1
00:00:00,150 --> 00:00:03,970
At last, we are ready to start a Nessus vulnerability scan.

2
00:00:04,710 --> 00:00:07,980
This is the main page of the Nessus web interface.

3
00:00:08,190 --> 00:00:10,890
We are in the My Scans section of the Scans tab.

4
00:00:11,900 --> 00:00:14,330
At the upper left corner, click New Scan.

5
00:00:15,500 --> 00:00:18,110
First, Nessus asks for the scanner.

6
00:00:19,240 --> 00:00:25,420
We have seen them before, so here we can choose the most suitable one for our scan, but in the home

7
00:00:25,420 --> 00:00:28,920
version of Nessus, unfortunately, some scans are disabled.

8
00:00:29,680 --> 00:00:35,320
If you click Internal PCI Network Scan, for example, the application redirects you to the Nessus

9
00:00:35,320 --> 00:00:37,120
website to buy Nessus Professional.

10
00:00:37,900 --> 00:00:45,190
There are also available scanners like Basic Network Scan, or alternatively go to the User Defined tab and

11
00:00:45,190 --> 00:00:46,390
select your own policy.

12
00:00:47,140 --> 00:00:51,310
This is the policy we defined in the previous lecture, so I chose this.

13
00:00:51,820 --> 00:00:53,890
Now give a name to your scan.

14
00:00:54,610 --> 00:00:59,530
As you can see on the right side of the Name field, the required fields are identified by Nessus.

15
00:01:02,210 --> 00:01:03,790
So write a description if you want.

16
00:01:06,580 --> 00:01:14,290
Select a folder for the outputs and define the targets. You can list the hosts in the Target field one by

17
00:01:14,290 --> 00:01:14,620
one.

18
00:01:15,430 --> 00:01:20,950
I want to scan my two systems now: nine nine eight one three nine is OWASP BWA.

19
00:01:22,120 --> 00:01:28,750
And nine nine two zero six is my Metasploitable system. So if you want multiple IP addresses,

20
00:01:29,810 --> 00:01:31,440
just put a comma in between them.

21
00:01:32,300 --> 00:01:34,940
You can also define an IP block or a range,
22
00:01:36,300 --> 00:01:42,150
just as you remember from the Nmap lectures. Or alternatively, if you have a file that contains a list of

23
00:01:42,180 --> 00:01:48,870
the hosts, which we also covered earlier, you can add that file using the Add File link in the Upload

24
00:01:48,870 --> 00:01:49,620
Targets field.

25
00:01:50,370 --> 00:01:56,850
So now we're ready to launch the scan. At the bottom of the page, select Save, or click the down arrow

26
00:01:56,850 --> 00:01:59,750
button and select Launch to start the scan immediately.

27
00:02:00,330 --> 00:02:04,640
I choose Launch. It first saves the scan and then launches it immediately.

28
00:02:05,430 --> 00:02:08,340
So while scanning, let's see some of the parts of the Nessus interface.

29
00:02:09,350 --> 00:02:15,870
At the left, you see the folders. Next to the My Scans folder, it says that I have one active scan, and

30
00:02:15,870 --> 00:02:18,390
in the My Scans page you see the scan that we just started.

31
00:02:18,680 --> 00:02:21,080
If you click on it, you see the scan details.

32
00:02:22,020 --> 00:02:26,040
There are three tabs here: Hosts, Vulnerabilities and History.

33
00:02:27,100 --> 00:02:32,260
When you click on the Vulnerabilities tab, you see the vulnerabilities found during the scan. Here,

34
00:02:32,290 --> 00:02:33,730
we already have some results.

35
00:02:34,650 --> 00:02:37,290
Now click the Hosts tab to turn back.

36
00:02:38,460 --> 00:02:46,020
These are the systems that we defined as targets, OWASP BWA and Metasploitable. At the right, you see the

37
00:02:46,020 --> 00:02:48,120
severity levels of the vulnerabilities.

38
00:02:48,540 --> 00:02:51,630
Nessus classifies vulnerabilities into five levels.

39
00:02:52,320 --> 00:02:59,190
Informational level quickly identifies non-vulnerability information, which is, well, nice to know,

40
00:02:59,430 --> 00:03:05,160
and separates them from the vulnerability detail, which is need to know.

41
00:03:05,400 --> 00:03:05,750
Right?
42
00:03:07,100 --> 00:03:13,430
Low level identifies the flaws that might help an attacker to better refine his attack, but by itself,

43
00:03:13,430 --> 00:03:15,860
that flaw won't be sufficient for a compromise.

