Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hi everybody, and welcome to episode number 13 of this series:
00:05
Port Scanning.
00:07
My name is Alejandro Guinea and I'll be your instructor for today's session.
00:11
The learning objectives of the session are to understand some port scanning techniques and to understand the most common port scanning tools and commands. So let's get started.
00:24
Uh, you know, we can start by ping sweeping, um, our network. And, you know, ping sweeping is the process of pinging a range of network IP addresses to find out which ones are the online or alive systems. You know, nmap is an excellent tool to do this
00:42
quickly and effectively. I believe you know the command. This will be simple. Let me just copy-paste that,
00:50
um, into the command line.
00:54
And as you can see, I'm just pinging my entire
01:00
network.
01:02
Um
01:03
and, you know, this might take a while. Ah, but then again, it might not. But, you know, the output is really messy. So we will be using a command piped into a couple of other commands, which is really just grepping the output and printing the second field.
01:22
And that's it. I mean, I'm just telling nmap to produce a grepable output.
01:27
And then, um, you know, cutting the output. I'm just printing the ones that say they're up, and I just want to print field number two. That's it. I mean, nothing fancy here. Execute it, and then it gives me a range of IPs, or a list of IPs, that are actually alive in the system.
01:47
And as you can see, I have a couple of virtual machines running
01:53
again. I'm really bad with the basics, you know; that .8 is the Kali Linux box. So these other three machines are actually alive in the system, and we can start playing with them a little bit, so we'll use all of those for exploitation at the end, just to give you an idea. So far, we have four machines.
02:13
We have a Windows XP machine.
02:15
We have a Debian machine.
02:16
We have, ah, this bee-box machine, which contains the buggy web application, a really vulnerable application. And we have a Windows 10 machine. The Windows 10 machine is turned off, but we have the other three machines responding, you know, right? So we'll use the Windows XP machine,
02:37
which is that .4,
02:38
Ah, this one right here.
02:40
Ah,
02:43
We'll start by just executing a simple nmap command
02:47
again.
02:50
Ah, it will just execute the command. As you can see, there are all the servers... I'm sorry, services responding. So, uh,
03:00
let's start Wireshark. I know, I know. I've been telling you that we're not supposed to use graphical user interface applications, but
03:13
I guess we can make an exception with Wireshark, because Wireshark, at the end, will be the tool we use for packet analysis. That's one of those tools. But then again, we'll see later, huh, of course, how we can use tcpdump and tshark. But look at me
03:31
getting ahead of myself. But, you know, just simply type
03:36
wireshark and start the application. So
03:38
there are two main filters in Wireshark: one is the capture filter, and the other one is the display filter. There are other filters, but those are the two main ones, I believe. Uh, we can start, you know, if you are not sure what you're looking for,
03:57
you can just, you know, set the interface you want to capture packets from.
04:01
And this will put your interface in promiscuous mode, which, you know, all that means is that if a packet comes along that was supposed to go to another IP, it will not ignore it. It will actually keep it, and it will analyze it. And that's it.
04:20
We can just
04:24
type here a filter for the port... I'm sorry, for the port. Okay, let's go with port 25,
04:34
25. And, you know, that's it. Start capturing. As you can see, if I, for example, go to a web page,
04:44
test,
04:45
it will not show the results in the packet capture, because I'm not capturing anything on port 80. I'm just capturing something to port
04:58
25. So let's run another nmap scan. Let me explain that to you: nmap -sS, capital S,
05:10
port... that's port 25. This will actually perform, ah, a SYN scan. Meaning that, you know, the SYN, the SYN-ACK, the ACK packet, you know, the three-way handshake, the TCP handshake,
05:30
will be performed.
05:31
This is not the stealthiest scan, because, at the end, most of the IPSes and firewalls and, you know, all the appliances overall, they log the successful connections. Often, they don't log the unsuccessful connections, meaning that maybe they send back the ACK acknowledgement packet,
05:51
but, you know, a SYN-ACK didn't come back, so
05:55
they didn't care about logging it. Some of them... I'm not gonna say all of them, but some of them don't care about that. So if you're actually completing the three-way handshake, your connection will be logged. So if you're trying to be stealthy, that might be the way to go, a SYN scan. But, you know,
06:14
let's just fire that bad boy.
06:15
And as you can see, it captured the SYN, the SYN-ACK and the ACK packets. So it captured the entire TCP trace. So, yeah, much easier to see here the TCP flags.
06:34
Ah, but what happens
06:36
if I actually, uh
06:40
a um
06:41
Sorry about that. Actually, let's try an ACK, uh, scan.
06:46
I'm just going to change here,
06:48
-sA
06:53
Oh, what's happening? Okay, that's, uh, it means that I'm not actually sending a SYN scan. I'm actually sending the ACK packets in the first try, so the firewall will think that there's actually a connection going on, because I'm actually replying. So the firewall, or the other clients, will think that
07:12
someone inside the network already sent
07:15
a SYN packet. So I'm just replying to that. Most next-generation firewalls or IPSes nowadays actually support session administration or session management. So if they actually have, ah, a registry
07:31
pointing out that there was a SYN packet or SYN connection created
07:35
from inside, they will just ignore this acknowledge packet. But then again, we can try, right?
07:44
So let me just generate that, and let's go back to, uh, Wireshark. As you can see, these three further packets were captured. Let me just see if I can put the time in a
07:58
really
07:59
readable way. OK, don't worry about that, uh,
08:03
the point here is that we generated these two other packets.
08:09
There's one, and this one. As you can see, the ACK acknowledge packet was actually sent, and as I don't have a firewall in the middle, I just got the reset packet. So, you know,
08:22
that's the point with the -sA option with nmap. And what happens if I put Xmas?
08:31
Well, this is a really interesting scan. This means that all the flags, or the TCP flags, will be on. I mean, the reset flag, the acknowledgment flag, the SYN flag, all the flags will be on.
08:48
This will confuse some appliances, so they will just, you know,
08:52
they don't want to deal with that packet, and they will just forward it to the victim,
08:58
and let me just see Wireshark here. And as you can see, all the flags are on: FIN, PUSH, URGENT, and all the flags, the reset flag saying reset, all are on. That's actually called Xmas
09:16
because it resembles, you know, a Christmas tree
09:20
where all the lights are on. So in this case, all the flags are on, you know, kind of an inside joke, I guess. Uh, now the other one.
09:31
Let me just see if I can
09:33
Okay, back to number seven. That's the last packet. So if I just go ahead and put the NULL scan, which is the opposite of the Xmas scan, nothing will actually be enabled. So as you can see, packet number eight has no flags enabled.
09:52
That's why it's called NULL.
09:54
NULL, uh, scan. And you can actually also, let me just go by here, packet nine, I'm just seeing if I can do this.
10:03
You can actually also scan for UDP ports, just -sU,
10:09
uh, you know,
10:11
And since it doesn't actually perform any handshake, it will be just, ah, a lonely, lonely packet.
10:18
Ah, here, as you can see... probably you already know this, but, you know, TCP is a connection-oriented protocol, meaning that you have to get a reply. You want to know that the packet actually arrived at the other side. And UDP doesn't care about that. I mean, UDP just sends the packet and hopes for the best.
10:35
Uh, but, you know, what's the point then? Well, some protocols are... or some bandwidth
10:41
is limited, and maybe you don't want to cause, um,
10:46
no, uh
10:48
and, you know, the throughput of your network might be low, so you don't want to cause traffic or, you know, swamp the network traffic. So maybe you want to go with a lightweight option. Here comes UDP.
11:03
You can also scan for versions.
11:07
Uh, remember, as you can see from all the scans right here, we don't have any actual versions. We just know that port 25 is closed or open.
11:18
Right?
11:20
And if we go,
11:22
-sV,
11:26
and you will see the mail service. Isn't it pretty?
11:31
Here you go.
11:31
So, and it will just show me a lot more information, as you can see. Ah, way more information was generated as we were trying to get the version. So
11:43
there you go. So, yeah, as you can imagine, running, ah, a simple acknowledgement scan doesn't have the same impact as running a version scan, because, you know, the version scan has to go through several different connections to actually get the version. Uh,
12:03
it's just, you know, giving you the different scenarios we have,
12:05
so you can decide which one is best for you.
12:09
But that's it. For example, let me just
12:13
give you a real quick one here. Ah,
12:16
we will run this.
12:18
Ah, tcptrack.
12:20
So you don't just see me using only Wireshark. And this as well... what this will do is that it will capture all the traffic on this interface, and it will wait for five seconds to actually reset that, on port 25. That's it.
12:39
Oh,
12:41
What am I doing wrong? tcptrack. I really typed that. Come on, give me a break. tcptrack.
12:48
Oh, I didn't have that installed. Okay, so... well, while I'm installing it, let me just give you a really, really good command here, which is apt-get install tcptrack.
13:01
Yes, I want to install. Okay. Well, while it installs, ah, let me just give you one other option here in nmap, which is -T. -T is for timing. Um,
13:18
you can go from number one to number five. I'm not really sure you can go from zero.
13:24
Let me just confirm,
13:28
And yeah, you can go with number zero. Ah, but, you know, just... one means that this scan will go really, really slow. Slow, I'm sorry,
13:39
and, for example, you can just
13:43
enter or type any information here, type any
13:48
keystroke, and it's supposed to tell you how far along it is,
13:54
the percentage, uh,
13:56
completed of the scan. As you can see, it's really slow. It's taking a long time. So, yeah, if you want to be stealthy,
14:05
um, and, you know, you don't want to cause any alarm in the system or server, maybe you want to actually apply that technique. But if you are actually more interested in not caring about... I mean, -T3, by the way, is the default option, -T3, if you don't specify it, by default. But if you don't actually care about
14:24
timing or impact on your network, or being too noisy, you can use -T5, which is the highest timing option you can use, and you can give it a second. See, it completed really fast.
14:39
Uh,
14:41
here
14:41
and let me see if I can get the... oh, no, the host is up, that has nothing to do with it, but let me just
14:48
use -T1.
14:50
And as you can see, the difference is really, really there. It will take a long time to complete, and, you know, I will kill that. Okay. Now that this is done, and the installation is over, I can actually
15:07
use this command, tcptrack, which, at the end, is just tracking the interface. It will wait for five seconds before resetting. Um,
15:15
let me just go with ten, so I can switch windows.
15:20
Ah, there you go. And what happens if I
15:24
say -T1?
15:28
Oops, sorry, sorry, sorry, sorry.
15:31
-T1. And I want to say -T1, that's super slow,
15:35
and the connection will register. And, you know,
15:37
some connections were tracked here. And as you can see, there was more than one connection. And what happens if I just type
15:48
-sX
15:50
and
15:52
it doesn't register? Is that... that is not actually... I'll just go to the, yes,
15:58
here
16:00
and again, a connection here. So you can use tcptrack to actually measure the bandwidth impact of your scanning. Of course, I'm not... I'm just
16:08
pinging one port, and that doesn't actually get to...
16:15
doesn't introduce too much noise in the network, but then again, you can, actually, if you're, you know, scanning on several, several hosts,
16:25
it may impact your network. Let's then scan, say,
16:30
more, and just see if this makes a difference.
16:37
There you go.
16:40
Yeah, it made a difference. But then again, ah, that's just an option, so you can use it to actually track your connections. And the other tool I like to use is hping3. It's a ping-like command line, or, ah, TCP-oriented packet assembler and analyzer.
16:59
The interface is inspired by the ping Unix command,
17:02
but hping isn't, you know, only able to send ICMP, I'm sorry, echo requests. It supports TCP, UDP, you know, all the options that we saw on nmap are supported on hping.
17:18
What I like about hping3 is that it's mainly used as a security tool,
17:23
uh, in the past... no, now it's used... I'm sorry. In the past, it was used as a network tool, but now it is more used as a security tool, because it has commands for, for example, firewall testing, advanced port scanning, manual path discovery,
17:41
traceroute, for example. Take the command that you can actually see. Actually, let me just
17:47
execute a traceroute as an example. You know, just like tracert or traceroute in Linux, it uses ICMP packets, you know, increasing the time to live so it can actually map something.
18:03
To,
18:06
for example, let me just go with cybrary.com.
18:11
It will tell me a lot of information
18:18
from hping, uh, in this scan. And you can, you know,
18:22
use several ports or several commands to, actually, uh, for example, let me just copy-paste this here
18:30
and explain that to you.
18:33
Ah,
18:37
What this will do is that it will send a SYN packet to a specified port, in this case port 80, and we also have to specify from which local port we'll start this scan. Maybe the remote host is expecting only requests from a specific port. So we are telling it here
18:56
that we will actually be
18:56
sending the scan from port 50. You know,
19:03
that's a really useful tool. You can actually perform... and you can also perform NULL, Xmas and ACK scans, just as in nmap. You can actually perform additional scans like smurf, which is kind of a DDoS attack, a denial of service attack. So, yeah, hping is kind of a more advanced way
19:22
to test this. You know, I always go with nmap. That's
19:26
I know, I like nmap better.
19:30
Well, uh, is this information gathering technique considered passive or active? Well, active, as you can imagine. What is performed by the command nmap -sX? Well, an Xmas scan, where all the flags are set.
19:45
What is performed by the command hping traceroute? Well, as the name suggests, it will execute a traceroute, or tracert, that's the Windows capability. And, you know, increasing the time to live of the packet so we can get a better understanding of the server.
20:02
In this video, we saw the most common port scan options to gather information,
20:07
and we executed some port scanning tools and commands to see the results. Ah, supplemental materials: any nmap or hping3 cheat sheets you can find.
20:18
And in the next video, we'll cover some enumeration techniques. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
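As an added example (not part of the instructor's transcript or the course materials), here is a small Python parser for nmap's grepable (-oG) output, the format the ping sweep above pipes into grep and awk: it extracts the field-2 list of "Up" hosts, and also the port states and -sV version strings from the Ports: lines, so the same script works for the SYN, ACK and version scans shown in the video. The sample output and its addresses and banners are constructed, not captured from a real scan.

```python
"""Parse nmap grepable (-oG) output: the "Status: Up" host list that the
transcript extracts with grep/awk, plus per-host port states and -sV
version strings. Constructed sample data, not a real capture."""
import re

# Constructed sample: a `nmap -sn -oG -` ping sweep followed by a
# `nmap -sV -p 25,80 -oG -` version scan (addresses and banners are made up).
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.102 ()\tStatus: Up
Host: 192.168.56.103 ()\tStatus: Down
Host: 192.168.56.101 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 80/closed/tcp//http///
Host: 192.168.56.102 ()\tPorts: 25/filtered/tcp//smtp///, 80/open/tcp//http//Apache httpd 2.2.8/
# Nmap done (constructed sample)
"""

# One port entry: port/state/proto/owner/service/rpcinfo/version/ (owner and
# rpcinfo are normally empty, which is why the slashes appear doubled).
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def hosts_up(grepable):
    """Same result as `grep Up | awk '{print $2}'`: field 2 of each Up line."""
    return [line.split()[1] for line in grepable.splitlines()
            if line.startswith("Host:") and line.rstrip().endswith("Status: Up")]


def port_table(grepable):
    """Map host -> list of (port, state, proto, service, version) tuples."""
    table = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for m in PORT_RE.finditer(line.split("Ports:", 1)[1]):
            port, state, proto, service, version = m.groups()
            table.setdefault(host, []).append((int(port), state, proto, service, version))
    return table


def open_ports(grepable):
    """Only the open ports per host: the question the port-25 scans above answer."""
    return {host: [p for p, state, *_ in ports if state == "open"]
            for host, ports in port_table(grepable).items()}


if __name__ == "__main__":
    print("alive:", hosts_up(SAMPLE_OG))
    for host, ports in port_table(SAMPLE_OG).items():
        for port, state, proto, service, version in ports:
            print(f"{host} {port}/{proto} {state} {service} {version}".rstrip())
```

Feed it real output with `nmap ... -oG - | python3 parse_og.py` style piping (reading stdin instead of SAMPLE_OG) to get the same "Up" list the awk one-liner produces, plus a version table.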

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor