1 00:00:01,020 --> 00:00:06,610 OK, that was loading for over an hour, but it is finally over.
2 00:00:06,660 --> 00:00:14,250 So we are ready to explore Nessus. It is pretty simple to use. Your page should be blank since you
3 00:00:14,250 --> 00:00:15,990 haven't performed any scan yet.
4 00:00:16,620 --> 00:00:20,880 So we can click right here on this X button just to see this page better.
5 00:00:21,330 --> 00:00:24,900 And all you want to do from here is go to the New Scan button.
6 00:00:26,210 --> 00:00:33,020 Right here, we will see all of the available options that we can use for our scans, so we got Basic
7 00:00:33,020 --> 00:00:37,380 Network Scan, as it says, a full system scan suitable for any host.
8 00:00:38,000 --> 00:00:44,600 We got the Advanced Scan, configure a scan without using any recommendations, and we got a bunch of
9 00:00:44,600 --> 00:00:45,500 the other options.
10 00:00:45,720 --> 00:00:51,860 And for some of them, we need the Nessus Professional version in order to use them, such as this one, this
11 00:00:51,860 --> 00:00:55,920 one, this one, and all of these that have the upgrade on them.
12 00:00:56,590 --> 00:00:59,540 Now, as I already talked about, with Nessus Essentials
13 00:00:59,780 --> 00:01:04,640 we're only going to be able to scan local IP addresses. Inside of a company,
14 00:01:04,790 --> 00:01:08,460 you could use this tool to scan their networks for vulnerabilities.
15 00:01:09,290 --> 00:01:17,150 However, you cannot scan an external IP address with this. Scanning a website is not going to work unless
16 00:01:17,150 --> 00:01:18,430 it's inside of your network.
17 00:01:19,330 --> 00:01:26,380 Another thing to remind you is that we can scan with the free version up to 16 IP addresses, and if
18 00:01:26,380 --> 00:01:30,620 I'm not mistaken, those 16 IP addresses clear after 90 days.
19 00:01:30,640 --> 00:01:35,790 So after 90 days, you will be able to scan more IP addresses, but I'm not sure about that.
20 00:01:36,370 --> 00:01:41,920 And if you have the free version and you have more than 16 targets, you will have to scan that network
21 00:01:41,920 --> 00:01:43,680 with multiple Nessus scans.
22 00:01:44,230 --> 00:01:51,310 So scanning big enterprise networks for big companies will require the Nessus Professional version.
23 00:01:51,830 --> 00:01:58,300 But what we want to do here, to learn Nessus and how to use it, we want to go on to the Basic Network
24 00:01:58,300 --> 00:01:58,600 Scan.
25 00:01:59,630 --> 00:02:06,830 And this basic scan will require us to specify some options. Now, for our first scan, we will be scanning Metasploitable
26 00:02:06,980 --> 00:02:07,550 only.
27 00:02:08,840 --> 00:02:10,640 So turn it on.
28 00:02:10,670 --> 00:02:14,610 If you haven't already, check out the IP address of Metasploitable.
29 00:02:14,630 --> 00:02:17,660 In my case, it is 192.168.1.4.
30 00:02:18,750 --> 00:02:25,200 And once you do that, we can proceed to specify our options. In the General tab, under the name, you
31 00:02:25,200 --> 00:02:26,760 could specify anything you want.
32 00:02:26,790 --> 00:02:31,110 I will simply just type Metasploitable. Under the description,
33 00:02:31,140 --> 00:02:32,590 I will just leave this empty.
34 00:02:32,610 --> 00:02:34,310 There is nothing really to specify here.
35 00:02:34,650 --> 00:02:36,360 You can put anything you want here,
36 00:02:36,360 --> 00:02:42,260 just so you can recognize which type of scan you did and on which target you did it. In the folder,
37 00:02:42,390 --> 00:02:48,900 we will leave it on My Scans, and in the targets we specify the IP address of our target machine. Since
38 00:02:48,900 --> 00:02:50,760 right now we are only scanning one machine,
39 00:02:50,970 --> 00:02:53,490 we will specify the IP address of Metasploitable.
40 00:02:54,090 --> 00:02:57,870 But if you were to scan a network, you would specify something like this:
41 00:02:58,140 --> 00:03:03,990 192.168.1.1/24, in case it is a /24 network.
