Introduction To Pentesting - Enumeration

HackerSploit · Intermediate ·🔐 Cybersecurity ·6y ago

Key Takeaways

The video demonstrates service enumeration techniques using Nmap scripts on a vulnerable Linux virtual machine, Metasploitable2, and covers various tools and methods for penetration testing, including network discovery, port scanning, and password cracking.

Full Transcript

hey guys hackersploit here back again with another video i hope that each and every one of you is doing well during this pandemic and i hope that you're keeping safe now in this particular video we're going to be taking a look at an introduction to penetration testing as uh we've already been uh continuing with the penetration testing boot camp uh the purpose of this video and this series of videos is to introduce you to penetration testing concepts that are previously really not covered and focused on an example of this is enumeration it's something that a lot of penetration testers talk about but no one really explains uh and demonstrates so the purpose of this set of videos is to explain and break down each step now the way we will be will be doing this is by taking a look at you know various vulnerable boxes on hack the box and vonhub in today's video we'll be looking at one of the ogs in the series which is metasploitable 2. now the reason i'm covering this box is primarily not because of how easy it is to exploit but mainly because it covers a lot of areas or aspects that are very important to take into consideration when you know developing your pen testing methodology all right now as i said we're going to be using metasploitable 2 and i've already set up a nat network for my virtual hacking lab here and you can do that by going to preferences under virtualbox and you can go to your network you can see i've created my virtual hacking lab the only reason i'm showing you this is uh the fact that it's using its own network cidr and of course range and of course it supports dhcp so i just want to make sure that that is clear so this is my network range here and this is the network we're going to be operating under uh so we're not we're no longer going to be using the standard addresses that we've been using before like 192 168. uh 0.1 etc all right so let's go back into kali and we can get started so the first area or section of penetration testing once we've established our target is network discovery now there's tons of techniques and tools that you can use for network discovery many people will jump to nmap however if you are on a local area network then using a tech techniques that involve arp or the address resolution protocol uh can can be very useful so in this case we can use a tool called net discover all right so we can say net discover and it comes pre-packaged with kali and to use it we need to specify an interface that we want to use and an interface can be found by using the ifconfig command and you want to look for the interface that where you have your ipv4 address and it's going to be labeled here in our case the interface name is ethernet 0 all right so the interface is going to be ethernet 0 so we just want to type that out ethernet 0 and then we can specify a network range that we want to scan for and given that we're using that we can probably use the default network range and cidr but again we can specify it to save a lot of time so what i'm going to do is i'm just going to specify it so it's 10.0.0 and like we can start off from one and we specify the range of 24 right and we're going to hit enter so with uh using net discover this is going to take a few seconds and it's going to say it's going to be completed however with the current version of net discover this seems to be an issue with displaying the results so i'm just going to wait for this scan to complete usually takes about a few minutes although this scan is quite quick uh if i use typically do not specify a range and that would would mean that i would scan my entire network you know both class c and d ranges that would take quite a while so again specifying the range is very important so i'm just going to wait for this to complete all right so the scan is complete as you can see it captured uh the response packets about four response packets from four hosts so it tells us that all right we have four devices on our uh virtual hacking lab network here and uh one the one that stands out is going to be uh this ip address right over here now uh our kali ip address is not going to be listed and that's because it is the host and that has an ip of 10.0.0.4 all right so we just want to keep that in mind of course in your case it's going to be different um so now that we've established that we can now you know get started with performing port scanning so on and so forth however i also want to cover network and host discovery using nmap alright so with nmap we can perform a ping scan to discover hosts that are online on a network and to do this we can you know again use the sn option or the ping option and we don't want to ping only so again we can then specify the entire network range here so 10.0.0.1 forward slash 24 so i'll just specify that right now and again this will be much faster because it does not use the address resolution protocol as you can see we get our results uh much quicker and we have the meta exploitable 2 box right over here and the cali box right over here all right so now that we've established what device is online we have now selected our target and we can now perform port scanning and identification either through service version identification or operating system identification or altogether all right so in terms of port scanning we can run a default nmap scan which will scan a thousand of the most common ports on the target and uh yeah so if we type in nmap 10.10 10.0.0.8 which is the target ip and just hit enter you can see we have a plethora of services that are currently available on the target however this is not extensive given that we're only scanning a thousand of the most common ports they're about 65 535 tcp ports available and it really is not a good idea to only scan a thousand of the most common ports you have to be extremely extensive and exhaustive with your scans so you need to ensure that you've scanned all your your tcp ports as well as udp ports because they are and could be services running uh on udp so that's something you need to take into consideration now