[00:00:06] For vulnerability scanning, we're gonna break this out into network vulnerability scanners and web vulnerability scanners. You're probably gonna use a mixture of both in your engagements, so we want to cover everything.

[00:00:18] Let's start with the network vulnerability scanners. OpenVAS, free open source, it's a great tool. We're actually gonna demo this so you can see how it works. Nessus is one of the de facto standards in the vulnerability scanning industry, but unfortunately it does cost money, as well as Nexpose and Qualys. Those are all popular vulnerability scanners that cost money. So if you do not have the resources, you want to try something completely free, OpenVAS is your tool. If you're using it in a professional environment, you probably will end up stepping up to one of the more professional versions because of speed and for efficiency. Nessus, Nexpose, and Qualys tend to give you that.

[00:01:03] There's also Nmap. We're listing Nmap here as a limited vulnerability scanner. We covered it previously. You can see how it's an amazing port scanner, but it also has some limited vulnerability scanning capabilities as well. There are particular vulnerabilities it can actually scan for, and it can let you know that these systems are vulnerable. There are numerous Nmap scripts which we'll cover in the demo section.

[00:01:27] For the web vulnerability scanners, Nikto is an all-time favorite; it's been available for years. It's an easy-to-use web vulnerability scanner, which we'll cover shortly. WPScan is a web vulnerability scanner that is specific to WordPress websites. There's also SQLMap, which is for penetration testing on databases and doing SQL injection on websites, and so it's a really good tool for actually doing SQL injection and clearing these databases. Burp Suite, which will be covered in the web application penetration testing section, is one of the standards in penetration testing web applications. It's probably one of the most popular tools, if not the most popular web vulnerability scanner suite. So, it does have a scanning section to it, but it is an overall web application proxy as well, so it has a lot of functionality, but there is a vulnerability section. The same with Zed Attack Proxy. It's similar to Burp, but it's completely free. It has vulnerability scanning portions to it, but it is also an overall proxy that you can use to test web applications.

[00:02:43] So now let's look at the Nmap script engine in action. So we looked at Nmap as the port scanner before, but you can also do some vulnerability scans with Nmap as well. So we can see, if you just type in nmap by itself, you see all the command line options; the -sC option is the script scan. There's a whole list of scripts that you can run with Nmap, and that is the script scan functionality. We'll see exactly what that looks like though. So if you go to the /usr/share/nmap/scripts folder, that is the list of all the Nmap scripts. So you can see there is a large number of scripts that you can run on your system, run against other systems. This section right here, you can see, shows various SMB vulnerabilities that you can scan for in your environment. There's a lot of different ACP vulnerabilities that you can scan for as well. The actual full list of Nmap scripts is on the Nmap website, and it's broken out into different categories. You can see it's the NSEDoc part of the website, so there are vulnerabilities, there are scans for malware, there are intrusive scans, there's exploit scans, discovery scans, of course. But we're going to concentrate, of course, on the vulnerability scans.

[00:04:17] So looking at the vulnerability scans, there are a lot of different vulnerabilities that you can scan for with Nmap. We're gonna concentrate on the SMB vulnerability from 2017, which is actually the vulnerability that the WannaCry ransomware and the Petya ransomware exploited. So what's really neat about this is, with Nmap, you could scan your entire network to see which machines are vulnerable to this exploit. So without even using a full-blown vulnerability scanner, you can just run a couple of command line tools to actually scan your entire network very quickly to look for vulnerable systems.

[00:04:58] You can see you download the script right from Nmap's website, and you can download it into your Nmap scripts directory. And it tells you exactly how to run the command. You run Nmap on port 445, which is SMB, and you do --script, and the script name, and then the target systems. So you can put specific systems in there, or you can put entire networks in there as well. So let's copy that and run it against one of our systems. I'm gonna run it against 192.168.3.19, and we can see very quickly that the system is vulnerable to that exploit. So you see 3.19, you see it says it's vulnerable, and a critical remote code execution vulnerability exists. This is one that you can patch using your regular Windows, Microsoft patches, but it's really handy to quickly scan your entire network with Nmap looking for this vulnerability.
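As an added defender-side example (not from the course or the Nmap project): when the network-wide scan described above is saved with Nmap's -oX option, this Python pulls out every host whose NSE vuln script reported a finding in state VULNERABLE, turning the sweep into a patch list instead of screen output. The sample XML and the script id smb-vuln-example are constructed here; the table/state layout follows what Nmap's vulns library writes for each finding.

```python
"""Pull the hosts an NSE vuln script flagged VULNERABLE out of Nmap XML output."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -oX` writes; not output from a real scan.
# The script id is made up; the <table>/<elem key="state"> layout is the
# structure Nmap's vulns library emits for each finding.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.3.19" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-example" output="VULNERABLE">
        <table key="example-finding">
          <elem key="title">Remote code execution vulnerability in SMB</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/><address addr="192.168.3.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-example" output="NOT VULNERABLE">
        <table key="example-finding"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/><address addr="192.168.3.21" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""

def vulnerable_hosts(xml_text, port="445"):
    """Return (address, script id, title) for every host where an NSE script
    on `port` reported a finding in state VULNERABLE."""
    hits = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port_el in host.iter("port"):
            if port_el.get("portid") != port:
                continue  # only the SMB port the scan targeted
            for script in port_el.iter("script"):
                for table in script.iter("table"):
                    state = table.find("elem[@key='state']")
                    if state is not None and state.text == "VULNERABLE":
                        title = table.find("elem[@key='title']")
                        hits.append((addr, script.get("id"),
                                     title.text if title is not None else ""))
    return hits
```

Hosts with the port closed or a NOT VULNERABLE result are skipped, so the returned list is exactly the set of machines to patch.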