1
00:00:01,220 --> 00:00:08,210
Welcome back, and in this video I want to show you something that you will do every time you perform

2
00:00:08,210 --> 00:00:13,460
a penetration test. I want to show you how to manually search for vulnerabilities.

3
00:00:13,910 --> 00:00:15,980
And this is something that you will do a lot.

4
00:00:16,280 --> 00:00:19,520
You will use this more than any other tool that we covered.

5
00:00:20,780 --> 00:00:29,780
So what vulnerability analysis is, is us simply Googling the vulnerabilities. For example, suppose

6
00:00:29,780 --> 00:00:36,130
we are attacking a target, and right here I just performed the version scan for the Metasploitable machine.

7
00:00:36,140 --> 00:00:40,430
But this is our target, and we just performed this version scan.

8
00:00:41,060 --> 00:00:45,130
We got these different ports open and different versions.

9
00:00:45,980 --> 00:00:49,310
How do we know if they are vulnerable without using any tool?

10
00:00:50,300 --> 00:00:55,370
Well, what we can do is we can copy the name of the version that is running on an open port.

11
00:00:56,350 --> 00:01:03,430
Then go to Google and just paste that name and add "exploit".

12
00:01:06,060 --> 00:01:12,930
And here it is, we're already getting some response back: Python exploit for this version, which is

13
00:01:12,930 --> 00:01:20,970
the exact version the target displays, has the feed, the exact version that we have: Backdoor Command

14
00:01:20,970 --> 00:01:21,720
Execution.

15
00:01:22,320 --> 00:01:28,050
And what you would do is you would just go to these links and try to find the exploit for it.

16
00:01:29,140 --> 00:01:32,400
Down here, we already see that an exploit already exists.

17
00:01:34,000 --> 00:01:39,160
For which platform it is, we can see right here, the source code if we want to.

18
00:01:40,920 --> 00:01:46,200
And here it is, the exploit is coded in Python in this case, and...
19
00:01:47,140 --> 00:01:50,080
This is how you would do most of your vulnerability analysis.

20
00:01:50,390 --> 00:01:56,230
We also get the module options, and what these module options are is something that we'll be covering in the

21
00:01:56,230 --> 00:01:57,170
exploitation section.

22
00:01:58,150 --> 00:02:00,820
This is how we can exploit the target using tools.

23
00:02:01,580 --> 00:02:03,410
We're going to cover that shortly. For now,

24
00:02:03,670 --> 00:02:06,550
this is the way that you can find out how to exploit the target.

25
00:02:07,120 --> 00:02:12,790
You just go through a bunch of links and see whether someone already came up with the exploit for that

26
00:02:12,790 --> 00:02:18,310
specific version, in this case for the vsftpd 2.3.4 version.

27
00:02:18,850 --> 00:02:21,640
And you would do this for any version that you discover.

28
00:02:22,330 --> 00:02:27,520
For example, you can go right here, Apache httpd, and copy the version.

29
00:02:27,640 --> 00:02:32,140
Make sure that you copy the number as well, which in our case is 2.2.8.

30
00:02:32,920 --> 00:02:37,950
Then go and paste the name of that version and "exploit".

31
00:02:38,710 --> 00:02:42,820
And here we are, we get the output: security vulnerabilities.

32
00:02:42,830 --> 00:02:50,800
If we click on it, we can see all of the vulnerabilities that this version of Apache has right here.

33
00:02:50,800 --> 00:02:55,240
We can see which score they have, and the higher the score, the stronger the vulnerability.

34
00:02:55,540 --> 00:03:01,330
Right here we can see the vulnerability ID which, remember from the last video I told you, this format

35
00:03:01,540 --> 00:03:07,870
is used for vulnerabilities and you will see it a lot, and we can see all the vulnerabilities that it

36
00:03:07,870 --> 00:03:08,190
has.

37
00:03:09,010 --> 00:03:12,450
This one particularly we are really interested in. Why?
38
00:03:12,610 --> 00:03:19,360
Well, because it has this score 10, that means that it is a really strong vulnerability, most likely

39
00:03:19,360 --> 00:03:22,330
execution of code or remote access to the target.

40
00:03:22,840 --> 00:03:26,830
And it indeed is, it says right here: code execution.

41
00:03:27,460 --> 00:03:28,780
And if you click on it,

42
00:03:30,240 --> 00:03:32,610
you can see what this vulnerability does.

43
00:03:33,940 --> 00:03:41,710
You can see confidentiality impact is complete, integrity impact complete, availability impact complete.

44
00:03:42,070 --> 00:03:45,070
There is a total shutdown of the affected resource.

45
00:03:45,340 --> 00:03:47,860
The attacker can render the resource completely unavailable.

46
00:03:48,190 --> 00:03:50,860
So this also seems like some kind of a DoS attack.

47
00:03:51,340 --> 00:03:58,840
And down here, we can see that this will most likely work only for Windows, as I'm noticing Windows

48
00:03:59,020 --> 00:04:02,400
right here, a lot of Windows right here, Windows right here.