in this case you can see we have plenty of services and the way the results are sorted out are as follows you have port state in service however these results just give us a brief idea of what we're working with to get a clearer picture we can start enumerating more information about the services and about the box itself the information we're looking for are service versions uh the operating system that's currently running so on and so forth all right so to do this we're going to run a uh quite an extensive scan so we're going to say nmap and we're going to run a stealth scan or a syn scan to speed up uh the amount or to reduce the amount of time the scan will take we can also use a timing template or the timing option sorry um so we can say t4 or t5 for a much faster scan and you can slow it down if you're dealing with a box that has a firewall or if you're trying to evade uh intrusion detection systems all right so uh to then specify the entire port uh range which is the entire 65535 ports we can specify p hyphen p hyphen if we want to specify a custom range of ports we can specify uh you know a specific port maybe like port 21 or an entire range like port 21 to 443 and that's only going to scan those ranges but we want to scan the entire range to be exhaustive and in addition to this we want to run an aggressive scan now an aggressive scan combines three types of scans it's going to combine a service version detection scan an operating system detection scan and it's going to run a default nmap scripts scan so again when i talk about the default uh nmap script scan it's referring to the default nmap script category of scripts that nmap will typically run when specified so again we can now specify our target so 10.0.0.8 and we can then output this in to a normal uh format and we can output it to a txt file so we'll just call this metasploitable too and we can say underscore nmap.txt just to keep things nice and clear and we can then hit enter now given that this is going to perform a script scan it's going to run all the default scripts within the default nmap script category this is going to take a few minutes so i'm just going to start the scan and i'll wait for this scan to complete all right so the scan is complete and that took about 215 seconds which is modest and of course you can increase uh the aggressiveness of your scan but that's something you need to keep into consideration when you're dealing with firewalls intrusion detection systems and potentially devices that could be overwhelmed by the amount of requests you're sending uh you're sending to them all right so you can see we have a ton of uh information that has been returned to us uh you know quite in in quite uh stuck contrast to the results we got earlier right over here so the first thing you'll notice is um you'll get an additional column where we have the version and that's where we're dealing with service version detection and enumeration so again this will help us detect the exact service version that is running on a particular port so for example if we have ftp running on its respective port and that is port 21 we need to know what version of the ftp service that's running because we know we have many types of ftp servers available out there many open source we also have paid versions and based and depending on the operating system you're dealing with whether you're dealing with linux and windows this can be very important because you again the service version detection helps you understand and apply your attacks much better and will also help with vulnerability uh scanning and analysis all right so just below that particular port scan you will now uh the the defaults nmap script scan begins where the first script that that is run is the ftp and onscript and the ftp annual script uh is uh is essentially responsible for trying to perform an anonymous ftp login on the target and to test if the anonymous ftp login will be successful in this case it tells us that indeed the anonymous ftp login is allowed and it gives us the ftp code to actually uh actually confirm that or to provide proof rather or that that was successful the next ftp script that is run is the ftp syst script which gives us information regarding the ftp server and the type of parameters we're dealing with so you can see that the type we're dealing with here is ascii which is great and the other important information is the session bandwidth limit if there is any and the timeout uh because if you do engage the target through ftp you need to know what the default timeout is if you know if you're dealing with a particular exploit and not and you do not have an actual password so that's very important and then at the bottom we get the service version which tells us we're dealing with vs ftbd 2.3.4 now when dealing with a default nmap script scan you must know that this is not an extensive set of scripts that are that is being run on the you know against the target so uh for each port we need to perform uh you know its own enumeration now you can see we have other uh important ports uh that you know we could use for entry like ssh which is running open sh 4.7 p1 we also have an smtp port and a telnet port which is excellent we can all try and run various commands against it and as as for the smtp port we can see that the smtp commands that we can run are verify which we can actually use to enumerate user names uh and i'll show you how to do that in a few seconds we also have a dns port a web server running on port 80. this is running apache http 2.2.8 and we get a bit of os information so it tells us running ubuntu and then the scripts that have been run are the http server header which tells us running apache and then the http title tells us we're dealing with the title essentially states metasploitable to linux and then of course we have uh smb ports here running samba and let's see a few other important services uh we have a mysql and for the mysql info script it just displays uh the salt it also displays uh the protocol and the version running so we can perform you know vulnerability analysis and scanning uh we also have vnc which is great um postgresql etc etc so there's a ton of services and as i said metasploitable 2 is designed to be intentionally vulnerable and it is a system that's not really difficult to exploit it is one that is used to demonstrate the plethora of services that you could be dealing with and how you