42 00:03:04,170 --> 00:03:06,720 I believe you can also specify it like this:
43 00:03:06,720 --> 00:03:10,440 192.168.1.1-255.
44 00:03:11,010 --> 00:03:17,490 But right now let us just go with our Metasploitable, and with the free version we can't even scan two hundred
45 00:03:17,490 --> 00:03:18,570 and fifty-five hosts.
46 00:03:18,990 --> 00:03:21,000 Remember, we can only scan 16.
47 00:03:22,050 --> 00:03:27,840 Once you specify this, we want to proceed to the Schedule tab, and this Schedule tab is useful
48 00:03:27,840 --> 00:03:32,760 once you want to schedule your scans at a certain period of time, or you just want to schedule a scan
49 00:03:32,760 --> 00:03:35,050 while you're doing something else on the side.
50 00:03:35,610 --> 00:03:39,110 For now, we're going to leave it off. Under the Notifications,
51 00:03:39,240 --> 00:03:43,570 you can choose if you want to send results to some emails over an SMTP server.
52 00:03:44,110 --> 00:03:47,890 We are not going to be doing that right now. In the Discovery tab,
53 00:03:47,940 --> 00:03:49,320 this is the important stuff.
54 00:03:50,240 --> 00:03:57,560 Here we choose how many and which ports we want to scan. We have an option of scanning common ports,
55 00:03:58,250 --> 00:04:00,990 and this is similar to Nmap default ports.
56 00:04:01,760 --> 00:04:09,200 It will only scan the most popular ports, or you can select scan all ports, which we are going to use right
57 00:04:09,200 --> 00:04:12,650 now to scan all sixty-five thousand ports on Metasploitable.
58 00:04:13,040 --> 00:04:16,940 And if you want, there is a custom option, which is the third option right here.
59 00:04:17,150 --> 00:04:21,020 But we are pretty satisfied with this scan all ports option.
60 00:04:21,470 --> 00:04:27,230 If you read the settings, the general settings say: ping the remote host, use fast network discovery,
61 00:04:27,230 --> 00:04:28,790 and under the port scanner settings
62 00:04:28,790 --> 00:04:35,210 we have scan all ports, use netstat if credentials are provided, use SYN scanner if necessary,
63 00:04:35,810 --> 00:04:40,340 and we're pinging hosts using TCP, ARP and ICMP.
64 00:04:41,270 --> 00:04:41,600 Good.
65 00:04:42,410 --> 00:04:49,280 Once you set this to scan all ports, you can go to the Assessment tab, and in the Assessment tab we can
66 00:04:49,280 --> 00:04:50,900 choose what we want to scan for.
67 00:04:51,530 --> 00:04:53,180 So there are a few options.
68 00:04:53,210 --> 00:04:59,390 If I click right here on this scan type, we have scan for known web vulnerabilities, scan for all
69 00:04:59,390 --> 00:05:03,590 web vulnerabilities, and scan for all web vulnerabilities (complex).
70 00:05:04,010 --> 00:05:08,620 For the purposes of this tutorial, we will be scanning for known web vulnerabilities.
71 00:05:08,840 --> 00:05:09,250 Why?
72 00:05:09,530 --> 00:05:12,290 Well, this will just take less time to finish.
73 00:05:12,890 --> 00:05:18,560 When you run scan for complex web vulnerabilities, it usually takes a lot more time, and we can see
74 00:05:18,560 --> 00:05:25,460 right here in the general settings: avoid potential false alarms, enable web application scanning.
75 00:05:25,790 --> 00:05:31,970 We will crawl up to one thousand pages, up to six directories, and we will test for known vulnerabilities
76 00:05:31,970 --> 00:05:33,830 in commonly used web applications.
77 00:05:34,040 --> 00:05:36,500 These are our assessment settings.
78 00:05:37,460 --> 00:05:42,650 But also, keep in mind that if we discover some vulnerabilities, we will see how to attack them in
79 00:05:42,650 --> 00:05:46,700 the web penetration testing section that will come right after the exploitation section.
80 00:05:47,150 --> 00:05:53,900 For now, let us just see whether Nessus will find something juicy. Right after, we go to the Report settings.
81 00:05:54,410 --> 00:05:56,570 And usually you want to leave this on default.
82 00:05:56,580 --> 00:05:58,970 So we are not going to be changing anything right here.
