00:00:01,050 --> 00:00:24,993
Okay, that was loading for over an hour, but it is finally over. So we are ready to explore the Nessus tool. It is pretty simple to use. Your page should be blank since you haven't performed any scan yet. So we can click right here on this X button just to see this page better. And all we want to do from here is go to the New Scan button.

00:00:25,876 --> 00:01:09,300
Right here, we will see all of the available options that we can do for our scans. So we got Basic Network Scan, as it says, a full system scan suitable for any host. We got the Advanced Scan, configure a scan without using any recommendations, and we got a bunch of the other options, and for some of them we need the Nessus Professional version in order to use them, such as this one, this one, this one, and all of these that have the upgrade on them. Now, as I already talked about, with Nessus Essentials we're only going to be able to scan local IP addresses. Inside of a company, you could use this tool to scan their networks for vulnerabilities.

00:01:09,300 --> 00:01:51,870
However, you cannot scan an external IP address with this. So scanning a website is not going to work, unless it's inside of your network. Another thing to remind you is that we can scan with the free version up to 16 IP addresses. And if I'm not mistaken, those 16 IP addresses clean after 90 days. So after 90 days you will be able to scan more IP addresses, but I'm not sure about that. And if you have a free version and you have more than 16 targets, you'll have to scan that network with multiple Nessus scans. So scanning big enterprise networks for big companies will require the Nessus Professional version.

00:01:51,870 --> 00:03:21,093
But what we want to do here, to learn Nessus and how to use it, we want to go onto the Basic Network Scan, and this basic scan will require us to specify some options. Now for our first scan, we'll be scanning only Metasploitable, so turn it on. If you haven't already, check out the IP address of Metasploitable. In my case it is 192.168.1.4. And once you do that, we can proceed to specify our options. In the General tab, under the name you can specify anything you want. I will simply just type metasploitable. Under the description, I will just leave this empty. There is nothing really to specify here. You can put anything you want here, just so you can recognize which type of scan you did and on which target you did it. In the folder, we will leave it on My Scans, and in the targets we specify the IP address of our target machine. Since right now we are only scanning one machine, we will specify the IP address of Metasploitable. But if you were to scan a network, you would specify something like this: 192.168.1.1/24, in case it is a /24 network. I believe you can also specify it like this, so dash 192.168.1.255. But right now let us just go with our Metasploit, and with the free version, we can't even scan 255 hosts. Remember? We can only scan 16.

00:03:22,080 --> 00:04:41,250
Once you specify this, we want to proceed to the Schedule tab, and this Schedule tab is useful once you want to schedule your scans in a certain period of time, or you just want to schedule a scan while you're doing something else on the side. For now, we're going to leave it off. Under the Notifications, you can choose if you want to send results to some emails over an SMTP server. We're not going to be doing that right now. In the Discovery tab, this is the important stuff. Here we choose how many and which ports we want to scan. We have an option of scanning common ports, and this is similar to the Nmap default port scan. It'll only scan the most popular ports, or you can select scan (all ports), which we're going to use right now to scan all 65,000 ports on our Metasploitable. And if you want, there is a custom option, which is the third option right here, but we are pretty satisfied with this scan (all ports) option. If we read the settings, the General Settings: always test the Nessus local host, use fast network discovery. Under the Port Scanner Settings, we have Scan all ports, Use netstat if credentials are provided, Use SYN scanner if necessary, and we are pinging hosts using TCP, ARP and ICMP.

00:04:41,250 --> 00:05:34,020
Good. Once you set this to scan all ports, you can go to the Assessment, and in the Assessment tab we can choose what we want to scan for. So there are a few options. If I click right here on this scan type, we have Scan for known web vulnerabilities, Scan for all web vulnerabilities, and Scan for all web vulnerabilities (complex). For the purposes of this tutorial, we'll be scanning for known web vulnerabilities. Why? Well, this will just take less time to finish. When you run the scan for complex web vulnerabilities it usually takes a lot more time, and we can see right here under the General Settings: Avoid potential false alarms, Enable CGI scanning, and Web Applications will crawl up to 1000 pages, up to six directories, and we will test for known vulnerabilities in commonly used web applications.

00:05:34,020 --> 00:06:38,103
These are our assessment settings, but also keep in mind that if we discover some web vulnerabilities we will see how to attack them in the web penetration testing section. That will come right after the exploitation section. For now, let us just see whether Nessus will find something juicy. Right after, we go to the Report settings, and usually you want to leave this on default, so we are not going to be changing anything right here. And finally, in the Advanced tab, we will leave it on default for now and proceed to click on Save. So click on Save right here, and you should have your scan right here. Now you will notice that it does not automatically start; we must launch it. And we do that by clicking on this arrow right here which says Launch. Click on it. In just a few seconds, here it is. These green arrows will start spinning and our scan has officially started. This will try to discover all the vulnerabilities it can find for the Metasploitable machine.

00:06:39,000 --> 00:07:37,413
Now keep in mind that these scans can take a lot longer than Nmap scans. You can always check the current state of the scan by clicking on the scan name, in our case, on the metasploitable. And you will be able to see what it managed to find for now during the scan. Different vulnerabilities will be marked with different colors. We will have the blue color, which means information disclosure. And what that is: it possibly managed to find some information that should be private, or it managed to find the service version, or something similar that allows us to find out more information about the target. It doesn't necessarily mean that the information is useful, though. Then we have green, yellow and orange vulnerabilities, also known as low, medium and high vulnerabilities. And at the end, we get the most interesting vulnerabilities, which are critical vulnerabilities. This usually includes remote code execution or something similar.

