Running Scripts on Targets to Find Vulnerabilities with Nmap: Advanced Ethical Hacking Tutorial.

Hello everybody and welcome back. In this tutorial, I will show you some of the advanced uses of Nmap, which basically means using the scripts that come preinstalled in Kali Linux.

If you find anything helpful or funny in this post, will you please leave a like, because you will feel great helping other people find it?

Now, scripts can be used for almost anything: to discover the SSH host key, for example, to discover some vulnerabilities, to brute force SSH, basically to do a bunch of things.

As we will see right here, there are a bunch of scripts already on our Kali Linux machine.

So first of all, in order to get to them, you just want to change your directory to /usr/share/nmap/.

If you go into that directory and type ls, you will see a subdirectory called scripts.

If you change your directory to scripts and type ls, you will see that it prints out a bunch of .nse files, which are the preinstalled Nmap scripts that you can use for basically any type of scan you want.

So, for example, let me just show you first of all how to use them.

So if you type nmap, you will see the --script option, which is right here, and then basically you type = and then the name of the script.

It is as simple as that.

So in order to use a script, you just specify that option, then =, then the name of any of the preinstalled scripts, and you run it against your target IP.

Now, we will try out one of the scripts, which will be the SSH brute force; this is also one of the first active attacks on the target.

A brute force will try out a bunch of passwords against the SSH service on our target.

Now, for the target you can use any of the virtual machines you want. You cannot use the scanme.nmap.org website, as it says not to try SSH brute forcing against the Nmap website.

So you want to either run your Metasploitable, which I showed how to install in the previous videos, or you can basically run any other machine that has port 22 open.

Now, in my case I will run OWASP, which I will show you how to install in one of the next tutorials.

For now, just run your Metasploitable, since Metasploitable also has the SSH port open.

So let me just wait while this opens right here.

It doesn’t take long.

It will prompt me for a username and password soon. It’s pretty similar to Metasploitable. This is just a virtual machine that runs a bunch of vulnerable programs.

So as you can see, ‘Starting AppArmor profiles, Starting Postgres SQL database’ and a bunch of other stuff.

This is the machine that we will use in the next section, which will be web pentesting. So let me just log in right here.

We just need to find out what the IP address of this machine is, which is 192.168.1.7.

So for now we only scan the host with Nmap. So we do a basic scan.

You can see that it finishes relatively fast and it gives us a bunch of open ports, which are only TCP ports.

As you can see, we have the 22/tcp SSH port open.

Now, while scanning Metasploitable you should also have this port open.

So as long as this port is open on the target machine, you can run the scan.

So the script we are looking for is an SSH script. In order to narrow our options, let us just type ls and pipe that into grep ssh.

So it will only show us the scripts that have ssh in their name.

Now, we can use any of these, but for now I will just use ssh-brute.nse.

We copy the name of the script and, in order to run it, you type nmap --script= and then paste the name of the script, and then the only thing you need is the IP address, which is 192.168.1.7, and just press ENTER. As you can see, it started brute forcing our target.

If it finds the username and password, you will be able to SSH into that machine and basically do anything to it.

This is a very serious attack. It can get you into trouble, especially if you find the password and actually log in to that machine and start changing stuff.

So only use this on machines that you own. Now, for this specific machine I don’t think it will find the password, but we will just leave it running just in case.

I don’t think the username and password are stored in the list it uses to brute force the SSH target.

So this can take some time. It depends on the list you use. So let me just close this right here, since I thought it would finish a little bit faster.

I will just press Ctrl + C in order to close it and stop the brute force.

Now, let’s say once again you want to find that, and you want to change the password list, for example.

As you can see, it has a specific password list that it uses to brute force the target.

So what you want to do is open the script you are using in nano, which in my case is ssh-brute.

What you want to change right here is the option where it gives us the password list.

It’s right here: pass.lst. I believe if you change that, it will change the password list you’re using.

You can also change the port, which is 22. Basically, SSH will most likely always run on port 22, but there are cases where people run it on other ports just to prevent attacks. So you might need to change that as well.

So here you can see that the port rule is 22 and ssh.

You basically just change the 22 to any port number you want that runs SSH, and you will be good to go.

So if there are any other options you want to change, you can change them in the file itself, for example the port and the password list if it requires that. Once you do that, you just press Ctrl + O to save, ENTER to save under that name, and Ctrl + X to exit, and you will be good to go.

Now, you can run the script again and it should use your new password list and port number.

Now, let’s say, for example, you want to find out the SSH host key for that particular machine, which isn’t really useful, but let’s just try it. Why not?

So nmap --script=ssh-hostkey and then the IP address of our target machine.

Now, as we can see, it gave us the SSH host keys, which are basically just the DSA and RSA keys. It really isn’t that useful, but sometimes it possibly could be.

So you can experiment with all of the preinstalled scripts. In the next tutorial I will show you how to download some scripts online from a GitHub repository that we will use in order to scan for specific vulnerabilities.

So let us just recap. In order to get to the scripts folder, you just go to the /usr/share/nmap/scripts directory, and the syntax is basically nmap --script= then the name of the script itself, and you just specify the IP address.
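Narrowing the script list with ls and grep works, but Nmap also ships an index file, script.db, in the same directory that records each script's categories. The Python helper below is an added example, not from the tutorial: it parses that index (falling back to a constructed sample in the same format when the file is absent) so you can see before running anything that ssh-brute is tagged brute and intrusive while ssh-hostkey is safe. The path and category names are Nmap's own; the sample entries are constructed.

```python
"""Find Nmap NSE scripts by name or category using Nmap's script.db index.

Added example, not part of the tutorial. Nmap keeps an index at
/usr/share/nmap/scripts/script.db with one Lua table entry per script:
    Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Checking the categories first tells you whether a script only reads from the
target (safe/discovery) or actively attacks it (brute/intrusive/dos/exploit).
"""
import re
from pathlib import Path

SCRIPT_DB = Path("/usr/share/nmap/scripts/script.db")

# Constructed sample in the real script.db format, used when the file is absent.
SAMPLE_DB = """\
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "safe", "default", "discovery", } }
Entry { filename = "ssh2-enum-algos.nse", categories = { "safe", "discovery", } }
Entry { filename = "http-vuln-cve2015-1635.nse", categories = { "vuln", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)

def parse_script_db(text):
    """Return {script_name: set_of_categories} from script.db content."""
    db = {}
    for fname, cats in ENTRY_RE.findall(text):
        name = fname[:-4] if fname.endswith(".nse") else fname
        db[name] = set(re.findall(r'"([^"]+)"', cats))
    return db

def find_scripts(db, name_contains=None, category=None):
    """Scripts whose name contains a substring and/or carry a category, sorted."""
    return sorted(
        name for name, cats in db.items()
        if (name_contains is None or name_contains in name)
        and (category is None or category in cats)
    )

def is_intrusive(db, name):
    """True if Nmap labels the script as one that actively attacks the target."""
    return bool(db.get(name, set()) & {"brute", "intrusive", "dos", "exploit"})

def load_db():
    """Parse the real index if installed, otherwise the constructed sample."""
    text = SCRIPT_DB.read_text() if SCRIPT_DB.exists() else SAMPLE_DB
    return parse_script_db(text)

if __name__ == "__main__":
    db = load_db()
    for name in find_scripts(db, name_contains="ssh"):
        flag = "INTRUSIVE" if is_intrusive(db, name) else "safe"
        print(f"{name:28s} {flag:10s} {', '.join(sorted(db[name]))}")
```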

So that’s about it for this tutorial; it was rather short, and in the next one, as I said, we will download some of our own scripts.

Part Two: Downloading Our Own Scripts and Running them Against Targets.

Now, in this tutorial we will download some of our own scripts and run them against our target in order to discover some of the vulnerabilities it might have.

Now, once you finish this tutorial you will know more than 80% of the people that use Nmap. It is really essential for you to get this tool right so you can perform your scans at their best.

So first of all, let us change the directory to the Nmap scripts directory, which is /usr/share/nmap/scripts.

If you type ls, we have a bunch of scripts here, and most of these right here, which are named cve2015 and then some number, are for specific vulnerabilities that were discovered in the year in that name.

But we want to discover all of the vulnerabilities that could occur on a certain target.

So for that we want to download some of our own scripts. So just open up Firefox, open up a new tab and just type vulscan github.

Once the page loads, we want to click on the first link, which will lead us to the GitHub repository for this script.

So just click on the first link, and here we are on the GitHub repository of this Nmap vulnerability scanner.

As you can see right here, we have the usage which we will cover after we download this script.

Now, in order to download this, as I already showed you in the previous videos, you just copy the link right here and we will use the Git program that we already installed.

Let me just change my directory. It is in root. So that’s about it.

We want to type git clone, then paste the link that we copied, and then add .git.

Now, it will take some time to download this, and once it finishes we will have our script installed on our Kali Linux machine.

Here it is. If we type ls, we can see that vulscan is right here as a directory.

In order to go to it, we just type cd vulscan, and we can see a bunch of the files that we got with it.

But this isn’t the only program I want to install. Right now we want to install another script. So open up your Firefox once again, add a second tab and just type nmap-vulners, and then once again type github.

So it will once again lead you to this page, and you just want to click on the first link, which is from the GitHub website.

The procedure is the same. So just copy the link of the page, go to the same directory where vulscan is, and just type git clone, paste your link right here and add .git to it.

It will also download the script into our directory, and we will be good to go.

So as we can see, this one has finished faster than the previous one.

So right now we should have both of these scripts in our directory. As we can see right here, we have vulscan and we also have nmap-vulners.

Now, let us make a directory called nmapscripts in order to put them both into it, so we don’t have them lying around like this.

So let me just move vulscan into nmapscripts and move nmap-vulners into nmapscripts. Right here we should only have the nmapscripts directory, and if we change our directory to it, we’ll have both our scripts right here.

So now that we have downloaded them, we can run them. In order to run them, we use the same command that we used in the previous tutorial.

So nmap --script, and right here, instead of typing the = sign, which we would use to specify one script, we want to remove the = sign, just put a space and type vulscan and nmap-vulners.

As we can see right here, we specified two scripts instead of one, and it will use both of them in order to discover the vulnerabilities.

So after this we want to add -sV in order to discover the versions of the services running on the open ports. And right here we also want to add the IP address of the target.

So here we type 192.168.1.7 and we let this run.

This could take some time, but not too long. It should finish relatively fast, and it will print out a bunch of the vulnerabilities that it found on this target.

Now, I know that this target is vulnerable, since it was made vulnerable in order for us to test it, and we can see that we got a different output from the previous scans.

So here we have the open ports and these vulnerabilities. As it says right here, if you see ‘No findings’, it means it didn’t find any vulnerabilities on this specific port. It basically uses a bunch of these websites in order to scan for the vulnerabilities.

And if you scroll up, we can see that on the open TCP port which is running Apache, it found a bunch of vulnerabilities right here.

Now, you can test these scripts on your own machine in order to find out if your PC has some of the vulnerabilities, but basically even mine has some vulnerabilities that go up to 5, sometimes 7.5.

But mostly these aren’t so dangerous, the ones with low numbers. This number is basically a score for the vulnerability. So if it is 1.2 it is a really small vulnerability, but it is still there, and if it is 10.0 it is basically an easily exploited vulnerability.

So if you find something like this, you need to update your device as soon as possible, or in this case Apache 2, since it was found on port 80.

Let us just see if there is anything else. We can see that on the SSH port it also found some vulnerabilities, which aren’t so highly rated, but they are still there.

Also, once you find something like this, you can basically just copy this link right here, which will lead you to a page in Firefox if you paste it.

You just open a new tab and paste the link from the vulnerability, and it will open up the page where it describes in greater detail the vulnerability that it discovered.

So here we can see the score, which is 10, the access complexity is low, the confidentiality impact is complete, the integrity impact is complete, and the availability impact is complete.

In the description you can check out what the vulnerability is, which in this case is modules/arch/win32: “When running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI.dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet and ‘orphaned callback pointers’.”

Now, this is basically a vulnerability, and if you wanted to, for example, exploit it, you would basically just copy the name of the vulnerability, which in our case is this one.

So just copy it, go to Google, paste that vulnerability name and type exploit, and hope that you will find something or someone that has already written an exploit for this vulnerability.

So we can just try to find it. We can click on any link, for example, and try to find out if anyone has written an exploit for this.

There probably is something, but we won’t really spend so much time trying to find it. I will just check out some of the links right here.

So we can just check here ‘Available Exploits’, and we have the module name for the Metasploit program, which we haven’t covered yet, so we won’t be showing it right now.

But it is basically an auxiliary module which allows us to scan for the vulnerability that we just discovered in the Metasploit framework.

Now, we can also try to find the vulnerability by its name itself, like this: Apache mod_isapi exploit. And you can try to find something.

Here we found something which is basically a C++ program that probably exploits this vulnerability. So here it is. You could just copy this entire program, paste it into a C++ file, compile that file and run it, and you would exploit the vulnerability.

Of course, you will need to change certain things right here, for example ports, IP addresses and so on. But if you wanted to, you could do that.

Not really sure what it would give you, but I believe it will give you a reverse shell. Not really sure what this vulnerability is, so we won’t be exploiting it right now, since it requires an auxiliary module from the Metasploit framework.

For now we will just leave it here, where we have all of these scans completed, and you can also try to research all these other vulnerabilities and see if there are any exploits written for them that you can use.

But we will cover exploitation in some of the future lectures. For now we just wanted to see how we can scan the target for certain vulnerabilities, and we did that.

So that’s about it for this.

Now, before I close this lecture and close the Nmap lectures, I just want to show you that there is another tool you can use if you want to.

It is basically almost the same as Nmap, and it is called almost the same, which is Amap.

Now, Amap is basically also a scanner. The difference in the name is just one letter. It has somewhat different syntax for the scanning part, but if you want to you can check it out. I won’t be covering it, since we covered Nmap, which is a bigger and more useful tool.

You can check out some of these options by yourself, and you can use this as well if you want to.

But that will be it for these Nmap tutorials. If you learn all of the stuff that we covered in the previous videos, you will have intermediate to advanced knowledge of Nmap.

Now, maybe in the advanced section we will learn how to write some of our own Nmap scripts, which will boost your knowledge of Nmap even more.

So in the next video, I will show you how to install the OWASP virtual machine that we’ll use for web penetration testing.

It doesn’t take that long. It basically takes a few minutes. It might take longer to download, since it is around, I believe, 1.5 gigabytes or something like that.

But once you download it, it will take only a few minutes to install. And then we will start web penetration testing, which will be a longer section since there is a lot to cover. I hope I see you in the next lecture.

Take care.

Bye.

Final Words From Jerry Banfield.

Thank you very much for finishing this entire video. We are honoured you’ve spent this time here.

We’ve got a complete course that I imagine you will love and enjoy, named Master Ethical Hacking in 2019.

You can get this course on uthena.com.

You can also get it as a part of the Ethical Hacking Forever course bundle, which has nearly 100 hours of video already. It’s got six different Ethical Hacking courses in it that we imagine you will love and enjoy, from several different instructors showing you the very best of Ethical Hacking.

You can get this Forever bundle, meaning when you buy it today, you get all the rest of the courses added for life.

I intend to add at least 20 courses to this bundle over its lifetime, new courses every year.

This course in particular is Master Ethical Hacking in 2019. You just watched a video from it for free, which we’ve given you both to sell you the course and to give you a part of the course that we hope is helpful for whatever you are doing.

When you buy the course, you also get answers to questions from ethical hackers who can help you with anything from the basics to the advanced challenges you run into.

I find, as a student, that answers to questions from an instructor are the very most valuable part of a course. You get two different places, a Facebook group and a Discord server, to get answers to your questions.

Thank you very much for being here with us. We trust that if you look around in the description of this video, you might even find resources that are more helpful to you than just buying the course by itself.

There may even be some specials and deals in the description that you might really appreciate.

Thank you very much for watching this video. I’m Jerry Banfield, the founder of Uthena.

Our purpose is to give you the very best professional education possible on the most in-demand subjects, both on Uthena and on YouTube.

We love you.

You’re awesome.

Thanks for watching this, and I imagine I’ll see you again soon, especially if you subscribe, since then you will be able to see more of these videos easily.

When you want to watch more videos with us, will you please hit that subscribe button on YouTube, go like the page on Facebook and put ‘See first’ in your newsfeed.

Go really crazy, because if you’ve got this far into this video, I imagine you’ll love all the other videos we share for you every day here on my YouTube channel and on my Facebook page.

Love,

Jerry Banfield.