Host Discovery Part 2 - NM


Course Time: 7 hours 1 minute
Difficulty: Beginner
CEU/CPE: 7
Video Transcription
00:00
Okay. Welcome to the Nmap OS detection and fingerprinting lab.
00:04
I already told you what OS detection and fingerprinting is in Nmap and why it's relevant. So let's get right to it.
00:10
The only thing I wanted to mention is that when scans take a really long time, I'll cut the video in order to save you some time. But I'll try to let you know when a scan takes a while so that you can be prepared if you decide to run them along with me.
00:24
All right. To start with, just to get our bearings, I'm going to do a ping sweep, so we'll do an nmap -sn
00:31
of my local network.
00:35
You've seen this before?
00:41
All right, so I've got 25 hosts up
00:44
and you can see all their MAC addresses and IP addresses and so forth,
00:48
and again, like I have in the past, I'm going to stick to this 192.168.1.0, which is a Dell machine. Happens to be a Dell server.
01:00
So let me
01:00
clear the screen
01:03
and we'll just start out with the main OS detection scan, which is nmap -O.
01:15
The scan doesn't take very long,
01:18
and there you have it.
01:19
I'll scroll up so that you can see the results of the port scan.
01:26
And there you have it. It
01:29
took less than five seconds and shows that it's running Microsoft Windows 2012
01:34
or seven or 8.1,
01:37
and the CPE here is Server 2012 R2.
01:42
The server is actually running Server 2012 R2 Essentials,
01:48
so it's pretty close to accurate.
01:53
So what I want to show you next was adding the -v
01:57
for verbosity
02:00
option.
02:01
We've seen it before, but,
02:04
um, when you're doing OS detection, it's nice to see
02:07
the output as it's determining what's going on. So we'll do an nmap
02:13
-O -v,
02:21
and you can see what it's doing as it's doing it. It
02:25
takes the same amount of time
02:28
so it doesn't affect the time.
02:30
But you get to see what it's doing as it's going along.
02:34
Um,
02:36
one thing I wanted to show you is that one thing that verbosity adds is uptime,
02:44
and that's actually very accurate.
02:46
So verbosity not only shows you details as it's going along. But it also does add some extra information that you otherwise wouldn't have known.
03:00
All right, so now I'm gonna show you one of my favorite
03:02
OS discovery strategies. And this is especially effective on a Windows network
03:09
because SMB is so prevalent.
03:12
And that is an
03:14
nmap
03:15
-O,
03:25
Well, actually, I'll leave the verbosity off this time.
03:30
So it's running an NSE script called smb-os-discovery against this host that we just scanned. And I'm running OS detection
03:40
even though you don't have to run OS detection.
03:44
Um, we've already done that, so it's gonna provide the same information it did before, but it's gonna add some details using this NSE script.
04:01
Okay, so I'm not gonna scroll all the way up, but what I want to show you is the script results here, smb-os-discovery.
04:10
Like I said before, this server is actually a Server 2012 R2 Essentials, and the regular OS detection scan didn't pick up on that detail. But the smb-os-discovery
04:23
script scan did.
04:26
also gives me the computer's name,
04:29
which you can obtain doing other things
04:31
um, tells me the domain name
04:33
and the fully qualified domain name
04:36
and also the system time.
04:39
So that's a really, really good scan to remember
04:42
in case you are scanning a Windows network.
04:46
All right, clear screen again.
04:50
And now I want to do a scan that we just did. But I'm gonna do it against a different target. That is
04:58
nmap -O -v.
05:05
Okay, so this is against the Cisco switch, a layer 2 traditional switch. And what I want you to see is it's doing this OS detection. It's showing you the number of tries against the target.
05:20
I'll scroll up.
05:23
It did the MAC address, determined the MAC address. It knows it's a Cisco device,
05:30
but it shows no exact matches for host
05:33
and gives you the fingerprint in case you want to submit it.
05:36
But it also shows you how many tries it
05:39
attempted against that device to determine the OS.
05:44
So
05:46
the reason why I wanted to show you that
05:48
is because we talked about an option called --max-os-tries,
05:54
so I'll show you what that does. nmap
05:57
-O.
06:04
All right. So I've added the --max-os-tries and I put the number one there
06:12
against the same target
06:15
Before, it tried five times to determine the host,
06:18
the OS of the host.
06:20
That time you saw, I think if you were watching quickly,
06:26
carefully,
06:27
initiating OS detection, try number one. So it only tried it one time.
06:31
So that's one way that you can make your scans faster.
06:35
And theoretically, it's not gonna be as accurate. But
06:40
in this case, I'm on a local network. So in most cases,
06:44
on a local area network
06:46
limiting the number of tries to just one is gonna be sufficient.
