All language subtitles for 2. Manual Vulnerability Analysis & Searchsploit

1 00:00:01,220 --> 00:00:08,210 Welcome back, and in this video I want to show you something that you will do every time you perform
2 00:00:08,210 --> 00:00:13,460 a penetration test: I want to show you how to manually search for vulnerabilities.
3 00:00:13,910 --> 00:00:15,980 And this is something that you will do a lot.
4 00:00:16,280 --> 00:00:19,520 You will use this more than any other tool that we covered.
5 00:00:20,780 --> 00:00:29,780 So what vulnerability analysis is, is us simply googling the vulnerabilities. For example, suppose
6 00:00:29,780 --> 00:00:36,130 we are attacking a target, and right here I just performed the version scan for the Metasploitable machine.
7 00:00:36,140 --> 00:00:40,430 But this is our target, and we just performed this version scan.
8 00:00:41,060 --> 00:00:45,130 We got these different ports open and different versions.
9 00:00:45,980 --> 00:00:49,310 How do we know if they are vulnerable without using any tool?
10 00:00:50,300 --> 00:00:55,370 Well, what we can do is we can copy the name of the version that is running on an open port.
11 00:00:56,350 --> 00:01:03,430 Then go to Google and just paste that name and add "exploit".
12 00:01:06,060 --> 00:01:12,930 And here it is, we're already getting some response back: Python exploit for this version, which is
13 00:01:12,930 --> 00:01:20,970 the exact version that Metasploitable has, the exact version that we have: backdoor command
14 00:01:20,970 --> 00:01:21,720 execution.
15 00:01:22,320 --> 00:01:28,050 And what you would do is you would just go to these links and try to find the exploit for it.
16 00:01:29,140 --> 00:01:32,400 Down here, we already see that an exploit already exists.
17 00:01:34,000 --> 00:01:39,160 For which platform it is, we can see right here; the source code, if we want to.
18 00:01:40,920 --> 00:01:46,200 And here it is, the exploit is coded in Python in this case.
19 00:01:47,140 --> 00:01:50,080 This is how you would do most of your vulnerability analysis.
20 00:01:50,390 --> 00:01:56,230 We also get the module options, and what these module options are is something that we'll be covering in the
21 00:01:56,230 --> 00:01:57,170 exploitation section.
22 00:01:58,150 --> 00:02:00,820 This is how we can exploit the target using tools.
23 00:02:01,580 --> 00:02:03,410 We're going to cover that shortly. For now,
24 00:02:03,670 --> 00:02:06,550 this is the way that you can find out how to exploit the target.
25 00:02:07,120 --> 00:02:12,790 You just go through a bunch of links and see whether someone already came up with the exploit for that
26 00:02:12,790 --> 00:02:18,310 specific version, in this case for the fifty-two point three point four version.
27 00:02:18,850 --> 00:02:21,640 And you would do this for any version that you discover.
28 00:02:22,330 --> 00:02:27,520 For example, you can go right here, Apache httpd, and copy the version.
29 00:02:27,640 --> 00:02:32,140 Make sure that you copy the number as well, which in our case is 2.2.8.
30 00:02:32,920 --> 00:02:37,950 Then go and paste the name of that version and "exploit".
31 00:02:38,710 --> 00:02:42,820 And here we get an output: security vulnerabilities.
32 00:02:42,830 --> 00:02:50,800 If we click on it, we can see all of the vulnerabilities that this version of Apache has right here.
33 00:02:50,800 --> 00:02:55,240 We can see which score they have, and the higher the score, the stronger the vulnerability.
34 00:02:55,540 --> 00:03:01,330 Right here we can see the vulnerability ID which, remember from the last video I told you, this format
35 00:03:01,540 --> 00:03:07,870 is used for vulnerabilities and you will see it a lot, and we can see all the vulnerabilities that it
36 00:03:07,870 --> 00:03:08,190 has.
37 00:03:09,010 --> 00:03:12,450 This one particularly we are really interested in. Why?
38 00:03:12,610 --> 00:03:19,360 Well, because it has this score 10, that means that it is a really strong vulnerability, most likely
39 00:03:19,360 --> 00:03:22,330 execution of code or remote access to the target.
40 00:03:22,840 --> 00:03:26,830 And it indeed is; it says right here, code execution.
41 00:03:27,460 --> 00:03:28,780 And if you click on it,
42 00:03:30,240 --> 00:03:32,610 you can see what this vulnerability does.
43 00:03:33,940 --> 00:03:41,710 You can see confidentiality impact is complete, integrity impact complete, availability impact complete.
44 00:03:42,070 --> 00:03:45,070 There is a total shutdown of the affected resource.
45 00:03:45,340 --> 00:03:47,860 The attacker can render the resource completely unavailable.
46 00:03:48,190 --> 00:03:50,860 So this also seems like some kind of a DoS attack.
47 00:03:51,340 --> 00:03:58,840 And down here, we can see that this will most likely work only for Windows, as I'm noticing Windows
48 00:03:59,020 --> 00:04:02,400 right here, a lot of Windows right here, Windows right here.
