Service and Application Version Detection Part 2 - NM

Course
Time
7 hours 1 minute
Difficulty
Beginner
CEU/CPE
7
Video Transcription
00:01
And we'll do
00:03
a more targeted and sophisticated application and service version detection scan. We'll do nmap -sS, a SYN scan, -sU for a UDP scan,
00:15
-s
00:17
-p
00:21
and we'll do ports. We'll do TCP ports:
00:28
80
00:29
88
00:30
135
00:32
139
00:35
389
00:37
and 443. Then UDP ports 123 and 137.
00:46
And we'll make it a version detection scan
00:50
of 192.168.1.10.
00:54
And
00:56
we'll compare the differences in the amount of time it takes to run the scan versus the previous simple scan.
01:07
Okay, so there's the results. So we scanned more stuff, or more critical stuff, in 18.71 seconds compared to the 142 seconds it took to do the simple -sV scan of the same machine. And we've got a lot more information under version. You can see
01:26
01:27
definitely that it's a Microsoft server.
01:30
and it's running Active Directory LDAP;
01:34
you can see the name of the domain.
01:38
And also you can see the UDP service is running NTP version 3 and Windows NetBIOS, and then it provides the workgroup too.
01:48
So that's great information if you're doing
01:51
an inventory or preparing for a penetration test.
01:57
All right, so
02:00
that was one type of service and version detection scan. Now I wanted to cover a couple of the additional command-line options that we can add to that, so we'll do the same scan,
02:15
but what we'll do this time is
02:20
adjust the version intensity,
02:28
and then we'll compare the time that it takes and
02:31
talk a little bit about the information that it provides.
02:35
As I mentioned before in the lesson,
02:38
the default version intensity for a version detection scan is a seven, and that's on the scale from one to nine.
02:49
So theoretically, this should be faster,
02:52
but in some cases it might
02:53
provide a little bit less information. So that took 17.8 seconds and
02:59
provides pretty much all the same information. In fact, I've checked it before, and it is exactly the same information in this server's case.
03:07
So it was about a second faster
03:09
by adjusting the version intensity down to a five from a seven.
03:15
All right, and then I'm gonna cover one other command.
03:19
And that is
03:22
just shorthand
03:24
for switching the version detection down even further.
03:30
That's --version-light.
03:30
And then we'll compare the time that this scan takes and the results.
03:49
Okay, so that one took 14.8 seconds, and it actually shows the exact same information. So these are common
03:57
ports and services, so nmap has a lot easier time matching them up against its database.
04:03
And you can also see here the CPE
04:08
from the CPE database, and the operating system is Microsoft Windows. It gives you the host name
04:15
and
04:16
MAC address and everything else, just like other scans have.
04:20
All right, so now we've gone through a couple of those commands and I've shown you how targeted scans are much better than a standard service and version detection scan.
04:32
I want to compare some simple banner grabbing techniques to nmap's application and service version detection.
04:39
So one
04:42
common and very basic but very available type of banner grabbing that people do
04:49
is the telnet command. So you can obviously telnet to ports other than just the telnet port,
04:57
04:58
and then look at the results. So we'll telnet
05:00
to
05:02
a server that sits in my DMZ on my network. And that is just one that I already know. I'm not going to run you through
05:11
a ping sweep or anything like that.
05:16
I know this one is running a mail server.
05:21
All right, so
05:24
there you go. That's basically the results.
05:29
quit
05:30
With some mail servers, you're gonna have a lot more information. If you telnet to port 25 or 587 or whatever port SMTP is running on,
05:42
you'll have a lot more information than that. In this case, my mail server doesn't provide information in the banner.
05:48
So when you connect to it, there's not gonna be a lot of information. And so that type of banner grabbing technique doesn't really do you any good.
05:59
You could do a telnet against
06:03
Gmail's SMTP server,
06:12
and Gmail actually provides a little bit more information. You know that it's Gmail's SMTP server. And so if you know how to attack that or whatever, at least that's a little bit more information than my mail server. But
06:27
neither one of them really provides you with a lot of details about that mail server.
06:30
And so
06:32
what I wanted to do was just compare,
06:34
you know, old-school banner grabbing to
06:40
what nmap can do. So
06:43
we'll do an nmap
06:46
SYN scan,
06:50
make it fast,
06:53
and a UDP scan of that same server that sits in my DMZ.
07:08
Okay, and so now you're seeing a lot more services there. Well, I didn't really do a scan before, so you see all the services available. There are no UDP ports open on that machine,
07:19
so I'll go and do a more targeted scan against it so we can see if we can get version information, especially on that mail server.
07:31
Then we'll compare that against the old-school telnet approach.
07:39
scroll up.
07:49
I could just do it against port 25, but I wanted to show you a little bit more of the power of nmap,
08:05
grabbing a whole bunch of those ports,
08:16
and you'll notice here too that
08:18
I'm not doing the UDP scan because that adds to the time and also
08:24
there were no UDP ports open.
08:26
So
08:28
if you're just doing a SYN scan, a -p
08:33
followed by a space and then the TCP ports is all that you need to put. You don't need to put a T: or U: there.
08:46
Okay, there you have it. So the mail server that is in my DMZ
08:52
is an hMailServer. So that's really good information. You can look up hMailServer and see if you can find
09:00
potential weaknesses in it.
09:03
and
09:05
work harder to penetrate it or exploit it, if that's what you're trying to do. Also you can see
09:13
09:13
SMTP is also running on 465 with hMailServer, and you can see that I'm running a FileZilla FTP server.
09:22
And
09:22
also it's a Microsoft web server. So
09:28
that's all really good information. I hope that you agree,
09:33
and I hope it all makes sense. I really appreciate you going through this lab with me, and I'll see you in the next one.
09:39
This lesson was all about service and application version detection using nmap.
09:45
First, we talked about what service and application version detection is.
09:48
Second, we discussed why it is both relevant and important.
09:52
Third, we talked about when and how to use it, including the most important command-line option you need to know.
09:58
Then I provided a couple other command line options that are available,
10:03
and we finished up this lesson with a lab that demonstrated all of the concepts and commands discussed in this lesson.
10:09
Thanks so much for walking through this lesson, and I'll talk to you again in the next one.