﻿1
00:00:00,560 --> 00:00:01,880
OK, so let's get to it.

2
00:00:02,240 --> 00:00:09,920
NSE is activated with the -sC option, or --script if you wish to specify a custom set of scripts.

3
00:00:10,420 --> 00:00:16,070
Script scanning is normally done in combination with a port scan because scripts may be run or not run

4
00:00:16,070 --> 00:00:18,470
depending on the port states found by the scan.

5
00:00:20,230 --> 00:00:21,130
You can use -sC

6
00:00:21,550 --> 00:00:29,260
to perform a script scan using the default set of scripts. It is equivalent to --script=default.

7
00:00:30,380 --> 00:00:32,450
Now, wait a second. What is this default?

8
00:00:32,780 --> 00:00:36,660
Well, it is one of the categories of Nmap scripts.

9
00:00:37,400 --> 00:00:37,970
Let me show you.

10
00:00:39,310 --> 00:00:44,380
Nmap Scripting Engine (NSE) scripts define a list of categories that they belong to.

11
00:00:44,830 --> 00:00:50,320
So the currently defined categories are auth, broadcast, brute, default,

12
00:00:51,210 --> 00:01:03,480
discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version and vuln. Category names are

13
00:01:03,480 --> 00:01:04,500
not case sensitive.

14
00:01:04,950 --> 00:01:06,130
So let me give you a little detail.

15
00:01:06,270 --> 00:01:13,470
Default scripts are the default set and are run when using the -sC option, rather than listing scripts

16
00:01:13,470 --> 00:01:14,430
with --script.

17
00:01:15,300 --> 00:01:21,060
This category can also be specified explicitly, like any other, using --script=default.

18
00:01:22,560 --> 00:01:29,760
Auth scripts deal with authentication credentials (or bypassing them) on the target system.

19
00:01:30,420 --> 00:01:33,480
Examples include oracle-enum-users.

20
00:01:35,120 --> 00:01:41,430
Brute scripts use brute force attacks to guess authentication credentials of a remote server. Nmap

21
00:01:41,450 --> 00:01:48,500
contains scripts for brute forcing dozens of protocols, including http-brute, oracle-brute,

22
00:01:48,980 --> 00:01:51,170
snmp-brute, etc.

23
00:01:51,680 --> 00:01:55,060
Dos scripts may cause a denial of service.

24
00:01:55,790 --> 00:02:01,730
Sometimes this is done to test vulnerability to a denial of service method, but more commonly it's

25
00:02:01,730 --> 00:02:07,250
an undesired but necessary side effect of testing for a traditional vulnerability.

26
00:02:08,030 --> 00:02:11,240
These tests sometimes crash vulnerable services.

27
00:02:12,550 --> 00:02:23,320
Exploit scripts aim to actively exploit some vulnerability; examples include http-shellshock. Safe scripts are those

28
00:02:23,320 --> 00:02:29,440
which weren't designed to crash services, use large amounts of network bandwidth or other resources,

29
00:02:29,650 --> 00:02:34,240
or exploit security holes; these are usually categorized as safe.

30
00:02:35,630 --> 00:02:42,170
Intrusive scripts are those that cannot be classified in the safe category because the risks are just

31
00:02:42,170 --> 00:02:47,690
too high that they're going to crash the target system, use up significant resources on the target

32
00:02:47,690 --> 00:02:54,650
host such as bandwidth or CPU time, or otherwise be perceived as malicious by the target system administrators.

33
00:02:56,090 --> 00:03:03,200
Malware scripts test whether the target platform is infected by malware or backdoors.

34
00:03:04,700 --> 00:03:11,930
Version scripts are an extension to the version detection feature and cannot be selected explicitly;

35
00:03:12,650 --> 00:03:20,900
they're selected to run only if version detection (that's -sV, uppercase V) was requested. And vuln scripts

36
00:03:21,650 --> 00:03:26,630
check for specific known vulnerabilities and generally only report results if they're found.

37
00:03:27,020 --> 00:03:33,260
You can alternatively use the --script parameter to run a script scan using a comma-separated list of

38
00:03:33,260 --> 00:03:35,840
file names, script categories and directories.

39
00:03:36,650 --> 00:03:42,890
Each element in the list may also be a Boolean expression describing a more complex set of scripts.

40
00:03:43,340 --> 00:03:49,490
For example, if you use the --script parameter with the expression "default and safe", the scripts which

41
00:03:49,490 --> 00:03:53,720
are in both the default and safe categories run.

42
00:03:56,450 --> 00:04:04,190
The --script-updatedb option updates the script database found in scripts/script.db, which is used

43
00:04:04,190 --> 00:04:07,400
by Nmap to determine the available default scripts and categories.

44
00:04:08,090 --> 00:04:14,210
It's only necessary to update the database if you have added or removed NSE scripts from the default

45
00:04:14,210 --> 00:04:17,630
scripts directory, or if you changed the categories of any script.

46
00:04:18,510 --> 00:04:20,670
This option is used by itself, without arguments.

47
00:04:21,900 --> 00:04:25,170
OK, so let's see some of these scripts and try to use them.

48
00:04:28,410 --> 00:04:30,150
Open a terminal screen in Kali.

49
00:04:31,220 --> 00:04:37,280
To find out the scripts, use the locate command. Since the file extension of Nmap scripts

50
00:04:37,280 --> 00:04:45,960
is .nse, type locate *.nse and hit enter. It will locate the files which end with .nse.

51
00:04:46,670 --> 00:04:49,850
This is where the Nmap scripts are located in Kali by default.

52
00:04:50,480 --> 00:04:56,450
Go to the folder using the cd command. I select the path and press the middle button on my mouse to

53
00:04:56,450 --> 00:04:58,650
copy and paste it, and hit enter.

54
00:04:59,060 --> 00:05:03,680
Now let's look at the script.db file first, which is the script database used by Nmap.

55
00:05:04,340 --> 00:05:05,390
It's in this folder.

56
00:05:06,330 --> 00:05:10,330
I use the less command to look at the content of the file.

57
00:05:11,180 --> 00:05:15,110
Every row contains a script file name and its categories.

58
00:05:15,950 --> 00:05:18,230
So now we can see the usage of Nmap scripts.

59
00:05:18,920 --> 00:05:25,210
I want to try SSH scripts on my Metasploitable VM first. With the help of the Linux grep command,

60
00:05:25,220 --> 00:05:28,340
once again, I want to list the SSH scripts.

61
00:05:29,240 --> 00:05:32,720
Here are the scripts that have the word SSH in their names.

62
00:05:33,660 --> 00:05:36,790
To analyze the content of a script, I use the less command.

63
00:05:37,320 --> 00:05:43,650
Now let's look at a file, for example ssh-hostkey. The script file has a description,

64
00:05:45,480 --> 00:05:48,360
a usage section and many more lines.

65
00:05:48,710 --> 00:05:53,850
I want to show you the category section of the script. In the less command, you can use the slash key to search

66
00:05:53,850 --> 00:05:57,840
for a word: type /cate and hit enter.

67
00:05:58,720 --> 00:06:01,720
Here it found "cate" in the word duplicate.

68
00:06:02,900 --> 00:06:04,630
This is not what we're looking for.

69
00:06:05,030 --> 00:06:12,800
So press the n key to find the next "cate" word. Again, duplicate. Press n once again and we found the

70
00:06:12,800 --> 00:06:13,970
category section.

71
00:06:15,040 --> 00:06:21,310
Alternatively, you can use the --script-help Nmap parameter to get help about an Nmap script:

72
00:06:21,790 --> 00:06:23,080
type nmap --script-help

73
00:06:26,520 --> 00:06:32,110
and then the script name. The file extension is optional here; it's OK if you don't use the extension.

74
00:06:32,940 --> 00:06:38,790
And here's a brief summary of the ssh-hostkey script: the script name, a link to learn more about

75
00:06:38,790 --> 00:06:40,370
it, and the description of the script.

76
00:06:41,130 --> 00:06:44,330
Now, look at the description of the ssh-hostkey script.

77
00:06:44,910 --> 00:06:52,170
It shows the target SSH server's key fingerprint and, with a high enough verbosity level, the public key itself.

78
00:06:53,070 --> 00:07:00,480
Now let's run a few Nmap commands and use some scripts. Prepare the Nmap command: a TCP SYN scan.

79
00:07:02,740 --> 00:07:05,600
Don't forget to define the ports of your interest.

80
00:07:06,340 --> 00:07:11,560
First, I want to run the default SSH scripts using the -sC parameter.

81
00:07:12,430 --> 00:07:19,780
ssh-hostkey is the default script for the SSH service, and here are the target SSH server's key fingerprints.

82
00:07:20,440 --> 00:07:25,930
In the description of the script, we saw that if the verbosity level is high enough, the script will

83
00:07:25,930 --> 00:07:28,660
show the public key itself. To see it,

84
00:07:29,290 --> 00:07:37,120
I want to run the Nmap command again, but this time I use -vvv to increase the verbosity level.

85
00:07:39,470 --> 00:07:42,800
Now we have the public keys as well as the fingerprints.

