1
00:00:00,120 --> 00:00:07,640
Let's talk about this scan before we dive into any enumeration. So this scan here, we've got these open
2
00:00:07,640 --> 00:00:08,000
ports.
3
00:00:08,000 --> 00:00:13,280
We've got 22 with SSH, and we've got 80 and 443, which are hosting websites, and then
4
00:00:13,280 --> 00:00:17,210
we've got 139, which has got a file share with Samba on it.
5
00:00:17,300 --> 00:00:24,230
And then you've got 111 and 32768, which are RPC and related to the SMB.
6
00:00:24,320 --> 00:00:28,850
So we need to think about the point of attack as an attacker.
7
00:00:28,910 --> 00:00:35,810
Now when I see this scan, I light up with 80 and 443, and I light up with 139, and
8
00:00:35,810 --> 00:00:42,260
sometimes you'll see 445 with it as well. I light up from those because those are commonly
9
00:00:42,260 --> 00:00:44,090
found with exploits.
10
00:00:44,090 --> 00:00:51,170
If we think back about all of the exploits that have been out there for a website, for example, or if
11
00:00:51,170 --> 00:00:58,090
we think to Samba or SMB-related exploits just recently. Right now I'm recording in 2019;
12
00:00:58,580 --> 00:01:00,100
in 2017,
13
00:01:00,170 --> 00:01:06,590
there was malware that went around called WannaCry, and that was based off of something called Eternal
14
00:01:06,590 --> 00:01:10,310
Blue, also known as MS17-010.
15
00:01:10,310 --> 00:01:15,970
It was a pretty wicked exploit that utilized a flaw in SMB.
16
00:01:16,130 --> 00:01:21,940
SMB has been historically bad, and websites have been historically bad.
17
00:01:21,950 --> 00:01:28,280
Now when we see something like port 22, 22 is SSH, and historically it hasn't
18
00:01:28,280 --> 00:01:30,030
really been that bad.
19
00:01:30,110 --> 00:01:33,450
Now we can try attacks against it, like brute force attacks.
20
00:01:33,470 --> 00:01:39,170
We can try something like default credentials, or root:toor on it, for example.
21
00:01:39,170 --> 00:01:44,480
But when we look at it, we can maybe enumerate the version, but there's not usually what we call remote
22
00:01:44,480 --> 00:01:51,380
code execution on SSH, remote code execution being that we can run an exploit against it and get something
23
00:01:51,380 --> 00:01:56,430
called a shell back, and we'll talk more about that when we get into the exploitation section.
24
00:01:56,540 --> 00:02:00,510
But for now, just know that it's not really common to attack SSH.
25
00:02:00,530 --> 00:02:07,850
So when I see SSH open, we can do some things at it, but when we talk about low-hanging fruit, and that's
26
00:02:07,850 --> 00:02:13,850
really what we're after as an attacker, we're gonna see what's juiciest first and kind of go from there.
27
00:02:13,880 --> 00:02:21,440
So you'll develop your own methodology over time, but I'm going to drill into your head at least my methodology,
28
00:02:21,440 --> 00:02:27,620
why I do things, and there will be several videos of walkthrough machines in this course.
29
00:02:27,610 --> 00:02:31,490
So you're gonna get to see this over and over and over, and I'm just going to explain my methodology
30
00:02:31,520 --> 00:02:37,460
repeatedly so that you can get introduced to new tools and new ideas and ways of thinking.
31
00:02:37,460 --> 00:02:44,810
So from here, I do want to dive into my first thought process, which is I want to investigate port 80
32
00:02:44,810 --> 00:02:46,190
and 443.
33
00:02:46,190 --> 00:02:52,130
I would either, here, I would do 80 and 443, or I'd go right after 139. So we'll
34
00:02:52,130 --> 00:02:55,770
do 80 and 443 and start working towards those.
35
00:02:55,880 --> 00:02:58,720
Now let's go ahead and just do the first step.
36
00:02:58,730 --> 00:03:03,160
This is always my first step: if I see a website, I'm just going to go out to the website.
37
00:03:03,170 --> 00:03:11,350
So I'm going to go ahead and just copy this here, and I'm also going to go into the little hamburger and
38
00:03:11,350 --> 00:03:17,350
go to my preferences, and I have not turned off my Burp Suite settings, and it's possible that if you're
39
00:03:17,350 --> 00:03:19,960
just following along you haven't turned it off either.
