NMAP

Course
Time
7 hours 1 minute
Difficulty
Beginner
CEU/CPE
7

Video Transcription

00:00
Okay. Welcome to the Nmap OS detection and fingerprinting lab.
00:04
I already told you what OS detection and fingerprinting is in Nmap and why it's relevant. So let's get right to it.
00:10
The only thing I wanted to mention is that when scans take a really long time, I'll cut the video in order to save you some time. But I'll try to let you know when a scan takes a while so that you can be prepared if you decide to run them along with me.
00:24
All right. To start with, just to get our bearings, I'm going to do a ping sweep, so we'll do an nmap -sn
00:31
of my local network.
00:35
You've seen this before.
00:41
All right, so I've got 25 hosts up
00:44
and you can see all their MAC addresses and IP addresses and so forth,
00:48
and again, like I have in the past, I'm going to stick to this 192.168.1.0, which is a Dell machine. Happens to be a Dell server.
01:00
So let me
01:00
clear the screen
01:03
and we'll just start out with the main OS detection scan, which is nmap -O.
01:15
The scan doesn't take very long,
01:18
and there you have it.
01:19
I'll scroll up so that you can see the results of the port scan.
01:26
And there you have it. It
01:29
took less than five seconds and shows that it's running Microsoft Windows 2012
01:34
or 7 or 8.1,
01:37
and the CPE here is Server 2012 R2.
01:42
The server is actually running Server 2012 R2 Essentials,
01:48
so it's pretty close to accurate.
01:53
So what I want to show you next was adding the -v
01:57
for verbosity
02:00
option.
02:01
We've seen it before, but,
02:04
um, when you're doing OS detection, it's nice to see
02:07
the output as it's determining what's going on. So we'll do nmap
02:13
-O -v,
02:21
and you can see what it's doing as it's doing it. It
02:25
takes the same amount of time
02:28
so it doesn't affect the time.
02:30
But you get to see what it's doing as going along.
02:34
Um,
02:36
one thing I wanted to show you is that one thing that verbosity adds is uptime,
02:44
and that's actually very accurate.
02:46
So verbosity not only shows you details as it's going along. But it also does add some extra information that you otherwise wouldn't have known.
03:00
All right, so now I'm gonna show you one of my favorite
03:02
OS discovery strategies. And this is especially effective on a Windows network
03:09
because SMB is so prevalent.
03:12
And that is
03:14
nmap
03:15
-O,
03:25
well, actually, I'll leave the verbosity off this time.
03:30
So it's running an NSE script called smb-os-discovery against this host that we just scanned. And I'm running OS detection
03:40
even though you don't have to run the OS detection.
03:44
Um, we've already done that, so it's gonna provide the same information it did before, but it's gonna add some details using this NSE script.
04:01
Okay, so I'm not gonna scroll all the way up, but what I want to show you is the script results here: smb-os-discovery.
04:10
Like I said before, this server is actually a Server 2012 R2 Essentials and the regular OS detection scan didn't pick up on that detail. But the
04:23
smb-os-discovery script did.
04:26
It also gives me the computer's name,
04:29
which you can obtain doing other things
04:31
um, tells me the domain name
04:33
and the fully qualified domain name,
04:36
and also the system time.
04:39
So that's a really, really good scan to remember
04:42
in case you are scanning a Windows network.
04:46
All right, clear screen again.
04:50
And now I want to do a scan that we just did, but I'm gonna do it against a different target. That is
04:58
nmap -O -v.
05:05
Okay, so this is against the Cisco switch, a layer 2 traditional switch. And what I want you to see is it's doing this OS detection. It's showing you the number of tries against the target.
05:20
I'll scroll up
05:23
It did determine the MAC address. It knows it's a Cisco device,
05:30
but it shows "no exact matches for host"
05:33
and gives you the fingerprint in case you want to submit it.
05:36
But it also shows you how many tries it
05:39
attempted against that device to determine the OS.
05:44
So
05:46
the reason why I wanted to show you that
05:48
is because we talked about an option called --max-os-tries,
05:54
so I'll show you what that does: nmap
05:57
-O.
06:04
All right. So I've added the --max-os-tries and I put the number 1 there
06:12
against the same target
06:15
Before, it tried five times to determine the host,
06:18
the OS of the host.
06:20
That time you saw, I think, if you were watching quickly,
06:26
carefully
06:27
"Initiating OS detection, try number one." So it only tried it one time.
06:31
So that's one way that you can make your scans faster.
06:35
And theoretically, it's not gonna be as accurate, but
06:40
in this case, I'm on a local network. So in most cases,
06:44
on a local area network
06:46
limiting the number of tries to just one is gonna be sufficient.
06:53
And again, that says "No exact
06:55
OS matches for host."
07:01
So we're gonna do a very similar scan again,
07:05
uh,
07:06
