Okay. Welcome to the Nmap OS detection and fingerprinting lab.

I already told you what OS detection and fingerprinting is in Nmap and why it's relevant, so let's get right to it.

The only thing I wanted to mention is that when scans take a really long time, I'll cut the video in order to save you some time. But I'll try to let you know when a scan takes a while, so that you can be prepared if you decide to run them along with me.
All right. To start with, just to get our bearings, I'm going to do a ping sweep, so we'll do an nmap -sn of my local network. You've seen this before.

All right, so I've got 25 hosts up, and you can see all their MAC addresses and IP addresses and so forth. And again, like I have in the past, I'm going to stick to this 192.168.1.0, which is a Dell machine. It happens to be a Dell server.
So let me clear the screen, and we'll just start out with the main OS detection scan, which is nmap -O.

The scan doesn't take very long, and there you have it. I'll scroll up so that you can see the results of the port scan. And there you have it. It took less than five seconds and shows that it's running Microsoft Windows 2012 or 7 or 8.1, and the CPE here is Server 2012 R2. The server is actually running Server 2012 R2 Essentials, so it's pretty close to accurate.
So what I want to show you next was adding the -v. We've seen it before, but when you're doing OS detection, it's nice to see the output as it's determining what's going on. So we'll do nmap -O -v, and you can see what it's doing as it's doing it. It takes the same amount of time, so it doesn't affect the time, but you get to see what it's doing as it goes along.

One thing I wanted to show you is that one thing verbosity adds is uptime, and that's actually very accurate. So verbosity not only shows you details as it's going along, but it also adds some extra information that you otherwise wouldn't have known.
All right, so now I'm gonna show you one of my favorite OS discovery strategies, and this is especially effective on a Windows network because SMB is so prevalent. And that is nmap -O, well, actually, I'll leave the verbosity off this time. So it's running an NSE script called smb-os-discovery against this host that we just scanned, and I'm running OS detection even though you don't have to run the OS detection. We've already done that, so it's gonna provide the same information it did before, but it's gonna add some details using this NSE script.

Okay, so I'm not gonna scroll all the way up, but what I want to show you is the script results here: smb-os-discovery. Like I said before, this server is actually a Server 2012 R2 Essentials, and the regular OS detection scan didn't pick up on that detail, but the smb-os-discovery script did. It also gives me the computer's name, which you can obtain doing other things, tells me the domain name and the fully qualified domain name, and also the system time. So that's a really, really good scan to remember in case you are scanning a Windows network.
All right, clear the screen again. And now I want to do the scan that we just did, but I'm gonna do it against a different target. That is nmap -O -v.

Okay, so this is against a Cisco switch, a layer 2 traditional switch. And what I want you to see is that as it's doing this OS detection, it's showing you the number of tries against the target. I'll scroll up. It did determine the MAC address; it knows it's a Cisco device, but it shows no exact matches for the host and gives you the fingerprint in case you want to submit it. But it also shows you how many tries it attempted against that device to determine the OS.
The reason why I wanted to show you that is because we talked about an option called --max-os-tries. So I'll show you what that does: nmap -O.

All right, so I've added the --max-os-tries and I put the number 1 there, against the same target. Before, it tried five times to determine the OS of the host. This time, you saw, I think if you were watching quickly, "Initiating OS detection, try number 1". So it only tried it one time. So that's one way that you can make your scans faster. And theoretically, it's not gonna be as accurate, but in this case I'm on a local network, so in most cases on a local area network, limiting the number of tries to just one is gonna be sufficient. And again, that says "No exact OS matches for host".
So we're gonna do a very similar scan again. Clear the screen. I'll do the up arrow. And this time, what we're gonna do is I'll remove the verbosity. I'm gonna add another command line switch that we talked about, and that is --osscan-guess. It's against the same target. So we're doing a --max-os-tries of 1, and I'm telling nmap to guess what operating system it is based on that one try against the target. Before, it wasn't able to determine it, even though it did know that the MAC address was a Cisco device.

Okay, so here's the fingerprint. It says "No exact OS match for host", but right above that it says "Aggressive OS guesses": it says Cisco Catalyst 2950 series switch 97%, 2950 switch running IOS 12.1 96%. That is accurate. This happens to be a Cisco 2950 series switch, and it is running IOS version 12.1, and with the MAC address showing that it's a Cisco device. So it's accurate, and it's very useful information in case you're doing inventory or getting ready for a penetration test, especially because this is IOS 12.1, which has some holes.
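The results from the scans so far (the OS match and its accuracy, the CPE, the uptime guess, and what smb-os-discovery reports) are exactly what you'd want to feed into an inventory. As an added example, not from the video, here is a Python script that parses nmap's -oX XML output into a per-host inventory and drops low-confidence guesses; the XML sample inside it is constructed, with made-up IPs, MAC, hostname and accuracies that only mirror the lab's results.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format, trimmed to the OS-related elements;
# IPs, MAC, hostname and accuracies are made up to mirror the lab's results.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/>
  <address addr="192.168.1.254" addrtype="ipv4"/>
  <address addr="00:00:00:00:00:01" addrtype="mac" vendor="Cisco Systems"/>
  <os>
   <osmatch name="Cisco Catalyst 2950 series switch" accuracy="97"/>
   <osmatch name="Cisco 2950 switch running IOS 12.1" accuracy="96">
    <osclass type="switch" vendor="Cisco" osfamily="IOS" osgen="12.X" accuracy="96">
     <cpe>cpe:/o:cisco:ios:12.1</cpe></osclass></osmatch>
  </os>
  <uptime seconds="864000" lastboot="placeholder"/>
 </host>
 <host><status state="up"/>
  <address addr="192.168.1.10" addrtype="ipv4"/>
  <os><osmatch name="Microsoft Windows Server 2012 R2" accuracy="100">
   <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" accuracy="100">
    <cpe>cpe:/o:microsoft:windows_server_2012:r2</cpe></osclass></osmatch></os>
  <hostscript><script id="smb-os-discovery" output="">
   <elem key="os">Windows Server 2012 R2 Essentials</elem>
   <elem key="fqdn">dellsrv.example.local</elem>
  </script></hostscript>
 </host>
</nmaprun>"""


def os_inventory(xml_text, min_accuracy=90):
    """Map each IP to its best -O match, CPEs, uptime and the OS reported over SMB.
    Guesses under min_accuracy are dropped so --osscan-guess noise stays out."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a for a in host.findall("address")}
        ip = addrs["ipv4"].get("addr")
        matches = [(m.get("name"), int(m.get("accuracy"))) for m in host.iter("osmatch")]
        matches = [m for m in matches if m[1] >= min_accuracy]
        uptime = host.find("uptime")  # uptime guess (needs TCP timestamps from the target)
        # smb-os-discovery reports what the host says about itself; often more precise than the fingerprint
        smb = {e.get("key"): e.text for s in host.iter("script")
               if s.get("id") == "smb-os-discovery" for e in s.iter("elem")}
        inventory[ip] = {
            "mac_vendor": addrs["mac"].get("vendor") if "mac" in addrs else None,
            "best_guess": max(matches, key=lambda m: m[1], default=None),
            "cpes": sorted({c.text for c in host.iter("cpe")}),
            "uptime_seconds": int(uptime.get("seconds")) if uptime is not None else None,
            "smb_os": smb.get("os"),
            "fqdn": smb.get("fqdn"),
        }
    return inventory
```

Run a real scan with `-oX scan.xml` and pass the file's contents to os_inventory; a host with no match at or above min_accuracy gets a best_guess of None.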
All right, so clear the screen again. Okay, so now we're gonna do another really useful strategy against hosts. I'll choose a different one this time. I'm going to hit my firewall, and that is combining application and service version detection with the OS detection. So do nmap -sV, like in the last lesson, -O against my firewall. The scan takes a little bit of time, and there you have it. I'll scroll up so you can see the results.

So the cool thing about this is that it not only did an OS detection, which I'll show you in a second, but it also did a service and application version detection at the same time. So that's a nice combination to save you some time. Maybe it's a little bit noisier. It showed me the workgroup that this device is in, shows me the versions of all the services running on these ports, and shows me the operating system running on this device. Also, this is actually a Linksys; as a firewall it shows Belkin because I think that Belkin bought out Linksys from Cisco. And it does show the CPE here, and also shows you the kernel of Linux that it's running.
Okay, so I want to add to that, and I'm kind of culminating with probably one of the best scans nmap will run against a single host. It does take a long time, so we'll cut the video, even longer than this last one, which was 47.77 seconds. But that is nmap -A, which I'm going to run against 192.168.1.254. So this is what I call the advanced and aggressive scan. And I will have to cut the video on this. I think it takes about a minute to a minute and a half, but I think that you'll be very satisfied and amazed at the results.

And there you have it. It took a minute to run that scan against a single host. I'll scroll up, and I'll show you the details of this scan. All right, so it resolved its name, and then it did a service and application version detection and gave some additional details because it ran a script scan as well. It even did a little bit of a banner grab. Note that it's a Linksys Smart Wi-Fi device, which the previous scan did not show, and so forth.

So you see that the -A gives you a lot of details, and really what I want to show you was, in order to get those same results, if you didn't use the -A, you would have to do a command like this. Basically, you'd have to do nmap -sS for a SYN scan, -sC for a script scan, -sV for application and service version detection, -O for OS detection, --traceroute in order to do a traceroute, and then your target. I'm not gonna show you the results; you can run it on your own, but I assure you that the results are almost exactly the same as the -A. But it just takes a lot more command line options to get the same results. Or if I wanted to make it even longer, I could do something like that, which basically does a script scan using all the default scripts.

And there you have it. That's the end of the OS detection lab, and I look forward to seeing you in the next video.
In this lesson, we talked about what operating system detection and fingerprinting is. Second, we discussed why it is both relevant and important. Third, we talked about when and how to use it, including the most important command line option you need to know. Then I provided a couple of other command line options that are helpful. And finally, we wrapped up this lesson with a lab on operating system detection and fingerprinting.

Again, thanks so much for working through this lesson with me, and I'll see you in the next one.
The network mapper (Nmap) is one of the highest quality and most powerful free network utilities in the cybersecurity professional's arsenal.