40
00:03:19,960 --> 00:03:25,990
So go ahead and just select "Use system proxy settings" and we'll just say OK, and now we should be able
41
00:03:25,990 --> 00:03:27,270
to navigate to our website.
42
00:03:27,280 --> 00:03:33,400
I'll just open up a new tab just in case there's something like this. Good, that worked, and then we'll
43
00:03:33,400 --> 00:03:38,700
do the HTTPS version because there's also 443.
44
00:03:38,770 --> 00:03:40,990
You might get something saying your connection isn't secure.
45
00:03:40,990 --> 00:03:48,110
Just go ahead and say Advanced and add an exception here, confirm it, and you'll see this. OK.
46
00:03:48,120 --> 00:03:57,140
So what we have here on both of these is we have a default web page. Now when we talk about performing
47
00:03:57,230 --> 00:04:03,460
a network penetration test or even a web application penetration test.
48
00:04:03,560 --> 00:04:08,510
If we see a default web page like this, this is an automatic finding.
49
00:04:08,510 --> 00:04:09,870
Now why is this a finding?
50
00:04:09,920 --> 00:04:11,420
Is it exploitable?
51
00:04:11,420 --> 00:04:12,800
No, not really.
52
00:04:12,920 --> 00:04:18,830
But it tells us a little bit of something about the architecture that's running behind the scenes, and
53
00:04:18,830 --> 00:04:23,900
it tells us a little bit about the client's potential hygiene.
54
00:04:23,900 --> 00:04:28,490
So if we see this, well, we know that it's running Apache.
55
00:04:28,490 --> 00:04:35,090
We know that potentially the box is running Red Hat Linux, and we're just getting ideas of what's going
56
00:04:35,090 --> 00:04:41,600
on behind the scenes. More so, if a client is running a default web page,
57
00:04:41,600 --> 00:04:43,390
it brings up two questions.
58
00:04:43,390 --> 00:04:44,400
One:
59
00:04:44,660 --> 00:04:48,090
are there other web directories behind this?
60
00:04:48,140 --> 00:04:53,570
So we'll show you something here in a second where we do directory busting and attempt to find a directory,
61
00:04:53,580 --> 00:04:58,520
like, say we're looking at this, and we click on, we say, you know, /ab, and maybe
62
00:04:58,520 --> 00:05:00,620
that directory is there. OK,
63
00:05:00,620 --> 00:05:02,810
are they hosting a website somewhere else
64
00:05:02,810 --> 00:05:06,220
that's just not at this IP address, on this page?
65
00:05:06,500 --> 00:05:14,690
Or maybe they aren't hosting any website and they just left 443 and 80 open for no reason and put
66
00:05:14,690 --> 00:05:16,810
those default web pages out there.
67
00:05:16,820 --> 00:05:22,280
Now when you think about that, that signals to an attacker poor hygiene, and I'm gonna think to myself
68
00:05:22,280 --> 00:05:29,390
as an attacker, if a company or a client is willing to just put this out there willy-nilly,
69
00:05:29,390 --> 00:05:36,230
what else are they doing? What potential vulnerabilities might they have if they're doing this?
70
00:05:36,260 --> 00:05:38,750
So this immediately signals poor hygiene.
71
00:05:38,750 --> 00:05:42,940
We would write this up on a test, and I'm going to show you guys my notes
72
00:05:42,980 --> 00:05:48,200
once we kind of get towards the end of the enumeration. So make sure you're taking good notes, and we
73
00:05:48,200 --> 00:05:53,360
can do that in, like, a little notepad here, and kind of what we're doing, I think this is useful, and then
74
00:05:53,390 --> 00:05:57,860
I'll make a nice little KeepNote, or you can make a CherryTree and make your own notes of this, and
75
00:05:57,860 --> 00:06:02,680
we'll show you what it looks like toward the end of the enumeration. But we can say something like 80,
76
00:06:02,690 --> 00:06:03,850
443.
77
00:06:04,340 --> 00:06:06,490
And then you can put the IP address.
