Custom Scan Profiles Part 2 - NM


Course
Time
7 hours 1 minute
Difficulty
Beginner
CEU/CPE
7
Video Transcription
00:00
So I'm gonna open up my email here.
00:05
This gets a little bit personal
00:08
and a lot of times in your junk mail, you'll see some strange stuff. So
00:14
I don't know who this review safety is. It's probably something that I looked up or bought at some point, but
00:21
your email client's gonna be different than this. Obviously,
00:24
I'll leave it up to you to decide, or determine, how to get to your email headers. But in Microsoft Outlook,
00:32
you open up the email, click on file
00:35
properties
00:36
and here's your email headers right here.
00:40
One of the things I like to do
00:42
when doing email header analysis is come through
00:46
and look for
00:48
IP addresses
00:49
so we can see that
00:51
the sender's IP address is this address right here.
00:55
So copy it.
00:57
We'll close out of my email
01:02
and we'll add that as the target.
01:04
All right, so let's find out information about this IP address.
01:15
Okay, so here's the scan results. You can see all the detail here,
01:19
the IP address resolved to this name,
01:23
and
01:23
here you can see who the IP address is registered to
01:29
and their
01:30
organization and email address.
01:33
And so that's a pretty cool scan.
01:34
All right, so let's create another custom scan. This one is we're gonna call it.
01:42
We'll call this one WHOIS Domain.
01:52
I'm gonna clear out all these options.
01:57
And this one also is an NSE script.
02:00
We'll go to scripting.
02:04
Start typing whois,
02:06
choose whois-domain.
02:08
I'll uncheck whois-ip
02:15
and I'll leave all the other default options as they are.
02:21
We'll
02:22
save changes.
02:23
And in the drop-down list, there's the WHOIS Domain.
02:28
Clear out our last target.
02:30
And again, I'm gonna open up my email.
02:32
We'll go into our junk mail folder again and do a little email header analysis.
02:38
Junk.
02:40
Do this. Ah, Trophy Depot.
02:50
All right, so this time we're gonna do WHOIS on the domain itself instead of the IP address.
03:00
We could just choose trophydepot.com
03:08
Close out of that again.
03:13
Make that our target.
03:15
And let's find out more information about trophydepot.com.
03:25
What the scan will do is return the information from the registrar's WHOIS database
03:39
again. The most important part about this is
03:44
not so much
03:45
what the scan does but the fact that
03:47
you can name your custom profiles and you can set all those options, so don't get too hung up in the other details.
03:57
So
03:58
here you can see that the registrar is Network Solutions.
04:02
Here's the abuse,
04:05
email and phone number,
04:08
and you could see that their DNS is hosted by Cloudflare.
04:12
So they have some DDoS protection.
04:15
Okay,
04:15
let's do one more custom profile.
04:19
New profile.
04:25
Clear out all these options.
04:29
Call this one
04:34
Quick Detailed
04:36
OS Detection.
04:42
Okay, so the scan is pretty useful. I know the IP address of my server on this network, so I'm cheating a little bit because I already have that IP address. But,
04:53
um, again, when we're building out profiles, we leave the target blank, so this will work on any target.
05:00
So I'm first going to go to
05:04
scan
05:09
we're gonna do an OS detection,
05:15
and here I'm gonna choose the timing template
05:17
of aggressive
05:20
that makes it work a lot faster, but it is more intrusive. So if you're doing this to an outside or unknown IP address or target,
05:30
it could be flagged by an IDS
05:32
or firewall.
05:39
One other really useful OS detection
05:45
option is an NSE script,
05:47
so we'll go to scripting, and we'll do
05:51
smb-os-discovery. smb-os-discovery works really, really well, especially against Windows hosts.
06:03
So I'll save that.
06:10
Go to Quick Detailed OS Detection. You can see it's built out right here.
06:15
Change the target to a server on my network. And that is at 192.168.1.10.
06:25
That's, ah, a 2012 server.
06:30
Hit scan.
06:34
The scan, for all it does, actually works pretty quick. The timing template of T4 helps with that
06:44
so you can see
06:46
a lot of details. It actually is, ah,
06:48
Windows Server 2012 R2 Essentials.
06:53
And that's thanks to the smb-os-discovery NSE script
06:57
up here.
07:00
You see all the ports that were open on that server
07:03
and
07:04
you'll get the MAC address.
07:06
I know that it's a Dell. That's accurate.
07:11
It says the warning right here: OS scan results may be unreliable because we could not find at least one open and one closed port,
07:18
and that's what I was talking about, how the -O sometimes yields
07:27
less than perfect results. It did figure out that it's probably Server 2012 or 2012 R2.
07:35
But like I said, the smb-os-discovery got it exactly right.
07:44
All right, that's the end of this lab. Thanks a lot for going through with me
07:49
in this lesson. We talked about what a custom scan profile is in Zenmap.
07:54
Next, we discussed why they're important.
07:57
And finally we went through a lab on creating them.
08:00
That completes our lessons on Nmap basics. From now on, we'll dive a bit deeper and we'll cover many more useful scans.
08:07
Thanks so much for working through this lesson with me, and I'll see you in the next one.