1
00:00:01,220 --> 00:00:08,210
Welcome back. In this video, I want to show you something that you will do every time you perform
2
00:00:08,210 --> 00:00:13,460
a penetration test. I want to show you how to manually search for vulnerabilities.
3
00:00:13,910 --> 00:00:15,980
And this is something that you will do a lot.
4
00:00:16,280 --> 00:00:19,520
You will use this more than any other tool that we covered.
5
00:00:20,780 --> 00:00:29,780
So what vulnerability analysis is, is simply Googling for vulnerabilities. For example, suppose
6
00:00:29,780 --> 00:00:36,130
we are attacking a target, and right here I just performed a version scan of the Metasploitable machine.
7
00:00:36,140 --> 00:00:40,430
This is our target, and we just performed this version scan.
8
00:00:41,060 --> 00:00:45,130
We got these different ports open and different versions.
9
00:00:45,980 --> 00:00:49,310
How do we know if they are vulnerable without using any tool?
10
00:00:50,300 --> 00:00:55,370
Well, what we can do is we can copy the name of the version that is running on an open port.
11
00:00:56,350 --> 00:01:03,430
Then go to Google, just paste that name, and add "exploit".
12
00:01:06,060 --> 00:01:12,930
And here it is: we're already getting some results back, a Python exploit for this version, which is
13
00:01:12,930 --> 00:01:20,970
the exact version that the Metasploitable has, the vsftpd, the exact version that we have: backdoor command
14
00:01:20,970 --> 00:01:21,720
execution.
15
00:01:22,320 --> 00:01:28,050
And what you would do is you would just go to these links and try to find the exploit for it.
16
00:01:29,140 --> 00:01:32,400
Down here, we already see that an exploit already exists.
17
00:01:34,000 --> 00:01:39,160
We can see which platform it is for, and we can see the source code right here if we want to.
18
00:01:40,920 --> 00:01:46,200
And here it is, the exploit is coded in Python in this case.
19
00:01:47,140 --> 00:01:50,080
This is how you would do most of your vulnerability analysis.
20
00:01:50,390 --> 00:01:56,230
We also get the module options, and what these module options are is something that we will be covering in the
21
00:01:56,230 --> 00:01:57,170
exploitation section.
22
00:01:58,150 --> 00:02:00,820
This is how we can exploit the target using tools.
23
00:02:01,580 --> 00:02:03,410
We're going to cover that shortly. For now,
24
00:02:03,670 --> 00:02:06,550
this is the way that you can find out how to exploit the target.
25
00:02:07,120 --> 00:02:12,790
You just go through a bunch of links and see whether someone already came up with the exploit for that
26
00:02:12,790 --> 00:02:18,310
specific version, in this case for the vsftpd 2.3.4 version.
27
00:02:18,850 --> 00:02:21,640
And you would do this for any version that you discover.
28
00:02:22,330 --> 00:02:27,520
For example, you can go right here, Apache httpd, and copy the version.
29
00:02:27,640 --> 00:02:32,140
Make sure that you copy the number as well, which in our case is 2.2.8.
30
00:02:32,920 --> 00:02:37,950
Then go and paste the name of that version and "exploit".
31
00:02:38,710 --> 00:02:42,820
And here we get the output: security vulnerabilities.
32
00:02:42,830 --> 00:02:50,800
If we click on it, we can see all of the vulnerabilities that this version of Apache has right here.
33
00:02:50,800 --> 00:02:55,240
We can see which score they have, and the higher the score, the stronger the vulnerability.
34
00:02:55,540 --> 00:03:01,330
Right here we can see the vulnerability ID, which, remember from the last video I told you, this format
35
00:03:01,540 --> 00:03:07,870
is used for vulnerabilities and you will see it a lot, and we can see all the vulnerabilities that it
36
00:03:07,870 --> 00:03:08,190
has.
37
00:03:09,010 --> 00:03:12,450
This one in particular we are really interested in. Why?
38
00:03:12,610 --> 00:03:19,360
Well, because it has this score of 10, that means that it is a really strong vulnerability, most likely
39
00:03:19,360 --> 00:03:22,330
execution of code or remote access to the target.
40
00:03:22,840 --> 00:03:26,830
And it indeed is; it says right here, code execution.
41
00:03:27,460 --> 00:03:28,780
And if you click on it,
42
00:03:30,240 --> 00:03:32,610
you can see what this vulnerability does.
43
00:03:33,940 --> 00:03:41,710
You can see confidentiality impact is complete, integrity impact complete, availability impact complete.
44
00:03:42,070 --> 00:03:45,070
There is a total shutdown of the affected resource.
45
00:03:45,340 --> 00:03:47,860
The attacker can render the resource completely unavailable.
46
00:03:48,190 --> 00:03:50,860
So this also seems like some kind of a DoS attack.
47
00:03:51,340 --> 00:03:58,840
And down here, we can see that this will most likely work only for Windows, as I'm noticing Windows
48
00:03:59,020 --> 00:04:02,400
right here, a lot of Windows right here, Windows right here.
