Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
Key Takeaways
This video covers the basics of scanning tools and tactics in cybersecurity, including the use of Nmap, Nessus, BurpSuite, and Metasploit for network scanning, vulnerability scanning, and web application security testing. The video also discusses the importance of enumeration and exploitation in penetration testing.
Full Transcript
Shalom, Shalom, how's it going everybody? Starting a little early, a little early. I'll do a little chit-chatting until the rest of the people get here. I don't know if I'm a man, myth or a legend, but I appreciate the comments. Mmm, I'm tired already, we haven't got started, trying to drink some energy drink here. I'm dad, I'll be your dad, I'll adopt you, J Delta, even though you break my stuff. We'll try to start right at 8:00 tonight. I guess it's not gonna be too jam-packed, we're actually gonna have a pretty chill chat, I hope. What's up sick in the mind, how you doing? Nikto, oh yeah, Nikto is gonna be on the schedule, you know. And well, that's awesome. I feel like I know somebody that used to work with him. Does he, did he at one point work at GE, does that ring a bell? Harvey a sec, hey Rory, you know I applied to talk at Harvey a sec and I'm an idiot and submitted a 30-minute talk; the guidelines are that it's supposed to be an hour. So everybody I know that submitted got picked up, which is cool, a couple of my ex-co-workers got picked up. I mean, I could turn my talk into an hour, but I definitely submitted. I talked to my ex-coworker today, he said you need to message this Jake guy, somebody is a Jake or info at, and talk to them, but I haven't done that quite yet because I haven't gotten the reject. Yeah, I've just gotten the, I'm in the waiting period. I feel like they're still waiting to see who accepts and who rejects, and they may move on to some other ones. I feel like I'm in that waiting period on the other ones. You could put in a good word, I'd love to come up to our be a sec, I'd be in debt to you. All right, we're gonna get started. So, as always, a little death by PowerPoint, not too bad, I've got three slides tonight, I swear it's getting smaller and smaller as we go. Let's see where we got it, and this is one out of three slides. So tonight's agenda: we are going to be talking about scanning mostly, so we're gonna be doing some scanning. In order to talk
about scanning we need to talk about some protocols. Those protocols are TCP and UDP; we're just gonna briefly cover what those are. We're gonna talk about the 3-way handshake, which is important because you need to know how we're scanning in terms of stealth scanning with nmap and how that works out. So something you might see come up in an interview: they may ask you to explain the three-way handshake, or to explain how a stealth handshake exists or stealth scanning exists. So after we do that we're gonna go right into scanning tools and tactics. Got quite a bit of tools, so I want to cover for you tonight some that I don't see covered a lot, like Burp Suite in terms of scanning, just show you some of the benefits of Burp Pro and kind of go from there. But you'll also see Nessus. I was going to show you my Nessus Pro, but it looks like they actually have a free version out for 16 or less hosts, so I'm just gonna show you that, and we're gonna learn how to install a bunch of that stuff. Of course we're gonna cover nmap, we're gonna cover some Metasploit, we're gonna get into your first lesson or introduction to Metasploit, which is a tool we haven't seen yet but we will use a lot. So we'll cover quite a bit. Okay, let's talk TCP versus UDP real quick. So when we do port scanning, typically we're gonna be scanning on the TCP side; however, it would be incorrect of you to not scan the UDP side as well. There are some tools that only run on UDP, some protocols that only run on UDP, that would be important, that you would not want to miss if you're doing some scanning. So when we talk about TCP, TCP is connection-oriented, it has a handshake, right? So we're talking about that three-way handshake, so we're going to talk about that, we're gonna see a live view, we're gonna use Wireshark tonight and see what that looks like. And it's used on applications requiring high reliability, so some examples of that would be HTTP, FTP, telnet, anything that you would need some sort of connection
to, right? On the other hand you have UDP, which is connectionless, it doesn't have a handshake, and basically it's used on applications that require a fast connection, so DNS, DHCP, SNMP. Really, we don't need high reliability for these protocols, right, we just need some sort of fast connection. So with that much said, we're gonna cover TCP and UDP, UDP more in depth, as we go along. Let's just get right into it. So let's kill this. I've got my Kali session up here, we're gonna go fullscreen. The jokes, I love the jokes. And I realized that I just did that whole PowerPoint presentation and didn't switch the screen, cuz I'm a terrible person, terrible, I'm off my game tonight. You don't need the PowerPoint, I'll throw it up for a quick second though just so you guys can see. There's the cute little chart I made for you guys. Yeah, I'm a pro streamer. So here's your little chart if you need to see that, you could pause the video later on. Cheers. Okay, so now going into our lesson. First we're gonna talk about the 3-way handshake, and to do that we're gonna open up Wireshark. So let's do wireshark and let's chuck in an ampersand after that, and we're doing this just so we could start up a process and run it, and if you get an error that's completely fine. No, that link isn't valid, I realized that I need to change that link, sorry guys, here, I'll shoot you a Discord link right now. I've made some minor changes, actually; if you go to the website, you can get the Discord link right off the front page, if not I'll send it out later. Okay, so we're in Wireshark. All we're gonna do here is just hit start capturing, make sure you're on your eth0. You're gonna see a bunch of stuff starting to come through, but this is UDP protocol; we need to make some sort of connection. So what we're gonna do is we're just going to go out to the interwebs and we're gonna just go to a website, our favorite, probably tesla.com, right, from last week. We'll make that connection, okay, and it came through in
here, there we go. Okay, so my guess is that 172.217.164.7- is the Tesla website, just on a hunch. So when we're using Wireshark, what we're doing right now is intercepting traffic, if you've never seen that; we're just kind of listening in and capturing all the traffic that's coming through. So when we talk about this TCP handshake, we're talking about a process that goes SYN, SYN-ACK, ACK. So what happens is, over TCP, you see right here where we're starting, you see my IP address of 192.168.0.1 to nine is reaching out to this destination and saying hey, I want to connect to you. So this is what is considered a SYN packet, we send a SYN packet out. Now the application reaches back out to us and it says hey, I see a request and I'm also going to acknowledge it, so here's the ACK, and this is where SYN-ACK comes from. Once we get that acknowledgment we know hey, that port is open, we can make that connection. We're gonna go ahead and send an ACK back to the client one more time here and we're gonna say okay, the client says hello, meaning we've fully established that connection. So when we do scanning we're gonna be using nmap. Now nmap works a little differently; by default it's running something called stealth scan, and you might have seen it as something like -sS, right, with the stealth scan in the past. We don't have to use that anymore, somebody here taught me that a few streams back. So when we do a scan here, let me open up just a little Leafpad. We did the original, right, we did a SYN, we did SYN-ACK, and then we did ACK, okay. When we do stealth scanning we say SYN, the port comes back and says SYN-ACK, and we send a message out that says RST, for reset; basically we say just kidding. Now this is no longer that stealthy, maybe it was stealthy back in the day, it gets picked up, but this is the most common way of scanning, is sending that reset. So what we're doing is we're reaching out for connection, the client says yeah, that port's open, I'll let you connect, and we just say hey, just kidding, I don't
want to connect, but nmap will come back and it'll say okay, well, that port's definitely open, so here you go, I'm gonna report on that. All right, J Delta, I will, I'll get ahold of you after that, I'll message you somewhere. All right, okay, so let's go ahead and look at our first scanning tool. So the most common scanning tool you're gonna be seeing is going to be nmap; it stands for network mapper, I believe, and we can just type in nmap like this, do --help, and we can see all the resources, and let me blow this up for you guys here, we can see all the resources that nmap has to offer. So I'm already seeing it come through in the chat, people have their ideas of what they like to run, they run different things. I'm gonna show you The Cyber Mentor's method; it is not the best method, it's not the worst method, it's my method, right? So you might see some other ones come through, check them out, find what works for you. I'm gonna give you some tips and tricks and ideas that I like to think about, and you can kind of take my ideas and go wild. So when we're looking through here we've got a few things that we can do: we can do a ping scan, like a port or a ping sweep; you've got a few things like this capital -Pn I've used before just to treat all the hosts as online. Really, where we're curious about is scanning techniques; the most common, like I talked about, is the stealth scan in here, but they've got quite a bit that you can search from. Same thing, the UDP scan has its own flag, they've got some special ones like the Xmas scan that's in here. So really we're gonna focus on just my syntax, but if you need help with syntax you can come through here and look at some of this stuff. One of the more important ones too is this output: if you want to save your stuff to a file, a -oN will put it out to a normal file, or a txt file, you could do a -oA to put everything out to all the formats, and we'll talk about that in just a little bit. Somebody asked is there going to be a Q&A session after the
course? Yes, there will be a Q&A session. All right, so what I'm going to be doing is I'm going to be scanning an IP in my network, and then later on we're gonna be attacking Tesla again, staying in scope of course. So first and foremost we need to find what IP addresses might be up in our network, so we're gonna do what is called a ping sweep. If you remember from the first video, we built out our own ping sweeper, and you'll notice that when we use nmap's ping sweep, sometimes it's not all that reliable. So I'm gonna just sweep my whole network, something like this. So all I'm saying is nmap -sn, I like to think of -sn as sweep network, I don't know what it stands for, and then I put in an IP address here, and all we're gonna be doing is sending out those ICMP packets and saying hey, are you up? And we're gonna go ahead and send that out; it should be relatively quick. Some of these we're gonna let just scan off, right, and they're gonna take some time. Okay, so if you look at how this looks, it says everything is up, right, .242, .243; I don't have this many devices in my network. I do know for a fact .254 is up because .254 is my router; you guys can see that I'm on lovely AT&T here. Somebody said if you don't understand the /24 after my IP, speak up, you are more than welcome to ask about that if you need; I have a video on subnetting and CIDR notation that you can watch, but the prereq to this course is some basic networking knowledge, so hopefully you all get that. Okay, so for the purpose of this video I'm gonna be targeting my router sitting here at 192.168.1.254, so I'm just going to run, by default, a very very very basic scan. This isn't the scan that I would run normally, this is just a show of proof of concept, okay. So I'm running nmap, I'm running this -T4 thing, and then I'm putting in an IP address, okay, I hit enter and it's gonna do a scan. So I didn't put in some important information, and we're gonna develop and build our nmap scan as we go. Some important information that's
missing, well, let's talk about what's here first. So we see the -T4; the -T4 is a speed, so we can put -T1 through -T5. Now -T1 is very slow, -T5 is incredibly fast; the faster you scan, the more likely you are to miss something and perhaps be detected, but this isn't really the stealthiest of scanning as it is. Another thing that we didn't enter in is we didn't enter in any ports. So there is a switch of -p, when we want to use ports, that we can define our range; you know, there's 1 through 65,000, I don't know the whole number, but when you have that range you can define it. But if you don't define it, then all it's gonna do is search through the top 1,000 common ports. So we just searched the common 1,000, but if I do just the common 1,000, somebody said 65 355, thank you for that, so if we search the top 1,000 we're gonna miss quite a bit. What if I got an open port on this router or this machine that's sitting at like 47,000, just as an example? If I scan the top 1,000, I'm gonna miss that. So you're only hurting yourself if you don't scan every single port in the TCP range. So we are scanning TCP right now, we're gonna be covering UDP here in a minute; 65,535 is actually the answer. Okay, so what we have done is we've found at least what kind of ports are open, and we can start building information here based on what we see, right? Well, we're running DNS, okay, we're running a web server, we're running an HTTP web server, we've got some filtered shell here, and filtered rpcbind. When it says filtered, you know, I'm not certain that that's actually open; it could be a false positive, or it could be open but it truly is filtered and we have no access to it. So looking at this I would probably want to scan this more in depth. So when we're looking at it, let's start adding some things that may add depth to this. Now I'm gonna show you, just as a time-saver, the method that I use typically for Hack The Box or for anything, even if I'm doing a quick scan while I'm in a network; this is pretty much my
all-inclusive go-to, have it memorized, etc., and it's not very complicated at all. So my scan looks something like this. Now I'm gonna hit enter on this; this will take who knows how long, this could take over an hour depending on how long it's going to scan, and we're gonna talk theories and methods here in a second on how we can improve upon this. Okay, so what I'm doing here is we're doing nmap and we're doing it with that -T4 scanning, right, so the -T4 is the speed. I like to use -T4, I don't usually use -T5 or -T3, I just, I've learned on -T4 and it seemed to work just fine for me. This -A, now this -A is for all. Now if we scroll back up through my whole list here and we go back to the --help, if you look at -A, -A enables OS detection, version detection, script scanning and traceroute. Basically what we're doing is we're doing a lot of these that are already in here, like a -O, that's OS detection, so we can aggregate a lot of what we're finding here into one switch of a -A. So basically all I'm asking for is as much information as possible, and then I put in a -p for port, but if I cap it off with another - like this, -p-, then I'm asking for all ports. Now you could write this with the -p and then throw in a specific port, which I'll show you here in a second, but in this instance I like to scan every single thing on TCP. And then I put in the IP address and that's what we're gonna scan. Let me go ahead and open up a new tab and we're gonna talk theory. Okay, actually let's look at this here. So I scanned this network and I scanned the top 1000, and then we came down here and I scanned this network and I'm scanning intensely; this -A is intense, right, we're doing quite a bit of heavy heavy work here, we're doing it against all ports and we're scanning here. Now what we're looking for is a way to maybe improve upon the scan, and the tactic that we can use to improve upon the scan is something called staging. When we talk about staging, we talk about first scanning quickly and then scanning more
technically, right? So I would want to do something, instead of running this, let's just copy this and let's talk about how we can improve, and we'll do a theoretical little Leafpad here. Instead of doing this first, what if I said I just had nmap -T4, ports, okay. -A is not all ports; -p- is all ports; -A is all-inclusive, more so than just OS version; -O was OS version, okay. So when we come into here, and since there's some confusion from the chat about -A, let's go back to help: -A is OS detection, version detection, script scanning and traceroute. There are individual things in here for that: there's OS detection, right, -O; version detection is -sV; so it kind of combines a lot of these probes that you would see in some other scans, -A just does it all for you. Now -A is doing four different things at once, which is heavy lifting, and this is what we're talking about, the heavy lifting. So when we talk about staging, what if I were to scan like so: let's say I scanned with this syntax, right, I scanned the -p-, I scan all ports, the -T4, but I didn't include this -A, so it's not as intensive. Well, let's just copy this here, let's say that it returned this scan here, we see these ports, okay. So if I come in here and I want to get a detailed scan, it would make a lot more sense to me that instead of putting the ports here of all ports and scanning every port in depth, you'd want to stage it out, right? So instead, maybe 53, 80, 111, 443, 514. So if we scan everything, it's going to take a lot of time; if we scan the five ports that we found open, it's going to take significantly less time. So if you're working on like a capture the flag or you're working Hack The Box, you're doing some sort of race against the time, this is probably the go-to. Now I will admit to you that I often come through here and I just run this really quick when I'm running a scan; there's nothing wrong with this, it's just tedious. Now for those of you who are overachievers, we can make this even better. We could do
something along the lines of taking this, right, and we'll come down here, and what if we put it into an output of all, -oA, and you just say whatever, you just give it a name of client, right? So it'll give you a client.txt, the client.xml. Let's see what the output all gives you; gives you three major, so a .txt, an XML, and a script kiddie, script kiddie and grepable format, so it gives you four, it looks like. Well, it says three major; I don't think the script kiddie's a major one. Okay, so it gives you those three, right, and you can take these results now that they're stored; again, they come out and they come into these files. Now you could build something that says okay, we'll find the results that come out of this scan, in particular looking for this client name or whatever we entered in here, could be a dollar sign one for a variable or an entry, right, that we talked about in previous weeks. You could take that logic and you can say grep through a file, search through a file for all open ports that you found, and then append those into this list here, and then search. So you could do your own staging script to make this work. These are just some advanced thoughts; we're not going to get into that today, but these are things you should be thinking about, is how to stage, how to improve, in ways that you can just do things a little bit faster. So in my job we have something that was built before my time, but basically it does something similar to this, and then it goes out and it runs a bunch of if statements, right? So say for example it says if port 80 is open, I want to run Nikto scans on it, I might run some kind of DirBuster or dirb on it, and we'll talk about those tools here in a little bit. But you can start adding and chaining more and more and more and build out these scripts to where you're letting it do all the work for you; this is where scripting becomes super powerful. So, food for thought. We're gonna move on. Okay, so you can pretty much hit any button, I typically hit the up arrow
when I want to check on my scan. It says we've got 33 minutes remaining; we'll see how long that actually is. You could also do a -v for verbose, and there's a status update every so many minutes, one here as well, I forget what that one is, I never use those. So the question is from sick in the mind that you've got a script that's similar to this and you want to share it; you're absolutely welcome to share it, save it for me too and I'll share in Discord if you don't mind. Okay, gonna take a drink real quick. What kind of drink? I've got a Monster, cuz I'm tired, I don't sleep. Okay, so we've talked about scanning the TCP side of the house. Question came in: what's the difference between -A -p- and just -p-? Okay, so -A is the all, it's the intense scanning, right, we're intense scanning all ports, so 65,000 ports here, we don't know if they're open or they're not open. Now when we're just scanning the -p-, we're not doing it intensely, where this will be much quicker because we're not doing the -A; the -A takes a lot more time. So that's where the theory comes in, that -A on a few ports that you find, as opposed to a bunch of ports at once, will save you quite a bit of time. The -A affects everything you tell it to scan; the question is does the -A affect all ports, it affects everything you tell it to scan. All right, little sidetracked here, so let's talk about scanning with UDP here. So you've seen the -sS, we don't have to use it anymore. So if you wanted to scan UDP, the syntax looks something like this, at least in my case, and you could pretty much hit enter here. I never use -T5. Never. Okay, so UDP is highly unreliable, UDP takes forever, as somebody already said, and there's a big reason behind my syntax here: I did not include the top, or I don't know, I did include the top 1,000 ports, as you can see, it said we scanned a thousand ports. If we were to try to scan 65,000 ports on UDP, it would take hours, just hours. So also there's a lot of false positives that come up; you really
can't trust a UDP scan. Not to say that UDP scans are not important, you can find some interesting information on that side, but typically they're hard to trust, right, and they're time-consuming. Basically when I'm doing scanning I let Nessus try to find that; if Nessus can find interesting information like SNMP that has a public community string, things like that, that could become really fun if we can find some things on UDP. Just know that 95% of your work's gonna be on TCP; however, if you're taking something like the OSCP or you're doing Hack The Box or even a real-life environment, you should not neglect UDP, because there will be something there and if you miss it, you're gonna miss it. So just know to look under all the stones, don't just focus every time on TCP or you're gonna miss things. All right, other than that, one more thing with nmap I want to show you, then we're gonna move on. So if we ls /usr/share/nmap/scripts, now this is all the scripts that are available to us via nmap. We have a script feature that I'm going to show you; we could pick any one of these scripts, or we can do a dash all for these as well, to try to do some vulnerability scanning, some really cool stuff in here if you look through it. I use some of these from time to time; there's one that I really like to use and I'm going to show you, but say for example you think that there is EternalBlue running on a computer, you see a Windows 7 machine, it's got SMB, you have a hunch, right, you have a hunch that EternalBlue's running, and if you don't know what EternalBlue is, that's fine, just say you have a hunch on the vulnerability. This vulnerability specifically is MS17-010, and you want to know if the machine is vulnerable, if it thinks it is; you can grab the script and try to run it and see what nmap thinks. There's quite a few things, if you just scroll through here, I couldn't tell you what 90% of them do, but a quick Google on something in here might help you, and that's where it's going to come in
to enumeration. We're gonna talk about enumeration next week, and this becomes way way more important. So we're going to use one script just for the fun of it, and this is a script that I use on pretty much every web app assessment. The path is /usr/share/nmap/scripts; I don't know what Voldemort info NSC is, you can check that out and let us know. Enumeration is the most important thing you'll ever need in your hacking career; if you cannot enumerate, you will not be successful as a penetration tester, it just comes down to that, honestly boils down to that. People want to jump right into the exploitation, but if you cannot do the research, you cannot look around, you're gonna have a lot of problems. All right, so let's use one of my favorite scripts. So I like to check for ciphers when I'm doing a webpage assessment; I like to see what kind of ciphers they're running. Typically you're not gonna find anything that's gonna be super exploitable; most of the cipher exploitations require some sort of man-in-the-middle attack, you're not gonna get that lucky, but it's good for reporting, right? So what we can do is we can scan, and let's just look at, let's do port 443, and the script is, we just do --script like this, we could say equals. Now if we wanted to run all scripts against a host, and I do not recommend doing this against the host we're about to use, but you can do it on your own or against a Hack The Box or VulnHub if you want, you can do equals all, it'll run all the scripts in that folder; that'll be some time consumption. The one I like to use in particular is ssl-enum-ciphers, just like that, and we're gonna go ahead and just say tesla.com, hit enter. This is gonna sit here and scan tesla.com for all the ciphers. What it's gonna look for is all the ciphers; it's going to give you a rating on all the ciphers, and then it's going to give you the least strength of a cipher. If you look at this, you can see that Tesla does a very very good job of keeping their ciphers up-to-date, and it
shows what returns back on all of these. So everything looks like it's TLS, it's got all the different types of ciphers, and the key of least strength here, I mean, we're still dealing with an A, so very very impressive on their behalf. Usually you see something in there that's a C or a D for a lot of websites that you look at. So, but yeah, that's scripts. There's also tools on the web that can do this, but just know that nmap is fully capable of doing a lot of things that you can go out on the web for. All right, that is all I have for nmap; we're gonna move into other products now. Let's go ahead and download Nessus. We're gonna need to spend some time with Nessus and get that running, that way we can do a scan and work on some other tools as well. So I have intentionally not downloaded Nessus on this machine. Let's go ahead and go out to the website here, I'm just gonna go Google Nessus Home; there's a free home version out there now. You do need to put in your name, first name, last name, email address to register. I'm going to use random stuff here because I have an activation code somewhere floating around here. Just register; once you register it'll give you the option to go to the download page, go ahead and click download. I need to grab my key real quick while we're talking. All right, so what we're doing is we need to download, we're using Debian, right, Debian, Kali, so we're gonna download our Debian file here. Just click on this button, agree to their terms, save the file, let that download. Some of you may have slower connections, so I'll give you a minute, and then I'm going to pull up my key as well. Uno momento. Okay, so let's go to our Downloads folder, wherever you downloaded it, ls, should be in there, right, we've got the Nessus file here. So if you've never installed a .deb file, here we are going to do dpkg like this, -i Nessus, and I downloaded the wrong one because I'm an idiot, so give me a second, I downloaded the 32-bit, don't be like me, there should be a 64-bit
floating around somewhere, or I could be way off base here. There it is, a little bit down the page, guys. All right, let's try it again: dpkg -i, and that's this, and we are using amd64, okay. Now this is installing, this will take just a second, and it's done. All right, so you can see it tells you to start your Nessus scanner by typing in this /etc/init.d/nessusd start; we covered what that does in week one, right. And now we're going to navigate out to https://kali:8834; this is pretty default, you can also use your localhost if you'd like. Add the exception, confirm the exception. All right, you can create an account now, and we're installing the Home, Professional or Manager; we're going to use the activation code that we downloaded, and that's not it, I can't copy-paste to this workstation, I forgot about that, so we're gonna type it out the old-fashioned way. Bonus points if you can steal my activation code. All right, setup's complete. Yep, this is gonna be a long part, so we're gonna actually skip around, bounce around here for a minute while this is going. Print screen, you can have this, this one, this is the Home version, thanks to the sub, Po, and I appreciate it. Okay, so this will take a minute, and let's check on our scan over here; we're still at 25 minutes, and 17 minutes has gone by, but we've only lost eight minutes, which is not a good sign for us. You want to hack Facebook? You need social engineering for the most part; there's other methods, that would probably be your easiest route. All right, while we wait we are going to look at Metasploit as a tool. It is a fantastic scanner of all sorts; we're going to be talking about using its port scan feature, which I don't really use, I'm just doing it as a proof-of-concept, but we're gonna talk more importantly about the auxiliary feature and the fact that there is a scanner in Metasploit. I will open this, thank you for sharing that, I appreciate it. Okay, so in order to start up Metasploit we're gonna just type in msfconsole, not in all caps, that's bad. This will
also take a quick second to spin up, depending if it's your first time or not; I don't even know if this is our first time on this machine, it may be. Okay, so there are quite a few different features for Metasploit, I think there's five different module types, I'm not sure how many module types there are. The important ones to know are that there's the auxiliary, which is kind of like your beforehand, like your enumeration, your scanning; there is the exploitation, which is exactly what it sounds like, the exploit modules; and there's post-exploit, which are things you can do once you have a session. So we'll be covering all of these, if we need to, as we go through the course, and you'll get it to work. Okay, so now let's just go ahead and we're gonna type in the word use; actually, I'm gonna show you a search first. We're gonna search portscan, and you can see there's a few different port scanners in here. If you look at auxiliary/scanner, so it kind of goes by category, right, the first category is auxiliary, the second one is scanner, and then it tells you what it's going to do; well, this is on HTTP and this is a WordPress pingback access. The one we're looking for is, we want to do a scan, right, we can either do a TCP scan or a SYN scan, it's got a bunch of different ones here, and we could just copy and paste this. So we're gonna say use, we'll paste this in here. A couple things we can do here: if we want to find out what a module is all about when we go into it, we can say info; gives us a little bit of information on it, so it says the TCP SYN port scanner, tells you who it was built by, and it gives you some of the basic options. Description here is enumerate open TCP services using a raw SYN scan. Now we can also just type in options; doesn't give us the whole shebang on the description, if you already know what you need, then we just kind of want to see what options we have. It's important to look through these and see what's already set and is required and what you still need to set. So if we look,
this is scanning 1 through 1,000 on ports we might need to change that if we don't want to it's scanning no our host right now so our host is the remote host we need to be able to set this the number of threads if we want to increase them or a threading that we do here to increase the speed of these scans we can it looks like they've got delays batch size etc importantly what we're just going to be doing for basic syntax right now is we are gonna say set and then ports and I'm just gonna change it to 1 to 65535 and then we're gonna set in our host so set our hosts and we're just gonna say 192.168.1.254 so you'll notice as we go along that there's our host and there's our hosts our host is when you can only supply one address in the situation where you see an S on the end of it you can apply multiple you can apply arrange some sort of Sider identifier as it says here we were just going to be scanning one address which is absolutely fine and we can type in now run or you can type in exploit if you want to feel cool and this will start scanning as well now all this is gonna do is tell you if a port is open or if a port is closed and with all this traffic going to my router if I deny myself service it was nice knowing you guys will see what my my router can really hold up to okay I'm actually gonna kill this just want to show you proof of concept on how to run something in here most importantly though if we go back to use let me just double tab there's 3800 possibilities ah now we won't do it will do auxilary and then we'll double tab there's still a thousand auxilary all right so if you come through here you can see all the different types of things that it does auxilary admin you just hit space auxilary denial of service windows auxilary fuzzing gather information gathering here scanning all kinds of stuff there is so much that Metasploit can do it's amazing what you want to know and hit q if you want to get out of this situation that you're in what you want to know 
is what you're looking for so say for example we found a tomcat server and this really falls under enumeration that we're gonna cover next week but say we found a tomcat server and we're looking for exploits you want to narrow it down just like search tomcat okay then we can see what kind of things we have to maybe work with tomcat administration tool default access there's a directory traversal there's a denial of service there's Tomcat and user enumeration there's a manager login there's a bunch of stuff in here so you might have to do some research as to what they are and that's all part of the enumeration let's go back and check on our necess see how far we are oh we're logged in nice okay so we get to scan up to 16 devices in our network perfect or only scanning one at least I am you can scan as many as you want now you can see what kind of what kind of things are prevented from being scanned here a lot of this has to deal with compliance and auditing so if you don't have the pro version to do compliance and auditing it's fine most of the time we can use this basic network scan you can also dive around in the advanced skin if you want and see what that's like I used to use the advanced scan pretty heavily and now I've gone to just the basis skin so I feel like it still catches everything that I need so on this tab we've got our settings which we're going to be setting here in a second we've got credentials if we need to send an authenticated session say SSH or Windows and we want to scan internally on a machine we can supply credentials and get a little bit more information out of that machine and then there's also different types of plugins that we have that we can run for you can see all the different types of things is looking for it tells you plug-in information as you click on it so it's looking for example for Cisco it's looking for a vulnerability in the iOS firewall it tells you more information so these are the plugins it's best to keep your plugins 
up to date if you can so that you're scanning the latest and the greatest so typically when you're doing a penetration test and you're you're scanning at least on the external side you're not going to be given credentials they're trying to make it as realistic as possible even if we're on the internal side typically not given credentials the only time we're ever really given credentials is for web apps and that's a whole different story and a whole different beast so we have to earn our credentials and we're typically this is more for like an auditing purpose or I've used this in the past when I've been in other role to run em apps can fully onto a system so when we look at this this basis scam let's just give it a name you can name it whatever you want I'm gonna name it my first scan and I tend to just copy and paste that into the description as well it gives you a folder you want to select I just leave it as a default my scans and then lastly we need an IP address that we're going to be testing which for me is 1.25 4 now you can do all sorts of things you can do 192.168.1.0 /se 29 or or whatever here and you can do like Tesla comm you can set all sorts of different methods here as long as you're separating by a comma okay we can enable a schedule if we want this is a trick if you want to get your scans going at 8 a.m. if you know you can start your work at 8 a.m. 
a nice little trick is to have your scan email started or your pen test beginning email starts so typically we send out an email that says hey we're about to start a pen test just letting you know usually that goes out at the beginning of the day and at the end of the day it says hey we're we're stopping pen testing for the day so you could schedule an email to send out at 8 o'clock and you can also schedule your your scan to start at 8 o'clock as well so that they both start and you're doing doing a little bit of automated work all right so no schedule here you can also notify yourself if you wanted but you need SMTP setup discovery so the scan type by default is port scan on common ports we're gonna change this to port scan of all ports you see that it's going to use a syn scanner if necessary it's going to use net staff credentials are provided we're not going to do that using fast network discovery TCP ARP and it's going to try ICMP twice to find discovery this is very loud this is a so we are loud intentionally that's almost the the whole part of being a penetration tester versus a red teaming right we are intentionally loud we want you to see our scanning activity we want you to know we're there because we can help you tune your sim it can help get your blue team in line and if you're not seeing this these scans what else are you missing right so if you're not seeing the very loud scans that's absolutely gonna be a finding on a report so it's it's important as a pen tester to try to be loud to at least help the blue team you know catch some things and see what they're missing what they're not so we're gonna go ahead and say port scan all ports and we come in here I typically leave this default I have in the past scan for web vulnerabilities complex but if you're doing a network external it's really not important to even internal to be scanning for web vulnerabilities on the complex side unless you're doing a web app of some sort so we've talked about this in 
previous streams but I'll mention it here when we're doing an external assessment and it has a website like safe port 80 or port 443 s open which is kind of common your your job is not to be looking for issues with the website unless there's something that is particularly like out of place like if you're if you go to the website and it has a login screen then maybe you'll try to do password spraying like we talked about last week or you'll do credential stuffing like we talked about last week or you might try sequel injection but you're not going to create an account and go in there say hey can I find cross-site scripting you know what kind of headers are running on the server your your jobs not to do a web up assessment for that or else they're going to pay for web up a Cessna right there are two different things so what we're looking for is if it provides some sort of easy access via the web ok well that's kind of in scope if you're you're sitting there looking for specific vulnerabilities on the website that's really kind of out of scope so if we're doing network pentesting which is what we're focusing on we're gonna leave the scan type set to default you have override normal verbosity this is all default this is fine the advanced side let's see what's in here scan lobe if bandwidth links I just leave this to default typically we hit save and then you come to this screen where it says my first scan you hit this little launch button and launch off the scan what can you do with your points you want a t-shirt I don't have any t-shirts but well we'll have a raffle here soon enough I don't think you were around for the first raffle were you check this guy while we're at it too so another fifteen minutes have passed and we've actually only gone down about a minute so when I say network pentesting what I consider that being called host system pentesting yeah host or system pentesting is another way to say it donate for stickers I do have stickers I owe you a sticker 
ion but I emailed you never gave me your address so you don't want to sticker that bad nobody wants my merchandise all right so with our necess scan you can click in here and kind of watch it as it goes you see we're at 0% right now and you look at the vulnerabilities it's got a count of four it's starting to find some stuff like I found 53 I found 84 4 3 ah 10 9 9 9 I found an open port so it's got it's got some things here right and this is what these are the kind of things that we miss when we just scan with the Li top 1000 right so critical to just scan everything you can't now we're gonna let this run it's gonna be a minute it may even take the whole time what we'll do too is if we run out of time or whatever it is we'll go ahead and just check back in on the scans during the AMA and see if we can find any information because this guy is running slow all right so while we wait on these two guys we are going to do some web scanning so there's two really popular web scanners one is free one is kind of free so the popular is nikto and that is built into everything with with nmap here so it's built in or not mm sorry it's built into Kali and we're gonna be running nikto against tesla so go ahead and pull up Tesla if you want you don't really have to we're gonna close we're gonna exit out of this and you can run nikto from anywhere just type in nikto and if we hit enter it should give you some information okay we didn't specify a host that's fine see if we do a nikto - help like this same same stuff unknown feature a - H is for a host so we got a supply house ah capital H learn to read there you go I knew that didn't look right so there's quite a bit of features in here typically we're gonna be running this just as as is but do know that there's quite a bit of things in here that you can do if you wanted to get advanced so I want to run a scan against Tesla I'm gonna say Nick doe - H for host and then we're just gonna say HTTP unless it's HTTP then we run it 
against that I will just say Tesla calm and it'll start pulling information out at the end of the stream can I post a summary of what we did I do upload these videos the you have the option to watch it on Twitch or watch it on YouTube if you'd like so either of those would work out if you wanted to recap what we did I do try to timestamp on YouTube the best that I can I don't timestamp the AMA just cuz we go through so many questions but alright so we come in here and this is basically just going to run a scan against all of this so you see what it does for us it pulls out an IP address of - a 9.1 33 - at 79 s at 61 it's Tesla's comm port 443 it gives us the SSL info it gives us their certificate who the issue is what kind of ciphers are using so a lot of information there and then it's going to give us some more information so it says the anti clickjacking x frame options header isn't present if we're doing a web app that's like a low finding same with the cross-site scripting header that's a low finding there's no strict Transport Security these would all probably be on one finding just that their headers are not set X content types aim thing so it just checks all the headers and then now this is going to go through and it's gonna look for it's gonna do some some vulnerability scanning it's gonna see if it can pull any sort of information based on what's running on the web and then it's gonna say hey you should look into this this this and this to see if you can exploit it it'll do it'll do scanning and try to offer some suggestions on what might be exploitable if it sees an each type of you know outdated frameworks or tools being run then it'll it'll kind of look into this so we'll let that run as well and we're gonna dive into burp suite a.m. 
how's it going so I'm going to show you I'm going to show you a burp suite on here and then I'm going to show you burp suite via my pentesting laptop or VM I should say so this is burp suite Community Edition and I haven't even set it up so let's see if it works oh this is 1.7 nice this is this old there on the - edition now so you're gonna see that mine looks just a little bit different this is the most important tool that you can own if you can invest four hundred dollars and you want it if you want to do web apps and you want to do web that's right you need to invest the four hundred dollars to get the Pro Edition it has most of the tools in here and we're not gonna be covering ninety percent of what this does because we're not doing a web app lesson right but burp suite pro has an active scanner so if you come into the scanner here you can see that you need a burp suite professional to do it it is the one of the most important tools that you can own that's on the professional side that and if you're if you're starting a pen test company and you need to purchase two things and two things only it's necess and it's burp suite and that will set you back maybe twenty five hundred dollars to start your company maybe three grand so it is a yearly fee everybody wants their licensing okay so this is kind of what it looks like I'm gonna introduce you to the pro version so we can actually talk about scanning hey I paid $400 for burp this here it was 350 last year 2500 for NASA sounds about right I don't know if they have a student discount or not yeah I went up again cobalt strike is 7k we have cobalt I didn't I have no idea how much it is but you don't need cobalt strike to do pen testing it's nice the only here we go with this bad boy up this does wonders for you two if you're doing hack the box or anything else along those lines you can't use burp suite pro on the OS CP if you're doing that so you can use it in the labs you just can't use it when it comes to the test 
okay so this is the beta version this is version 2 it's a little bit different you can see the scanner tabs gone I'm not sure how I feel about the new version quite yet I'm still trying to trying to decide but I've been using it on the last couple assess inside done these past couple weeks and it's been fine okay so we're gonna pick a target we're gonna pick Tesla again and you can see this intercept is on now we open up and we just say okay well that's not what I wanted to have happen let's go to Tesla let's see what happens all right so we're on the Tesla website but we need to make our browser talk to burp suite now you can absolutely do this if you're trying to follow along or just you know kind of get used to burp suite this is important anyway I have a tool called foxy proxy here that I set up that just allows me to quick change into burp however we're gonna do it the old-fashioned way just so you can see it because you probably don't have foxy proxy installed if we scroll down all the way down the bottom in the settings we're gonna go to our network settings you're gonna say manual proxy configuration go ahead and use the home address of one two seven zero zero one on port 8080 and make sure it's set for all protocols okay I'm gonna go ahead and just use my foxy proxy to do that okay now I've got this intercept on intercept on comes by default you'll see what this does Firefox is my preferred browser for doing assessments yes okay so we're refreshing the page you can see it's hung up if you look here it intercepted the request that's getting sent you can see that it's a get request and I don't want to dive too much into this I'm just showing you some of the very very basics we have a lot of things that we can do with this request we can sit here and alter it we've got these cookies that are kind of given to us by the site we could try altering things that are here you can see the user agent you can just see a bunch of header information and things like that 
we can hit forward and see what happens it looks like it's reaching out to Google Google ta or Google tag manager if I could read for that you can just keep foreign with a site like Tesla there's gonna be a million things so you can just turn the intercept off so if you come into target you can see a bunch of stuff in here that is loading in anything that is coming through from this site it's reaching out so one of the most important things that we need to do is we need to right-click on on the site we want to test and just say add to scope we'll hit yes to that and we're gonna come in here and we're gonna click on this bar this is filter and we're gonna say filter only in scope items so now Tesla comm is our in scope item we don't have to look at anything else now what you can see that it's doing for us is it's actually going through and kind of spidering passively it's looking
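The RHOST versus RHOSTS distinction from the Metasploit portion of the stream (one host versus a comma-separated mix of addresses, ranges and CIDR blocks) and the comma-separated target field in the Nessus scan setup both come down to the same target-expansion step. Below is an added Python example that is not Metasploit's or Nessus's own code; it approximates their target parsing, and treating a CIDR block as every address in it (network and broadcast included) is an assumption about those tools rather than something the stream states.

```python
"""Expand scanner target specs the way the stream describes them: RHOST takes
exactly one host, while RHOSTS and the Nessus target field take a
comma-separated mix of single addresses, CIDR blocks, dash ranges and
hostnames.

Added example for this page, not Metasploit's or Nessus's own code. It
approximates their target parsing; including every address of a CIDR block
(network and broadcast too) is an assumption about those tools, not a fact.
"""
import ipaddress
import re
from typing import Iterator, List

# Loose hostname check (assumption: labels of letters, digits and hyphens).
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def _expand_range(spec: str) -> Iterator[str]:
    """'10.0.0.1-10.0.0.3' or the shorthand '10.0.0.1-3' (last octet only)."""
    start_s, end_s = (part.strip() for part in spec.split("-", 1))
    start = ipaddress.ip_address(start_s)
    if "." not in end_s and ":" not in end_s:
        # Shorthand: borrow the first three octets from the start address.
        end_s = start_s.rsplit(".", 1)[0] + "." + end_s
    end = ipaddress.ip_address(end_s)
    if end.version != start.version or end < start:
        raise ValueError(f"bad range: {spec!r}")
    current = start
    while current <= end:
        yield str(current)
        current += 1  # ip_address objects support integer arithmetic


def expand_target(spec: str) -> Iterator[str]:
    """Yield every host a single (comma-free) spec refers to."""
    spec = spec.strip()
    if not spec:
        return
    if "/" in spec:
        # CIDR block: every address in it, per the assumption above.
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    if "-" in spec:
        try:
            yield from _expand_range(spec)
            return
        except ValueError:
            pass  # not an IP range; it may be a hostname containing a hyphen
    try:
        yield str(ipaddress.ip_address(spec))
        return
    except ValueError:
        pass
    if _HOSTNAME_RE.match(spec):
        yield spec  # hostnames are passed through unresolved
        return
    raise ValueError(f"unrecognised target: {spec!r}")


def expand_targets(spec_list: str) -> List[str]:
    """RHOSTS / Nessus style: comma-separated specs, order kept, duplicates dropped."""
    seen, out = set(), []
    for spec in spec_list.split(","):
        for host in expand_target(spec):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out


def single_host(spec: str) -> str:
    """RHOST style: the spec must name exactly one host, or it is rejected."""
    hosts = expand_targets(spec)
    if len(hosts) != 1:
        raise ValueError(f"RHOST takes one host, got {len(hosts)} from {spec!r}")
    return hosts[0]


if __name__ == "__main__":
    print(expand_targets("192.168.1.0/29, 10.0.0.1-3, tesla.com"))
```

A /29 expands to eight addresses, which is why the stream's RHOSTS (plural) accepts it while RHOST would not; running `single_host("192.168.1.0/29")` raises rather than silently scanning the first address.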
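The Nikto findings read out in the stream (the anti-clickjacking X-Frame-Options header, the cross-site scripting header, Strict-Transport-Security and X-Content-Type-Options) are all plain response-header checks. Below is an added Python example that performs those checks on a raw HTTP response; it is not Nikto's own code, the two responses it audits are constructed for the demo, and the one-year HSTS max-age threshold is an assumption (a common hardening baseline, not something the stream or Nikto states).

```python
"""Audit the response headers Nikto flagged in the stream: X-Frame-Options,
the XSS header, Strict-Transport-Security and X-Content-Type-Options.

Added example, not Nikto's own code. The HTTP responses below are constructed
for the demo, and the one-year HSTS max-age threshold is an assumption.
"""
import re
from typing import Dict, List, Tuple

ONE_YEAR = 31_536_000  # seconds; assumed minimum acceptable HSTS max-age


def parse_http_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" not in line:
            continue  # skip malformed lines instead of aborting the audit
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        # Repeated fields are combined with a comma (RFC 7230 section 3.2.2).
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def audit_security_headers(headers: Dict[str, str], https: bool = True) -> List[str]:
    """Return one finding per missing or weak header, in a fixed order."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    # Legacy check: current browsers ignore X-XSS-Protection, but scanners
    # such as Nikto still report its absence as a low.
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing")

    if https:  # HSTS only means anything on a TLS response
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("Strict-Transport-Security missing")
        else:
            m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
            if m is None or int(m.group(1)) < ONE_YEAR:
                findings.append(f"Strict-Transport-Security max-age too short: {hsts!r}")

    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses a version: {server!r}")
    return findings


def audit_response(raw: str, https: bool = True) -> List[str]:
    """Parse a raw response and audit its headers in one step."""
    _status, headers = parse_http_response(raw)
    return audit_security_headers(headers, https=https)


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("-", finding)
```

As the stream notes, on a network assessment these would be rolled into a single low-severity "security headers not set" finding rather than reported one by one; the `https` flag matters because a missing HSTS header on a plain port-80 response is not a finding.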
Original Description
*Special thanks to klauslippo for timestamping
0:00 - Introduction and TCP vs UDP
7:55 - 3-Way Handshake & Wireshark
12:38 - Scanning with Nmap
38:15 - Downloading and Installing Nessus
44:48 - Scanning with Metasploit
51:15 - Scanning with Nessus
1:02:00 - Scanning with Nikto
1:05:00 - Scanning with BurpSuite
Q&A / AMA
1:19:50 - Can you fall asleep drinking a Monster so late?
1:20:56 - Proxy settings
1:21:39 - Reviewing viewer's port scan script
1:21:55 - Do you build or tweak your Kali box or just use it straight from the site?
1:22:23 - Reviewing viewer's port scan script (continued)
1:24:36 - Running viewer's port scan script
1:26:54 - Checking in on Burp scan
1:27:48 - Do you use KeepNote?
1:28:59 - How many sodas do you drink in a day?
1:29:57 - Tesla on bugbounty
1:31:11 - Checking in on nmap scans
1:33:43 - Will you be covering enumeration in the series?
1:34:14 - Where can I find the homeworks?
1:35:20 - "You need to put more stuff on your site"
1:37:38 - Checking in on nmap scans
1:37:55 - Checking in on Burp scan
1:38:43 - Why are the majority of the people that work in InfoSec so threatened by people who they perceive could be more skilled than they are?
1:39:29 - They want a battle? Then they shall have one!
1:42:27 - Do you ever fear for your safety, like you're going to discover the wrong thing and have retribution taken against you?
1:43:27 - Finished portscan
1:44:09 - Story of the house-picture
1:45:36 - Checking the TCP dump file
1:46:45 - Keyboard warriors
1:50:10 - Router/network discussion
1:52:45 - Hackerboxes
1:53:15 - What does your desk setup look like?
1:54:58 - Analyzing finished nmap scan
1:56:38 - Going full Sherlock mode on port 10999
2:07:34 - Advanced Sherlock mode on port 10999
2:13:14 - How much HTML do I need to know?
2:13:46 - How soon do you upload?
2:14:40 - Creating a commodity by teaching pentesting and the glamour of "hacking as a job"
2:16:20 - Reports
2:17:32 - The pentesting mentality and Heath's backup career in music