Time
10 minutes
Difficulty
Intermediate

Video Transcription

00:04
Hello. Welcome to Breaking Stuff with Joe, with me, your eponymous host, Joe Perry. If you've never seen a Breaking Stuff with Joe video before, that's totally okay. To bring you up to speed, this is a series of 30-minutes-or-less videos in which we go over different tools used in the pen testing and cybersecurity environments.
00:22
Today, we're gonna be talking about a really interesting tool, the application mapper,
00:26
or amap. Now, we're going to spend a little bit of time discussing what application mapping is and why it's important. Then we're gonna actually see the tool in use, we're gonna look at its options, and we're gonna actually make use of the tool to examine an open application. So hopefully you're excited for this. This is a great tool. If you're working in the pen testing world, it's really, really effective. It's a great companion to nmap.
00:45
When you're performing your initial information gathering against the target,
00:48
it's a really useful tool, and I enjoy talking about it. I enjoy talking about all of these tools, so hopefully you're gonna learn a little bit today and we're gonna be able to have some fun along the way. As always, thank you for watching Breaking Stuff with Joe. Let's get started. So what actually is application mapping? What's the point of it? What do we do with it? How do we use it?
01:04
Application mapping is no more and no less than the attempt to identify what services
01:08
are being offered by a given machine. And you do this sort of the same way that you perform an nmap scan. I kind of talked earlier about how this tool could be seen as a companion;
01:19
one of the things that this tool is... well, the main thing this tool is designed to do is to continue that process that is initially started by that port scan, but to a more complete and fulfilled solution, until it's able to really identify the specific service that's being run. And the way this is operated is by
01:36
following the standard port connection process. So first, we're gonna send a SYN,
01:41
and this is our immediate gate, where you're immediately able to tell a couple of things. If we get back a SYN-ACK, then we know that this is a TCP service. We know this TCP service is accepting and initiating and allowing connections. And we know that this TCP service is on a specific port, because we're able to
01:57
either search a single port or a range of ports. But when it comes back, we'll have the information
02:01
about which port connected. So from there we can see that we get back this SYN-ACK connection, or the SYN-ACK, the SYN acknowledgment for the connection rather, and so we can complete the handshake. Now, what's really cool about this tool is it doesn't stop there in the way that a lot of other tools usually... nmap, depending on what you're doing with nmap, will stop. Instead, it's actually going to continue the process
02:22
and attempt to get more information by sending properly formed requests.
02:25
So, after the SYN, SYN-ACK, ACK,
02:28
it's going to say, OK, now we know that's a TCP server. Cool. We've got our connection established.
02:31
Let's try an HTTP request. Now, it has a bunch of different types of requests that it can send, but it's going to send this request across,
02:38
and we're going to see an HTTP response.
02:42
I included the Wireshark capture of this response because this is
02:45
one of the most valuable uses of an application mapper, of this application mapper in particular,
02:51
is that once we get it back and we're able to look at the headers, which are printed out by amap... I often like to have Wireshark running as well, just to capture all of the traffic and go back through it and see if there are any oddities in it.
03:04
But you can see here, over to the right, there's a bunch of text, including not only the HTTP version, but the date the connection was done, the server, and explicitly the type of server and the system upon which it is running. So here we can see this is an Apache server that's running on Ubuntu, which means that, first of all, we know that it's running HTTP 1.1,
03:23
which we know is a process, or protocol,
03:25
which has a ton of CVEs associated with it, particularly when matched to an unsecured or even unpatched Apache server. So we're able to look at just this simple request back, just this response back to our request, and see: not only is there a service running on the target, not only is it running on a specific port,
03:46
not only is it running TCP,
03:47
but it's also running a specific server type that we know and know how to exploit. So that's why application mapping
03:54
is so valuable, because it can tell us from a black box what exactly we're targeting and give us the information necessary, as part of our information gathering stage, to exploit that target.
04:05
So that's what it is. That's how it works. Now let's look at the actual tool and have a glance at some of its options.
04:12
Inside of our Kali VM here, we're gonna go ahead and look at the actual command for amap as well as some of its options. So, much like with a lot of our tools, this is a command line program, so we're just gonna run it directly out of our terminal here.
04:24
We're gonna run it with this -h option. We're gonna see what help looks like.
04:28
Now, because of the size of the font, it can be a little bit tricky to read here, but that's okay. We'll get a good look at the important details.
04:33
You can see here the usage.
04:36
Go back there, so you can see here the usage. You've got a ton of different options that are built in. Uh, I will say from experience that amap can be a little bit persnickety about the order that it gets the arguments in, so it is best to follow this specific process, and you see here that at the end you've got your target and port.
04:54
Generally speaking, you can get it to work. But I've definitely had some interesting struggles with it over the years.
05:00
So you can see here we've got our options. Our primary options are these capital letters here. We can map applications. So that's the default; that's what it's trying to do on standard. It's going to send triggers and analyze the responses. Alternatively, you could just get the banners, don't actually try and send triggers. So this is a less
05:16
direct map. It's not really trying as hard to analyze and match the
05:20
the specific application,
05:21
but it is giving you back the banner for the connection. So that's gonna be
05:26
to some extent useful,
05:27
but not necessarily as deep or as complex as the application mapping.
05:31
Here, you can see we can choose not to do any actual analysis or pull anything back. We're just connecting and essentially functioning as kind of a lesser nmap. That's not really a great use of this tool, but it is an option.
05:44
You can see here we've got different options in terms of how we can send the triggers, what IPs we might want to use, what we want it to actually print out.
05:51
Uh, and this is actually an interesting little note here at the bottom: it actually comes with a suggested use. The best set of options, or the most common set of options, are -bqv.
06:02
So we'll scroll back up here. We'll see that the b was what I mentioned just a second ago, with just printing, printing the ASCII banner
06:10
of each response that you get back.
06:12
Additionally, q, you can see, "do not report closed ports." So if it tries to hit a port and that port isn't open, then it's just gonna not tell you anything. It's not gonna report back,
06:20
and then the last one, v, which I may have skipped here, is verbose mode. That's just going to give you more information. That's exactly what it sounds like; it's verbose. It says more. You can actually use it multiple times for higher levels of verbosity.
06:36
That said, once you get into, like, you know, two, three, four v's, it can get a little bit difficult to read. There's just too much noise and not enough signal; it's kind of cluttered.
06:46
So those are the options. That's sort of a quick rundown of the options for using this tool. Now we're just gonna go ahead and actually apply it. We're gonna do this very, very simply. We're just going to go ahead and run amap
06:58
-bqv.
07:00
We're gonna run it against a fully qualified domain name that we know is safe and easy to target, that we're also not gonna get in trouble for. If you've seen previous videos, not getting sued, as you may be aware, is one of my favorite things. I am not a fan of being sued. I've never enjoyed it, and I don't intend to give it too many more shots. So
07:17
amap -bqv, and then we're just gonna go ahead and we're gonna type in
07:21
google.com
07:24
and we're gonna see if this works. Now, as I mentioned, amap can be a little bit persnickety, so sometimes you're gonna have to tweak the commands a little bit just to figure out what it's doing wrong. But I think I know... sure enough, this time we didn't get it. So let's try.
07:38
There we go.
07:39
Now you can see this is, ah,
07:42
a lot of information back pretty quickly. You can see it tells you what trigger file it's using. So that's something that can theoretically be modified to give it more triggers; the response file, where it's actually seeing what responses it can analyze against. You can see here that it has a bunch of different responses that it's gonna load, a bunch of different triggers that it loads. So it's looking for all of the different potential
08:01
connections and using that to identify what application,
08:03
and then down here below, you can see that it's a little bit messy again because of the font size. But you can see here that what we're doing is we're just performing this search, getting back our banner,
08:13
and then we're looking to see what information could be gathered. So you can see here that this protocol on this specific port matches TeamSpeak 2. So that's the analysis that it gave back. Now, obviously, specifically targeting Google's port 80 is probably not going to get us exactly what we want back. But it does match to the nearest similar
08:31
protocol, the nearest similar application. We can see here that we got a bad request. It's a 400 error,
08:37
so we can say probably that whatever connection we attempted to initiate wasn't quite right or didn't quite work. But we're still able to gather all sorts of fascinating information. As you saw, as I mentioned in the presentation, it's also valuable when you're doing this to have Wireshark running and look at the actual packets that come back.
08:54
So that's the actual usage of amap. It's a pretty interesting tool. It can be a little bit tricky, as I mentioned, a little bit restrictive. You have to give it certain options in a certain order, but it is capable of performing some pretty thorough analysis and giving you very useful information about your target. I generally, when I'm performing a test, I'll start with nmap to identify the open ports.
09:15
You know, sometimes I'll use a loud scan. Sometimes I'll be nice and quiet and use stealthy packet designs that I won't get caught with. But I'll often follow that up just by using amap and examining exactly what's running, and that's gonna give us, as I said in the presentation... knowing the specific target's services is going to give you just so much information, making you so much more effective
09:35
when you're attacking that system.
09:37
That's gonna be all there is for this Breaking Stuff with Joe video. It's another pretty short one, which is totally cool. It means you've got more time to go out and play around with it yourself. Hopefully you found it valuable, and the idea of application mapping makes a little bit more sense, and you understand why it's useful and how you can make it an effective part of your pen testing toolkit.
09:54
So thank you for watching again. You've been watching Breaking Stuff with Joe with me, your host, Joe Perry, on Cybrary On Demand. Next

How to Use Amap (BSWJ)

The application mapper (AMAP) is an information-gathering tool which allows the user to identify the active programs serving each open port. By performing TCP handshakes and analyzing the communications received from target systems, AMAP provides an invaluable service to the hacking process.
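The probe-and-match loop the video walks through (finish the TCP handshake, send an HTTP trigger, read the banner, match it against a response signature list, and pull the Server and Date headers out of it) as an added example in Python. This is illustrative code written for this page, not amap's own source; the signature list, the host name in the trigger and the two sample banners (the Apache-on-Ubuntu reply and the 400 Bad Request case) are constructed.

```python
import re
import socket

# Added example, not amap's source: a tiny trigger/response fingerprinter in the
# spirit of amap's trigger and response definition files (signatures constructed).
HTTP_TRIGGER = b"GET / HTTP/1.1\r\nHost: example.invalid\r\nConnection: close\r\n\r\n"
# Checked in order, first match wins, so specific entries sit above generic "http".
SIGNATURES = [
    ("http-apache", re.compile(rb"\r\nServer: Apache")),
    ("http-nginx", re.compile(rb"\r\nServer: nginx")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
]

# Constructed banners standing in for a live reply: the Apache-on-Ubuntu response
# the video shows, and the 400 Bad Request case from the google.com run.
APACHE_UBUNTU = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                 b"Server: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n<html>")
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

def identify(banner: bytes):
    """Return the name of the first signature whose regex matches, or None."""
    for name, rx in SIGNATURES:
        if rx.search(banner):
            return name
    return None

def parse_http_banner(banner: bytes) -> dict:
    """Extract HTTP version, status code, Server and Date headers from a raw reply."""
    head = banner.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    info = {"version": None, "status": None, "server": None, "date": None}
    m = re.match(r"HTTP/(\d\.\d) (\d{3})", lines[0])
    if m:
        info["version"], info["status"] = m.group(1), int(m.group(2))
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        if name.strip().lower() in ("server", "date"):
            info[name.strip().lower()] = value.strip()
    return info

def probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Live path: finish the TCP handshake, send the trigger, read one reply chunk."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HTTP_TRIGGER)
        try:
            return s.recv(4096)  # enough for the status line and headers
        except socket.timeout:
            return b""  # no banner: still a TCP service, just a quiet one
```

`identify(probe(host, 80))` runs the live path; the constants let the matcher and parser be exercised offline, and note that the 400 reply still yields a confident "http" match but no Server header, which is why a nearest-signature guess can look odd.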

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor