Subtitles: 3. Enumerating HTTP/HTTPS - Part 1

Let's talk about this scan before we dive into any enumeration. So this scan here, we've got these open ports. We've got 22 with SSH, and we've got 80 and 443 which are hosting websites, and then we've got 139 which has got a file share with Samba on it. And then you've got 111 and 32768 which are RPC and related to the SMB. So we need to think about point of attack as an attacker. Now when I see this scan I light up with 80 and 443, and I light up with 139, and sometimes you'll see 445 with it as well. I light up from those because those are commonly found with exploits. If we think back about all of the exploits that have been out there for a website, for example, or if we think to Samba or SMB-related exploits just recently (right now it's recording in 2019), in 2017 there was malware that went around called WannaCry, and that was based off of something called EternalBlue, also known as MS17-010. It was a pretty wicked exploit that utilized a flaw in SMB. SMB has been historically bad and websites have been historically bad. Now when we see something like port 22, port 22 is SSH, and historically it hasn't really been that bad.

Now we can try attacks against it, like brute force attacks. We can try something like default credentials, or root/toor on it, for example. But when we look at it, we can maybe enumerate the version, but there's not usually what we call remote code execution on SSH, remote code execution being that we can run an exploit against it and get something called a shell back, and we'll talk more about that when we get into the exploitation section. But for now just know that it's not really common to attack SSH. So when I see SSH open we can do some things at it, but when we talk about low-hanging fruit, and that's really what we're after as an attacker, we're gonna see what's juiciest first and kind of go from there. So you'll develop your own methodology over time, but I'm going to drill into your head at least my methodology, why I do things, and there will be several videos of walkthrough machines in this course. So you're gonna get to see this over and over and over, and I'm just going to explain my methodology repeatedly so that you can get introduced to new tools and new ideas and ways of thinking. So from here I do want to dive into my first thought process, which is I want to investigate port 80 and 443. I would either, here, I would do 80/443, or I'd go right after 139, so we'll do 80/443 and start working towards those. Now let's go ahead and just do the first step.

This is always my first step: if I see a website I'm just going to go out to the website. So I'm going to go ahead and just copy this here, and I'm also going to go into the little hamburger and go to my preferences, and I have not turned off my Burp Suite settings, and it's possible that if you're just following along you haven't turned it off either. So go ahead and just select "Use system proxy settings" and we'll just say OK, and now we should be able to navigate to our website. I'll just open up a new tab just in case there's something like this. Good, that worked, and then we'll do the HTTPS version because there's also 443. You might get something saying your connection isn't secure. Just go ahead and say Advanced and Add Exception here, confirm it, and you'll see this. OK. So what we have here on both of these is we have a default web page. Now when we talk about performing a network penetration test or even a web application penetration test, if we see a default web page like this, this is an automatic finding. Now why is this the finding? Is it exploitable? No, not really. But it tells us a little bit of something about the architecture that's running behind the scenes, and it tells us a little bit about the client's potential hygiene. So if we see this, well, we know that it's running Apache.

We know that potentially the box is running Red Hat Linux, and we're just getting ideas of what's going on behind the scenes. More so, if a client is running a default web page, it brings up two questions. One: are there other web directories behind this? So we'll show you something here in a second where we do directory busting and attempt to find a directory, like, say we're looking at this and we say, you know, /ab, and maybe that directory is there. OK. Are they hosting a website somewhere else that's just not at this IP address on this base? Or maybe they aren't hosting any website and they just left 443 and 80 open for no reason and put those default web pages out there. Now when you think about that, that signals to an attacker poor hygiene, and I'm gonna think to myself as an attacker, if a company or a client is willing to just put this out there willy-nilly, what else are they doing? What potential vulnerabilities might they have if they're doing this? So this immediately signals poor hygiene. We would write this up on a test, and I'm going to show you guys my notes once we kind of get towards the end of the enumeration.

So make sure you're taking good notes, and we can do that in, like, a little notepad here of kind of what we're doing. I think this is useful, and then I'll make a nice little KeepNote, or you can make a CherryTree and make your own notes of this, and we'll show you what it looks like toward the end of the enumeration. But we can say something like 80/443, and then you can put the IP address. And sometimes people like to put notes like what time they did this, so you could see up here it's 22:58, or 10:58 p.m., nighttime, and we could take that and we can just say default web page, and we can say Apache, and we could tell that it's running potentially PHP, and we'll get behind this as well. And we just have these little notes so we know that we navigated to it, right? At least this is part of the enumeration here, and you don't have to timestamp everything. I'm just giving you that for an example. But we can see that it's running this default web page, so we have a default web page. There's nothing really for us to click on. I mean, we've got the documentation we can go to. It looks like the manual might be here, and this here, we just clicked on a link and it was a bad link. Now this is also what's called information disclosure.