78
00:06:06,770 --> 00:06:11,840
And sometimes people like to put notes like what time they did this, so you could see up here it's
79
00:06:11,840 --> 00:06:20,490
22:58, or 10:58 p.m., nighttime, and we could take that and we can just say default
80
00:06:20,520 --> 00:06:30,570
web page, and we can say Apache, and we could tell that it's running potentially PHP, and we'll get behind
81
00:06:30,690 --> 00:06:32,430
this as well.
82
00:06:32,430 --> 00:06:36,180
And we just have these little notes so we know that we navigated to it, right?
83
00:06:36,180 --> 00:06:40,490
At least this is part of the enumeration here, and you don't have to timestamp everything.
84
00:06:40,490 --> 00:06:41,900
I'm just giving you that for an example.
85
00:06:41,910 --> 00:06:48,070
But we can see that it's running this default web page, so we have a default web page.
86
00:06:48,110 --> 00:06:50,460
There's nothing really for us to click on.
87
00:06:50,510 --> 00:06:53,300
I mean, we've got the documentation
88
00:06:53,300 --> 00:06:53,860
we can go to.
89
00:06:53,930 --> 00:07:00,400
It looks like the manual might be here, and this here, we just clicked on a link and it was a bad link.
90
00:07:00,410 --> 00:07:05,000
Now this is also what's called information disclosure.
91
00:07:05,000 --> 00:07:10,960
So this will be another one to bring up, but we see here that we have an error page, and this error page
92
00:07:10,960 --> 00:07:12,800
is saying, hey, it's not found.
93
00:07:12,800 --> 00:07:19,880
Now this is typical of what's called a 404, and when you see a 404 you think, OK,
94
00:07:19,910 --> 00:07:23,580
it usually redirects you to a page, it's like, hey, we can't find this.
95
00:07:23,640 --> 00:07:28,060
This is giving us a little bit more information than we should be getting.
96
00:07:28,280 --> 00:07:34,010
We're seeing here that we're getting Apache version 1.3.20.
97
00:07:34,010 --> 00:07:39,380
So now, if we didn't know already, we do know that we're running Apache 1.3.20,
98
00:07:40,190 --> 00:07:47,810
and we got a hostname here, kioptrix.level1, that is an internal information hostname.
99
00:07:47,810 --> 00:07:48,080
Right.
100
00:07:48,080 --> 00:07:50,610
So we can get a naming convention out of a client.
101
00:07:50,750 --> 00:07:55,730
We could potentially know how they are utilizing naming conventions on their internal networks.
102
00:07:55,910 --> 00:08:00,260
And we've got some version enumeration or information disclosure.
103
00:08:00,380 --> 00:08:03,340
So this would be a screenshot as well that I would take a picture of.
104
00:08:03,470 --> 00:08:06,920
And you can also notate that in your notes and say something like
105
00:08:11,110 --> 00:08:12,840
you'd say information
106
00:08:14,830 --> 00:08:15,820
disclosure.
107
00:08:23,210 --> 00:08:30,800
And then you could say something like 404 page, and then you would just have your notes
108
00:08:30,800 --> 00:08:35,900
or a screenshot of this, and then that would indicate to you what you can write up on the report and
109
00:08:35,900 --> 00:08:37,750
kind of where you've found it.
110
00:08:37,750 --> 00:08:46,120
So we can click around on this page, or we can do a little bit of what I like to do, which is vulnerability
111
00:08:46,120 --> 00:08:46,570
scanning.
112
00:08:46,570 --> 00:08:52,320
So I'm going to introduce you to another tool, which is called Nikto.
113
00:08:52,360 --> 00:08:55,510
So let's open up a new tab. We'll close these two tabs out,
114
00:08:55,540 --> 00:09:01,610
if you've got extra tabs like I do, and this tool is called Nikto.
115
00:09:01,610 --> 00:09:02,990
It's just like this.
116
00:09:03,110 --> 00:09:08,090
So Nikto is what is known as a web vulnerability scanner.
117
00:09:08,090 --> 00:09:14,600
This is a great tool when you're learning the beginning stuff, when you're practicing against VulnHub
118
00:09:14,600 --> 00:09:20,750
or you're practicing on a CTF or something like Hack The Box, which I haven't introduced you to yet, but
119
00:09:20,930 --> 00:09:24,680
it will help you do vulnerability scanning against a website.
