Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:01
Hello, everybody. Welcome to episode number seven of the course.
00:07
My name is Alejandro Guinea and I'll be your instructor for today's session.
00:11
The learning objectives are to understand some basic nmap commands and options, and to combine those options to execute useful port scanning techniques.
00:21
Well, let's get started.
00:25
Let me clear the screen here.
00:30
Well, as you can imagine, nmap has a basic command that you can just execute and see some results. Let's get started with a simple command, kind of a ping
00:45
command, to see which hosts are alive in the network. So I will just type
00:52
nmap -sP
00:58
and the IP range. As you can see through the course, I'm really bad at memorizing IPs, so
01:06
I will have to stop this and run nmap again. Sorry.
01:15
And the IP. Well, I will enter the local IP I use, but you can actually use any other IP or range of IPs.
01:30
So I'll scan the whole 255 addresses and see which ones are responding to this technique.
01:44
So the output is a little messy. Remember that we saw in previous videos how you can actually pipe this to another command and get more useful results, so you can play with that command. So let's see.
02:02
First, we will tell nmap to throw this to a grepable output, which is achieved by the -oG option, and then we will pipe that. Normally, after the -oG option, we would tell nmap which file we want to write this to, but in this case we want to apply that technique
02:28
over the same terminal, the same command line, so we'll tell it to just pipe it to another command, awk, and
02:43
I'll just tell it to search for the word Up and to print, actually print, the second field, and that's it.
03:02
And we wait for the results again. The two hosts you see are this one and the other one replying, which is actually my Windows server. We'll have more machines as the course goes on, but in this case we just have that. So again, nmap. And yeah, as you can imagine, we can also use other commands in combination with nmap, so this is really useful.
03:28
Other options that are really useful: for example, -6. You just type the IPv6 address after that, so you can do the same commands over an IPv6 IP.
03:46
If you want to trace all the packets going from your machine to the remote machine, you can use --packet-trace and just type the IP, in this case my Windows server. And as you can see, it shows you all the packets.
04:11
Okay. You can also actually use nmap with other options. You can see the ports are up in here, but you don't actually see any version of them; I mean, what FTP server is being executed, which SSH service is actually being executed.
04:31
Well, you can achieve that by using the option -sV.
04:38
It will print all the versions. Since we already know what ports are up, we also use the -p option and just put the comma-separated ports: 21, 22 and 80. And we just hit run
04:56
and wait for the results. This will take a little bit longer because it's probing for every version; nmap has a version database, kind of a signature database, it will compare against that and will throw you the best result. In this case, Microsoft ftpd, which is the correct one for Windows.
05:15
Correct Again.
05:16
And Microsoft IIS httpd version 10. Correct again. And it will tell you already which OS is being used, which is pretty obvious from these results, but for other ports scanning might not be that obvious. And this can also lead to several false positives; sometimes this is just a best guess, and since it's signature based it might not show you accurate results. But this is pretty close to accurate, so yeah.
05:51
But maybe you don't have time. There are two types of penetration testing, or three types, but let's say that you're actually performing a penetration test that everyone is aware of,
06:04
so you don't want to be stealthy; you just want to get things done or to see the controls. So you can use several options to speed this up, I mean to speed the port scanning up:
06:19
just the -T flag. It will tell nmap to take longer or to go easy over the target server, for example. I will leave the --packet-trace option on so you can see how slow it can be.
06:36
So by default, nmap throws the port scanning with the -T3 option, which is here. This is kind of the normal speed. You see the speed going on here, and it will take a while.
06:53
But what happens if we put -T1? It will take longer than the -T3, because at the end we're telling nmap to take things slow. Maybe we want to be stealthy, as stealthy as possible. Or maybe we just don't want the server to find out or to be suspicious of our techniques
07:15
being used. And on the other side, we can tell nmap to go as fast as possible. Maybe the T1 option is used if you're involved in a red team, for example, and you have the blue team over your shoulder watching all the time. So you tell: okay guys, let's be as stealthy as possible,
07:36
because at the end we don't want the blue team, or the defenders, or the server, or the system administrator to notice, or the firewall itself or the IPS to report that we're actually trying to scan the server. But if you're not concerned with that, you can use the -T5 option.
07:57
And you can see that it will be considerably faster than the -T3 or -T1 options. But yeah, just so you know.
08:05
Then we have several options that I'll explain, for example -A. This option makes nmap try to identify the target operating system, services and versions. It will perform a traceroute and applies some NSE scripts, which are nmap scripts; we'll cover that later in the course. It takes additional information. Again, this is not actually a port scanning technique, but it's kind of nice.
08:43
Yeah, the -A is way nicer than the default options. You can combine this or just leave it alone, but if you combine this with -O, this just gives a little bit more complexity, or more capabilities, to the nmap command. This is based on many different factors: when you add -O, for example, depending on whether it's the Windows operating system or a Unix operating system,
09:18
the time to live (TTL) of the packets changes. For example, Windows most of the time is 128, and Unix is 64.
09:28
So these two in combination will be a really noisy nmap scan, but it will definitely tell you, not definitely, but it will be as close as possible to telling you what operating system is being used.
