[00:00:02] Welcome to part one of this module. To kick off the section on vulnerability analysis, we're going to be starting off by taking a look at Nikto.

[00:00:17] Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over six thousand seven hundred potentially dangerous files and programs, checks for outdated versions of over twelve hundred and fifty servers, and version-specific problems on over two hundred and seventy servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scanned items and plugins are frequently updated and can be updated automatically.

[00:00:57] Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible and is obvious in log files or to an IPS or IDS, so if this is a concern, please see the modules pertaining to the subject of anonymity for more information.

[00:01:20] Not every check that Nikto runs is a security problem. Although most are, there are some items that are classified as "info only" type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information that it prints. There are also some checks for unknown items which have been scanned for in log files.

[00:01:53] Nikto comes prepackaged with Kali 2.0 and is located in Applications, under Vulnerability Analysis. Nikto can also be opened from the terminal window by typing nikto, and I'm going to do it this way so as to bring up the help options. For this we simply type nikto --help (dash dash, or "tack tack", help).

[00:02:27] I do not wish to be unkind when I say this. However, it is a fact that most of the time the system administrators who set up a particular website or service don't necessarily know what they're doing. This comes in the form of leaving subdomains wide open for people to find and leverage, but it also takes the shape of small, random server misconfigurations of ports or services. Nikto is very good at finding these sorts of things.

[00:03:03] I understand that there are some who feel that WPScan is perhaps better. However, WPScan is limited to sites that use WordPress, whereas Nikto can be used on just about anything. This tool is well supported and kept up to date by a very active user base.

[00:03:24] We'll be using Nikto to look for any vulnerabilities on a target website. For demonstration purposes I have once again set up a virtual machine running Metasploitable with web services, which is sure to have a great many vulnerabilities to show off. As always, never run this program against any website or target that you do not personally own or have written permission to pen test. Otherwise you could be breaking the law.

[00:03:53] So looking over the menu, let's look at what some of these switches do. Right from the beginning we can see that it is sorted really well. Some more experienced students might be wondering at this point why someone would use Nikto over WPScan, since they essentially do the same thing. Now, like I said, the reason is that while WPScan is very good against WordPress sites, Nikto excels because it works on any website or web server. Literally any. This makes it a far more versatile tool.

[00:04:28] So to start out with, I'm going to look at some of the more important options. We're going to highlight -dbcheck. All of these are called switches, by the way, and this one will let you take a look at what some of these commands do. This command checks for database errors as well as other key files' syntax errors. -Format allows you to select what format you would like your results saved in when you use the -o switch, for example a text file or HTML. -Help is obviously self-explanatory. -host is your target data; the program will require you to specify an IP address, a web address, or a domain. This is what Nikto will be scanning against.

[00:05:19] -list-plugins will show all of the currently available plugins. These can be updated either directly from within the tool or by updating the tool itself when you conduct system updates. -output will simply write the output of your scans to a file. -nossl will disable SSL, fairly self-explanatory. -port simply specifies which port we will be using. Now you can change this if you want to. In this video you'll see me scan port 80 just for simplicity's sake, but more involved or specific tests may call for other ports. -ssl will force SSL mode, which is not that important. You won't come across this very often, but it is provided in the rare instances when you have a need for it. -update is also self-explanatory, as I mentioned. You can use this command to update the database and plugins to the latest versions. I suggest running this once a month, although you should be conducting regular apt-get updates for your operating system anyway, which should include the latest version of this tool, making this particular command somewhat unnecessary.

[00:06:42] All right, let's get started with the commands that we are going to be using. I'm going to clear this out for a fresh terminal window, and here we go. We'll begin by typing nikto and then use the -h switch to specify our host, followed by our target information, which in this case is going to be for my Metasploitable machine that I have running on my network. Again, you could specify a website address or even a domain for that matter. Just remember that this is not a stealthy tool and scanning targets without permission can get you into trouble. -p will specify our port, and as I mentioned, we'll leave it at port 80. Press enter and see what the tool comes back with.

[00:07:43] Right away it's going to detect the web server, which is Apache 2.2.8. We can already see that the cross-site header is not defined, which is a very, very big vulnerability that could be exploited, which will be demonstrated in the relevant modules such as Burp Suite and Metasploit. Of course the problem with scanning a Metasploitable machine is we're going to get back more possible attack vectors than we really know what to do with, and we can just see there, they're piling up. I may make a small cut to the recording as this may take a few minutes. Okay. So this is a lot of information. We're gonna scroll up past all the gibberish.

[00:09:04] So of course, as I said, the problem with scanning a Metasploitable machine is we're going to get back so much stuff, and as I'm fond of saying, your personal mileage will vary depending on the security practices of your target. However, the key point to take away here is that Nikto is exceedingly thorough in all that it checks. I'd like to try to keep each of these modules self-contained and not jump ahead, but this really is going to make your eyes widen when we get to the point of showing how to exploit all of these various vulnerabilities.

[00:09:46] So as I said, this is a lot of information. But let's look at another command, which is the output command. So we want to be able to record the results of our scan. Unlike other tools, Nikto does not let us specify a file path. Instead we're going to need to switch to the directory that we want the output to be written to. So in this case I'm going to keep things simple and switch to the desktop. I'll clear the terminal, and now we'll use the same command as before, which is going to be nikto -h for host. We'll give it the IP address of our virtual machine for Metasploitable, and you would give whatever your target IP is, your website or your domain. We'll specify -p 80 for port 80, and now we're going to add the switch -o (or "tack o") to specify that we're using the output command, and we'll give it a file name. Let's call it results, I suppose. And we'll specify the file type by typing -F and we'll give the file type. In this case I think I'll just make it a text file. You could do anything you want, for example... Well okay, let's see. We could do anything we wanted here, such as for example htm if we wanted to include it for an online report. We'll hit enter, and it's going to run the scan we just saw, only this time it's going to be writing the scan results quietly in the background to the file that we specified. Once the process is complete the data will be saved to our desktop. Just give it a few seconds to complete the scan, and as we can see as it goes here, it's just loading up those vulnerabilities. As before, I'll make a short pause to this recording for time saving purposes.

[00:12:17] All right, the scan is finished. I'm going to minimize Nikto, and here we go, our Nikto scan results. I'm going to go ahead and open this file, and there we have it, the entire output. And again, we'll be looking at how to use these various vulnerabilities further down the line. But the important thing for now is to simply understand what we've got and how to gather this sort of information, as this will be fundamental as we progress. These are the basics, the foundation of penetration testing and ethical hacking. Knowledge is power, and with even a single potential vulnerability in hand, even if you don't know how to use it, you have a place to begin researching online to see how others have used it.

[00:13:04] So as you can see, we have a nicely created report here. And what I recommend doing is placing all of your reports into a folder that pertains to whatever target or penetration test you're running, to keep things organized. And all right, that will about do it for Nikto, an excellent and versatile tool, and compared to some of the more switch-heavy applications out there, it really is quite simple to use. Thank you.