83 00:05:59,300 --> 00:06:05,210 And finally, in the Advanced tab, we will leave it on default for now and proceed to click on Save.
84 00:06:05,540 --> 00:06:07,550 So click on Save right here.
85 00:06:08,980 --> 00:06:10,810 And you should have your scan right here.
86 00:06:11,840 --> 00:06:19,100 Now you will notice that it does not automatically start. We must launch it, and we do that by clicking
87 00:06:19,100 --> 00:06:22,970 on this arrow right here, which says Launch. Click on it.
88 00:06:25,550 --> 00:06:31,820 In just a few seconds, here it is, these green arrows will start spinning and our scan has officially
89 00:06:31,820 --> 00:06:32,300 started.
90 00:06:33,170 --> 00:06:37,940 This will try to discover all the vulnerabilities it can find for the Metasploitable machine.
91 00:06:38,990 --> 00:06:43,480 Now, keep in mind that these scans can take a lot longer than Nmap scans.
92 00:06:43,730 --> 00:06:49,940 You can always check the current status of the scan by clicking on the scan name, in our case on Metasploitable.
93 00:06:51,590 --> 00:06:57,980 And you will be able to see what it managed to find for now. During the scan, different vulnerabilities
94 00:06:58,220 --> 00:07:00,140 will be marked with different colors.
95 00:07:00,890 --> 00:07:04,310 We will have the blue color, which means information disclosure.
96 00:07:04,940 --> 00:07:10,670 And what that is, is it possibly managed to find some information that should be private, or it managed
97 00:07:10,670 --> 00:07:16,010 to find the service version or something similar that allows us to find out more information about the
98 00:07:16,010 --> 00:07:16,490 target.
99 00:07:16,640 --> 00:07:19,610 It doesn't necessarily mean that the information is useful, though.
100 00:07:20,150 --> 00:07:26,500 Then we have green, yellow and orange vulnerabilities, also known as low, medium and high vulnerabilities.
101 00:07:26,750 --> 00:07:32,450 And at the end we get the most interesting vulnerabilities, which are critical vulnerabilities.
102 00:07:33,610 --> 00:07:37,270 This usually includes remote code execution or something similar.
103 00:07:38,440 --> 00:07:44,170 So what you can also do, you can click on them, and this is just what it managed to find at this current
104 00:07:44,170 --> 00:07:45,420 point of the scan.
105 00:07:46,240 --> 00:07:48,780 So we got one critical vulnerability for now.
106 00:07:49,210 --> 00:07:55,450 We got two high vulnerabilities, one medium vulnerability and some information disclosure right here.
107 00:07:56,610 --> 00:08:02,040 Let's go back and we're going to wait for this to finish, and once it's done, we will get back to
108 00:08:02,040 --> 00:08:03,210 it and see the results.
109 00:08:03,750 --> 00:08:04,590 All right.
110 00:08:04,830 --> 00:08:06,630 It is finally over.
111 00:08:06,930 --> 00:08:14,040 And we can see, if I click on the scan, that it managed to discover a bunch of vulnerabilities, all kinds
112 00:08:14,040 --> 00:08:14,310 of them.
113 00:08:15,000 --> 00:08:18,540 Let us go through these results and see some of the vulnerabilities it found.
114 00:08:19,260 --> 00:08:23,360 Remember, we are most interested in critical and high vulnerabilities.
115 00:08:24,060 --> 00:08:27,740 Others can also be useful, but these two are the main ones.
116 00:08:28,290 --> 00:08:34,070 First thing we see is that it managed to find seven critical vulnerabilities, 11 high vulnerabilities,
117 00:08:34,560 --> 00:08:41,790 thirty-six medium vulnerabilities, seven low and one hundred and forty-eight information disclosure.
118 00:08:42,660 --> 00:08:43,980 Let us click on the scan.
119 00:08:44,980 --> 00:08:51,190 Right here, we can order the vulnerabilities by their severity, so if I click on this arrow, it will
120 00:08:51,190 --> 00:08:55,940 go from the information to the critical, but mostly we are interested in critical vulnerabilities.
121 00:08:55,950 --> 00:08:59,410 So click it once again and let's go with any one of them.
122 00:08:59,630 --> 00:09:02,290 We're going to see an example of each vulnerability.
123 00:09:02,320 --> 00:09:08,350 We're going to check one critical, one high, one medium, one low and one information disclosure.
124 00:09:08,650 --> 00:09:11,200 Let's go, for example, with this one.
125 00:09:12,230 --> 00:09:19,460 So it says NFS Exported Share Information Disclosure. This is a critical vulnerability. Down here,
126 00:09:19,460 --> 00:09:24,950 we can see the description, and it says at least one of the NFS shares exported by the remote server
127 00:09:25,310 --> 00:09:31,420 could be mounted by the scanning host. An attacker may be able to leverage this to read and possibly
128 00:09:31,420 --> 00:09:33,020 write files on the remote host.
129 00:09:33,590 --> 00:09:38,450 It tells us what is the solution to fix this vulnerability. As it says, configure NFS on the remote
130 00:09:38,450 --> 00:09:42,260 host so that only authorized hosts can mount its remote shares.
131 00:09:43,160 --> 00:09:43,760 Down here,
132 00:09:43,760 --> 00:09:46,070 it tells us where it found the vulnerability.
133 00:09:46,370 --> 00:09:51,740 It found it on our Metasploitable on the 2049 UDP port.
134 00:09:52,580 --> 00:09:57,560 And what you would do, for example, is you would then Google this vulnerability, which we learned
135 00:09:57,560 --> 00:10:02,330 in the previous video, where we covered Googling vulnerabilities, and search it, and you would see how
136 00:10:02,330 --> 00:10:03,200 you would exploit this.
137 00:10:03,380 --> 00:10:05,760 For now, we know that this exists.
138 00:10:06,260 --> 00:10:08,330 Let's check another critical vulnerability.
139 00:10:08,930 --> 00:10:13,580 Let's go, for example, onto this one, Bind Shell Backdoor Detection.
140 00:10:15,270 --> 00:10:20,910 It says a shell is listening on the remote port without any authentication being required. An attacker
141 00:10:20,910 --> 00:10:24,700 may use it by connecting to the remote port and sending commands directly.
142 00:10:25,210 --> 00:10:25,590 Hmm.
143 00:10:26,130 --> 00:10:28,070 This seems like a really big problem.
144 00:10:28,650 --> 00:10:33,910 And we're going to see in the next section how we can actually gain access from this critical vulnerability.
145 00:10:34,500 --> 00:10:36,780 It is very, very easy, trust me.
146 00:10:37,260 --> 00:10:41,310 But these types of misconfiguration happen often. Down here,
147 00:10:41,310 --> 00:10:46,970 we can see the solution: verify if the remote host has been compromised and reinstall the system if necessary.
148 00:10:47,400 --> 00:10:53,450 And the actual vulnerability is found on port 1524 over TCP.
149 00:10:54,330 --> 00:10:57,360 Now, since critical vulnerabilities are most important,
150 00:10:57,390 --> 00:10:58,650 let us check another one.
151 00:10:59,580 --> 00:11:03,600 Let's go on to this one: VNC Server 'password' Password.
152 00:11:03,940 --> 00:11:09,150 So it seems that we get the default credentials for some software running on our Metasploitable.
153 00:11:09,420 --> 00:11:14,250 As it says, the server running on the remote host is secured with a weak password.
154 00:11:14,520 --> 00:11:18,510 And this type of vulnerability is something that you will find the most.
155 00:11:19,020 --> 00:11:24,810 Now, it doesn't have to be anything connected to the VNC server, but weak credentials are something
156 00:11:24,810 --> 00:11:26,850 that even the biggest companies have.
157 00:11:27,360 --> 00:11:29,670 And you can have all the security in the world,
158 00:11:29,670 --> 00:11:32,830 but if your password is weak, none of that security will matter.
159 00:11:33,510 --> 00:11:37,290 Down here, we see that Nessus logged in using the password 'password'.
160 00:11:37,620 --> 00:11:38,940 And what was it on?
161 00:11:39,090 --> 00:11:46,380 It was port 5900 over TCP. So we will see how we can exploit all of this.
162 00:11:46,650 --> 00:11:49,380 But let us also check out some other vulnerabilities as well.
163 00:11:50,340 --> 00:11:53,700 Apache Tomcat AJP Connector Request Injection.
164 00:11:54,180 --> 00:11:54,990 Let's click on it.
165 00:11:55,140 --> 00:12:00,330 This seems to be a high vulnerability, and it tells us a file inclusion
166 00:12:00,330 --> 00:12:02,580 vulnerability was found in the AJP connector.
