Host Discovery Part 2 - NM

00:00

Okay. Welcome to the end. Map OS detection in fingerprinting lab.

00:04

I already told you what Os detection and fingerprinting is an end map and why it's relevant. So let's get right to it.

00:10

The only thing I wanted to mention is that when scans take a really long time, I'll cut the video in order to save you some time. But I'll try to let you know when a skin takes awhile so that you could be prepared if you decide to run them along with me.

00:24

All right. To start with, just to get our bearings, I'm going to do a thing sweep so we'll do an map. Dash S. N

00:31

of my local network.

00:35

You've seen this before?

00:41

All right, so I've got 25 hosts up

00:44

and you can see all their Mac addresses and I p addresses and so forth

00:48

and again like I have in the past, I'm going toe stick to this 19 to 1 68 1.0 which is a del machine. Happens to be a Dell server.

01:00

So let me

01:00

clear the screen

01:03

and we'll just start out with the main OS detection scan, which is in map dash capital O

01:15

The skin doesn't take very long,

01:18

and there you have it.

01:19

I'll scroll up so that you can see the results of the port scan.

01:26

And there you have. It

01:29

took less than five seconds and shows that it's running Microsoft Windows 2012

01:34

or seven or 8.1,

01:37

and the C p E. Here is Server 2012 r two.

01:42

The server is actually running server 2020 12 r two essentials,

01:48

so it's pretty close to accurate.

01:53

So what I want to show you next, Waas adding the dash

01:57

the

01:57

for verbosity

02:00

option.

02:01

We've seen it before, but,

02:04

um, when you're doing always detection, it's nice to see

02:07

the output as it's determining what's going on. So we'll do an map

02:13

Dash Capital O Dash, Lower Case T,

02:21

and you can see what it's doing as it's doing. It

02:25

takes the same amount of time

02:28

so it doesn't affect the time.

02:30

But you get to see what it's doing as going along.

02:34

Um,

02:36

one thing I wanted to show you is that one thing that verbosity ads is up time,

02:44

and that's actually very accurate.

02:46

So verbosity not only shows you details as it's going along. But it also does add some extra information that you otherwise wouldn't have known.

03:00

All right, so now I'm gonna show you one of my favorite

03:02

OS discovery strategies. And this is especially effective on Windows Network

03:09

because S and B is so prevalent.

03:12

And that is an

03:14

and Matt

03:15

Dash Capital O,

03:25

well, actually leave the verbosity off this time.

03:30

So it's running an NSC script called SMB Dash O s Dash Discovery against this host that we just scanned. And I'm running os detection

03:40

even though you don't have to run the s detection.

03:44

Um, we've already done that, so it's gonna provide the same information it did before, but it's gonna add some details using this NSC script.

04:01

Okay, so I'm not gonna screw all the way up, But what I want to show you is the script results here S and B O s discovery.

04:10

Like I said before, this server is actually a server 2012 r two essentials and the regular OS detection scan didn't pick up on that detail. But S and B

04:23

OS Discovery scripts can did

04:26

also gives me the computer's name,

04:29

which you can obtain doing other things

04:31

um tells me the domain name

04:33

and the full of fully qualified domain name

04:36

and also the system time.

04:39

So that's a really, really good scan to remember

04:42

in case you are scanning a Windows network.

04:46

All right, clear skin again.

04:50

And now I want to do and a skin that we just did. But I'm gonna do it against a different target. That is

04:58

a mad dash capital O Dash V.

05:05

Okay, so this is against the Cisco switch toe layer to traditional switch. And what I want you to see is it's doing this lowest detection. It's showing you the number of tries against the target.

05:20

I'll scroll up

05:23

it. Did the Mac address determine the Mac address? It knows it's isco device,

05:30

but it shows, you know, exact matches for hosts

05:33

and gives you the fingerprint in case you want to submit it.

05:36

But it also shows you how many tries it

05:39

attempted against that device to determine the OS.

05:44

So

05:46

the reason why I wanted to show you that

05:48

is because we talked about an option called Max Os Tries

05:54

s o. I'll show you what that does do and map

05:57

dash capital o.

06:04

All right, So I've added the dash dash Max OS tries and I put the number one there

06:12

against the same target

06:15

before it tried five times to determine the host.

06:18

The less of the host

06:20

That time you saw, I think if you were watching quick,

06:26

carefully

06:27

initiating always detection, try number one. So it only tried it one time.

06:31

So that's one way that you can make your scans faster.

06:35

And theoretically, it's not gonna be as accurate. But

06:40

in this case, I'm on a local network. So in most cases,

06:44

on a local area network

06:46

limiting the number of tries to just one is gonna be sufficient.

06:53

And again, that says no exactly.