So this will be another one to bring up, but we see here that we have an error page, and this error page is saying, hey, it's not found. Now this is typical of what's called a 404, and when you see a 404 you think OK, it usually redirects you to a page, it's like hey, we can't find this. This is giving us a little bit more information than we should be getting. We're seeing here that we're getting Apache version 1.3.20. So now, if we didn't know already, we do know that we're running Apache 1.3.20, and we got a hostname here, Kioptrix Level 1, that is internal information, a hostname, right? So we can get a naming convention out of a client. We could potentially know how they are utilizing naming conventions on their internal networks. And we've got some version enumeration or information disclosure. So this would be a screenshot as well that I would take a picture of. And you can also notate that in your notes and say something like, you'd say information disclosure, and then you could say something like 404 page, and then you would just have your notes or a screenshot of this, and then that would indicate to you what you can write up on the report and kind of where you've found it.

So we can click around on this page, or we can do a little bit of what I like to do, which is vulnerability scanning. So I'm going to introduce you to another tool, which is called Nikto. So let's open up a new tab; we'll close these two tabs out if you've got extra tabs like I do. And this tool is called Nikto. It's just like this. So Nikto is what is known as a web vulnerability scanner. This is a great tool when you're learning the beginning stuff, when you're practicing against VulnHub or you're practicing on a CTF or something like Hack The Box, which I haven't introduced you to yet, but it will help you do vulnerability scanning against a website. The issue is that if the website is running good security you might run into some issues with that, and it might actually auto-block it if it detects Nikto scans. Not always; very commonly that's not the case, but if they've got good security or a good web application firewall it might actually block these scans, so you have to kind of be wary when you use it and really use your hunch if you think that this client is using a web application firewall or not, and you'll really get a feel for the client just as you gain more practice, and once you're getting in there and you're starting to notice vulnerabilities or not, you kind of understand whether or not they're running something like that.

So from here we're just gonna say nikto, and you can always do a --help, but it's pretty straightforward. All we're gonna do is say -h for host, and then we're just gonna say something like https and then we'll just paste our address, something like this, and that one did not work. So let's go ahead and try http and see. There we go. For some reason it's not picking up the SSL on this, so I'm not sure why it's not discovering, but now we can see our scan's kicking back, and immediately we can see that it's doing some detections here. It's detecting that the server Apache 1.3.20 is running. It sees this mod_ssl with OpenSSL. It's giving us some vulnerabilities back. It's telling us what is missing in terms of protections. Now these protection headers, if we're doing an external penetration test, not really that important; if we're doing a web application penetration test these become more important, but we don't have to worry about them right now.

So when we come through, we keep looking and we see Apache 1.3.20 appears to be outdated. OK, mod_ssl appears to be outdated, OpenSSL appears outdated. These are all findings depending on how outdated it is. A 1.3.20 to a 2.4.37 is pretty outdated. So these would be findings that we would notate on a report as well. We can look through and you can see what types of attacks this might be vulnerable to. So one, if you're looking through, there's this Apache here that says remote denial of service. Well, typically denial of service is out of scope when we're doing a pen test, so we're not interested in that. Possible code execution? So maybe interested in that. We are also potentially interested in an overflow in rewrite, and this one says this is vulnerable to a remote buffer overflow, remote being important, which may allow remote shell. So remote, meaning we do not have to be local. So I skipped over this one where you see local. This one is remote, meaning we can run that against a site sitting in our pajamas in our house, and that site's running somewhere else, and we can do this all remotely. So immediately it's found potential vulnerabilities.

So you've got this potential mod_ssl vulnerability, and it's come down here and it's looking at some other things. You could see that this TRACE method is active, and we still haven't gotten into a web app, so we really don't need to talk about it too much, but TRACE is potentially vulnerable when you have something like cross-site scripting, which you see up here, and that could lead to something called cross-site tracing, but you kind of need both of those. But again, that's just informational at this point. You don't have to really be taking notes on that. So we're coming through. It does a little bit of directory busting for us. So what that means is it's just going to come through here and it's going to run, like, a wordlist, and that wordlist might have like admin, usage, manual, right? test.php. It's got all these different items that it found doing this wordlist. Now we're going to do a little bit of directory busting here in a second. So we'll save this scan and we'll keep this in our notes and we'll refer back to it here in a little bit. But what we need to know is we can alt-tab and we can get our text editor, and we could say something about, let's just copy and paste this line here, that potentially this mod_ssl is vulnerable.

So let's copy that, and we'll put that into our text editor, and we'll make that as a note. So we're still doing enumeration; we're not going to do any exploitation till we get to the exploitation stage. So what we would do typically is we'll save this out to a file, so you might want to, like, copy all this right here to show what you ran. And if I could copy, that would be really useful. So you copy this, and you would just make maybe a directory, and you can call this kioptrix, and then we can cd into kioptrix, and then you could say gedit nikto.txt, and then you have your Nikto scan saved. So this is part of being a good pentester, is saving all of your scans and having them available in case you need to go back for notes. So we'll save that. And then what we're going to do is we're going to pause here. We're going to call this part 1, and then we'll go into part 2 and talk a little bit more about directory busting and look at some other enumeration features that we have for this, and then we'll start focusing on other ports and really enumerate this box thoroughly before we work on exploitation. So I will catch you over in part 2 of this video and I'll see you when you get over there.
