1
00:00:00,150 --> 00:00:04,000
At last, we are ready to start a Nessus vulnerability scan.

2
00:00:04,740 --> 00:00:08,010
This is the main page of the Nessus web interface.

3
00:00:08,220 --> 00:00:10,890
We are in the My Scans section of the Scans tab.

4
00:00:11,930 --> 00:00:14,360
At the upper left corner, click New Scan.

5
00:00:15,540 --> 00:00:18,150
First, Nessus asks for the scanner.

6
00:00:19,270 --> 00:00:25,450
We have seen them before, so here we can choose the most suitable one for our scan, but in the Home

7
00:00:25,450 --> 00:00:28,950
version of Nessus, unfortunately, some scans are disabled.

8
00:00:29,710 --> 00:00:35,350
If you click Internal PCI Network Scan, for example, the application redirects you to the Nessus

9
00:00:35,350 --> 00:00:37,150
website, to Nessus Professional.

10
00:00:37,910 --> 00:00:45,220
There are also available scanners like Basic Network Scan, or alternatively go to the User Defined tab and

11
00:00:45,220 --> 00:00:46,390
select your own policy.

12
00:00:47,140 --> 00:00:51,340
This is the policy we defined in the previous lecture, so I chose this.

13
00:00:51,850 --> 00:00:53,920
Now give a name to your scan.

14
00:00:54,640 --> 00:00:59,560
As you can see, on the right side of the Name field, the required fields are identified by Nessus.

15
00:01:02,240 --> 00:01:03,820
So write a description if you want.

16
00:01:06,610 --> 00:01:14,320
Select a folder for the outputs and define the targets. You can list the hosts in the Targets field one by

17
00:01:14,320 --> 00:01:14,620
one.

18
00:01:15,460 --> 00:01:20,950
I want to scan my two systems now: nine nine one three nine is OWASP BWA,

19
00:01:22,150 --> 00:01:25,600
and nine nine two zero six is my Metasploitable system.

20
00:01:26,260 --> 00:01:28,780
So if you want multiple IP addresses,

21
00:01:29,840 --> 00:01:31,470
just put a comma in between them.

22
00:01:32,330 --> 00:01:34,970
You can also define an IP block or a range,

23
00:01:36,320 --> 00:01:42,170
just as you remember from the Nmap lectures. Or alternatively, if you have a file that contains a list of

24
00:01:42,200 --> 00:01:48,890
the hosts, which we also covered earlier, you can add that file using the Add File link in the Upload

25
00:01:48,890 --> 00:01:49,640
Targets field.

26
00:01:50,390 --> 00:01:56,900
So now we're ready to launch the scan. At the bottom of the page, select Save, or click the down arrow

27
00:01:56,900 --> 00:01:59,780
button and select Launch to start the scan immediately.

28
00:02:00,360 --> 00:02:04,660
I choose Launch. It first saves the scan and then launches it immediately.

29
00:02:05,450 --> 00:02:08,390
So while scanning, let's see some of the parts of the Nessus interface.

30
00:02:09,370 --> 00:02:12,850
At the left, you see the folders. Next to the My Scans folder,

31
00:02:12,880 --> 00:02:16,750
it says that I have one active scan, and in the My Scans page

32
00:02:16,750 --> 00:02:18,410
you see the scan that we just started.

33
00:02:18,700 --> 00:02:21,100
If you click on it, you see the scan details.

34
00:02:22,030 --> 00:02:26,080
There are three tabs here: Hosts, Vulnerabilities and History.

35
00:02:27,130 --> 00:02:32,310
When you click on the Vulnerabilities tab, you see the vulnerabilities found during the scan. Here

36
00:02:32,320 --> 00:02:33,750
we already have some results.

37
00:02:34,680 --> 00:02:37,290
Now click the Hosts tab to turn back.

38
00:02:38,480 --> 00:02:45,770
These are the systems that we defined as targets: OWASP BWA and Metasploitable. At the right, you

39
00:02:45,770 --> 00:02:48,140
see the severity levels of the vulnerabilities.

40
00:02:48,560 --> 00:02:51,650
Nessus classifies vulnerabilities into five levels.

41
00:02:52,340 --> 00:02:59,210
Informational level quickly identifies non-vulnerability information, which is, well, nice to know,

42
00:02:59,480 --> 00:03:05,180
and separates them from the vulnerability detail, which is need to know.

43
00:03:05,450 --> 00:03:05,770
Right?

44
00:03:07,130 --> 00:03:13,460
Low level identifies the flaws that might help an attacker to better refine his attack, but by itself,

45
00:03:13,460 --> 00:03:15,890
that flaw won't be sufficient for a compromise.

