00:02:43,800 --> 00:02:52,470
But this is something which is, again, going on at one site, because there are

39
00:02:52,470 --> 00:03:01,140
many peripheral applications or independent, you know, modules that run on every server.

40
00:03:02,130 --> 00:03:06,590
That becomes very, very important when it comes to securing the entire system.

41
00:03:07,050 --> 00:03:14,250
One of the scripts that has been developed by the NSE developers, that's called ssl-heartbleed.

42
00:03:14,700 --> 00:03:20,610
And this has become very, very helpful in terms of finding out the vulnerabilities related to SSL.

43
00:03:20,850 --> 00:03:21,260
All right.

44
00:03:21,660 --> 00:03:26,700
So that's where, you know, you can go and find out some more advanced vulnerability.

45
00:03:26,850 --> 00:03:34,440
OK, there's one more very cool stuff that's called backdoor detection, but thus you can even

46
00:03:34,440 --> 00:03:39,550
find out backdoors for any, you know, for any environment.

47
00:03:40,260 --> 00:03:45,600
Now, I hope all of you might be aware about what exactly a backdoor can perform.

48
00:03:45,960 --> 00:03:48,870
If you look at the entire cyber-attack process.

49
00:03:49,150 --> 00:03:54,290
I know the advanced persistent threat, and the moment a backdoor plays

50
00:03:54,300 --> 00:04:01,560
a, you know, crucial role in terms of making sure somebody wipes out all the data and,

51
00:04:01,560 --> 00:04:08,600
you know, exfiltrates the data and doesn't leave any, you know, footprint across.

52
00:04:09,030 --> 00:04:16,560
So that's where backdoor detection is even more helpful. Most of the time, you know, this kind of

53
00:04:16,560 --> 00:04:19,050
a backdoor gets detected by the Nmap

54
00:04:19,170 --> 00:04:23,790
regular version detection, but some advanced ones'

55
00:04:23,790 --> 00:04:25,890
detection requires the NSE script.

56
00:04:26,220 --> 00:04:33,780
You know, so a script like, you know, there have been many backdoors like DoublePulsar, NSA backdoor,

57
00:04:34,080 --> 00:04:37,470
which was very focused on the SMB protocol in Microsoft.

58
00:04:38,040 --> 00:04:41,740
So that's where the NSE has been very, very popular.

59
00:04:42,390 --> 00:04:48,350
And one more popular feature is called vulnerability exploitation.

60
00:04:48,540 --> 00:04:54,610
Now, of course, there is a very advanced tool made for this, Metasploit.

61
00:04:55,080 --> 00:04:59,550
And, you know, but with Nmap,

62
00:05:00,040 --> 00:05:07,180
it is not meant to have a kind of penetration testing performed, but it's predominantly deployed to

63
00:05:07,180 --> 00:05:14,530
perform the vulnerability scanning, but it helps for better penetration testing when it gets integrated

64
00:05:14,530 --> 00:05:15,370
with your Metasploit.

65
00:05:15,850 --> 00:05:16,230
All right.

66
00:05:16,750 --> 00:05:20,930
So that's where that's really a great value to the point.

67
00:05:21,270 --> 00:05:21,660
All right.

68
00:05:21,910 --> 00:05:29,830
So let's look at how exactly it looks like, you know, what the syntax looks like. So the syntax is nmap

69
00:05:29,830 --> 00:05:34,350
-sC and the target, or the -sC.

70
00:05:34,360 --> 00:05:37,210
Remember that this is the default.

71
00:05:37,330 --> 00:05:46,180
When you type this, that is OK, -s as usual stands for the scan, capital C

72
00:05:46,180 --> 00:05:55,240
stands for the NSE script, or you can even make use of --script that also resembles the

73
00:05:55,240 --> 00:05:55,720
script.

74
00:05:56,470 --> 00:06:04,540
OK, you can specify multiple scripts and the name of it, but if you don't specify, it will take into

75
00:06:04,540 --> 00:06:12,430
account the default, the default scripts, meaning those are ssl-cert and some http-title.

