All right, the last tool before we get into Burp Suite and bug hunting. So, Nikto, what is it?

Nikto is a tool that performs comprehensive tests against web servers. It searches for server configurations, it checks for outdated versions of servers, and it scans for dangerous files and programs on the web page. It has many useful features that we can read about on this page. This is the page on the project's .org website and it has a description on there. Here we have its features, so we can read through them. It has SSL support, full HTTP proxy support, and checks for outdated server components, which we already mentioned. You also have the option to save your reports in different file types. We can go all the way down: it identifies installed software via headers and files, host authentication with Basic and NTLM, subdomain guessing. So it pretty much performs website enumeration and vulnerability assessment all together. However, the most important thing that it gives us is which software is outdated.

OK, but we want to see the basic use of it. And if you find it still useful, feel free to check out all of the other options that you can use in combination with your scans. For us to run the tool's help menu, we can open the terminal and we can type nikto.
This will open a small help menu for us, and here we can see some of the options that we can use with this tool. However, for our basic scan, the most important option for us, and the one that we must specify, is the -host option. As we can see, its description says that -host specifies the target host or URL. So let's scan our OWASP virtual machine. We're going to type nikto -host and then the IP address of your machine; in my case right now it's 192.168.1.5. If you press Enter, it'll start the Nikto scan, and the Nikto tool is made to perform these scans fast, so they will usually not take more than a couple of minutes at most.

So let's wait for this to finish, and then we're going to read through some of the information that we got right here. It took around 30 seconds, and this is the output that we get. At the very beginning we got some target information as well as the server configuration. It tells us which version it is using, and down here it describes each of those versions and what it managed to find that might be interesting for us. As we can see, let's go from here: the anti-clickjacking X-Frame-Options header is not present. The X-XSS-Protection header is not defined.
And it gives us a description of why this might be useful. As it says, this header can hint to the user agent to protect against some forms of XSS, and XSS is once again the attack that we will cover later. Down here it tells us some of the versions that it is running, pretty much the same output that Nmap gave us. We got Apache 2.2.14, and it tells us that this version appears to be outdated; current is at least Apache 2.4.37. It tells us for pretty much any plugin that OWASP has that it appears to be outdated. And what does outdated mean to a penetration tester? Well, it means probably a bunch of vulnerabilities, because most of the time a certain plugin gets updated and gets a newer version because of a previous bug or a previous vulnerability. If we go all the way down, it tells us that the Python version that it's running appears to be outdated, the Perl version appears to be outdated; pretty much everything is outdated. We get the allowed HTTP methods, which are GET, HEAD, POST, OPTIONS and TRACE, and down here, that would be pretty much it.
It also gives us some output as to which directories might be interesting for us that Nikto managed to discover. For example, this phpMyAdmin is a directory that we already found, and it tells us that this might be interesting for us down here.

OK, awesome. This would be a simple Nikto scan. It gave us some information, mostly that many plugins are outdated. And if you want to combine the Nikto scan with other options that Nikto offers us, feel free to use them. These other options are there in order to make a scan more precise. For example, if we run the nikto help menu once again, we can see, let's say, this option -port, which defines which port we are scanning; by default it's set to port 80, which is the default HTTP port. But remember that our Nmap scans gave us a result that there is an HTTP server running also on port 8081. Well, we can scan that as well with Nikto. All we have to do is type nikto -host and then the IP address of our target, and we can also add the -port option and specify which port we want to scan. Once you press Enter, it will target that port and it will print out the information about that port only. And here is the result: it's much less information than with our previous scan, but we did get some things here as well.
For example, this is the same as in the previous scan: we got that the Jetty version appears to be outdated. We also got which HTTP methods it has allowed. And we got some interesting directories, for example /admin, /access, /admin/index page, and so on. It tells us that it found an admin login page on this directory.

OK, awesome. We are done with website enumeration. All we are left to do now is to set up our tool, get introduced to its basics, and we are fully ready for discovering website vulnerabilities straight after that. See you in the next video.