clear the screen. I'll do the up arrow.
07:12
And this time, what we're gonna do
07:15
is I'll remove the verbosity.
07:20
I'm gonna add another command line switch that we talked about, and that is --osscan-guess.
07:30
It's against the same target.
07:35
So we're doing a --max-os-tries of one, and I'm telling Nmap to guess what operating system it is based on that one try against the target.
07:46
Before, it wasn't able to determine it, even though it did know that the MAC address was a Cisco device.
07:59
Okay, so here's the fingerprint.
08:03
It says "No exact OS match for host." But
08:07
right above that, it says "Aggressive OS guesses." It says Cisco Catalyst 2950 series switch, 97%; 2950 switch
08:16
running IOS 12.1, 96%.
08:20
And
08:20
that is accurate. This happens to be a Cisco 2950 series switch, and it is running IOS version 12.1,
08:30
and with the MAC address showing that it's a Cisco device. So
08:35
it's accurate. And it's very useful information in case you're doing inventory or getting ready for a penetration test,
08:43
especially because this is IOS 12.1, which has some holes.
08:50
All right, so
08:52
clear this screen again. Okay, so now we're gonna do,
08:56
um,
08:56
another really useful strategy against hosts.
09:01
I'll choose a different one this time. I'm going to hit my firewall,
09:05
and that is combining, ah, application and service version detection with
09:11
the OS detection.
09:15
So do nmap -sV like in the last lesson,
09:20
-O
09:24
against my firewall
09:28
scan takes a little bit of time
09:33
and there you have it.
09:35
I'll scroll up so you can see the results.
09:39
So the cool thing about this is that it not only did an OS detection, which I'll show you in a second,
09:45
but it also did a service version and application version detection at the same time.
09:52
So that's a nice scan to run to save you some time. Maybe it's a little bit noisier,
09:58
but
09:58
it showed me the workgroup that this device is in,
10:03
shows me the versions of all the services running on these ports,
10:11
and shows me the operating system running on this device. Also,
10:16
this is actually a Linksys
10:18
device.
10:20
As a firewall, it shows Belkin because I think that
10:24
Belkin bought out Linksys from Cisco.
10:26
And it does show the CPE here. It also shows you the kernel of Linux that it's running.
10:33
Okay, so I want to add to that, and
10:37
I'm kind of culminating with probably one of the best scans Nmap will run against a single host. It does take a long time, so we'll cut the video,
10:50
even longer than this last one, which was 47.77 seconds.
10:54
Um,
10:56
but that is nmap -A 192.168.1.254. So this is what I call, uh,
11:05
advanced and aggressive scan.
11:11
And I will have to cut the video on this. I think it takes about a minute
11:16
to a minute and a half,
11:18
but I think that you'll be very satisfied and amazed at the results.
11:28
And there you have it. It, ah, took a minute to run that scan against a single host.
11:33
Um, we'll scroll up, and I'll show you the details of this scan.
11:39
All right, So
11:41
it resolved its name,
11:43
and then it did a service and application version detection
11:48
and gave even some additional details because it ran a script scan as well.
11:56
Even did a little bit of a banner grab.
11:58
Note that's, ah, a Linksys Smart Wi-Fi device, which the previous scan did not show,
12:07
and so forth.
12:09
So you see that the -A gives you
12:15
a lot of details and
12:20
really, what I want to show you was, in order to get those same results,
12:26
if you didn't use the -A,
12:30
you would have to do a command like this. Basically, you'd have to do an nmap
12:35
-sS
12:37
for a SYN scan,
12:39
-sC
12:43
for a script scan,
12:43
-sV
12:46
for
12:46
an application and, uh, service version detection, -O for OS detection,
12:56
--traceroute in order to do a traceroute, and then your target.
13:01
I'm not gonna show you the results. You can run it on your own, but I assure you that the results are almost exactly the same as the -A.
13:13
But it just takes a lot more command line options to get the same results. Or if I wanted to make it even longer,
13:20
I could do
13:26
Something like that
13:28
which basically, it does a script scan
13:31
using all the default
13:33
scripts.
13:35
And there you have it. That's the end of the OS detection lab. And I look forward to seeing you in the next video.
13:43
In this lesson, we talked about what operating system detection and fingerprinting is.
13:48
Second, we discussed why it is both relevant and important.
13:52
Then we talked about when and how to use it, including the most important command line option you need to know.
13:58
Then I provided a couple other command line options that are helpful.
14:03
And finally we wrapped up this lesson with a lab on operating system detection and fingerprinting
14:07
again. Thanks so much for working through this lesson with me, and I'll see you in the next one.


Instructed By

Rob Thurston
CIO at Integrated Machinery Solutions
Instructor