76
00:06:12,730 --> 00:06:15,210
Let me show you how exactly that works.

77
00:06:15,940 --> 00:06:17,770
So if I'm on the Kali.

78
00:06:20,760 --> 00:06:23,480
I'm sorry, wonderful.

79
00:06:25,620 --> 00:06:36,120
Let me clear the terminal here, but if I just do nmap -sC and let me tell

80
00:06:36,120 --> 00:06:42,450
you, if I, you know, scan our own server, then go to the one dot one forty one.

81
00:06:44,540 --> 00:06:46,220
You will see it.

82
00:06:46,580 --> 00:06:49,680
It will make use of some default script.

83
00:06:50,750 --> 00:07:00,700
I have to specify a script name after -sC, but if I don't specify it, it would take, you know,

84
00:07:00,710 --> 00:07:02,750
a default script and do that.

85
00:07:03,240 --> 00:07:03,600
OK.

86
00:07:03,980 --> 00:07:06,530
And that's what happens when you press enter.

87
00:07:06,540 --> 00:07:07,550
Let me show you something.

88
00:07:07,910 --> 00:07:13,230
When you type any Nmap script and you keep waiting for this.

89
00:07:13,830 --> 00:07:17,270
Now what would you do if it keeps on happening?

90
00:07:17,430 --> 00:07:23,030
You just press enter and you get to know how much time is still pending or what's the percentage; you see,

91
00:07:24,140 --> 00:07:28,590
we still have one second left and ninety eight percent has been done.

92
00:07:28,850 --> 00:07:32,810
You press again, ninety eight point one five.

93
00:07:33,830 --> 00:07:36,680
It seems like it's about to be finished.

94
00:07:37,370 --> 00:07:44,480
But, you know, the moment you keep pressing, it will keep telling you it's almost in the

95
00:07:44,480 --> 00:07:47,300
process, but it is taking some time.

96
00:07:47,660 --> 00:07:52,260
It's because we are trying to target the Metasploitable.

97
00:07:52,460 --> 00:07:59,150
It's an already infected machine and there could be multiple, you know, vulnerabilities available.

98
00:07:59,450 --> 00:08:03,140
That's why it is taking a bit more time than expected.

99
00:08:03,290 --> 00:08:03,680
All right.

100
00:08:04,130 --> 00:08:11,150
So I can also show you, let's say for the study purpose, and you really want to, you know.

101
00:08:11,690 --> 00:08:12,610
Oh, OK.

102
00:08:12,800 --> 00:08:14,780
Let me first cover this up.

103
00:08:15,380 --> 00:08:20,890
So you see, we got the output and in the output you will.

104
00:08:24,490 --> 00:08:27,130
You will see there are many.

105
00:08:27,530 --> 00:08:34,510
Sorry, this is our scanning status, and in the output status, you will see some of the ports have been

106
00:08:34,510 --> 00:08:44,220
covered and when we have just put -sC, test, it has taken this script into account: ftp-anon.

107
00:08:45,300 --> 00:08:52,270
And it makes sure whether the anonymous FTP logins are allowed or not on the system, and we get to know

108
00:08:52,270 --> 00:08:53,110
the status of it.

109
00:08:53,680 --> 00:08:56,390
And let's also look at some more scripts.

110
00:08:56,560 --> 00:09:02,890
So as I told you, as I said, ssh-hostkey, that is again a default script to look at

111
00:09:02,890 --> 00:09:11,050
if there's any, you know, SSH-related vulnerability available for host keys, then also related

112
00:09:11,050 --> 00:09:12,850
to the DNS bind.

113
00:09:14,290 --> 00:09:16,590
And we get to know some more as well.

114
00:09:16,930 --> 00:09:23,920
So it will give you more idea about, you know, what are the versions available, MySQL script and

115
00:09:23,920 --> 00:09:24,510
everything.

