1
00:00:00,590 --> 00:00:01,850
OK, so let's get to it.

2
00:00:02,260 --> 00:00:09,890
NSE is activated with the -sC option, or --script if you wish to specify a custom set of scripts.

3
00:00:10,400 --> 00:00:16,070
Script scanning is normally done in combination with a port scan because scripts may be run or not run,

4
00:00:16,070 --> 00:00:18,440
depending on the port states found by the scan.

5
00:00:20,260 --> 00:00:25,270
You can use -sC to perform a script scan using the default set of scripts.

6
00:00:25,900 --> 00:00:29,230
It is equivalent to --script=default.

7
00:00:30,440 --> 00:00:32,450
Now, wait a second. What is this "default"?

8
00:00:32,780 --> 00:00:36,650
Well, it is one of the categories of Nmap scripts.

9
00:00:37,430 --> 00:00:37,940
Let me show you.

10
00:00:39,310 --> 00:00:44,350
Nmap Scripting Engine (NSE) scripts define a list of categories that they belong to.

11
00:00:44,860 --> 00:00:50,290
So currently defined categories are auth, broadcast, brute, default,

12
00:00:51,240 --> 00:00:58,890
discovery, dos, exploit, external, fuzzer, intrusive, malware,

13
00:00:59,280 --> 00:01:06,150
safe, version and vuln. Category names are not case sensitive. So let me give you a little detail.

14
00:01:06,270 --> 00:01:13,740
Default scripts are the default set and are run when using the -sC option rather than listing scripts with

15
00:01:14,010 --> 00:01:14,400
--script.

16
00:01:15,330 --> 00:01:21,030
This category can also be specified explicitly like any other using --script=default.

17
00:01:22,590 --> 00:01:29,760
Auth scripts deal with authentication credentials or, coincidentally, bypassing them on the target system.

18
00:01:30,390 --> 00:01:33,450
Examples include oracle-enum-users.

19
00:01:35,120 --> 00:01:41,990
Brute scripts use brute force attacks to guess authentication credentials of a remote server, and Nmap contains

20
00:01:41,990 --> 00:01:46,850
scripts for brute forcing dozens of protocols, including http-brute,
21
00:01:47,030 --> 00:01:47,420
oracle-brute,

22
00:01:47,690 --> 00:01:48,470
snmp-brute,

23
00:01:48,980 --> 00:01:55,040
etc. Dos scripts may cause a denial of service.

24
00:01:55,790 --> 00:02:01,700
Sometimes this is done to test vulnerability to a denial of service method, but more commonly it's

25
00:02:01,700 --> 00:02:07,250
an undesired but necessary side effect of testing for a traditional vulnerability.

26
00:02:08,030 --> 00:02:11,180
These tests sometimes crash vulnerable services.

27
00:02:12,580 --> 00:02:18,640
Exploit scripts aim to actively exploit some vulnerability.

28
00:02:19,420 --> 00:02:27,190
Examples include http-shellshock. Now, scripts which weren't designed to crash services, use large amounts

29
00:02:27,190 --> 00:02:33,760
of network bandwidth or other resources, or exploit security holes are usually categorized as

30
00:02:33,760 --> 00:02:34,240
safe.

31
00:02:35,660 --> 00:02:42,140
Intrusive scripts are those that cannot be classified in the safe category because the risks are just

32
00:02:42,140 --> 00:02:44,810
too high that they're going to crash the target system,

33
00:02:44,900 --> 00:02:52,070
use up significant resources on the target host, such as bandwidth or CPU time, or otherwise be perceived

34
00:02:52,070 --> 00:02:54,620
as malicious by the target system administrators.

35
00:02:56,090 --> 00:03:03,170
Malware scripts test whether the target platform is infected by malware or backdoors.

36
00:03:04,700 --> 00:03:11,930
Version scripts are an extension to the version detection feature and cannot be selected explicitly;

37
00:03:12,680 --> 00:03:20,870
they're selected to run only if version detection (-sV, uppercase V) was requested. And vuln scripts

38
00:03:21,650 --> 00:03:26,600
check for specific known vulnerabilities and generally only report results if they're found.
39
00:03:27,020 --> 00:03:33,590
You can alternatively use the --script parameter to run a script scan using a comma-separated list of file

40
00:03:33,590 --> 00:03:35,810
names, script categories and directories.

41
00:03:36,650 --> 00:03:42,860
Each element in the list may also be a Boolean expression describing a more complex set of scripts.

42
00:03:43,310 --> 00:03:49,460
For example, if you use the --script parameter with the expression "default and safe", the scripts which

43
00:03:49,460 --> 00:03:53,680
are in both the default and safe categories run. That makes sense.