would go up about exploiting them and of course it's very important to understand how to deal with a particular protocol and service before you know you get into more complex boxes so for the operating system detection you can see we are dealing with a kernel of version 2.6 which is fine and it really doesn't give us more information regarding um the the the actual version of the operating system but we know it's ubuntu uh in in in in the least right so now that we have an idea of all the services that are running we can now begin with uh the enumeration we'll start off with the most important parts right because these are the ones that are going to you know these are the ones where that actually providing us the best opportunities for access now one of them immediately is going to be the ftp port and you can see the reason for that is because we have ftp we have anonymous ftp logins allowed now when i as i said we have plenty of other nmap ftp scripts that you can run against your target to perform ftp enumeration so if i list the user share nmap scripts directory and i can then pipe the output and say grip and we'll say the expression we want we're looking for is ftp and we're looking for essentially what we're doing is we're looking for all the ftp scripts you can see that the default and nmap script category only ran the ftp anon script and the ftp system script however if you look closely we can see that we have a few vulnerability scanning vulnerability based scripts that actually test for a particular vulnerability like this one right over here it gives us the cve and then we also have a backdoor script now the thing about nmap scripts is many of the backdoor and the vulnerability scripts could be intrusive in that they could run an exploit on the target and that's something you want to take into consideration during your assessments and your pen test because you may not be ready to start engaging with the target now from our results here you can see that the target is running vs ftpd and the script that was not run that is available is this script right over here the ftp vs ftpd backdoor script so we can actually run this against the target to see if our if our target is vulnerable to this particular vulnerability and we can actually get a back door so to do this we say nmap and again we'll use the sv option here to you know enumerate the service version and then we specify the port and that's because we're now dealing with one port as opposed to all the ports so we specify the port number which is going to be port 21 we say script and then we paste in the script and we do not need to specify the extension the nse extension and then we specify the target here and we get we can then just hit enter and this should just take a few seconds and there we are it tells us that for this particular script that this service is vulnerable and it is exploitable and then it gives us the cve code cve stands for common vulnerabilities and exposures so it gives us the the code and the disclosure date as well as when this exploit was reported now you can see that this script is intrusive because it actually performs the exploit and it it executes a shell command on the target and the command that it executes is the id command which will display the user id in this case the user id is root which means we can get root access using this particular using this particular exploit so then it gives us the references that we have so it gives us references to the disclosures to proof of concepts etc and at the bottom here you can see that we have a module for this particular exploit so again if we use search exploit which again it allows us to access the exploit db database or we can say search split and we can type in the service that we're dealing with in this case we can enter vsftpd and hit enter and as you can see at the bottom we have the version that we're looking for and that is vsftpd 2.3.4 and we have a backdoor command execution and this is a metasploit module so again we can run metasploit with this so we can type in msf console hit enter and that's going to start up the metasploit console for us where we can then search for this particular module and see whether we can get root access all right so i'm just going to start this up and uh when we're talking about ftp i'm just going to touch upon ftp enumeration there's a multiple ways we can again try and access this as i said we have not taken a look at anonymous ftp access yet so let's actually do that before we move on to the metasploit module so an anonymous ftp access essentially means that you can access a the ftp server on a target using anonymous credentials so if we say ftp and we enter the address here and we type in anonymous and hit enter and we we just hit enter on a on a null password you can see we were able to log in successfully and if we list the files within here we don't have any any files or directories here so when interacting with ftp you can use an ftp client like filezilla or you can actually use your browser to access ftp sorry i think i launched y-shock there let me just close that up so if i open up my browser i can specify the protocol we're looking for and this will allow us to easily navigate the files that are within the ftp directory that might not be listed within the ftp terminal utility so if i say ftp and then i say 10.0.0.8 and i hit enter you can see it actually lists the ftp directory for us and now we have a much better way of accessing the files if any you can see we can also go up to a higher level directory and it actually lists that for us here and you can see that we currently cannot go any higher and that's probably because it's blocked we also know that we have a web server running so let's see if we already know that the ftp server is really not correlated to the web server because we do not have any listings here of any files so if we try and access the web server so 10.0.0.8 and we're using http now you can see that that is a metasploitable tool and it tells us that we should never um we should never expose this vm to an untrusted network etc we also get credentials telling us you can log in with msf admin and password of msf admin to get started and right over here we have uh various vulnerable web applications that we can use and we also have phpmyadmin which is interesting so you can see that the ftp server really does not give us access to the web directory um or the