00:07:38,460 --> 00:08:03,810
So what you can also do, you can click on them, and this is just what it managed to find at this current point of the scan. So we got one critical vulnerability for now. We got two mixed vulnerabilities, one medium vulnerability and some information disclosure right here. Let's go back and we're going to wait for this to finish, and once it's done we will get back to it and see the results.

00:08:03,810 --> 00:08:44,102
Alright. It is finally over. And we can see, if I click on the scan, that it managed to discover a bunch of vulnerabilities, all kinds of them. Let us go through these results and see some of the vulnerabilities it found. Remember, we are most interested in critical and high vulnerabilities. Others can also be useful, but these two are the main ones. First thing we see is that it managed to find seven critical vulnerabilities, 11 high vulnerabilities, 36 medium vulnerabilities, seven low, and 148 information disclosure. Let us click on the scan.

00:08:44,970 --> 00:09:52,650
Right here we can order the vulnerabilities by their severity. So if I click on this arrow, it'll go from the information to the critical, but mostly we are interested in critical vulnerabilities. So I will click it once again, and let's go with any one of them. We're going to see an example of each vulnerability. We're going to check one critical, one high, one medium, one low, and one information disclosure. Let's go, for example, with this one. So it says NFS Exported Share Information Disclosure. This is a critical vulnerability. Down here we can see the description, and it says, "At least one of the NFS shares exported by the remote server could be mounted by the scanning host. An attacker may be able to leverage this to read and possibly write files on the remote host." It tells us what the solution is to fix this vulnerability. As it says, "Configure NFS on the remote host so that only authorized hosts can mount its remote shares." Down here it tells us where it found the vulnerability. It found it on our Metasploitable on the 2049 UDP port.

00:09:52,650 --> 00:10:59,580
And what you would do, for example, is you would then google this vulnerability, which we learned in the previous video where we covered googling vulnerabilities and searchsploit, and you would see how you would exploit this. From now on, we know that this exists. Let's check another critical vulnerability. Let's go, for example, onto this one: Bind Shell Backdoor Detection. It says, "A shell is listening on a remote port without any authentication being required. An attacker may use it by connecting to the remote port and sending commands directly." Hmm, this seems like a really big problem. And we are going to see in the next section how we can actually gain access from this critical vulnerability. It is very, very easy, trust me. But these types of misconfiguration happen often. Down here we can see the solution: verify if the remote host has been compromised, and reinstall the system if necessary. And the actual vulnerability is found on port 1524 over TCP. Now since critical vulnerabilities are most important, let us check another one.

00:10:59,580 --> 00:12:03,000
Let's go onto this one: VNC server password is "password". So it seems that we get to the default credentials for some software running on our Metasploitable. As it says, "The VNC server running on the remote host is secured with a weak password," and this type of vulnerability is something that you will find the most. Now, it doesn't have to be anything connected to the VNC server, but weak credentials are something that even the biggest companies have. And you can have all the security in the world, but if your password is weak, none of that security will matter. Down here we see that Nessus logged in using a password: "password". And what port was it on? It was port 5900 over TCP. So we'll see how we can exploit all of this, but let us also check out some other vulnerabilities as well. Apache Tomcat AJP Connector Request Injection. Let's click on it. This seems to be a high vulnerability and it tells us, "A file read/inclusion vulnerability was found in the AJP connector. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server."

00:12:03,000 --> 00:13:09,450
It tells us that the solution is to actually upgrade the Tomcat server to the newer version. And down here it tells us over which port it found the vulnerability, which is port 8009. On the right side, we can also see some additional vulnerability information, such as what the vulnerability is for: it is for Apache Tomcat. Is the exploit available? Yes, the exploit exists for this, and they're available. The patch was published on March 1st, 2020, and the vulnerability was also published on that same day, and Nessus managed to successfully exploit it. Reference Information, and here are the vulnerability names. So you would just type this, search for an exploit for it, and you would manage to exploit the Metasploitable machine. Let's check out a few more vulnerabilities, and then we are going to wrap up this tutorial. Let's go to a medium one, and let's go, for example, to this one: SMB Signing not required.

00:13:09,450 --> 00:14:18,870
Signing is not required on the remote SMB server. An authenticated remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server. Now we have not covered man-in-the-middle yet, but later in the course we will be devoting an entire section to this attack, to the man-in-the-middle attack. So for now, we just know that the SMB port, which is running on port 445, is vulnerable to the man-in-the-middle attacks. Okay, let us also check out some information disclosure. So right here we can see OpenSSL Detection, Service Detection (GET request), SSL/TLS Versions Supported. So we can check out which SSL and TLS versions are supported. This plugin detects which SSL and TLS versions are supported by the remote service for encrypting communications, and this port seems to be running SSL version 2, SSL version 3 and TLS version 1. And these are just different protocols used for encryption of the data that is being transferred over this port. And once again you will see that SSL is vulnerable to the man-in-the-middle attack.

00:14:18,870 --> 00:14:55,540
We can decrypt this data using that specific attack. However, don't worry if you don't fully understand what I'm talking about. This is once again something that we will cover in a later section. Okay, great. Do you see right now how amazing this Nessus scanner is? It literally gave us most of the vulnerabilities just from a single scan. In the next section, we will see how to exploit most of these vulnerabilities on the Metasploitable, but on other targets as well. In the next video, we're going to scan another machine using Nessus, and we're going to see what results we get. See you in the next one.