06:53
And again, that says no exact
06:55
OS matches for host.
07:01
So we're gonna do a very similar scan again,
07:05
uh,
07:06
clear the screen. I'll do the up, up arrow.
07:12
And this time, what we're gonna do
07:15
is I'll remove the verbosity.
07:20
I'm gonna add another command line switch that we talked about, and that is --osscan-guess.
07:30
It's against the same target.
07:35
So we're doing a --max-os-tries of one, and I'm telling nmap to guess what operating system it is based on that one try against the target.
07:46
Before, it wasn't able to determine it, even though it did know that the MAC address was a Cisco device.
07:59
Okay, so here's the fingerprint.
08:03
It says no exact OS match for host. But
08:07
right above that, it says aggressive OS guesses. It says Cisco Catalyst 2950 series switch 97%, 2950 switch
08:16
running IOS 12.1 96%.
08:20
And
08:20
that is accurate. This happens to be a Cisco 2950 series switch, and it is running IOS version 12.1,
08:30
and with the MAC address showing that it's a Cisco device. So
08:35
it's accurate. And it's very useful information in case you're doing inventory or getting ready for a penetration test,
08:43
especially because this is IOS 12.1, which has some holes.
08:50
All right, so
08:52
clear the screen again. Okay, so now we're gonna do,
08:56
um,
08:56
another really useful strategy against hosts.
09:01
I'll choose a different one this time. I'm going to hit my firewall,
09:05
and that is combining, uh, application and service version detection with
09:11
the OS detection.
09:15
So do an nmap -sV like in the last lesson,
09:20
-O
09:24
against my firewall
09:28
scan takes a little bit of time
09:33
and there you have it.
09:35
I'll scroll up so you can see the results.
09:39
So the cool thing about this is that it not only did an OS detection, which I'll show you in a second,
09:45
but it also did a service version and application version detection at the same time.
09:52
So that's a nice scan to run to save you some time. Maybe it's a little bit noisier,
09:58
but
09:58
showed me the workgroup that this device is in,
10:03
shows me the versions of all the services running on these ports,
10:11
and shows me the operating system running on this device. Also,
10:16
this is actually a Linksys
10:18
device.
10:20
As a firewall, it shows Belkin because I think that
10:24
Belkin bought out Linksys from Cisco.
10:26
And it does show the CPE here. Also shows you the kernel of Linux that it's running.
10:33
Okay, so I want to add to that, and
10:37
I'm kind of culminating with probably one of the best scans nmap will run against a single host. It does take a long time, so we'll cut the video,
10:50
even longer than this last one, which was 47.77 seconds.
10:54
Um,
10:56
but that is nmap -A 192.168.1.254. So this is what I call, uh,
11:05
advanced and aggressive scan.
11:11
And I will have to cut the video on this. I think it takes about a minute
11:16
to a minute and a half,
11:18
but I think that you'll be very satisfied and amazed at the results.
11:28
And there you have it. It, ah, took a minute to run that scan against a single host.
11:33
Um, we'll scroll up, and I'll show you the details of this scan.
11:39
All right, So
11:41
it resolved its name,
11:43
and then it did a service and application version detection
11:48
and gave even some additional details because it ran a script scan as well.
11:56
Even did a little bit of a banner grab.
11:58
Now, that's, ah, a Linksys Smart Wi-Fi device, which the previous scan did not show,
12:07
and so forth.
12:09
So you see that the -A gives you
12:15
a lot of details and
12:20
really, what I want to show you was in order to get those same results.
12:26
If you didn't use the -A,
12:30
you would have to do a command like this. Basically, you'd have to do an nmap
12:35
-sS
12:37
for a SYN scan,
12:39
-sC
12:43
for a script scan,
12:43
-sV
12:46
for
12:46
application and, uh, service version detection, -O for OS detection,
12:56
--traceroute in order to do a traceroute, and then your target.
13:01
I'm not gonna show you the results. You can run it on your own, but I assure you that the results are almost exactly the same as the -A.
13:13
But it just takes a lot more command line options to get the same results. Or if I wanted to make it even longer,
13:20
I could do
13:26
something like that,
13:28
which basically does a script scan
13:31
using all the default
13:33
scripts.
13:35
And there you have it. That's the end of the OS detection lab. And I look forward to seeing you in the next video.
13:43
In this lesson, we talked about what operating system detection and fingerprinting is.
13:48
Second, we discussed why it is both relevant and important.
13:52
Then we talked about when and how to use it, including the most important command line option you need to know.
13:58
Then I provided a couple other command line options that are helpful.
14:03
And finally we wrapped up this lesson with a lab on operating system detection and fingerprinting.
14:07
Again, thanks so much for working through this lesson with me, and I'll see you in the next one.