apache directory as we might have expected so that might not give us anything but going back to the metasploit module here so if we search for vsftpd and i hit enter you can see we have the module there that is vsfd 2.3.4 and that's the back door so we can copy that module and we can just say use paste it in here and if we list the options available to us you can see the only option we need to specify the r hosts and the r port which is the target ip address and the target port on which we have the ftp server running so again we can set the r hosts to 10.0.0.8 so that is the target ip the target port is set correctly we know that it's running on port 21 and all we need to do is type run all right now that we've typed in where we've typed in run we can actually uh we get a command shell so it's going to open up a commercial we don't get a meterpreter session however we get we know that we have root access on the system um so if i type in something like ls you can see we have we can actually list the directory here and we type in id we know that we're currently the root user so we pretty much have a total control but i'm not going to stop here we're going to touch upon other services that we can also exploit here and we will talk about enumeration a little bit more now you can see that i do not have uh a proper shell and if i want to spawn a tty session or a tty shell based on the environment that i have i can either use you know something like if i say bin bash something like a bin bash i you can see i get a bash session here and there are plenty of ways you can spawn atty session you can use python so it's entirely based on your environment and this is primarily dealing with linux environments now you can see i get a bash session but we don't have job control and i already have access here so we're going to maintain access through this through this particular service now let's take a look at the other services that we have available to us so you can see we have ssh and uh this version of ssh i think is vulnerable to user name enumeration so we can actually run that so let me just exit here say search exploit um open ssh 4.7 and we know it's 4.7 p1 um and let me just check that one more time to make sure that i'm i've got that correct so it's open sh 4.7 p1 uh so you can see that yeah we do not have it looks like we can only perform username enumeration which is really not helpful because ssh is one of those protocols that you need to brute force to actually access so let's see if we can actually access this so i'm going to say we'll say ssh and we'll say let's try and access root we know that we have the username of msf admin that we can try and access and let's see if that works so we'll start off with msf admin at 10.0.0.8 and we hit enter and i'm going to accept and if we type in msf admin and hit enter you can see we can access the msf admin user but since we already have root access this is really not that that better as uh except for the fact that we're now dealing with ssh which is a much more stable and reliable protocol for establishing a remote session all right um so that is one way if we try and access the root user and uh you know we can try default credentials and try brute forcing which is also another way let's try and access telnet just to see if that works as well so we can try telnet um so telnet and sorry we can just hit the target ip right over here and you can see we get a banner with telnet and the banner tells us that we can log in with msf admin msf admin so of course this is not something you'd find in the in the world um looks like we got a bit of an error there so msf admin and we can log in with msf admin so again this is not something you'd come you know you'd come across in the world but i'm just taking you through the the typical methodology that you want to follow um so with telnet you can see we got a banner that gave us the password which again is something we might not get on our own but again if we uh if we try and use the ssh connection with the user msf admin and we type in 10.0.0.8 and let me just type in the password which is going to be a msf admin here you can see that we pretty much have access here and we list the id we get that as well if we list the files within this we can see we have a vulnerable folder which contains all the vulnerable web applications so again since we already have ssh access uh we can then use multiple scripts to gain access to the root user but we already have that the other thing we could do is we could try and crack the linux password so before we do that let's just see what version of ubuntu is running here because i we do know for a fact that it is running ubuntu so cat etsy issue the banner is changed if we try release uh you can see it tells us is running ubuntu 8.04 which is a very old version of buntu so you name our so there might be a lot of privilege escalation um exploits uh or privilege escalation uh exploits that we can run on the target so that's one method however if we take a look at the other services i'll just go through a few other services like smtp we can actually uh use smtp to enumerate usernames believe it or not so when performing smtp enumeration so what we can do is we'll use the smtp enum script which is i think you can actually install it by typing in apt install smtp tp enum is it called smtp user enum there we are so i already have that installed so to use it we say smtp uh user enum and then uh we specify the mode which in this case uh we have one mode that we can use which is verify um so let's actually use that so i'll go back here and we'll say v rfy and we then need to specify a user list so you we can specify that using user and then we go to the word list directory on cali which is under user share word lists and we can use the metasploit word lists which are great and we can then look for unix usernames or users.txt and we specify the target ip which is going to be 10.0.0 10.0.0.8 and we can hit enter and that is going to enumerate uh users and you can see that it tells us we have a few users that we might have guessed existed postgresql user the root user exists um we can also run a few other word lists like if we go under metasploit and let's see what other word lists we can use or the user list rather that we can use so let's look for user lists that uh that we can use here uh one of the most common ones was the one that we just used um so let's see if