46
00:03:16,130 --> 00:03:18,360
Medium level identifies that

47
00:03:18,380 --> 00:03:21,110
some information is leaking from the remote host.

48
00:03:21,710 --> 00:03:25,640
An attacker might be able to read a file he should not have access to.

49
00:03:26,000 --> 00:03:32,960
High level identifies that the attacker can read arbitrary files on the remote host and/or can execute

50
00:03:32,960 --> 00:03:33,770
commands on it.

51
00:03:33,770 --> 00:03:38,210
And critical level vulnerabilities are the most important vulnerabilities for us.

52
00:03:38,870 --> 00:03:44,960
These vulnerabilities can be exploited by a tool, and in most cases the attacker does not need to make

53
00:03:44,960 --> 00:03:46,880
an extra effort to exploit them.

54
00:03:47,270 --> 00:03:48,740
So let's fast forward the scan.

55
00:03:52,080 --> 00:03:59,100
Now, on the right side of each host row, you can see the status of the scan of that host. 100 percent

56
00:03:59,100 --> 00:04:01,530
means the scan of that host is complete.

57
00:04:06,800 --> 00:04:10,540
Did you know you can ping the hosts sometimes to understand that they're still alive?

58
00:04:19,880 --> 00:04:26,090
And finally, our scan is completed in four minutes, which is a very fast scan for a vulnerability

59
00:04:26,090 --> 00:04:26,480
scan.

60
00:04:27,520 --> 00:04:31,300
Now, let's click the Metasploitable to go to the vulnerabilities of that host.

61
00:04:32,610 --> 00:04:36,400
Here are the vulnerabilities of the Metasploitable machine found by this scan.

62
00:04:37,140 --> 00:04:42,510
Please note that there might be other vulnerabilities that cannot be found by Nessus with the policy that

63
00:04:42,510 --> 00:04:43,260
we used.

64
00:04:43,350 --> 00:04:48,350
The vulnerabilities are ordered by severity levels by default, and I think that's a good idea.

65
00:04:49,420 --> 00:04:54,110
The vulnerabilities in the critical severity level are the most important ones for us, again.

66
00:04:54,370 --> 00:04:57,230
So click on a vulnerability to see the details of it.

67
00:04:57,670 --> 00:05:01,540
So here we have the name of the vulnerability, a brief description,

68
00:05:04,000 --> 00:05:11,020
a solution method and the links to learn more about it, and last, the host and the port where the

69
00:05:11,020 --> 00:05:17,860
vulnerability lives. At the right side of the screen, you see some additional and important information

70
00:05:17,860 --> 00:05:18,910
about the vulnerability.

71
00:05:19,690 --> 00:05:25,480
So for this particular vulnerability, Nessus says that we can exploit it using Core Impact, which

72
00:05:25,480 --> 00:05:28,890
is a commercial and very powerful exploitation tool.

73
00:05:30,010 --> 00:05:35,740
And here are the scores of this vulnerability: 10.0 is perfect for us.

74
00:05:37,000 --> 00:05:41,800
So click Back to Vulnerabilities to go back to the list of the vulnerabilities.

75
00:05:42,850 --> 00:05:49,210
Here there is another vulnerability which says a VNC server is running on the host and its password

76
00:05:49,210 --> 00:05:50,370
is password.

77
00:05:51,100 --> 00:05:58,360
If that's true and if there's no additional measure to protect the host, we can access that host very

78
00:05:58,360 --> 00:05:58,870
easily.

79
00:05:59,480 --> 00:05:59,950
Let me show you.

80
00:05:59,950 --> 00:06:08,100
Let's test it. Go to the terminal screen and run the VNC viewer by typing xvncviewer and hit Enter.

81
00:06:08,680 --> 00:06:17,380
If you don't have VNC viewer installed on your Kali, type apt-get install xvncviewer and

82
00:06:17,380 --> 00:06:17,860
hit Enter.

83
00:06:21,110 --> 00:06:25,940
Type the IP address of Metasploitable as the VNC server and hit Enter.

84
00:06:27,870 --> 00:06:32,220
And now type password as the password and hit Enter again.

85
00:06:34,700 --> 00:06:36,940
And voila, we are in the system.

86
00:06:38,230 --> 00:06:48,280
I use the whoami Linux command to learn the user that I've got, and uname -a to learn the operating

87
00:06:48,280 --> 00:06:55,510
system and the kernel details, ifconfig to see the information about the network interfaces, etc.

88
00:06:58,460 --> 00:07:05,840
Now, type rm -rf /... no, no, no, no, just kidding, don't, don't do that.

89
00:07:06,050 --> 00:07:06,380
Don't.