167 00:12:02,850 --> 00:12:08,790 A remote, unauthenticated attacker could exploit this vulnerability to read web application files from
168 00:12:08,790 --> 00:12:10,070 a vulnerable server.
169 00:12:10,620 --> 00:12:15,330 It tells us that the solution is to actually upgrade the Tomcat server to the newer version.
170 00:12:16,020 --> 00:12:21,810 And down here it tells us over which port it found the vulnerability, which is port 29.
171 00:12:22,770 --> 00:12:27,960 On the right side, we can also see some additional vulnerability information, such as what is the
172 00:12:27,960 --> 00:12:28,770 vulnerability for?
173 00:12:28,770 --> 00:12:29,940 It is for Apache Tomcat.
174 00:12:29,940 --> 00:12:32,010 Is the exploit available?
175 00:12:32,040 --> 00:12:35,160 Yes, the exploit exists for this, and they are available.
176 00:12:35,580 --> 00:12:42,540 The patch was published on March 1st, 2020, and the vulnerability was also published on that same day.
177 00:12:42,750 --> 00:12:49,290 And Nessus managed to successfully exploit it. Reference information, and here the vulnerability names.
178 00:12:50,100 --> 00:12:54,910 You would just type this, search for an exploit for it, and you would manage to exploit the Metasploitable
179 00:12:54,920 --> 00:12:55,500 machine.
180 00:12:56,430 --> 00:13:01,110 Let's check out a few more vulnerabilities and then we are going to wrap up this tutorial.
181 00:13:01,110 --> 00:13:06,870 Let's go to a medium one, and let's go, for example, to this one:
182 00:13:06,870 --> 00:13:09,000 SMB Signing not required.
183 00:13:09,450 --> 00:13:13,990 Signing is not required on the remote SMB server. An unauthenticated, remote
184 00:13:13,990 --> 00:13:19,110 attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.
185 00:13:19,920 --> 00:13:26,010 Now, we have not covered man in the middle yet, but later in the course we will be devoting an entire
186 00:13:26,010 --> 00:13:29,910 section to this attack, the man-in-the-middle attack.
187 00:13:30,420 --> 00:13:36,990 So for now, we just know that the SMB server, which is running on port 445, is vulnerable
188 00:13:36,990 --> 00:13:38,490 to man-in-the-middle attacks.
189 00:13:39,540 --> 00:13:43,560 OK, let us also check out some information disclosure.
190 00:13:44,340 --> 00:13:51,000 So right here we can open OpenSSL Detection, Service Detection (GET request), SSL / TLS Versions Supported,
191 00:13:51,210 --> 00:13:54,900 so we can check out which SSL and TLS versions are supported.
192 00:13:55,440 --> 00:14:00,270 This plugin detects which SSL and TLS versions are supported by the remote service for encrypting
193 00:14:00,270 --> 00:14:07,080 communications, and this port seems to be running SSL version 2, SSL version 3 and TLS version 1.
194 00:14:07,320 --> 00:14:12,750 And these are just different protocols used for encryption of the data that is being transferred over
195 00:14:12,750 --> 00:14:13,350 this port.
196 00:14:13,980 --> 00:14:18,900 And once again, you will see that SSL is vulnerable to the man-in-the-middle attack.
197 00:14:18,900 --> 00:14:22,080 We can decrypt this data using that specific attack.
198 00:14:23,020 --> 00:14:27,460 However, don't worry if you don't fully understand what I'm talking about. This is once again something
199 00:14:27,460 --> 00:14:29,140 that we will cover in a later section.
200 00:14:29,650 --> 00:14:30,430 OK, great.
201 00:14:31,390 --> 00:14:34,810 Do you see right now how amazing this Nessus scanner is?
202 00:14:35,790 --> 00:14:40,890 It literally gave us most of the vulnerabilities just from a single scan. In the next section,
203 00:14:40,920 --> 00:14:46,140 we will see how to exploit most of these vulnerabilities on Metasploitable, but on other targets
204 00:14:46,140 --> 00:14:46,500 as well.
205 00:14:47,350 --> 00:14:53,370 In the next video, we're going to scan another machine using Nessus, and we're going to see what results
206 00:14:53,370 --> 00:14:55,170 we get. See you in the next one.