44
00:03:16,100 --> 00:03:21,080
Medium level identifies that some information is leaking from the remote host.

45
00:03:21,710 --> 00:03:27,470
An attacker might be able to read a file he should not have access to. High level identifies that the

46
00:03:27,470 --> 00:03:33,740
attacker can read arbitrary files on the remote host and/or can execute commands on it.

47
00:03:33,740 --> 00:03:38,180
And critical level vulnerabilities are the most important vulnerabilities for us.

48
00:03:38,840 --> 00:03:44,930
These vulnerabilities can be exploited by a tool, and in most cases the attacker does not need to make

49
00:03:44,930 --> 00:03:46,850
an extra effort to exploit them.

50
00:03:47,240 --> 00:03:48,740
So let's fast forward the scan.

51
00:03:52,080 --> 00:03:59,070
Now, on the right side of each host row, you can see the status of the scan of that host. 100 percent

52
00:03:59,070 --> 00:04:01,500
means the scan of that host is complete.

53
00:04:06,750 --> 00:04:10,490
Did you know you can ping the hosts sometimes to understand that they're still alive?

54
00:04:19,860 --> 00:04:26,070
And finally, our scan is completed in four minutes, which is a very fast scan for a vulnerability

55
00:04:26,070 --> 00:04:26,430
scan.

56
00:04:27,510 --> 00:04:31,290
Now, let's click the Metasploitable to go to the vulnerabilities of that host.

57
00:04:32,580 --> 00:04:36,360
Here are the vulnerabilities of the Metasploitable machine found by this scan.

58
00:04:37,110 --> 00:04:42,480
Please note that there might be other vulnerabilities that cannot be found by Nessus with the policy that

59
00:04:42,480 --> 00:04:43,230
we used.

60
00:04:43,320 --> 00:04:48,320
The vulnerabilities are ordered by severity levels by default, and I think that's a good idea.
61
00:04:49,390 --> 00:04:54,110
The vulnerabilities in the critical severity level are the most important ones for us, again.

62
00:04:54,340 --> 00:04:57,200
So click on a vulnerability to see the details of it.

63
00:04:57,640 --> 00:05:01,510
So here we have the name of the vulnerability, a brief description,

64
00:05:03,970 --> 00:05:10,990
a solution method and the links to learn more about it, and last, the host and the port where the

65
00:05:10,990 --> 00:05:17,830
vulnerability lives. At the right side of the screen, you see some additional and important information

66
00:05:17,830 --> 00:05:21,730
about the vulnerability. For this particular vulnerability,

67
00:05:21,730 --> 00:05:28,390
Nessus says that we can exploit it using Core Impact, which is a commercial and very powerful exploitation

68
00:05:28,390 --> 00:05:28,870
tool.

69
00:05:29,980 --> 00:05:35,740
And here are the scores of this vulnerability. 10.0 is perfect for us.

70
00:05:36,980 --> 00:05:43,400
So click Back to Vulnerabilities to go back to the list of the vulnerabilities. Here, there is

71
00:05:43,400 --> 00:05:50,330
another vulnerability which says a VNC server is running on the host and its password is "password".

72
00:05:51,080 --> 00:05:58,340
If that's true, and if there's no additional measure to protect the host, we can access that host very

73
00:05:58,340 --> 00:05:58,850
easily.

74
00:05:59,450 --> 00:05:59,930
Let me show you.

75
00:05:59,930 --> 00:06:08,060
Let's test it. Go to the terminal screen and run the VNC viewer by typing xvncviewer and hit Enter.

76
00:06:08,630 --> 00:06:16,490
If you don't have the VNC viewer installed on your Kali, type apt-get install xvncviewer

77
00:06:17,120 --> 00:06:17,840
and hit Enter.

78
00:06:21,060 --> 00:06:25,920
Type the IP address of Metasploitable as the VNC server and hit Enter.

79
00:06:27,840 --> 00:06:32,190
And now type "password" as the password and hit Enter again.
80
00:06:34,700 --> 00:06:36,910
And voilà, we are in the system.

81
00:06:38,200 --> 00:06:48,280
I use the whoami Linux command to learn the user that I've got, and uname -a to learn the operating

82
00:06:48,280 --> 00:06:55,470
system and the kernel details, ifconfig to see the information about the network interfaces, etc.

83
00:06:58,430 --> 00:07:05,810
Now, type rm -rf /... no, no, no, no, just kidding, don't, don't do that.

84
00:07:06,020 --> 00:07:06,350
Don't.