we can find one so we can use the root user pass here so that might be one that we can use our common roots so that is one we can use but in any case typically we can enumerate user names from smtp using the smtp user enum script or utility and this can be used to execute or or launch brute force attacks on ssh and remote access protocols uh it's very rare that you'll run into telnet once you know you have ssh running on the server so that is smtp and we pretty much already have established a foothold now in terms of performing vulnerability analysis on particular services like for example samba or smb and any of the other services that remain that's something that i want to cover when i when i will not be covering you know vulnerability scanning tools like nieces and and openvia an openvas or you know any of the other ones available and since we're not dealing with web applications particularly in this video uh we're going to skip through that and we're going to work through our system we'll be talking about uh you know post exploitation and cracking password so on and so forth all right so if we've already established a foothold on the system right so if we take a look at this you can see we have root access but in terms of passwords um you can see that if we list the the shadow file here because we are already logged in as the root user uh you can see that the password we we do not have access to right now so um we we can see that the hash is going to be of type md5 and that is denoted by the one option here and the strength of linux passwords it goes from one all the way to six one being the weakest which is md5 and six being the strongest which i think is sha 256 or sha 512 being you know almost impossible to crack so we can crack the root password if possible uh but one thing to note is we can also change the password so again i uh right now we're currently i don't know what session we're currently using right now this is probably yeah this is ssh here so again we can use uh the because i'm i believe we can use the msf admin user to execute root commands so we can say something like sudo password and then we can change the the password for the root user so we can say sudo password root and hit enter and then we can enter the password for msf admin which is msf admin and then we can enter a new unix password for the root user so again i can just i'll just terminate that and we're not going to change that however we can do that if we want so what i'll do is i'll just do that one more time and i'll change it to something simple like password right and the reason for that is i'm going to be covering how to crack linux passwords so um i'll just hit enter and we'll type in password one two three you know something a bit lengthy and we'll hit enter and the password has been updated successfully so let's say we we were in a particular scenario where you know we wanted to crack the root password um so of course we can and now we cat etsy um shadow uh let's see if we can access the shadow file so again we can use sudo cat etsy shadow and then we can copy all of this and we can then use something like john the ripper to actually crack this because this is using md5 here so um we'll say cat etsy shadow and we'll just copy this right and let me just see where we are here and we can actually use this right now so what what i'll do is um i will close this up and we will head over to our desktop here and i will say vim this is the shadow file or what is this this is the shadow file yes it's the shadow file shadow dot txt and i will then paste the results here and you can see we have ton of user accounts that we can crack we have k log uh msf admin we already know we have the postgresql service running here or postgres ql and then of course we have the user we have a user account a service etc etc so there's a ton of accounts that we can try and crack including the the root user so we'll save that now let's get the password file so again we can then say cat etsy password hit enter and this is just going to give us a list of all the user accounts so we can then use this um uh let me just look for where we typed this in so there we are this is right over here cat etsy password we'll just copy that and again vim uh we'll say password dot txt right and um we can then just hit enter here and i will paste that in there and and now what we're going to do now when cracking this apologies for that um when cracking this is uh we want to actually um we want to use john to to unshadow the file first of all and we're going to be cracking all the accounts so we're going to use john to unshadow the file and then we're going to be taking a look at um we'll then use john to crack it and the word list we'll be using is the raw keyword list so uh doing this is going to be very easy the first thing we need to do now given that we have pasted we've got both the shadow and the password file is we now need to we need to unshadow this file or both the files here so we'll say unshadow so on shadow i believe it comes pre-installed or pre-packaged with john so we'll say on shadow i will say password dot txt and shadow.txt and we'll export this to hashes or yeah we'll just because these are still hashes so we'll say hashes.txt and if we display the hashes.txt file you can now see we have um we have the hashes here and we can now perform the cracking so again to crack this it's very simple we just say john and john will automatically crack this so we'll say john word will automatically detect the type of hash we're dealing with so the world is going to be user share word lists and this is going to be rock u dot txt and that's done now and you can just specify the hashes.txt i'm going to hit enter and you can see it's going to start that and it's going to us it's going to automatically detect that the format is md5 crypt uh and immediately we're able to crack the the root user and that's because i changed it to demonstrate how you can crack these passwords and that's a fairly simple password to crack because again it's really not that complex so we know that the password for the root user is password one two three and it's still cracking the other the other passwords now this is going to take a lot of cpu power and you know any other hardware that you can you can actually assign to this and because i'm running this in a vm you can see looks like we didn't get any other password we we weren't able to