49 00:04:02,590 --> 00:04:07,150 Now, of course, you would read through this a bit more in detail, but for now, this doesn't
50 00:04:07,150 --> 00:04:13,450 seem like an exploit that would work on our Metasploitable, because it is running on Linux.
51 00:04:13,630 --> 00:04:17,540 And this is what you would do most of your time researching for vulnerabilities.
52 00:04:18,140 --> 00:04:19,270 This is how you find them.
53 00:04:19,570 --> 00:04:24,400 And then you search for the exploit created by someone else that you can use to exploit the target.
54 00:04:25,470 --> 00:04:33,990 Another thing that you can do is you can use a tool inside of Kali called Searchsploit, and Searchsploit,
55 00:04:34,200 --> 00:04:36,570 if I type searchsploit --help,
56 00:04:37,770 --> 00:04:43,500 simply takes the input of the version of software and then it searches through Kali's database,
57 00:04:43,680 --> 00:04:49,080 through all of the exploits that Kali has, and tries to find an exploit that will work for that specific
58 00:04:49,080 --> 00:04:49,360 version.
59 00:04:50,280 --> 00:04:55,420 Right here, we have some usage examples, but we don't need to perform these complicated commands.
60 00:04:55,440 --> 00:04:58,560 All we can do is copy, for example, some version.
61 00:04:58,800 --> 00:05:05,310 Let's say we copy this version of software, Unreal IRC, and copy this.
62 00:05:05,790 --> 00:05:13,680 And what we can do once we copy that version is type searchsploit and then paste the version name, and we
63 00:05:13,680 --> 00:05:14,430 get the result.
64 00:05:15,090 --> 00:05:15,700 It will tell us,
65 00:05:15,720 --> 00:05:19,980 right here, there are already some existing exploits for the Unreal IRC.
66 00:05:20,250 --> 00:05:22,860 We also get which versions the exploits are for.
67 00:05:23,520 --> 00:05:25,860 One of them is backdoor command execution.
68 00:05:26,100 --> 00:05:28,700 The second one is local configuration stack overflow.
69 00:05:29,040 --> 00:05:37,350 We also get the denial of service exploit, and on the right side we get the path to those exploits right
70 00:05:37,350 --> 00:05:37,710 here.
71 00:05:37,740 --> 00:05:43,290 This one is under linux/remote and it is named 16922.rb.
72 00:05:43,920 --> 00:05:46,620 And this RB simply stands for Ruby.
73 00:05:46,980 --> 00:05:49,260 This is coded in the Ruby language.
74 00:05:50,130 --> 00:05:53,220 One of them is for Windows, one of them is for Linux.
75 00:05:53,550 --> 00:05:58,020 Since we're running Metasploitable, we would only be interested in the Linux exploits.
76 00:05:58,740 --> 00:06:02,460 So let's try to navigate here, how we can find this exploit.
77 00:06:03,000 --> 00:06:05,010 Well, we can copy the name of the exploit
78 00:06:06,210 --> 00:06:15,090 and use the locate command to find where exactly this exploit is located on our machine, and it is in this
79 00:06:15,090 --> 00:06:16,320 path right here.
80 00:06:17,260 --> 00:06:26,050 So you can cd to this directory, cd and then paste the directory name, and if I were to nano
81 00:06:26,050 --> 00:06:34,270 16922.rb, this will open an exploit that we would use to attack that Unreal IRC open
82 00:06:34,270 --> 00:06:34,660 port.
83 00:06:34,840 --> 00:06:37,760 As we can see, it also tells us that this is a backdoor program.
84 00:06:38,410 --> 00:06:44,170 This file is also part of the Metasploit Framework, and Metasploit is one of the biggest tools that we are
85 00:06:44,170 --> 00:06:45,670 going to cover in the next section.
86 00:06:46,020 --> 00:06:51,430 We'll cover all of the basics of it, and we will also cover how we can run exploits and attack different
87 00:06:51,430 --> 00:06:54,250 machines using the Metasploit Framework.
88 00:06:55,000 --> 00:06:55,670 OK, cool.
89 00:06:56,560 --> 00:07:00,720 We found an exploit for this specific software using Searchsploit.
90 00:07:01,000 --> 00:07:05,340 So now we know we got an exploit for that version of software that we have on Metasploitable.
91 00:07:05,710 --> 00:07:11,410 So this is usually how you would perform most of your vulnerability analysis: you either use tools like
92 00:07:11,590 --> 00:07:18,100 Searchsploit, or you manually try to find an exploit on Google to see whether anyone has exploited it before.
93 00:07:18,220 --> 00:07:20,410 And if they have, how did they do that?
94 00:07:21,190 --> 00:07:27,400 You would also use Nmap scripts sometimes, but I personally rarely use Nmap scripts for vulnerability
95 00:07:27,400 --> 00:07:27,940 analysis.
96 00:07:28,630 --> 00:07:33,400 And the last tool that we are going to cover for the vulnerability analysis is going to be Nessus,
97 00:07:33,430 --> 00:07:35,140 which we will see in the next section.
98 00:07:35,410 --> 00:07:40,160 That tool is huge, and you will use it a lot in your vulnerability analysis.
99 00:07:40,600 --> 00:07:41,140 See you there.