116
00:09:24,520 --> 00:09:25,700
What is the capability?

117
00:09:25,700 --> 00:09:28,620
What was the version number of the MySQL, everything.

118
00:09:28,630 --> 00:09:35,830
So you don't really have to struggle in terms of finding out, you know, if there is any, you know,

119
00:09:37,390 --> 00:09:45,160
specific feature or application being found vulnerable or not; it will make use of some default script

120
00:09:45,160 --> 00:09:49,180
to give you details about MySQL, HTTP and everything.

121
00:09:49,210 --> 00:09:53,110
OK, so let's say for study purposes, you want to target something.

122
00:09:53,110 --> 00:10:01,000
And you know very well that legally, most of the countries don't allow the scanning of their application

123
00:10:01,000 --> 00:10:03,050
or server the way you want to.

124
00:10:03,610 --> 00:10:10,960
So don't do very crazy stuff there, or here you can basically scan their own server.

125
00:10:11,050 --> 00:10:15,490
So they have made a specific server just for this.

126
00:10:15,790 --> 00:10:25,360
So the name of this is scanme.nmap.org, and the name is so clear that, you know,

127
00:10:25,570 --> 00:10:26,720
it makes sense as well.

128
00:10:27,160 --> 00:10:35,830
So the moment you type nmap -sC and scanme.nmap.org, it will give you a very clear

129
00:10:35,830 --> 00:10:36,630
idea about it.

130
00:10:36,700 --> 00:10:40,620
Normally you can reduce the time taken by -T4.

131
00:10:40,930 --> 00:10:46,900
You can make use of that as well to get the faster response as well.

132
00:10:47,410 --> 00:10:48,460
So that's one way.

133
00:10:48,730 --> 00:10:56,570
Let's go to our other engine stuff and get to know what else we can do with it.

134
00:10:57,370 --> 00:11:01,170
So there's one more thing called NSE debug, script debug.

135
00:11:01,210 --> 00:11:01,900
Now what is that?

136
00:11:02,740 --> 00:11:10,030
The moment you make use of these NSE scripts, you can also get to know what all is happening behind the

137
00:11:10,030 --> 00:11:10,330
scenes.

138
00:11:10,630 --> 00:11:14,680
Look, let me tell you what happens the moment you make use of any script.

139
00:11:14,680 --> 00:11:21,220
Let's say, you know, you just go with any scanning: port scanning, OS scanning, version detection.

140
00:11:21,220 --> 00:11:28,210
You just try to get to know if the ports are open or not, or what is the version of the software.

141
00:11:28,210 --> 00:11:35,640
But if you want to be very specific about what's the HTTP header or the SSH behaviour,

142
00:11:35,860 --> 00:11:41,890
what are the, you know, what are the HTTP methods available and all the stuff, you can make use of

143
00:11:41,890 --> 00:11:42,160
this.

144
00:11:42,400 --> 00:11:44,390
And that's where it becomes very, very helpful.

145
00:11:44,860 --> 00:11:51,580
Let me show you making use of some NSE script while you perform the scan.

146
00:11:52,420 --> 00:11:59,770
OK, and meanwhile, when we were talking, we also got the response that came in from the scanme

147
00:11:59,770 --> 00:12:01,790
dot nmap dot org.

148
00:12:01,830 --> 00:12:02,100
Right.

149
00:12:02,680 --> 00:12:06,850
So let me just clear this and let me tell you what exactly I'm talking about.

150
00:12:07,120 --> 00:12:11,980
So let's say you want to, you know, make use of a script, OK, an Nmap script.

151
00:12:11,980 --> 00:12:16,390
And we'll talk about the list of NSE scripts that are available.

152
00:12:17,830 --> 00:12:19,990
For now, let's make use of a script.

153
00:12:20,140 --> 00:12:30,640
So as I told you earlier, we can either make use of -sC, or we can also make use of

154
00:12:30,640 --> 00:12:34,240
--script, hyphen hyphen script.