09:45
Again, it will take a while because it's executing several tasks behind the scenes, so we'll have to wait for that. You can actually press Enter to see if nmap is actually running or how much time it will take
10:03
to finish. And as you can see, it ran; it executed several things over the server, and its best guess is actually accurate:
10:18
Windows 10, 64-bit architecture. So yeah, we're good with that. Again, really noisy, so keep that in mind. You can use more stealthy techniques if you want to go unnoticed.
10:33
Another not really useful but simple command is -sS, which will perform a simple, normal connect scan, meaning that a full three-way handshake will be performed. This is especially not useful
10:52
when you're trying to be stealthy, because at the end most of the network devices, for example firewalls, IPS, even the routers or switches, will save the connection if the connection is actually finished or performed. In this case, -sS will perform a full three-way handshake
11:15
to see if the port is open. So yeah, this connection would be completed and it will be logged in the server, the final server. So if you're trying to be as stealthy as possible, this might not be the option you want to use.
11:31
-sU is for UDP scan. Nothing new here; it will go through the UDP ports and see which ones are responding. Needless to say, it has a lot of false positives, because at the end UDP is not a connection-oriented protocol.
11:50
It doesn't reply or send any trace back to the originator saying whether the packet actually arrived or not. So, more advanced, not that advanced but different techniques: for example -sN, which will perform a null scan. This option
12:16
sends TCP packets with none of the TCP flags enabled.
12:22
This is especially useful when we have a firewall that tracks sessions; I mean, maybe the firewall is trying to determine if you're trying to reply to a session or initiate a session. Some firewalls get confused, and by default they resend the packet; they don't throw it away or block the connection.
12:43
So yeah, this option is to send a TCP packet with none of the flags turned on.
12:52
And you can also execute the Christmas, or Xmas, TCP scan. This is called Xmas because all the options are on, all the TCP flags, I mean, so it kind of resembles a Christmas tree with all the lights turned on; kind of a joke, I guess.
13:15
So yeah, the packet will have all the TCP flags on, kind of the opposite of the null scan. And finally, we already saw this: the -sV option, to actually
13:30
get the versions of the ports or services. As you can see, without -sV we don't have any versions, but when we apply -sV, I'm just running it again,
13:43
it will return the versions of each service running on a port.
13:50
Remember, we're always scanning the well-known ports or the most used ports. But you can tell nmap otherwise. I have seen several times where I didn't want to bother scanning all the ports on the system,
14:05
the 65,000 ports, but I think that was a really big mistake. At the end, the system administrator had changed, for example, the SSH port and it was no longer on number 22; it was on, I don't know, make up a number, and that's where the port was located.
14:22
So you can do that by the -p- option. It will scan all the ports. This, of course, will take a long time; I will cut that. That's the idea of that flag.
14:39
And you can apply firewall-bypassing scans; for example, you can use the -f flag. It seems we already have the ports, we know the ports that are open, but just go with that.
14:58
And the -f command: it returned really fast because I don't have the firewall enabled. The point with the -f command is that the scan deploys really small fragmented IP packets; specifically, the command uses
15:20
packets that are really small, so the firewall cannot actually see the entire packet at once and maybe try to detect it with a signature or something like that. The size of the packets is 16 bytes, so
15:35
the number is really small. And you can also change that, of course, with other options, or tell nmap: I don't want it to be 16, I want it to be 64.
15:46
Whatever the number is, you can apply it to the packets. The point is that this is a technique you could use to bypass firewalls, as the firewalls will not actually see the entire packet, or the IPS will not see the entire packet, and it will send it to the machine so the machine can actually put all the fragments together, and we may have a reply.
16:11
You can also use --badsum. This option sends an invalid TCP, UDP, or IP checksum for the packets which are being sent over the network. Practically every host IP stack will correctly drop the packets.
16:37
Any response received probably originated from a firewall or intrusion detection system that wasn't concerned with confirming the checksum. So this is another tool you can use to bypass firewalls or intrusion prevention systems, or IPS. Nothing new here; you can just send it over and we'll wait for the reply.
17:02
But that's the point: you can have several techniques, and we even have the nmap scripting engine, which is a really powerful tool, and it's free, which is amazing, I guess. We have seen several vulnerability scanners claiming to have vulnerability scanning capability, and behind the scenes they're just executing nmap scripts. But we'll see that later in the course, no worries.
17:38
What can be performed by the nmap -6 command? Well, you can apply all the techniques we saw, but to an IPv6 IP.
17:48
What is the result of executing nmap -T5 with an IP? Well, it will execute port scanning as fast as possible. This is especially useful when you know that the system owner or the system administrator already knows that you're trying to hack the system, and you're not concerned with being as stealthy as possible.
18:14
Can you actually use an nmap option to bypass firewalls? Yeah, you can actually use -f, for example. Needless to say, this will throw some false positives; maybe it will tell you a port is open when it's not, or the other way around, it will tell you the port is closed when it's actually open.
18:33
But you can use that technique as well. In this video we saw several nmap commands to perform port scanning. We executed some nmap techniques, and now you understand how they can help us in penetration testing processes.
18:49
Supplementary materials: any nmap cheat sheet you can actually find on Google. Just Google "nmap cheat sheet" and use whatever works for you. There are tons of them that you can take a look at and see what other options you can implement in your penetration testing process.
19:11
Looking forward to the next video, where we'll see the basics of netcat.
19:17
Well, that's it for today, folks. I hope you enjoyed the video and hope to see you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor