1
00:00:00,950 --> 00:00:08,450
Discovering hidden files and directories on web servers is not only essential but can also be a thrilling

2
00:00:08,450 --> 00:00:13,100
part of a penetration tester's job in the realm of digital espionage.

3
00:00:13,520 --> 00:00:19,130
Uncovering valuable information can be the difference between success and failure.

4
00:00:19,220 --> 00:00:22,100
Luckily, there is a powerful tool

5
00:00:23,000 --> 00:00:28,910
at our disposal: Nmap, with its robust database and versatile capabilities.

6
00:00:29,330 --> 00:00:37,730
Nmap shines as a web scanner, enabling us to unearth intriguing files, directories and even vulnerable

7
00:00:37,730 --> 00:00:38,780
web applications.

8
00:00:38,780 --> 00:00:46,340
So let's embark on a journey to explore the depths of web servers and unravel their secrets.

9
00:00:46,370 --> 00:00:51,350
Imagine you are tasked with assessing the security posture of a target web server.

10
00:00:51,380 --> 00:00:58,580
The first step is to initiate a scan using Nmap's web scanning features

11
00:00:58,610 --> 00:01:07,790
by employing the http-enum script. With this script, you unlock a treasure trove of possibilities.

12
00:01:07,820 --> 00:01:15,650
The script leverages Nmap's extensive database, which encompasses a wide range of interesting files,

13
00:01:15,650 --> 00:01:19,010
directories and application vulnerabilities.

14
00:01:19,040 --> 00:01:26,490
Among the gems you might stumble upon: readme files, database dumps, forgotten configuration backups,

15
00:01:26,610 --> 00:01:35,910
common administration panels and even attack payloads designed to exploit directory traversals in vulnerable

16
00:01:35,910 --> 00:01:37,020
web applications.

17
00:01:37,050 --> 00:01:41,580
The http-enum script is not just a simple file and directory enumerator.

18
00:01:41,580 --> 00:01:52,050
It also supports advanced pattern matching, enabling it to identify specific versions of web applications.
19
00:01:52,080 --> 00:01:58,740
So to embark on the exciting web scanning adventure, open your terminal or command prompt and, with

20
00:01:58,740 --> 00:02:07,710
Nmap at your fingertips, execute this command here: nmap --script http-enum, and after that you will

21
00:02:07,710 --> 00:02:11,280
enter -sV and then your target.

22
00:02:11,280 --> 00:02:14,520
In this case, our example target will be telecom.

23
00:02:14,550 --> 00:02:17,840
This is my website that uses WordPress.

24
00:02:17,880 --> 00:02:23,610
It's a regular website, nothing special about it, nothing I made specially vulnerable.

25
00:02:23,610 --> 00:02:32,640
It's just a regular website that I just created, and here you can use the arrow keys to see the percentage of

26
00:02:32,700 --> 00:02:35,400
work done here.

27
00:02:36,040 --> 00:02:45,340
As the scan commences, Nmap will diligently explore the target web server, applying the http-enum script

28
00:02:45,340 --> 00:02:51,340
and performing version detection with -sV here to gather as much information as possible.

29
00:03:00,320 --> 00:03:01,670
91 percent.

30
00:03:02,880 --> 00:03:04,440
It's almost done.

31
00:03:11,890 --> 00:03:12,460
That's it.

32
00:03:12,490 --> 00:03:13,180
It's done.

33
00:03:14,560 --> 00:03:16,660
9.99%.

34
00:03:16,660 --> 00:03:18,520
It should be done right now.

35
00:03:18,550 --> 00:03:24,550
No, it's scanning again and it says timing is 97.78%.

36
00:03:24,610 --> 00:03:29,560
Now it will show us the results of our scanning.

37
00:04:08,720 --> 00:04:11,180
99.78%.

38
00:04:13,170 --> 00:04:14,730
I stopped it right here.

39
00:04:14,730 --> 00:04:16,230
It might take longer.

40
00:04:18,830 --> 00:04:20,960
The firewall of our target,

41
00:04:20,960 --> 00:04:26,240
Silicom, has blocked our request, since the scan is not completing now.

42
00:04:26,710 --> 00:04:29,600
Here I waited almost
43
00:04:33,310 --> 00:04:41,350
ten minutes here, but now we are executing a new scan without the -sV here.

44
00:04:41,560 --> 00:04:45,880
Now, quickly, in three minutes we will get our results.

45
00:04:48,150 --> 00:04:55,620
And here, once the scan completes its mission, a comprehensive report will materialize before your

46
00:04:55,620 --> 00:04:56,330
eyes,

47
00:04:56,340 --> 00:04:59,910
showcasing the secrets uncovered here.

48
00:04:59,910 --> 00:05:03,930
So let's delve into an example to illustrate the results.

49
00:05:03,930 --> 00:05:14,520
So this tantalizing output here reveals an assortment of discoveries. Among them there are admin,

50
00:05:14,520 --> 00:05:17,040
blog, a directory, a test.

51
00:05:17,040 --> 00:05:20,490
Here we also have the potentially interesting folder.

52
00:05:20,490 --> 00:05:27,330
It also has descriptions for each of these folders.

53
00:05:27,330 --> 00:05:31,500
For each of these folders here we have "possible admin folder" here, "possible admin folder".

54
00:05:31,500 --> 00:05:37,290
We have an Apache Tomcat which is unauthorized to us.

55
00:05:37,320 --> 00:05:46,860
We have the CKEditor file upload, so if we go to this here, we can upload files and so on.

56
00:05:46,860 --> 00:05:49,780
We also have the OpenCart editor file upload.

57
00:05:49,930 --> 00:05:58,450
So here, understanding the inner workings of the http-enum script deepens our appreciation for

58
00:05:58,450 --> 00:05:59,950
its prowess.

59
00:05:59,950 --> 00:06:10,660
So here the nmap --script http-enum option acts as a catalyst, signaling Nmap to activate the http-enum script

60
00:06:10,660 --> 00:06:17,260
whenever it detects a web server. Originally contributed by Ron Bowes, this script primarily focused

61
00:06:17,260 --> 00:06:19,210
on directory discovery.
62
00:06:19,210 --> 00:06:24,790
Over time, the script has evolved as the community expanded its collection of fingerprints to include

63
00:06:24,790 --> 00:06:30,880
various files like version files, readmes and forgotten database backups.

64
00:06:30,910 --> 00:06:40,360
Notably, the script has been enhanced to integrate a database, further enriching its detection capabilities.

65
00:06:40,390 --> 00:06:48,520
And it's worth venturing into the intricacies of the fingerprint database used by the http-enum script.

66
00:06:48,520 --> 00:06:58,150
So the fingerprints reside in the http-fingerprints.lua file, securely stored in the nselib/data directory.

67
00:06:58,150 --> 00:07:03,400
So here we will look in nselib.

68
00:07:03,400 --> 00:07:12,640
So we can't actually reach it, but we will look at it in the next lectures.

69
00:07:12,640 --> 00:07:17,110
So here these are represented as Lua tables.

70
00:07:17,110 --> 00:07:23,110
Each entry contains valuable information, including specific file path patterns to match.

71
00:07:23,110 --> 00:07:28,600
And if you are feeling adventurous, you can contribute to this database by appending your

72
00:07:28,720 --> 00:07:35,140
own entries or even employing an alternative fingerprint file using the http-enum.fingerprintfile script

73
00:07:35,140 --> 00:07:35,860
argument.

74
00:07:36,340 --> 00:07:44,950
For instance, you can do this with nmap --script http-enum here, and after that you can enter the

75
00:07:44,950 --> 00:07:45,850
script arguments.

76
00:07:45,850 --> 00:07:55,690
Of course, as we always see, --script-args, and after that we will use http-enum.fingerprintfile

77
00:07:55,690 --> 00:08:03,640
here, and here you will enter your fingerprint file, and after that you will enter your target,

78
00:08:03,670 --> 00:08:05,140
the IP or domain.
79
00:08:05,140 --> 00:08:11,320
And in this command you replace the default fingerprint file with your own, enabling customization and

80
00:08:11,320 --> 00:08:18,370
expanding the scope of your discoveries. And to further enhance your reconnaissance, you can modify

81
00:08:18,370 --> 00:08:28,970
the base path of the scan by utilizing the http-enum.basepath script argument. Sorry,

82
00:08:29,020 --> 00:08:29,410
sorry.

83
00:08:29,410 --> 00:08:30,580
Is my voice going now?

84
00:08:30,580 --> 00:08:31,120
Yes.

85
00:08:31,120 --> 00:08:38,110
So you can do this by entering the http-enum.basepath script argument here.

86
00:08:39,550 --> 00:08:49,540
However, if you have specific directories here, you can also... sorry for this, my microphone.

87
00:08:50,140 --> 00:08:51,880
It's actually going and coming here.

88
00:08:51,880 --> 00:08:52,420
Sorry.

89
00:08:54,310 --> 00:08:54,820
Okay.

90
00:08:55,850 --> 00:08:56,630
So.

91
00:09:01,330 --> 00:09:01,750
That's it.

92
00:09:03,060 --> 00:09:05,460
And here you can.

93
00:09:05,610 --> 00:09:13,530
As I said, this http-enum script begins its exploration from the root directory. However, if

94
00:09:13,530 --> 00:09:22,650
you suspect specific directories hold secrets, you can instruct Nmap to focus its efforts

95
00:09:22,650 --> 00:09:23,520
accordingly here.

96
00:09:23,520 --> 00:09:27,210
So here you will enter, after --script-args,

97
00:09:27,210 --> 00:09:31,890
we will use http-enum.

98
00:09:32,880 --> 00:09:34,980
Of course you can use multiple arguments here.

99
00:09:34,980 --> 00:09:35,930
I'm just... I was...

100
00:09:36,120 --> 00:09:36,510
I will...

101
00:09:36,600 --> 00:09:40,680
I just deleted the previous one because I want to show it better here.

102
00:09:41,130 --> 00:09:49,560
So basepath, and here you can also use the web directory here, and after that you can enter the target here.
103
00:09:49,560 --> 00:09:59,580
So with this command Nmap will scrutinize the web directory, revealing any intriguing files or directories

104
00:09:59,610 --> 00:10:00,680
lurking within.

105
00:10:00,690 --> 00:10:02,130
But wait, there's more.

106
00:10:02,130 --> 00:10:09,730
So in a remarkable collaboration between Nmap and Nikto, an exciting feature was born.

107
00:10:09,760 --> 00:10:18,100
The http-enum script now supports parsing Nikto database files, which opens up a realm of possibilities.

108
00:10:18,100 --> 00:10:25,300
By integrating the powerful Nikto database, the script dynamically transforms Nikto entries into Lua

109
00:10:25,330 --> 00:10:29,950
tables and merges them with the existing fingerprint database.

110
00:10:29,950 --> 00:10:38,440
So this collaboration enables you to leverage the strengths of both tools and conduct more thorough assessments.

111
00:10:38,440 --> 00:10:44,680
So to harness this power, you can use nmap here,

112
00:10:45,130 --> 00:10:53,500
--script http-enum, and here http-enum.nikto-db-path.

113
00:10:53,920 --> 00:10:55,300
This is a script argument.

114
00:10:55,510 --> 00:11:01,420
With this you can provide Nmap the path to your database file.

115
00:11:02,210 --> 00:11:09,590
And here after that you will enter, with an equals sign, after the equals sign you will enter the path to the Nikto database

116
00:11:09,590 --> 00:11:09,890
file.

117
00:11:09,890 --> 00:11:15,020
And after that you will enter your target domain or IP address.

118
00:11:16,490 --> 00:11:22,340
And here, as you can see, no such path exists because I don't have the database right now.

119
00:11:22,340 --> 00:11:27,470
But you will learn how to integrate and use that database in the next lectures.

120
00:11:27,470 --> 00:11:35,480
And here this amalgamation of Nmap and Nikto's capabilities offers unparalleled depth and precision in

121
00:11:35,480 --> 00:11:37,640
uncovering hidden vulnerabilities.
122
00:11:37,640 --> 00:11:46,040
So armed with Nmap's web scanning prowess, you can venture into the digital wilderness,

123
00:11:46,040 --> 00:11:51,350
unearthing hidden files, directories and potential vulnerabilities.

124
00:11:51,380 --> 00:11:55,940
However, with great power comes great responsibility.

125
00:11:56,330 --> 00:12:04,010
Always ensure you have proper authorization and consent before engaging in any security testing activities.

126
00:12:04,010 --> 00:12:10,010
Remember, penetration testing should be conducted ethically, within legal boundaries.

127
00:12:10,010 --> 00:12:16,470
So before concluding our expedition, let's keep a few additional points in mind.

128
00:12:16,470 --> 00:12:27,690
The first is: regularly updating the http-fingerprints.lua file with

129
00:12:27,690 --> 00:12:35,190
new fingerprints and patterns strengthens the accuracy and effectiveness of the http-enum script.

130
00:12:35,190 --> 00:12:41,610
So stay informed about emerging web vulnerabilities and adapt your fingerprint database accordingly

131
00:12:41,610 --> 00:12:44,790
to stay ahead of potential threats.

132
00:12:45,570 --> 00:12:50,030
And here I have two more suggestions to keep in mind.

133
00:12:50,040 --> 00:12:53,670
So the second is: file and directory

134
00:12:53,670 --> 00:13:02,430
discovery is only one phase of a comprehensive web server security assessment. To ensure a holistic security

135
00:13:02,430 --> 00:13:03,500
evaluation,

136
00:13:03,510 --> 00:13:09,690
complement your scans with techniques such as vulnerability scanning, input validation testing and

137
00:13:09,690 --> 00:13:11,900
secure configuration assessment.

138
00:13:11,910 --> 00:13:20,730
And the last suggestion is: embrace the thrill of exploration, but always prioritize

139
00:13:20,730 --> 00:13:22,260
responsible disclosure.
140
00:13:22,260 --> 00:13:27,840
If you uncover sensitive information or vulnerabilities during your scans, handle them with care and

141
00:13:27,840 --> 00:13:33,630
report them to the relevant authorities or system owners to ensure proper remediation.

142
00:13:33,660 --> 00:13:39,930
Now, armed with Nmap and its formidable web scanning capabilities, go forth and uncover the hidden

143
00:13:39,930 --> 00:13:47,470
gems within web servers, empowering organizations to strengthen their security and defend against potential

144
00:13:47,470 --> 00:13:47,950
threats.

145
00:13:47,980 --> 00:13:49,240
Happy scanning.

146
00:13:49,360 --> 00:13:50,620
See you in the next lecture.

147
00:13:50,620 --> 00:13:51,610
My name is Typhoon.
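A custom fingerprint file of the kind the lecture describes for the http-enum.fingerprintfile script argument, written here as an added example (it is not from the lecture or from the Nmap project's own http-fingerprints.lua). The file name my-fingerprints.lua, the probed paths and the output strings are constructed for illustration; the table layout (category, probes, matches) mirrors the one the shipped fingerprint file uses.

```lua
-- Added example: a minimal custom fingerprint file for Nmap's http-enum script.
-- It follows the layout of nselib/data/http-fingerprints.lua: each entry is
-- inserted into the `fingerprints` table that http-enum provides before it
-- loads this file. Use it on hosts you are authorized to assess with:
--   nmap --script http-enum \
--        --script-args http-enum.fingerprintfile=/path/to/my-fingerprints.lua <target>
-- The paths and messages below are constructed for illustration only.

-- Entry 1: forgotten backup folders on your own servers. `match = ''` reports a
-- probe as soon as the path exists; http-enum's page-exists check filters out
-- servers that answer 200 for everything, so a custom entry need not do that.
table.insert(fingerprints, {
  category = 'general',
  probes = {
    { path = '/backup/', method = 'GET' },
    { path = '/old/', method = 'GET' }
  },
  matches = {
    { match = '', output = 'Possible forgotten backup folder' }
  }
});

-- Entry 2: a WordPress readme that leaks the installed version. The first match
-- is a Lua pattern run against the response; its capture is substituted for \1
-- in the output string. The second, empty match is the fallback when the page
-- exists but does not look like WordPress.
table.insert(fingerprints, {
  category = 'cms',
  probes = {
    { path = '/readme.html', method = 'GET' }
  },
  matches = {
    { match = 'Version (%d+%.%d+[%.%d]*)', output = 'WordPress readme exposing version \\1' },
    { match = '', output = 'Readme file' }
  }
});
```

Entries are tried in the order they are inserted, so put the version-revealing pattern before the empty fallback in each matches table, as done here.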