120
00:09:24,680 --> 00:09:32,540
The issue is that if the website is running good security, you might run into some issues with that,
121
00:09:32,570 --> 00:09:35,060
and it might actually auto-block it if it detects
122
00:09:35,060 --> 00:09:38,860
Nikto scans. Not always; very commonly
123
00:09:38,960 --> 00:09:45,290
that's not the case, but if they've got good security or a good web application firewall, it might actually
124
00:09:45,290 --> 00:09:49,570
block these scans. So you have to kind of be wary when you use it and really use your hunch
125
00:09:49,610 --> 00:09:55,550
if you think that this client is using a web application firewall or not, and you'll really get a feel
126
00:09:55,550 --> 00:09:59,360
for the client just as you gain more practice, and once you're getting in there and you're starting to
127
00:09:59,360 --> 00:10:03,140
notice vulnerabilities or not, you kind of understand whether or not they're running something like
128
00:10:03,140 --> 00:10:03,940
that.
129
00:10:03,950 --> 00:10:09,800
So from here, we're just gonna say nikto, and you can always do a --help, but it's pretty straightforward.
130
00:10:09,800 --> 00:10:17,060
All we're gonna do is say a -h for host, and then we're just gonna say something like https:// and
131
00:10:17,060 --> 00:10:24,500
then we'll just paste our address, something like this, and that one did not work.
132
00:10:26,030 --> 00:10:29,330
So let's go ahead and try http and see.
133
00:10:29,330 --> 00:10:30,410
There we go.
134
00:10:30,410 --> 00:10:33,380
For some reason it's not picking up the SSL on this.
135
00:10:33,410 --> 00:10:39,680
So I'm not sure why it's not discovering, but now we can see our scan's kicking back, and immediately we
136
00:10:39,680 --> 00:10:42,150
can see that it's doing some detections here.
137
00:10:42,290 --> 00:10:46,690
It's detecting that the server Apache 1.3.20 is running.
138
00:10:46,850 --> 00:10:50,600
It sees this mod_ssl with OpenSSL.
139
00:10:50,600 --> 00:10:53,090
It's giving us some vulnerabilities back.
140
00:10:53,240 --> 00:10:57,390
It's telling us what is missing in terms of protections.
141
00:10:57,440 --> 00:11:02,930
Now these protection headers, if we're doing an external penetration test, not really that important; if
142
00:11:02,930 --> 00:11:07,550
we're doing a web application penetration test, these become more important, but we don't have to worry about
143
00:11:07,550 --> 00:11:09,020
them right now.
144
00:11:09,020 --> 00:11:14,600
So when we come through, we keep looking and we see Apache 1.3.20 appears to
145
00:11:14,600 --> 00:11:16,050
be outdated.
146
00:11:16,070 --> 00:11:19,760
OK, mod_ssl appears to be outdated, OpenSSL appears outdated.
147
00:11:19,760 --> 00:11:23,780
These are all findings, depending on how outdated it is.
148
00:11:23,960 --> 00:11:29,250
A 1.3.20 to a 2.4.37 is pretty outdated.
149
00:11:29,300 --> 00:11:34,430
So these would be findings that we would notate on a report as well.
150
00:11:34,430 --> 00:11:39,830
We can look through and you can see what types of attacks this might be vulnerable to.
151
00:11:39,890 --> 00:11:45,860
So one, if you're looking through, there's this Apache here that says remote denial of service.
152
00:11:45,890 --> 00:11:49,220
Well, typically denial of service is out of scope when we're doing a pen test.
153
00:11:49,220 --> 00:11:52,890
So we're not interested in that. Possible code execution,
154
00:11:53,000 --> 00:11:55,370
so maybe interested in that.
155
00:11:55,370 --> 00:12:04,340
We are also potentially interested in an overflow and rewrite, and this one says this is vulnerable to
156
00:12:04,370 --> 00:12:11,120
a remote buffer overflow, remote being important, which may allow a remote shell. So remote,
157
00:12:11,120 --> 00:12:12,710
meaning we do not have to be local.
158
00:12:12,710 --> 00:12:15,460
So I skipped over this one where you see local.