49
00:04:02,590 --> 00:04:07,150
Now, of course, you would read through this a bit more in detail, but for now, this doesn't
50
00:04:07,150 --> 00:04:13,450
seem like an exploit that would work on our Metasploitable, because it is running on Linux.
51
00:04:13,630 --> 00:04:17,540
And this is what you would do most of your time when researching vulnerabilities.
52
00:04:18,140 --> 00:04:19,270
This is how you find them.
53
00:04:19,570 --> 00:04:24,400
And then you search for the exploit created by someone else that you can use to exploit the target.
54
00:04:25,470 --> 00:04:33,990
Another thing that you can do is use a tool inside of Kali called searchsploit, and searchsploit,
55
00:04:34,200 --> 00:04:36,570
if I type it with the help option,
56
00:04:37,770 --> 00:04:43,500
simply takes the input of the version of software and then it searches through Kali's database,
57
00:04:43,680 --> 00:04:49,080
through all of the exploits that Kali has, and tries to find an exploit that will work for that specific
58
00:04:49,080 --> 00:04:49,360
version.
59
00:04:50,280 --> 00:04:55,420
Right here, we have some usage examples, but we don't need to perform these complicated commands.
60
00:04:55,440 --> 00:04:58,560
All we have to do is copy, for example, some version.
61
00:04:58,800 --> 00:05:05,310
Let's say we copy this version of software, UnrealIRCd; copy this.
62
00:05:05,790 --> 00:05:13,680
And what we can do once we copy that version is type searchsploit and then paste the version name, and we
63
00:05:13,680 --> 00:05:14,430
get the result.
64
00:05:15,090 --> 00:05:15,700
It will tell us:
65
00:05:15,720 --> 00:05:19,980
right here, there are already some existing exploits for UnrealIRCd.
66
00:05:20,250 --> 00:05:22,860
We also get which versions the exploits are for.
67
00:05:23,520 --> 00:05:25,860
One of them is backdoor command execution.
68
00:05:26,100 --> 00:05:28,700
The second one is local configuration stack overflow.
69
00:05:29,040 --> 00:05:37,350
We also get the denial of service exploit and on the right side we get the path to those exploits right
70
00:05:37,350 --> 00:05:37,710
here.
71
00:05:37,740 --> 00:05:43,290
This one is under linux/remote and it is named 16922.rb.
72
00:05:43,920 --> 00:05:46,620
And this .rb simply stands for Ruby.
73
00:05:46,980 --> 00:05:49,260
This is coded in the Ruby language.
74
00:05:50,130 --> 00:05:53,220
One of them is for Windows, one of them is for Linux.
75
00:05:53,550 --> 00:05:58,020
Since we're running Metasploitable, we would only be interested in the Linux exploits.
76
00:05:58,740 --> 00:06:02,460
So let's try to navigate here and find this exploit.
77
00:06:03,000 --> 00:06:05,010
Well, we can copy the name of the exploit.
78
00:06:06,210 --> 00:06:15,090
And use the locate command to find where exactly this exploit is located on our machine, and it is in this
79
00:06:15,090 --> 00:06:16,320
path right here.
80
00:06:17,260 --> 00:06:26,050
So you can change to this directory with cd and then paste the directory name, and if I were to nano
81
00:06:26,050 --> 00:06:34,270
16922.rb, this will open the exploit that we would use to attack that UnrealIRCd open
82
00:06:34,270 --> 00:06:34,660
port.
83
00:06:34,840 --> 00:06:37,760
As we can see, it also tells us that this is a backdoor program.
84
00:06:38,410 --> 00:06:44,170
This file is also part of the Metasploit framework, and Metasploit is one of the biggest tools that we are
85
00:06:44,170 --> 00:06:45,670
going to cover in the next section.
86
00:06:46,020 --> 00:06:51,430
We'll cover all of the basics of it and we will also cover how we can run exploits and attack different
87
00:06:51,430 --> 00:06:54,250
machines using the Metasploit framework.
88
00:06:55,000 --> 00:06:55,670
OK, cool.
89
00:06:56,560 --> 00:07:00,720
We found an exploit for this specific software using searchsploit.
90
00:07:01,000 --> 00:07:05,340
So now we know we've got an exploit for that version of software that we have on Metasploitable.
91
00:07:05,710 --> 00:07:11,410
So this is usually how you would perform most of your vulnerability analysis: either use tools like
92
00:07:11,590 --> 00:07:18,100
searchsploit, or manually try to find an exploit on Google to see whether anyone has exploited it before.
93
00:07:18,220 --> 00:07:20,410
And if they have, how did they do that?
94
00:07:21,190 --> 00:07:27,400
You would also use Nmap scripts sometimes, but I personally rarely use Nmap scripts for vulnerability
95
00:07:27,400 --> 00:07:27,940
analysis.
96
00:07:28,630 --> 00:07:33,400
And the last tool that we are going to cover for the vulnerability analysis is going to be Nessus,
97
00:07:33,430 --> 00:07:35,140
which we will see in the next section.
98
00:07:35,410 --> 00:07:40,160
That tool is huge and you will use it a lot in your vulnerability analysis.
99
00:07:40,600 --> 00:07:41,140
See you there.