06:55

OS matches for host.

07:01

So we're gonna do a very similar skin again,

07:05

uh,

07:06

clear the screen. I'll do the up, up arrow.

07:12

And this time, what we're gonna d'oh

07:15

is I'll remove the verbosity.

07:20

I'm gonna add another command line switch that we talked about and that is OS

07:26

scan.

07:27

Guess

07:30

it's against the same target.

07:35

So we're doing a max always tries of one, and I'm telling and map to guess what operating system it iss based on that one. Try against the target

07:46

before it wasn't able to determine it, even though it did know that the Mac address was a Cisco device.

07:59

Okay, so here's the fingerprint.

08:03

It says no exact OS match for host. But

08:07

right above that, it says aggressive OS guesses. It says Cisco Catalyst, 29 50 Siri's switched 97%. 29 50. Switch

08:16

running IOS 12.1 96%

08:20

And

08:20

that is accurate. This happens to be a Cisco 29 50 Siri switch, and it is running IOS version 12.1

08:30

and with the Mac address of showing that it's a Cisco device. So

08:35

it's accurate. And it's very useful information in case you're doing inventory or getting ready for penetration test,

08:43

especially because this is Iowa's 12.1, which has some holes.

08:50

All right, so

08:52

clear this gun again. Okay, so now we're gonna do,

08:56

um,

08:56

another really useful strategy against hosts.

09:01

I'll choose a different one this time. I'm going to hit my firewall,

09:05

and that is combining ah vert application and service version detection with

09:11

the OS detection.

09:15

So do and map Dash s Capital V like in the last lesson,

09:20

dash capital O

09:24

against my firewall

09:28

scan takes a little bit of time

09:33

and there you have it.

09:35

I'll scroll up so you can see the results.

09:39

So the cool thing about this is that it not only did in OS detection, which I'll show you in a second,

09:45

but it also did a service inversion application version detection at the same time.

09:52

So that's a nice can Deron to save you some time. Maybe it's a little bit noisier,

09:58

but

09:58

showed me the work group that this device is in

10:03

shows me the versions of all the service is running on these ports

10:11

and shows me the operating system running on this device. Also,

10:16

this is actually a link sis

10:18

device.

10:20

A za firewall shows Belkin because I think that

10:24

Bilkin bought out lynxes from Cisco.

10:26

And it does show the CPD here also shows you the colonel of Lennox that it's running.

10:33

Okay, so I want to add to that, and

10:37

I'm kind of culminating with the probably one of the best scans and map will run against a single host does take a long time, so we'll cut the video

10:50

even longer than this last one, which was 47.77 seconds.

10:54

Um,

10:56

but that is an map. Dash capital A When I etude at 1 68 That 1.254 So this is what I call, uh,

11:05

advanced and aggressive Scan.

11:11

And I will have to cut the video on this. I think it takes about a minute

11:16

to a minute and 1/2

11:18

but I think that you'll be very satisfied and amazed at the results.

11:28

And there you have it. It's ah, took a minute to run that scan against a single host.

11:33

Um, well, scroll up, and I'll show you the details of this scan.

11:39

All right, So

11:41

it resolved its name,

11:43

and then it did a service in application version detection

11:48

and gave some even some additional details because it ran a script scan as well.

11:56

Even did a little bit of a banner grab.

11:58

No, that's ah, links this smart WiFi device, which the previous scan did not show

12:07

and so forth.

12:09

So you see that the dash capital A gives you

12:15

a lot of details and

12:20

really, what I want to show you was in order to get those same results.

12:26

If you didn't use the dash capital A,

12:30

you would have to do a command like this. Basically, you'd have to do an end map.

12:35

Dash s s

12:37

for a sin scan

12:39

s C

12:43

for a scrip scan.

12:43

Dash s V

12:46

for

12:46

a in application in, uh, service version detection dash capital O for unless detection

12:56

dash dash tracer out in order to do a trace route and then your target.

13:01

I'm not gonna show you the results. You can run on your own, but I assure you that the results are almost exactly the same Is the dash a dash capital A.

13:13

But it just takes a lot more command line options to get the same results. Or if I wanted to make it even longer,

13:20

I could D'oh.

13:26

Something like that

13:28

which basically, it doesn't script scan of

13:31

using all the default

13:33

scripts.

13:35

And there you have it. That's the end of the OS detection lab. And I look forward to seeing you in the next video.

13:43

In this lesson, we talked about what operating system detection and fingerprinting is.

13:48

Second, we discussed. White is both relevant and important

13:52

there. We talked about when and how to use it, including the most important command line option you need to know.

13:58

Then I provided a couple other command line options that are helpful.

14:03

And finally we wrapped up this lesson with a lab on operating system detection and fingerprinting