crack any of the other password hashes so we can use uh some other word lists that are available to us so if we list a use share word lists and we use the metasploit directory here which has some very good ones we can use some some common ones here we can use the password list right over here or we can look for the unix the unix passwords are right over here we can use that so we can we can do that right now so we can say user share word lists metasploit and we say unix unix passwords passwords.passwords.txt and hit enter and we can just hit enter and we do not get any any other passwords for the other hashes so let's try a few other word lists that we can use here we can try commonroots.txt so we can try that right now so common roots and that dot txt and again that runs and it looks like we aren't able to get any other any other passwords for the hashes but we get the root user password so that is how to crack linux past now again based on the hash that you're dealing with the type of encryption you're dealing with some passwords will be nearly impossible to crack however uh i will be covering you know how to use tools like hash cat for you know a bit more intensive cracking using rainbow tables and stuff like that uh but essentially we can now you know say switch user to root and we can enter the password that we just cracked right over here so let me just do that one more time password one two three hit enter and we now have root access and again the objective of this video was to cover you know it was to give you an introduction to pen testing how to approach various services and i know we haven't talked about uh other service enumerations so again we can use for example for http here uh we can use nmap scripts to to perform enumeration so let me just exit here and i believe this was using metasploit so let me just terminate that and we'll say exit and we're back here so we can say nmap if i list these scripts using within the nmap scripts directory here and i'll pipe and we'll say http and we hit enter you can see we have a ton of http scripts that we can actually run some of the interesting ones that we can use are going to be http enum uh if i can find it right over here http uh let me just scroll all the way to the top here it's one of the scripts that will allow us to enumerate some directories here so we can run that script for example and again the reason i'm not covering all the other services because i'm going to be having individual uh other videos that you know will be dealing with this so uh port 80 and the script is going to be uh script is http enum and um 10.0.0 uh 0.8 and we can then just hit enter and that's gonna you know run the http enum script and we can also run all http scripts under the nmap scripts directory to test it for you know potential vulnerabilities so you can see it gives us all the directories here it essentially enumerates the directories that we already saw so we have tiki wiki phpmyadmin uh the document icons etc so if we want to run all http scripts we can say script and then we can say let's see http and we can use the wildcard option here and hit enter that's going to run all http scripts now this is going to take a while because as you can see from this listing here we have a ton of http scripts that again based on what they do some may be intrusive which i don't you know again if you are not ready to engage your target actively i don't recommend that you actually run some of them so we have ton of uh you know a ton of wordpress ones uh which i'll be covering when we'll be dealing with wordpress boxes but again enumeration of services is quite simple to understand and for the most case can be done using uh tools like nmap and of course if you know what you're doing with a particular protocol there's tons of ways you can you know you start enumerating directories stuff like that which we'll be talking about we'll be dealing with web app pen testing um so that is how to that is an introduction to pen testing as i said there's tons of other services here that we'll be taking a look at and for the most part our goal for this video was to get access and to get root access to the system we're not you know looking for any particular flags so that's going to be it for this video as i said this is just an introduction uh to pen testing on linux boxes we'll be covering a whole lot more to do with windows windows boxes web application pen testing and i would love to hear your feedback regarding what i should cover more especially in terms of enumeration post exploitation stuff like that because i think it's very important that students are introduced to this early so that you know they get a grip on it much quicker so again let me know your feedback in the comments section you can connect with us on our social networks on twitter linkedin and you can also you can also discuss or engage with us on our forum at hackersploitforum.hackerexploit.org and i'll be seeing you in the next video [Music] you

Original Description

In this video, I demonstrate how to perform service enumeration with Nmap scripts. The target box that is used in this video is Metasploitable2. Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. Metasploitable2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/ 📈 SUPPORT US: Patreon: https://www.patreon.com/hackersploit Merchandise: https://teespring.com/en-GB/stores/hackersploitofficial SOCIAL NETWORKS: Twitter: https://twitter.com/HackerSploit Instagram: https://www.instagram.com/hackersploit/ LinkedIn: https://www.linkedin.com/company/18713892 WHERE YOU CAN FIND US ONLINE: HackerSploit - Open Source Cybersecurity Training: https://hackersploit.org/ HackerSploit Academy: https://www.hackersploit.academy HackerSploit Forum: https://forum.hackersploit.org LISTEN TO THE CYBERTALK PODCAST: Spotify: https://open.spotify.com/show/6j0RhRiofxkt39AskIpwP7 We hope you enjoyed the video and found value in the content. We value your feedback. If you have any questions or suggestions feel free to post them in the comments section or contact us directly via our social networks. Thanks for watching! Благодарю за просмотр! Kiitos katsomisesta Danke fürs Zuschauen! 感谢您观看 Merci d'avoir regardé Obrigado por assistir دیکھنے کے لیے شکریہ देखने के लिए धन्यवाद Grazie per la visione Gracias por ver شكرا للمشاهدة #Pentesting#Infosec
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from HackerSploit · HackerSploit · 0 of 60