155
00:12:34,540 --> 00:12:42,650
OK, and then the name of our script, for instance, the script over here.

156
00:12:43,240 --> 00:12:52,300
Now if you just want to execute this script, you can simply put the IP address

157
00:12:52,300 --> 00:12:58,210
or the target IP address over here, like the one dot one forty one.

158
00:12:59,750 --> 00:13:06,970
But if you also wanted to know what's really happening behind the scenes while running this command, what

159
00:13:06,970 --> 00:13:15,640
the script is getting executed, you can also make use of a command which is --script, or hyphen hyphen

160
00:13:15,640 --> 00:13:16,240
script

161
00:13:17,560 --> 00:13:19,200
hyphen trace.

162
00:13:20,350 --> 00:13:20,800
OK.

163
00:13:21,190 --> 00:13:27,190
The moment you do that for any script I'm talking about, you also get to know what's really happening

164
00:13:27,190 --> 00:13:27,800
behind the scenes.

165
00:13:28,180 --> 00:13:30,870
You got to see this.

166
00:13:30,880 --> 00:13:33,550
I have made use of this command.

167
00:13:33,970 --> 00:13:41,140
And instead of just having the output of the script, I get to know this is the NSE script,

168
00:13:41,530 --> 00:13:44,290
http-headers, and this is the output.

169
00:13:44,290 --> 00:13:47,590
Often I get to know about headers of HTTP.

170
00:13:48,040 --> 00:13:53,470
The header usually talks about the server, details about the 2.2.8.

171
00:13:54,190 --> 00:13:55,870
It's on the server.

172
00:13:56,260 --> 00:13:58,750
What's the server framework.

173
00:13:58,750 --> 00:14:04,510
It's the HTTP connection is closed, content type text and all this stuff.

174
00:14:04,510 --> 00:14:06,550
What are the ports that have been opened and everything.

175
00:14:06,580 --> 00:14:19,030
OK, but at the top you also get to know the trace, you know, you executed this script and

176
00:14:19,030 --> 00:14:25,060
you get to know that the connection was initiated from the local port to the destination port on port

177
00:14:25,060 --> 00:14:27,250
80, and it was found to be closed.

178
00:14:27,640 --> 00:14:33,870
But then a lot of other stuff has also been executed based on the raw socket and other stuff.

179
00:14:33,880 --> 00:14:42,760
OK, but this is what I mean when I talk about, you know, this script in a way, the debugging

180
00:14:42,760 --> 00:14:43,400
option of it.

181
00:14:43,900 --> 00:14:44,290
All right.

182
00:14:44,620 --> 00:14:45,420
So let's go ahead.

183
00:14:46,090 --> 00:14:47,850
What are the different types of scripts?

184
00:14:48,610 --> 00:14:50,650
This is really, really important.

185
00:14:50,650 --> 00:14:56,280
If you really want to, you know, expand your knowledge and be a penetration tester.

186
00:14:56,980 --> 00:15:00,100
So the first interesting script type is auth.

187
00:15:00,640 --> 00:15:06,310
And I'll show you in detail, and I'll show you how you can learn more about it and can get details about

188
00:15:06,310 --> 00:15:07,540
those scripts.

189
00:15:08,320 --> 00:15:16,000
And once we finish this, so the first step is, what is auth? The category for scripts related to the

190
00:15:16,000 --> 00:15:22,300
user authentication, so we can try multiple vulnerabilities related to the user authentication and access

191
00:15:22,300 --> 00:15:23,500
control mechanism.

192
00:15:24,010 --> 00:15:31,870
Next is broadcast; this is to broadcast to multiple hosts and gather the information. Then brute is related

193
00:15:31,870 --> 00:15:33,130
to the brute force attack.

194
00:15:33,430 --> 00:15:40,120
We can get to know if the users are vulnerable or the systems are vulnerable to the brute force attack.

195
00:15:40,660 --> 00:15:42,580
Then there's one more called default.

196
00:15:42,880 --> 00:15:48,500
This category is for the scripts that are executed when the script scan is executed.

197
00:15:48,760 --> 00:15:49,870
All right, then.

198
00:15:49,870 --> 00:15:52,630
Then we have the discovery, as the name says.

199
00:15:52,630 --> 00:15:56,800
So just like a discovery scan, but even more advanced.

200
00:15:57,130 --> 00:16:01,820
We'll talk about it when we perform this category of NSE script.

201
00:16:02,260 --> 00:16:10,350
Then there's DoS; as the name says, it's denial-of-service or distributed denial of service when

202
00:16:10,360 --> 00:16:11,230
it is critical.

203
00:16:11,890 --> 00:16:19,360
So we can even detect if the applications or the servers are vulnerable to it. Then we have

204
00:16:19,360 --> 00:16:28,420
exploit; this category of script can identify if there's any exploit available or if this can be

205
00:16:28,420 --> 00:16:32,140
exploitable, all the stuff. Then external.

206
00:16:32,800 --> 00:16:38,830
This category is especially dependent on third party services if we want to test it out.

207
00:16:38,830 --> 00:16:46,360
For any third party integration or API integration or service. And then the fuzzer; it's basically a fuzzer

208
00:16:46,390 --> 00:16:46,900
in a way.

209
00:16:47,500 --> 00:16:54,110
It's just the software testing mechanism and not very specific to the security vulnerability.

210
00:16:54,130 --> 00:16:59,020
But I'm more into the fuzzing kind of environment, the application testing.

211
00:16:59,020 --> 00:17:00,790
It's getting executed.

212
00:17:01,630 --> 00:17:12,880
Then intrusive: this category is for scanning some instance which may lead to, you know, crashing

213
00:17:12,880 --> 00:17:17,680
the entire software and the application all together.

214
00:17:18,130 --> 00:17:24,400
So that could be because of network noise and in fact the entire network all together.

215
00:17:24,850 --> 00:17:30,370
So that's, again, a part of software testing. And then malware, detecting the malware.

216
00:17:30,370 --> 00:17:31,750
But this is a script.

217
00:17:32,020 --> 00:17:40,210
I'll show you how there have been multiple NSE scripts built by developers

218
00:17:40,540 --> 00:17:47,500
all across the world for specific malware itself to detect some of the signatures of those malware,

219
00:17:47,890 --> 00:17:48,340
OK.

220
00:17:49,500 --> 00:17:55,420
See, this is not about finding the vulnerability, more of finding some of the safe application.

221
00:17:55,690 --> 00:17:57,670
OK, then we have version.

222
00:17:58,510 --> 00:18:02,500
And this is specifically, as I told you earlier, for version detection.

223
00:18:02,500 --> 00:18:11,260
But advanced version detection, OK, not the -sV basic version detection option. At the end

224
00:18:11,260 --> 00:18:12,130
we have vuln.

225
00:18:13,030 --> 00:18:19,690
This is for specific CVE detection. Let's say you have been notified with some

226
00:18:20,540 --> 00:18:23,870
CVE, and that was found to be very critical at that moment.

227
00:18:23,900 --> 00:18:30,740
You can get those CVEs and you can scan all your network against that CVE number and can get to know

228
00:18:30,740 --> 00:18:34,610
if any of your hosts is affected with that or not.

229
00:18:34,940 --> 00:18:37,310
OK, so that's all about it.

230
00:18:37,320 --> 00:18:47,540
And this is all available as a basic part for the NSE script, and in the next lecture and the next

231
00:18:47,540 --> 00:18:55,850
section we'll talk in detail about several vulnerabilities and, you know, exploitation of those vulnerabilities

232
00:18:55,850 --> 00:18:56,180
as well.

233
00:18:56,210 --> 00:19:01,670
So the next lecture, next section would be very, very interesting from now.

234
00:19:02,030 --> 00:19:02,420
All right.

235
00:19:02,510 --> 00:19:03,020
Thank you.