[00:00:00] Let's talk about this scan before we dive into any enumeration. So in this scan here we've got these open ports. We've got 22 with SSH, and we've got 80 and 443, which are hosting websites, and then we've got 139, which has got a file share with Samba on it. And then you've got 111 and 32768, which are our RPC and related to the SMB.

[00:00:24] So we need to think about point of attack as an attacker. Now, when I see this scan, I light up with 80 and 443, and I light up with 139, and sometimes you'll see 445 with it as well. I light up from those because those are commonly found with exploits. If we think back about all of the exploits that have been out there for a website, for example, or if we think to Samba or SMB-related exploits just recently (right now it's recording in 2019), in 2017 there was malware that went around called WannaCry, and that was based off of something called EternalBlue, also known as MS17-010. It was a pretty wicked exploit that utilized a flaw in SMB. SMB has been historically bad and websites have been historically bad.

[00:01:21] Now, when we see something like port 22, port 22 is SSH, and historically it hasn't really been that bad. Now we can try attacks against it, like brute force attacks.
[00:01:33] We can try something like default credentials, or root/toor on it, for example. But when we look at it, we can maybe enumerate the version, but there's not usually what we call remote code execution on SSH. Remote code execution being that we can run an exploit against it and get something called a shell back, and we'll talk more about that when we get into the exploitation section. But for now, just know that it's not really common to attack SSH. So when I see SSH open, we can do some things at it, but when we talk about low-hanging fruit, and that's really what we're after as an attacker, we're gonna see what's juiciest first and kind of go from there.

[00:02:13] So you'll develop your own methodology over time, but I'm going to drill into your head at least my methodology, why I do things, and there will be several videos of walkthrough machines in this course. So you're gonna get to see this over and over and over, and I'm just going to explain my methodology repeatedly so that you can get introduced to new tools and new ideas and ways of thinking.

[00:02:37] So from here, I do want to dive into my first thought process, which is I want to investigate port 80 and 443. I would either, here, I would do 80/443, or I'd go right after 139, so we'll do 80/443 and start working towards those. Now let's go ahead and just do the first step.
[00:02:58] This is always my first step: if I see a website, I'm just going to go out to the website. So I'm going to go ahead and just copy this here, and I'm also going to go into the little hamburger and go to my preferences. I have not turned off my Burp Suite settings, and it's possible that if you're just following along, you haven't turned it off either. So go ahead and just select "Use system proxy settings" and we'll just say OK, and now we should be able to navigate to our website. I'll just open up a new tab, just in case there's something like this. Good, that worked. And then we'll do the HTTPS version, because there's also 443. You might get something saying your connection isn't secure. Just go ahead and say Advanced and Add Exception here, confirm it, and you'll see this. OK.

[00:03:48] So what we have here on both of these is we have a default web page. Now, when we talk about performing a network penetration test or even a web application penetration test, if we see a default web page like this, this is an automatic finding. Now, why is this a finding? Is it exploitable? No, not really. But it tells us a little bit of something about the architecture that's running behind the scenes, and it tells us a little bit about the client's potential hygiene. So if we see this, well, we know that it's running Apache.
[00:04:28] We know that potentially the box is running Red Hat Linux, and we're just getting ideas of what's going on behind the scenes. More so, if a client is running a default web page, it brings up two questions. One: are there other web directories behind this? So we'll show you something here in a second where we do directory busting and attempt to find a directory. Like, say we're looking at this and we have them click on, you know, /ab, and maybe that directory is there. OK. Are they hosting a website somewhere else that's just not at this IP address on this base? Or maybe they aren't hosting any website and they just left 443 and 80 open for no reason and put those default web pages out there.

[00:05:16] Now, when you think about that, that signals to an attacker poor hygiene, and I'm gonna think to myself as an attacker, if a company or a client is willing to just put this out there willy-nilly, what else are they doing? What potential vulnerabilities might they have if they're doing this? So this immediately signals poor hygiene. We would write this up on a test, and I'm going to show you guys my notes.
[00:05:42] Once we kind of get towards the end of the enumeration. So make sure you're taking good notes, and we can do that in like a little notepad here, and kind of what we're doing. I think this is useful, and then I'll make a nice little KeepNote, or you can make a CherryTree and make your own notes of this, and we'll show you what it looks like toward the end of the enumeration. But we can say something like "80, 443," and then you can put the IP address. And sometimes people like to put notes like what time they did this, so you could see up here it's 22:58, or 10:58 p.m., nighttime, and we could take that and we can just say "default web page," and we can say "Apache," and we could tell that it's running potentially PHP, and we'll get behind this as well.

[00:06:32] And we just have these little notes so we know that we navigated to it, right? At least this is part of the enumeration here, and you don't have to timestamp everything. I'm just giving you that for an example. But we can see that it's running this default web page, so we have a default web page. There's nothing really for us to click on. I mean, we've got the documentation we can go to. It looks like the manual might be here, and this here, we just clicked on a link and it was a bad link. Now this is also what's called information disclosure.
[00:07:05] So this will be another one to bring up, but we see here that we have an error page, and this error page is saying, hey, it's not found. Now this is typical of what's called a 404, and when you see a 404, you think, OK, it usually redirects you to a page, it's like, hey, we can't find this. This is giving us a little bit more information than we should be getting. We're seeing here that we're getting Apache version 1.3.20. So now, if we didn't know already, we do know that we're running Apache 1.3.20, and we got a hostname here, kioptrix.level1; that is internal information, a hostname, right? So we can get a naming convention out of a client. We could potentially know how they are utilizing naming conventions on their internal networks. And we've got some version enumeration, or information disclosure.

[00:08:00] So this would be a screenshot as well that we would take a picture of. And you can also notate that in your notes and say something like, you'd say "information disclosure," and then you could say something like "404 page," and then you would just have your notes or a screenshot of this, and then that would indicate to you what you can write up on the report and kind of where you've found it.
[00:08:37] So we can click around on this page, or we can do a little bit of what I like to do, which is vulnerability scanning. So I'm going to introduce you to another tool, which is called Nikto. So let's open up a new tab, and close these two tabs out if you've got extra tabs like I do, and this tool is called Nikto. It's just like this. So Nikto is what is known as a web vulnerability scanner. This is a great tool when you're learning the beginning stuff, when you're practicing against VulnHub or you're practicing on a CTF or something like Hack The Box, which I haven't introduced you to yet, but it will help you do vulnerability scanning against a website.

[00:09:24] The issue is that if the website is running good security, you might run into some issues with that, and it might actually auto-block it if it detects Nikto scans. Not always; very commonly that's not the case, but if they've got good security or a good web application firewall, it might actually block these scans, so you have to kind of be wary when you use it and really use your hunch.
[00:09:49] If you think that this client is using a web application firewall or not, and you'll really get a feel for the client just as you gain more practice, and once you're getting in there and you're starting to notice vulnerabilities or not, you kind of understand whether or not they're running something like that.

[00:10:03] So from here, we're just gonna say nikto, and you can always do a --help, but it's pretty straightforward. All we're gonna do is say a -h for host, and then we're just gonna say something like https:// and then we'll just paste our address, something like this, and that one did not work. So let's go ahead and try http and see. There we go. For some reason it's not picking up the SSL on this, so I'm not sure why it's not discovering, but now we can see our scan's kicking back, and immediately we can see that it's doing some detections here. It's detecting that the server Apache 1.3.20 is running. It sees this mod_ssl with OpenSSL. It's giving us some vulnerabilities back. It's telling us what is missing in terms of protections.

[00:10:57] Now, these protection headers, if we're doing an external penetration test, not really that important; if we're doing a web app penetration test, these become more important, but we don't have to worry about them right now.
[00:11:09] So when we come through, we keep looking, and we see Apache 1.3.20 appears to be outdated. OK, mod_ssl appears to be outdated, OpenSSL appears outdated. These are all findings, depending on how outdated it is. A 1.3.20 to a 2.4.37 is pretty outdated. So these would be findings that we would notate on a report as well. We can look through and you can see what types of attacks this might be vulnerable to. So one, if you're looking through, there's this Apache here that says remote denial of service. Well, typically denial of service is out of scope when we're doing a pentest, so we're not interested in that. Possible code execution, so maybe interested in that. We are also potentially interested in an overflow in mod_rewrite, and this one says this is vulnerable to a remote buffer overflow, remote being important, which may allow remote shell. So remote, meaning we do not have to be local. So I skipped over this one where you see local. This one is remote, meaning we can run that against a site sitting in our pajamas in our house, and that site's running somewhere else, and we can do this all remotely. So immediately it's found potential vulnerabilities.
[00:12:29] So you've got this potential mod_ssl vulnerability, and it's come down here and it's looking at some other things. You could see that this TRACE method is active, and we still haven't gotten into a web app, so we really don't need to talk about it too much, but TRACE is potentially vulnerable when you have something like cross-site scripting, which you see up here, and that could lead to something called cross-site tracing, but you kind of need both of those. But again, that's just informational at this point. You don't have to really be taking notes on that.

[00:12:59] So we're coming through. It does a little bit of directory busting for us. So what that means is it's just going to come through here and it's going to run like a wordlist, and that wordlist might have like admin, usage, manual, right? test.php. It's got all these different items that it found doing this wordlist. Now we're going to do a little bit of directory busting here in a second. So we'll save this scan and we'll keep this in our notes, and we'll refer back to it here in a little bit. But what we need to know is we can Alt-Tab and we can get our text editor, and we could say something about, let's just copy and paste this line here, that potentially this mod_ssl is vulnerable.
[00:13:45] So let's copy that, and we'll put that into our text editor, and we'll make that as a note. So we're still doing enumeration; we're not going to do any exploitation till we get to the exploitation stage. So what we would do typically is we'll save this out to a file, so you might want to like copy all this right here to show what you ran. And if I could copy, that would be really useful. So you copy this, and you would just make maybe a directory, and you can call this "kioptrix," and then we can cd into kioptrix, and then you could say gedit nikto.txt, and then you have your Nikto scan saved. So this is part of being a good pentester: saving all of your scans and having them available in case you need to go back for notes. So we'll save that.

[00:14:35] And then what we're going to do is we're going to pause here. We're going to call this part 1, and then we'll go into part 2 and talk a little bit more about directory busting and look at some other enumeration features that we have for this, and then we'll start focusing on other ports and really enumerate this box thoroughly before we work on exploitation. So I will catch you over in part 2 of this video, and I'll see you when you get over there.