1
00:00:00,150 --> 00:00:05,430
Another tool for active reconnaissance called Though Nyko, the very useful application, getting to

2
00:00:05,550 --> 00:00:09,690
actually find vulnerabilities and weaknesses that exist on, you know, Web servers, even though some

3
00:00:09,690 --> 00:00:15,540
Web application scanner, you can actually use it against servers and you might find some, you know,

4
00:00:15,540 --> 00:00:20,520
vulnerabilities that you could potentially exploit, you know, on these servers.

5
00:00:20,780 --> 00:00:26,100
Right now, we're going to hold off until we get to the Web application contesting sections, actually

6
00:00:26,250 --> 00:00:29,930
look at McDo and see what it can actually find because it'll be more useful there.

7
00:00:30,930 --> 00:00:35,280
Another tool that kind of combines multiple tools into one is called Spartan.

8
00:00:35,310 --> 00:00:40,590
It just puts everything together like one interface so that you can see everything is automated and

9
00:00:40,590 --> 00:00:45,370
makes the information gathering portion of your reconnaissance pretty, pretty easy.

10
00:00:45,390 --> 00:00:51,360
Some of the tools that it actually includes in it is and map McDo, like we just went over Hydra, which

11
00:00:51,360 --> 00:00:55,090
is like a brute forcing tool and also a HGP screenshot tool.

12
00:00:55,090 --> 00:01:00,840
So actually go through and screenshot what it sees, like if you want to access a certain address over

13
00:01:00,840 --> 00:01:02,660
a certain point in a browser.

14
00:01:02,670 --> 00:01:03,570
So it's pretty useful.

15
00:01:03,600 --> 00:01:09,330
You can do these port scans, web application scans and brute force all by just, you know, typing

16
00:01:09,330 --> 00:01:11,350
in the IP addresses that you want to target was part of.

17
00:01:11,520 --> 00:01:14,790
So let's go ahead and check out Spada and how to use it back in the car Linux machine.

18
00:01:14,820 --> 00:01:20,670
So one thing that I noticed, I wanted to note that if you have the 20, 20 version of Linux, Fatah

19
00:01:20,670 --> 00:01:23,310
is not going to be included on it and you won't be able to download it.

20
00:01:23,310 --> 00:01:29,670
From what I know, at least not by no means, because it relies on an earlier version of Python and

21
00:01:29,670 --> 00:01:34,350
they took out tools that relied upon that version of Python in this version of Linux.

22
00:01:34,710 --> 00:01:36,750
So there's another to the exact same thing.

23
00:01:36,750 --> 00:01:37,700
It's called Legian.

24
00:01:37,860 --> 00:01:42,540
So if you can check to see if you have it or not, or if you use an early version of colonics and you

25
00:01:42,540 --> 00:01:47,550
want to be beyond exactly what we're using, you should install Lesin.

26
00:01:47,820 --> 00:01:52,110
And I believe that this just comes with it on there so we can just type in Legian, hit, enter and

27
00:01:52,110 --> 00:01:58,680
let's give it a minute, is going to pop up with a nice little GUI so we can go ahead and actually conduct

28
00:01:58,680 --> 00:02:02,100
our scanning so we could just click here and add our host to the scope.

29
00:02:02,100 --> 00:02:04,740
We're just going to do one just for the sake of time.

30
00:02:04,770 --> 00:02:08,300
So we're going one or two, one, six, eight, five, six.

31
00:02:08,310 --> 00:02:13,440
And right here you put zeros last twenty four if you want to do a whole subnet for your own purposes.

32
00:02:13,470 --> 00:02:18,480
Right now we only have limited Hosai anyway, so that would just waste time and resources on that one

33
00:02:18,480 --> 00:02:19,010
laptop.

34
00:02:19,350 --> 00:02:24,930
So I'm going to do one of four for the machine and then it's going to run a map post discoveries.

35
00:02:24,940 --> 00:02:29,520
I was going to check these hosts up and then also was going to run a stage and map scan, which is going

36
00:02:29,520 --> 00:02:33,540
to take a layered and map scan that is like pretty efficiently.

37
00:02:33,540 --> 00:02:39,240
And then it's also going to be running nikto and we can optionally run like the brute force tool if

38
00:02:39,240 --> 00:02:39,930
we wanted to.

39
00:02:39,940 --> 00:02:40,860
We're not going to do that here.

40
00:02:40,860 --> 00:02:42,510
But you can play with that on your own if you want to do.

41
00:02:42,730 --> 00:02:48,120
And it's also going to do the screenshot where it's going to take screenshots of, you know, some potentially

42
00:02:48,120 --> 00:02:49,050
open ports and stuff.