49
00:04:02,590 --> 00:04:07,150
Now, of course, you would read through this a bit more in detail, but for now, this doesn't

50
00:04:07,150 --> 00:04:13,450
seem like an exploit that would work on our Metasploitable, because it is running on Linux.

51
00:04:13,630 --> 00:04:17,540
And this is what you would do most of your time researching for vulnerabilities.

52
00:04:18,140 --> 00:04:19,270
This is how you find them.

53
00:04:19,570 --> 00:04:24,400
And then you search for the exploit created by someone else that you can use to exploit the target.

54
00:04:25,470 --> 00:04:33,990
Another thing that you can do is you can use a tool inside of Kali called searchsploit, and searchsploit,

55
00:04:34,200 --> 00:04:36,570
if I type that with --help,
56
00:04:37,770 --> 00:04:43,500
simply takes the input of the version of software and then it searches through Kali's database,

57
00:04:43,680 --> 00:04:49,080
through all of the exploits that Kali has, and tries to find an exploit that will work for that specific

58
00:04:49,080 --> 00:04:49,360
version.

59
00:04:50,280 --> 00:04:55,420
Right here, we have some usage examples, but we don't need to perform these complicated commands.

60
00:04:55,440 --> 00:04:58,560
All we can do is copy, for example, some version.

61
00:04:58,800 --> 00:05:05,310
Let's say we copy this version of software, UnrealIRCd, and copy this.

62
00:05:05,790 --> 00:05:13,680
And what we can do once we copy that version is type searchsploit and then paste the version name, and we

63
00:05:13,680 --> 00:05:14,430
get the result.

64
00:05:15,090 --> 00:05:15,700
It will tell us,

65
00:05:15,720 --> 00:05:19,980
right here, there are already some existing exploits for the UnrealIRCd.

66
00:05:20,250 --> 00:05:22,860
We also get which version the exploits are for.

67
00:05:23,520 --> 00:05:25,860
One of them is Backdoor Command Execution.

68
00:05:26,100 --> 00:05:28,700
The second one is Local Configuration Stack Overflow.

69
00:05:29,040 --> 00:05:37,350
We also get the Denial of Service exploit, and on the right side we get the path to those exploits right

70
00:05:37,350 --> 00:05:37,710
here.

71
00:05:37,740 --> 00:05:43,290
This one is under linux/remote and it is named 16922.rb.

72
00:05:43,920 --> 00:05:46,620
And this .rb simply stands for Ruby.

73
00:05:46,980 --> 00:05:49,260
This is coded in the Ruby language.

74
00:05:50,130 --> 00:05:53,220
One of them is for Windows, one of them is for Linux.

75
00:05:53,550 --> 00:05:58,020
Since we're running Metasploitable, we would only be interested in the Linux exploits.

76
00:05:58,740 --> 00:06:02,460
So let's try to navigate here, how we can find this exploit.
77
00:06:03,000 --> 00:06:05,010
Well, we can copy the name of the exploit

78
00:06:06,210 --> 00:06:15,090
and use the locate command to find where exactly this exploit is located on our machine, and it is in this

79
00:06:15,090 --> 00:06:16,320
path right here.

80
00:06:17,260 --> 00:06:26,050
So you can copy to this directory, cd and then paste the directory name, and if I were to nano

81
00:06:26,050 --> 00:06:34,270
16922.rb, this will open the exploit that we would use to attack that UnrealIRCd open

82
00:06:34,270 --> 00:06:34,660
port.

83
00:06:34,840 --> 00:06:37,760
As we can see, it also tells us that this is a backdoor program.

84
00:06:38,410 --> 00:06:44,170
This file is also part of the Metasploit framework, and Metasploit is one of the biggest tools that we are

85
00:06:44,170 --> 00:06:45,670
going to cover in the next section.

86
00:06:46,020 --> 00:06:51,430
We'll cover all of the basics of it, and we will also cover how we can run exploits and attack different

87
00:06:51,430 --> 00:06:54,250
machines using the Metasploit framework.

88
00:06:55,000 --> 00:06:55,670
OK, cool.

89
00:06:56,560 --> 00:07:00,720
We found an exploit for this specific software using searchsploit.

90
00:07:01,000 --> 00:07:05,340
So now we know we got an exploit for that version of software that we have on Metasploitable.

91
00:07:05,710 --> 00:07:11,410
So this is usually how you would perform most of your vulnerability analysis: you either use tools like

92
00:07:11,590 --> 00:07:18,100
searchsploit, or you manually try to find an exploit on Google to see whether anyone has exploited it before.

93
00:07:18,220 --> 00:07:20,410
And if they have, how did they do that?

94
00:07:21,190 --> 00:07:27,400
You would also use Nmap scripts sometimes, but I personally rarely use Nmap scripts for vulnerability

95
00:07:27,400 --> 00:07:27,940
analysis.
96
00:07:28,630 --> 00:07:33,400
And the last tool that we are going to cover for the vulnerability analysis is going to be Nessus,

97
00:07:33,430 --> 00:07:35,140
which we will see in the next section.

98
00:07:35,410 --> 00:07:40,160
That tool is huge and you will use it a lot in your vulnerability analysis.

99
00:07:40,600 --> 00:07:41,140
See you there.