← Previous Next →
1 How To Install Kali Linux 2.0 On Virtual Box
How To Install Kali Linux 2.0 On Virtual Box
HackerSploit
2 100 Subscriber Q&A! - How I Learned Ethical Hacking
100 Subscriber Q&A! - How I Learned Ethical Hacking
HackerSploit
3 BlackArch Linux Review - Better Than Kali Linux?
BlackArch Linux Review - Better Than Kali Linux?
HackerSploit
4 How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
HackerSploit
5 Wireshark Tutorial for Beginners - Installation
Wireshark Tutorial for Beginners - Installation
HackerSploit
6 Wireshark Tutorial for Beginners - Overview of the environment
Wireshark Tutorial for Beginners - Overview of the environment
HackerSploit
7 Wireshark Tutorial for Beginners - Capture options
Wireshark Tutorial for Beginners - Capture options
HackerSploit
8 Wireshark Tutorial for Beginners - Filters
Wireshark Tutorial for Beginners - Filters
HackerSploit
9 Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
HackerSploit
10 Complete Ethical Hacking Course #2 - Installing Kali Linux
Complete Ethical Hacking Course #2 - Installing Kali Linux
HackerSploit
11 Parrot OS 3.5 Review | The Best Kali Linux Alternative
Parrot OS 3.5 Review | The Best Kali Linux Alternative
HackerSploit
12 Nmap Tutorial For Beginners - 1 - What is Nmap?
Nmap Tutorial For Beginners - 1 - What is Nmap?
HackerSploit
13 Katoolin | How To Install Pentesting Tools On Any Linux Distro
Katoolin | How To Install Pentesting Tools On Any Linux Distro
HackerSploit
14 Nmap Tutorial For Beginners - 2 - Advanced Scanning
Nmap Tutorial For Beginners - 2 - Advanced Scanning
HackerSploit
15 Nmap Tutorial For Beginners - 3 - Aggressive Scanning
Nmap Tutorial For Beginners - 3 - Aggressive Scanning
HackerSploit
16 Zenmap Tutorial For Beginners
Zenmap Tutorial For Beginners
HackerSploit
17 How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
HackerSploit
18 How To Setup Proxychains In Kali Linux - #2 - Change Your IP
How To Setup Proxychains In Kali Linux - #2 - Change Your IP
HackerSploit
19 How To Change Mac Address In Kali Linux | Macchanger
How To Change Mac Address In Kali Linux | Macchanger
HackerSploit
20 How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
HackerSploit
21 Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
HackerSploit
22 VPN And DNS For Beginners | Kali Linux
VPN And DNS For Beginners | Kali Linux
HackerSploit
23 Tails OS Installation And Review - Access The Deep Web/Dark Net
Tails OS Installation And Review - Access The Deep Web/Dark Net
HackerSploit
24 Steganography Tutorial - Hide Messages In Images
Steganography Tutorial - Hide Messages In Images
HackerSploit
25 The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
HackerSploit
26 Best Linux Distributions For Penetration Testing
Best Linux Distributions For Penetration Testing
HackerSploit
27 Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
HackerSploit
28 Gaining Access - Web Server Hacking - Metasploitable - #1
Gaining Access - Web Server Hacking - Metasploitable - #1
HackerSploit
29 Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
HackerSploit
30 How To Install Kali Linux On VMware  - Complete Guide 2018
How To Install Kali Linux On VMware - Complete Guide 2018
HackerSploit
31 Q&A #1 - Best Cyber-security Certifications?
Q&A #1 - Best Cyber-security Certifications?
HackerSploit
32 Terminator - Kali Linux - Multiple Terminals
Terminator - Kali Linux - Multiple Terminals
HackerSploit
33 Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
HackerSploit
34 Q&A #2 - Mr Robot?
Q&A #2 - Mr Robot?