43
00:02:49,290 --> 00:02:54,480
So hit submit and then it's going to start the process, going to start to cook stuff up and you're

44
00:02:54,480 --> 00:02:57,450
going to see stuff on the screen and then we could check out the results.

45
00:02:57,450 --> 00:02:58,990
So let's just give it a minute and we'll come back.

46
00:02:59,070 --> 00:03:03,750
So now we have some results in here so we can actually go ahead and start to look at the results and

47
00:03:03,750 --> 00:03:04,830
see what's going on.

48
00:03:04,860 --> 00:03:09,900
As you can see, it found that a lot of the open ports that we found before, we believe still doing

49
00:03:09,900 --> 00:03:11,580
some things, but it can take a while.

50
00:03:12,000 --> 00:03:13,800
So many Stage IV scans could take a while.

51
00:03:13,920 --> 00:03:18,510
It also ran some like a enumeration stuff like some of the tools from and map.

52
00:03:18,520 --> 00:03:20,510
So to actually look for vulnerabilities for us.

53
00:03:20,520 --> 00:03:21,400
So that's pretty neat.

54
00:03:21,420 --> 00:03:26,160
So what we can do is see that, hey, these ports are open and is running these services.

55
00:03:26,310 --> 00:03:28,520
So it kind of automates the process for you.

56
00:03:28,560 --> 00:03:35,070
I prefer to use this and in combination with and map because I like to do some, you know, some hands

57
00:03:35,070 --> 00:03:37,920
on stuff myself with and map of some very specific things.

58
00:03:37,920 --> 00:03:38,960
But this is a good tool.

59
00:03:38,970 --> 00:03:41,730
The lays it out so you can see everything.

60
00:03:41,880 --> 00:03:44,000
And it kind of like like I said, it does it for you.

61
00:03:44,010 --> 00:03:46,230
So like I said, it does the Nikitas scan.

62
00:03:46,380 --> 00:03:48,780
This is what output from McDo will look like.

63
00:03:49,080 --> 00:03:50,880
We'll also see that a little bit later on.

64
00:03:51,150 --> 00:03:55,800
But it's actually seeing that there's a lot of stuff that we can potentially take advantage of.

65
00:03:55,950 --> 00:03:59,340
And these are things that we can search up and probably find.

66
00:03:59,340 --> 00:04:04,610
Like, for example, you know, the PSP environment is something that's very commonly found, that's

67
00:04:04,620 --> 00:04:09,750
exploitable and can be an issue that I something we'll look into once we get into that section.

68
00:04:10,140 --> 00:04:13,320
So we found a lot of vulnerabilities and then they did a screenshot.

69
00:04:13,320 --> 00:04:17,430
I don't think that it has anything close to it right now for Haiti, but it would hit on a screenshot

70
00:04:17,820 --> 00:04:19,950
of the Web page if you would have found something.

71
00:04:20,220 --> 00:04:23,580
And let's see around these other Allscripts.

72
00:04:24,000 --> 00:04:32,970
And these didn't have any input output for the SMTP one, but it does have some help for the SMB enumeration.

73
00:04:33,240 --> 00:04:39,360
And it's kind of what we did before we used the it found like, you know, the SMB share that it's connected

74
00:04:39,360 --> 00:04:39,960
to and such.

75
00:04:39,960 --> 00:04:45,600
So you can play with this and look through the different stuff like, hey, we ran the Postgrads a default

76
00:04:45,600 --> 00:04:47,630
script to see, doesn't it.

77
00:04:48,000 --> 00:04:48,330
Yeah.

78
00:04:48,330 --> 00:04:50,160
So it found a valid password actually.

79
00:04:50,160 --> 00:04:54,240
And, you know, Hijau actually went through it and figured out what the parser was.

80
00:04:54,240 --> 00:04:55,550
So that's pretty good.

81
00:04:55,560 --> 00:04:57,930
So it kind of automates a lot of the process for you.

82
00:04:57,930 --> 00:05:03,300
So I really recommend that you look into this and try to see the different stuff that you can actually

83
00:05:03,300 --> 00:05:03,960
find.

84
00:05:04,230 --> 00:05:08,610
And like once again here, you know, it found a valid password as well.

85
00:05:08,850 --> 00:05:12,480
Pretty much like right here is FTP Anonymous log on is allowed.

86
00:05:12,480 --> 00:05:13,350
So that's pretty neat.

87
00:05:13,650 --> 00:05:17,280
Very powerful tool automates everything for you for the most part.

88
00:05:17,460 --> 00:05:19,950
So you can use this or you can do the command line stuff.

89
00:05:19,950 --> 00:05:23,790
If you want to be a little more hands on specific, go ahead and check out Legian.

90
00:05:23,790 --> 00:05:29,250
But it's definitely something that I use on every assessment in combination with other things that we

91
00:05:29,250 --> 00:05:30,030
talked about as well.