1
00:00:00,870 --> 00:00:12,060
HTTP is a stateless application layer protocol that generally uses TCP port 80 and exchanges data over the

2
00:00:12,060 --> 00:00:13,040
World Wide Web.

3
00:00:14,800 --> 00:00:21,070
You can fingerprint the HTTP service and gain a whole lot of information about the target system.

4
00:00:22,950 --> 00:00:26,910
To accomplish this, MSF has some HTTP modules.

5
00:00:27,930 --> 00:00:36,030
Besides the MSF modules enumerating the HTTP service information, they will also help you look

6
00:00:36,030 --> 00:00:42,720
at backup files on the web server, list directories, and check the validity of SSL certificates

7
00:00:42,720 --> 00:00:44,100
present on the web server.

8
00:00:46,420 --> 00:00:54,640
But mainly, reconnaissance-related auxiliary modules will be listed under auxiliary/scanner/http.

9
00:00:56,880 --> 00:01:02,400
And one more thing about the ports is that HTTP uses 80.

10
00:01:03,420 --> 00:01:14,160
And when it comes to HTTPS, it uses port 443, but neither port is mandatory.

11
00:01:15,330 --> 00:01:16,390
Why is that, you ask?

12
00:01:17,070 --> 00:01:23,550
Well, administrators can easily change the port that the web application is served on, so be careful.

13
00:01:24,450 --> 00:01:28,080
You may see a web app serving on port 6500.

14
00:01:29,070 --> 00:01:31,260
That's nothing new for a pen tester.

15
00:01:32,980 --> 00:01:35,230
So let's jump into a practice session.

16
00:01:37,830 --> 00:01:43,140
So I think you probably have many HTTP services running on your target.

17
00:01:44,540 --> 00:01:48,110
So let's view them using the services command.

18
00:01:50,690 --> 00:01:57,940
And you see there are a lot of HTTP services. And let's have a look at the numbers; in the real world,

19
00:01:58,070 --> 00:01:59,780
it is the same.

20
00:02:01,070 --> 00:02:11,600
But here there are only HTTP services, right? So I can also look for HTTP with SSL, like this.

21
00:02:13,780 --> 00:02:15,910
There, another port number comes up.

22
00:02:18,330 --> 00:02:26,370
And just like I did before, I will search for HTTP-related auxiliaries.

23
00:02:27,970 --> 00:02:28,360
Whoa.

24
00:02:28,840 --> 00:02:38,830
OK, so there are too many modules. Some of them are for applications that use HTTP or HTTPS, so it's

25
00:02:38,830 --> 00:02:43,540
kind of hard to find some of the core modules for HTTP itself.

26
00:02:44,770 --> 00:02:46,540
So why don't we make a short list?

27
00:02:47,430 --> 00:02:53,280
That's going to be a handy shortcut for you to start with enumerating HTTP.

28
00:02:55,580 --> 00:02:57,380
So let's go back to services.

29
00:02:59,910 --> 00:03:04,320
Hmm, OK, so now I want to show you something. Look what you have here.

30
00:03:05,350 --> 00:03:13,870
A WebDAV service. Now, this might look kind of old school to you, but you can see it in local networks.

31
00:03:15,190 --> 00:03:21,670
This is Metasploitable 3. The WebDAV service is also available on Metasploitable 2.

32
00:03:23,690 --> 00:03:31,340
So you can use all these modules in the lab to improve your skills, but I'll intentionally choose the HTTP

33
00:03:31,730 --> 00:03:33,020
PUT module.

34
00:03:34,770 --> 00:03:36,210
Show me the options.

35
00:03:37,110 --> 00:03:46,020
Right, so this module will use HTTP PUT as the method to test if the web server allows uploading

36
00:03:46,020 --> 00:03:46,740
a junk file.

37
00:03:48,790 --> 00:03:56,740
But the module wants a PATH variable, so I can try every possible path on the server.

38
00:03:58,150 --> 00:03:59,970
Let's try to find a reasonable path.

39
00:04:02,500 --> 00:04:05,710
So at this point, I'll use another module.

40
00:04:07,410 --> 00:04:08,190
Crawler.

41
00:04:10,380 --> 00:04:15,960
And then this module will crawl pages and list the paths on the server.

42
00:04:17,820 --> 00:04:19,470
Show me the options.

43
00:04:23,200 --> 00:04:24,730
And I'll quickly set the variables.

44
00:04:28,520 --> 00:04:31,310
RPORT to 8585.

45
00:04:35,660 --> 00:04:36,530
All right, so let's check.

46
00:04:39,810 --> 00:04:41,490
And run the module.

47
00:04:47,870 --> 00:04:52,240
So as it finishes up, you have discovered a few paths.

48
00:04:54,130 --> 00:04:58,830
And here, the uploads path probably is what you were looking for.

49
00:05:02,590 --> 00:05:05,110
So what I'm going to do is I'll use this path.

50
00:05:08,380 --> 00:05:11,710
And I'll turn back to the HTTP PUT module.

51
00:05:17,920 --> 00:05:19,210
So the options again.

52
00:05:20,830 --> 00:05:23,950
Just going to set RHOSTS as my variable.

53
00:05:26,150 --> 00:05:28,400
Set PATH to uploads.

54
00:05:31,080 --> 00:05:32,390
Everything looks good.

55
00:05:33,680 --> 00:05:34,850
So let's run the module.

56
00:05:36,060 --> 00:05:37,530
And it happens very quickly.

57
00:05:37,770 --> 00:05:39,330
There it is, you're successful.

58
00:05:41,040 --> 00:05:48,630
So now you can upload a malicious file to the web server and call this file to get a session on the

59
00:05:48,630 --> 00:05:49,080
server.

60
00:05:50,340 --> 00:05:53,070
So if you follow the link, you will get this page.

61
00:05:54,630 --> 00:06:01,860
And this proves that one can easily upload something to the server. That is what a vulnerability is.