HackerSploit
35 Metasploit Community Web GUI  - Installation And Overview
Metasploit Community Web GUI - Installation And Overview
HackerSploit
36 Linux Expl0rer - Forensics Toolbox - Installation & Configuration
Linux Expl0rer - Forensics Toolbox - Installation & Configuration
HackerSploit
37 QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
HackerSploit
38 Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
HackerSploit
39 Metasploit For Beginners - #2 - Understanding Metasploit Modules
Metasploit For Beginners - #2 - Understanding Metasploit Modules
HackerSploit
40 Kali Linux Quick Tips - #1 - Adding a non-root user
Kali Linux Quick Tips - #1 - Adding a non-root user
HackerSploit
41 Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
HackerSploit
42 Spectre Meltdown Vulnerability  - How To Check Your System
Spectre Meltdown Vulnerability - How To Check Your System
HackerSploit
43 Metasploit For Beginners - #4 - Basic Exploitation
Metasploit For Beginners - #4 - Basic Exploitation
HackerSploit
44 ARP Spoofing With arpspoof - MITM
ARP Spoofing With arpspoof - MITM
HackerSploit
45 WordPress Vulnerability Scanning With WPScan
WordPress Vulnerability Scanning With WPScan
HackerSploit
46 Generating A PHP Backdoor with weevely
Generating A PHP Backdoor with weevely
HackerSploit
47 Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
HackerSploit
48 How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
HackerSploit
49 Stacer - System Optimizer And Monitoring Tool For Linux
Stacer - System Optimizer And Monitoring Tool For Linux
HackerSploit
50 Kali Linux 2018.1 - Kernel Updates & Patches
Kali Linux 2018.1 - Kernel Updates & Patches
HackerSploit
51 MITM With Ettercap - ARP Poisoning
MITM With Ettercap - ARP Poisoning
HackerSploit
52 Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
HackerSploit
53 How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
HackerSploit
54 Channel Updates - How To Post Questions & Video Suggestions
Channel Updates - How To Post Questions & Video Suggestions
HackerSploit
55 Web App Penetration Testing - #1 - Setting Up Burp Suite
Web App Penetration Testing - #1 - Setting Up Burp Suite
HackerSploit
56 Web App Penetration Testing - #2 - Spidering & DVWA
Web App Penetration Testing - #2 - Spidering & DVWA
HackerSploit
57 Cl0neMast3r - GitHub Repository Cloning Tool
Cl0neMast3r - GitHub Repository Cloning Tool
HackerSploit
58 Kali Linux On Windows 10 Official - WSL - Installation & Configuration
Kali Linux On Windows 10 Official - WSL - Installation & Configuration
HackerSploit
59 DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
HackerSploit
60 Web App Penetration Testing - #3 - Brute Force With Burp Suite
Web App Penetration Testing - #3 - Brute Force With Burp Suite
HackerSploit

This video teaches viewers how to perform service enumeration using Nmap scripts on a vulnerable Linux virtual machine, and covers various tools and methods for penetration testing. It is essential for cybersecurity professionals to understand these techniques to identify and exploit vulnerabilities in systems.

Key Takeaways
  1. Configure a NAT network in VirtualBox
  2. Set up a virtual hacking lab in Kali Linux
  3. Use the net discover tool to scan a network range
  4. Run an aggressive Nmap scan
  5. Perform an anonymous FTP login using the ftp-anon script
  6. Retrieve FTP server information using the ftp-syst script
  7. Run the ftp vs ftpd backdoor script against the target
  8. Use Nmap with the sv option to enumerate the service version
  9. Search for the exploit in the exploit db database
💡 Service enumeration is a crucial step in penetration testing, and using tools like Nmap and Metasploit can help identify and exploit vulnerabilities in systems.

Related Reads

📰
Best Cyber Security Diploma Course After 12th With Certification
Learn about the best cyber security diploma courses after 12th with certification for a career with excellent growth opportunities
Medium · AI
📰
Best Cyber Security Diploma Course After 12th With Certification
Learn about the best cyber security diploma courses with certification after 12th grade and kickstart a career with excellent growth opportunities
Medium · Cybersecurity
📰
You migrated to post-quantum crypto. Is the implementation actually conformant?
Ensure post-quantum crypto implementation conformity with FIPS standards using Quantakrypto's sieve tool
Medium · Cybersecurity
📰
HTB Space Explorer Writeup
Learn to exploit flawed authentication logic in a cybersecurity challenge, Space Explorer, on HackTheBox
Medium · Cybersecurity
Up next
Best VPN for Mac 2026 — Top 3 Tested and Which ONE Wins
Tutorial Stack
Watch →