159
00:12:15,560 --> 00:12:22,080
This one is remote, meaning we can run that against a site sitting in our pajamas in our house.
160
00:12:22,090 --> 00:12:25,800
And that site's running somewhere else and we can do this all remotely.
161
00:12:26,540 --> 00:12:29,960
So immediately it's found potential vulnerabilities.
162
00:12:29,990 --> 00:12:35,150
So you've got this potential mod_ssl vulnerability, and it's come down here and it's looking at some
163
00:12:35,150 --> 00:12:41,180
other things. You could see that this TRACE method is active. Now, we still haven't gotten into a web
164
00:12:41,180 --> 00:12:41,390
app.
165
00:12:41,390 --> 00:12:46,850
So we really don't need to talk about it too much, but TRACE is potentially vulnerable when you have something
166
00:12:46,850 --> 00:12:52,310
like cross-site scripting, which you see up here, and that could lead to something called cross-site
167
00:12:52,340 --> 00:12:54,560
tracing, but you kind of need both of those.
168
00:12:54,590 --> 00:12:57,050
But again, that's just informational at this point.
169
00:12:57,050 --> 00:12:59,560
You don't have to really be taking notes on that.
170
00:12:59,690 --> 00:13:00,740
So we're coming through.
171
00:13:00,740 --> 00:13:03,710
It does a little bit of directory busting for us.
172
00:13:04,100 --> 00:13:12,470
So what that means is it's just going to come through here and it's going to run, like, a wordlist, and
173
00:13:12,470 --> 00:13:16,000
that wordlist might have, like, admin, usage, manual,
174
00:13:16,010 --> 00:13:16,300
Right.
175
00:13:16,310 --> 00:13:18,040
test.php.
176
00:13:18,080 --> 00:13:21,950
It's got all these different items that it found doing this wordlist.
177
00:13:21,950 --> 00:13:24,910
Now we're going to do a little bit of directory busting here in a second.
178
00:13:25,160 --> 00:13:33,260
So we'll save this scan, and we'll keep this in our notes, and we'll refer back to it here in a little
179
00:13:33,260 --> 00:13:34,260
bit.
180
00:13:34,400 --> 00:13:40,700
But what we need to know is we can alt-tab and we can get our text editor, and we could say something
181
00:13:40,700 --> 00:13:45,560
about, let's just copy and paste this line here, that potentially this mod_ssl is vulnerable.
182
00:13:45,560 --> 00:13:46,520
So let's copy that
183
00:13:49,420 --> 00:13:53,470
and we'll put that into our text editor, and we'll make that as a note.
184
00:13:54,130 --> 00:13:58,600
So we're still doing enumeration; we're not going to do any exploitation till we get
185
00:13:58,600 --> 00:14:00,570
to the exploitation stage.
186
00:14:00,610 --> 00:14:07,030
So what we would do typically is we'll save this out to a file, so you might want to, like, copy all
187
00:14:07,030 --> 00:14:08,800
this right here to show what you ran.
188
00:14:09,340 --> 00:14:11,770
And if I could copy, that would be really useful.
189
00:14:11,770 --> 00:14:18,670
So you copy this, and you would just make maybe a directory, and you can call this Kioptrix, and
190
00:14:18,670 --> 00:14:25,660
then we can cd into Kioptrix, and then you could say gedit nikto.txt, and then
191
00:14:25,660 --> 00:14:27,040
you have your Nikto scan saved.
192
00:14:27,070 --> 00:14:32,260
So this is part of being a good pentester, is saving all of your scans and having them available in case
193
00:14:32,290 --> 00:14:33,720
you need to go back for notes.
194
00:14:33,850 --> 00:14:35,500
So we'll save that.
195
00:14:35,500 --> 00:14:38,900
And then what we're going to do is we're going to pause here.
196
00:14:38,980 --> 00:14:45,400
We're going to call this Part 1, and then we'll go into Part 2 and talk a little bit more about directory
197
00:14:45,400 --> 00:14:50,440
busting and look at some other enumeration features that we have for this, and then we'll start focusing
198
00:14:50,440 --> 00:14:55,640
on other ports and really enumerate this box thoroughly before we work on exploitation.
199
00:14:55,660 --> 00:15:00,280
So I will catch you over in Part 2 of this video, and I'll see you when you get over there.