44
00:03:56,480 --> 00:04:03,980
The --script-updatedb option updates the script database found in scripts/script.db, which is

45
00:04:03,980 --> 00:04:09,380
used by Nmap to determine the available default scripts and categories. It's only necessary to update

46
00:04:09,380 --> 00:04:16,070
the database if you have added or removed NSE scripts from the default scripts directory, or if you've

47
00:04:16,070 --> 00:04:17,630
changed the categories of any script.

48
00:04:18,510 --> 00:04:20,640
This option is used by itself, without arguments.

49
00:04:21,900 --> 00:04:25,170
OK, so let's see some of these scripts and try to use them.

50
00:04:28,440 --> 00:04:30,150
Open a terminal screen in Kali.

51
00:04:31,220 --> 00:04:37,250
To find out the scripts, use the locate command. Since the file extension of Nmap scripts

52
00:04:37,250 --> 00:04:42,770
is .nse, type locate *.nse and hit Enter.

53
00:04:43,340 --> 00:04:45,980
It'll locate the files which end with .nse.

54
00:04:46,670 --> 00:04:49,820
This is where the Nmap scripts are located in Kali by default.

55
00:04:50,480 --> 00:04:56,420
Go to the folder using the cd command. I select the path and press the middle button of my mouse to

56
00:04:56,420 --> 00:04:58,670
copy and paste it, and hit Enter.

57
00:04:59,090 --> 00:05:00,100
Now let's look at the script.db
58
00:05:00,290 --> 00:05:03,650
file first, which is the script database used by Nmap.

59
00:05:04,370 --> 00:05:05,360
It's in this folder.

60
00:05:06,350 --> 00:05:10,310
I use the less command to look at the content of the file.

61
00:05:11,210 --> 00:05:17,780
Every row contains a script file name and its categories, so now we can see the usage of Nmap

62
00:05:17,780 --> 00:05:18,200
scripts.

63
00:05:18,950 --> 00:05:25,170
I want to try SSH scripts on my Metasploitable VM first, with the help of the Linux grep command.

64
00:05:25,190 --> 00:05:28,310
Once again, I want to list the SSH scripts.

65
00:05:29,240 --> 00:05:32,660
Here are the scripts that have the word "ssh" in their names.

66
00:05:33,660 --> 00:05:36,810
To analyze the content of a script, I use the less command.

67
00:05:37,350 --> 00:05:43,620
Now let's look at a file, for example, ssh-hostkey.nse. The script file has a description,

68
00:05:45,510 --> 00:05:48,330
a usage section and many more lines.

69
00:05:48,720 --> 00:05:53,370
I want to show you the category section of the script. In the less command, you can use the slash key

70
00:05:53,370 --> 00:05:57,810
to search for a word. Press slash, type "cate" and hit Enter.

71
00:05:58,720 --> 00:06:01,690
Here it found "cate" in the word "duplicate".

72
00:06:02,900 --> 00:06:04,670
This is not what we're looking for.

73
00:06:05,060 --> 00:06:11,060
So press the n key to find the next "cate" word. Again, "duplicate". Press n once again.

74
00:06:11,930 --> 00:06:13,940
And we found the category section.

75
00:06:15,070 --> 00:06:21,280
Alternatively, you can use the --script-help Nmap parameter to get help about an Nmap script.

76
00:06:21,760 --> 00:06:23,020
Type nmap

77
00:06:23,930 --> 00:06:25,340
--script-help

78
00:06:26,520 --> 00:06:29,970
and then the script name. The file extension is optional here.

79
00:06:30,390 --> 00:06:32,100
It's OK if you don't use the extension.
80
00:06:33,060 --> 00:06:39,300
Here's a brief summary of the ssh-hostkey script: the script name, a link to learn more about it, and the

81
00:06:39,300 --> 00:06:40,350
description of the script.

82
00:06:41,160 --> 00:06:44,310
Now, look at the description of the ssh-hostkey script.

83
00:06:44,940 --> 00:06:51,390
It shows the target SSH server's key fingerprint and, with a high enough verbosity level, the public

84
00:06:51,390 --> 00:06:52,140
key itself.

85
00:06:53,070 --> 00:06:56,640
Now, let's run a few Nmap commands and use some scripts.

86
00:06:57,240 --> 00:07:00,450
Prepare the Nmap command: TCP SYN scan.

87
00:07:02,770 --> 00:07:05,590
Don't forget to find the port of your interest.

88
00:07:06,340 --> 00:07:11,560
First, I want to run the default SSH scripts using the -sC parameter.

89
00:07:12,460 --> 00:07:15,850
ssh-hostkey is the default script for the SSH service.

90
00:07:16,330 --> 00:07:22,570
And here are the target SSH server's key fingerprints. In the description of the script, we saw that

91
00:07:22,570 --> 00:07:28,630
if the verbosity level is high enough, the script will show the public key itself. To see it,

92
00:07:29,320 --> 00:07:37,090
I want to run the Nmap command again, but this time I use -vv to increase the verbosity level.

93
00:07:39,500 --> 00:07:42,770
Now we have the public keys as well as the fingerprints.