Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This video covers port scanning and how it is used to find software that may be exploitable. Port scanning lets a tester discover which ports are open on a target, and it can be done manually, for example with netcat, before turning to a dedicated scanner. Be sure to scan the full range of ports, since some services run on proprietary or non-standard ports and a default scan will miss them. The video also introduces Nmap, the main tool set and the backbone of port scanning.
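Added example (written for this page; it is not code from the video, the instructor, or the Nmap project): the "manual" check the video does with netcat, written as a small Python scanner. probe_tcp does a full connect (SYN, SYN/ACK, ACK, so the target's logs will show it) and classifies a refused connection as closed and a timeout as filtered; probe_udp shows why UDP is harder, since a reply means open, an ICMP port-unreachable means closed, and silence can only be reported as open|filtered, the same state nmap -sU prints. The targets are constructed loopback listeners started inside the script, so it runs offline; the function names and the choice of loopback ports are mine, not the course's lab hosts.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# All targets below are constructed loopback listeners, not the course's VMs.


def probe_tcp(host, port, timeout=1.0):
    """Full connect() probe, the equivalent of 'nc -v host port'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # three-way handshake completed: something listens
    except ConnectionRefusedError:
        return "closed"          # RST came back: host reachable, nothing listening
    except OSError:
        return "filtered"        # timeout or ICMP error: a filter may be in the way
    finally:
        s.close()


def probe_udp(host, port, payload=b"\x00", timeout=1.0):
    """UDP probe. Silence can mean 'open but ignoring us' or 'dropped by a filter'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # connected UDP socket gets ICMP errors reported
        s.send(payload)
        s.recv(4096)
        return "open"            # the service answered our probe
    except ConnectionRefusedError:
        return "closed"          # ICMP port unreachable was delivered to the socket
    except socket.timeout:
        return "open|filtered"   # no reply: cannot tell open from filtered
    finally:
        s.close()


def scan_tcp(host, ports, timeout=1.0, workers=64):
    """Probe many TCP ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_tcp(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_tcp_ports(host, ports, timeout=1.0):
    return sorted(p for p, st in scan_tcp(host, ports, timeout).items() if st == "open")


def _tcp_listener():
    """Constructed target: accept-and-close TCP service on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return           # listener was closed
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def _udp_listener(reply):
    """Constructed target: UDP service that either echoes or stays silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(4096)
            except OSError:
                return
            if reply:
                srv.sendto(b"got " + data, peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Scan the constructed targets and return the states observed."""
    tcp_srv, tcp_port = _tcp_listener()
    echo_srv, echo_port = _udp_listener(reply=True)
    mute_srv, mute_port = _udp_listener(reply=False)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]   # grab a free port, then release it
    tmp.close()
    try:
        return {
            "tcp_port": tcp_port,
            "tcp_listener": probe_tcp("127.0.0.1", tcp_port),
            "tcp_closed": probe_tcp("127.0.0.1", closed_port),
            "udp_echo": probe_udp("127.0.0.1", echo_port),
            "udp_silent": probe_udp("127.0.0.1", mute_port),
            "found": open_tcp_ports("127.0.0.1", range(tcp_port - 2, tcp_port + 3)),
        }
    finally:
        for s in (tcp_srv, echo_srv, mute_srv):
            s.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:13} {state}")
```

Run it as a script to see the five states; the silent UDP listener is the one that takes a full timeout to report, which is why the video's UDP scan is so much slower than the TCP one.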

Video Transcription

00:04
Okay, so now let's take a look at port scanning. We are going to work with our virtual machines at this point, so we need to disengage from the Internet at large, as we do not have permission to perform a pen test on that. So you want to keep
00:23
our testing from now on in our lab environment.
00:27
Now our first question is from a network perspective.
00:32
What software can we potentially exploit? We don't know, necessarily, if there are any exploits. Just because a service is running on the network, it could certainly be
00:44
free of known vulnerabilities. But on the other hand, it may have known vulnerabilities that we can exploit. On the other hand, there may be
00:54
software running on a target system that's not listening on a port. It's not available on the network, and it is vulnerable. But without having access to it over the network, we're not going to be able to directly exploit it. We look at client-side attacks later in the course, which will allow us to
01:14
potentially exploit local software.
01:17
But for now we'll stick with what's listening on the network.
01:22
So we need to know what ports are open and what's listening there. So there are
01:27
65,535 TCP ports and likewise the same amount of UDP ports.
01:36
It would be unlikely to find that all ports are open on a single system. You'll probably see a handful or two, depending on what the function of that host is. You may find, particularly when you're looking at Internet-facing systems, they may decide on, you know, two or three, even just one. Maybe
01:53
80 or 443 or both for web servers,
01:59
53 for DNS,
02:01
25 and
02:05
whatever port they have, like POP3 or IMAP, or both, for the mail server. You may find more or less.
02:15
You see VPN ports, FTP, SSH; who knows, it really just depends. Internally you'll probably see a bit more. You'll see some domain ports, certainly, if you have a Windows domain.
02:28
Um, so it really just depends. The sky's the limit when we're just looking at it and saying, well, what's there, before we take a look? It could be anything, and any potential network vulnerability might be there. So basically what we're doing is starting with a really large picture and making it smaller
02:46
until we whittle down to the exact set of vulnerabilities that we're able to find and exploit in the environment.
02:53
So for these next few sections, I'm going to focus on our Windows XP and our Ubuntu hosts.
03:01
There are other hosts in the course, certainly, but those are the two primary hosts. There's also Windows 7. It does have some vulnerabilities, but besides the website, nothing is a network-based vulnerability. So we'll just focus on those two. So we have Ubuntu,
03:20
and we have Windows XP.
03:23
So what we need to know at this point are the IP addresses of those two systems.
03:30
Yours, of course, will probably be different than mine. Mine are 192.168.1.76 and
03:39
192.168.1.80.
03:42
So just keep in mind, yours may be different. Also want to make sure that the Zervit software is running.
03:47
It may fall down at some point, so we need to be able to turn it back on. And again, I'm putting it on a nonstandard port, 3232.
03:59
I want to say yes to directory listing.
04:01
All the other software on the Windows XP machine, and as well on the Ubuntu machine,
04:06
is going to start up automatically. This is just a special service, as we'll see.
04:13
All right, so we can certainly just ask what ports are open manually. It's perfectly acceptable. We could do like a netcat.
04:23
I could tell it I want to ask if port,
04:28
say, 80, is open.
04:32
Well,
04:33
it doesn't tell us anything. We think, well, it's probably a web server on 80. So what if we ask it? It
04:42
seems to be an HTTP response.
04:46
But what if instead we give it
04:49
netcat -v, for verbose?
04:59
Oh, it just automatically tells us that the port is open.
05:03
We don't have to come up with something that's protocol dependent to get it to talk to us.
05:12
But if we instead ask for port 81, the connection is refused. Port 80 is open
05:18
on the Windows XP machine and port 81 is closed. So then we could certainly go through that manually, could even write a script to do it for us. We made a
05:30
simple script in our scripting section of the class. We could expand that script a little bit and have it run through all the available ports. Or we could again use a piece of software that's been specifically designed to do this.
05:45
Possibly the best known and most powerful port scanner is a tool called nmap,
05:50
which, as we'll see, has a lot of additional functionality besides just network mapping,
05:57
but that was its original purpose. So there are a lot of things you can do with nmap. There is, of course, a man page.
06:05
But in typical
06:10
man page fashion, it's not too friendly to read. I would actually say that if we go to
06:17
nmap.org, there is a book here
06:21
online that I think is
06:25
probably a better place to look for reference. Certainly you can use the man page, but I prefer this reference guide over here to the left,
06:32
basically an entire book online about nmap.
06:35
There's target specifications, different ways you can specify which targets you'd like to scan,
06:43
a whole section on that,
06:46
and of course, kinds of scans,
06:57
port scanning basics, for instance,
07:00
and
07:02
and port states: open, closed, filtered, unfiltered.
07:10
So there's a possibility that there's a firewall between you and the open port. Even if it's open, you may not be able to talk to it.
07:17
With these particular two hosts, neither one of them is running a host-based firewall. The Windows 7 box is.
07:26
Well, if you try nmap on that one, which you're certainly welcome to do,
07:30
you will see that far fewer ports are listening, probably because of the Windows firewall.
07:40
Port scanning techniques.
07:43
There's -sS, which is a SYN scan for TCP. So TCP, if you're unfamiliar, does a three-way handshake. We send over a SYN, which says, hey, I'd like to open a connection.
07:58
It writes back and says SYN/ACK, basically acknowledges that we would like to open a connection, and we send the third part of the handshake, which is an ACK, and that will open up a TCP connection.
08:15
So with the SYN scan, what we do is we send over the SYN, listen for the SYN/ACK, but never actually send the ACK, so we don't complete the three-way handshake.
08:24
Some people call this a stealthy scan. I don't really think it's particularly stealthy. There's nothing to say that someone couldn't log
08:33
half-open
08:35
scanning. You could just say any time someone sends a SYN, we should log it. So it's certainly not completely stealthy.
08:43
It's not necessarily really that much better than a full connect scan, which is the next one, -sT, which would finish up the three-way handshake.
08:56
And of course there are UDP scans as well. As we'll see, UDP is a little bit harder to scan because it is connectionless.
09:05
There are other ones as well. There are all sorts of different scans, also different ways that at some point in the past allowed us to bypass filtering technologies. Hopefully, any firewalls or other filters that you run into today will
09:20
be able to see through, like ACK scan or Xmas tree scan, where you set all the bits
09:26
on the TCP packet. But at some point that has been able to fool different filters to get by, to bypass filters. Hopefully that won't work anymore.
09:39
There are lots of different scans. Again, I encourage you, when the video's over, to try some different ones. We'll just look at a few basic ones that I use all the time in my pen tests.
09:52
So let's start with just a SYN scan. So -sS,
09:58
and then we can tell it the hosts we want,
10:03
and there are lots of different ways to specify hosts.
10:05
This is just two hosts, so it's not too hard to just give a list like this. You could have it pull from a file with -iL, you can do a range, you can do a /24, whatever mask you want.
10:20
And let's do -o for output; we are going to output these to a file. It is certainly worthwhile to do so.
10:31
We do want to be keeping good notes in our pen tests, of course. And however you want to do this, for all it matters, you know, pen and paper works. There are tools specifically for keeping pen test notes like Dradis or KeepNote.
10:43
But
10:45
I just like to keep all my output. So this is how nmap does the output. It puts it out in three different formats. You can specify a specific format or, like I am here, use -oA for all; that'll put it out in XML format,
11:01
nmap format, which is the same as we'll see printed out to the screen, nicely readable and formatted. There's also gnmap, which is grepable nmap, which, as the name implies, is grepable and easy to use the grep tool
11:16
to pull specific strings out.
11:20
So then we just want to tell it the beginning of the file names. I'll call it
11:26
classscan.
11:28
It'll make classscan.nmap, classscan.gnmap and classscan.xml. Mine was pretty fast since I'm on my local network; yours might take a little bit longer,
11:43
so we take a look at our output.
11:48
It looks like on .80, which is,
11:52
make this bigger,
11:54
on .80, which is the Ubuntu machine, it looks like we've got, for TCP, we've got 21. That's FTP. These services are just a guess at this point; we haven't even finished the connection, so we're not really sure what's listening there. Someone could run
12:09
different software on these ports, but the default for 21 is FTP. 22, SSH. Web server.
12:18
Like Samba, uh, things. Network File System.
12:24
For Windows, it looks like FTP,
12:28
Simple Mail Transfer Protocol, so a mail server,
12:33
80, so we've got a web server here as well,
12:37
HTTPS web server.
12:39
We've got MySQL, and, uh, SMB as well.
12:48
So anything that's not on those ports is definitely not listening, right?
12:52
Well, actually, wrong. Remember, we opened up the Zervit port, 3232. We don't see that on our list here for XP at all. So, as it turns out, nmap by default only scans the 1000 most interesting, and I'm doing air quotes, so you can't see me,
13:11
"interesting" in air quotes, ports. So I believe they did a Google Summer of Code project and basically had a bunch of students scan the entire Internet and did some
13:22
calculations in order to decide what were the most interesting ports. So you may find, particularly if you're
13:30
using a non-standard port, you may find that things were missed. In this case, we know that the Zervit port is there, and it certainly did not respond here, so we can specify specific ports.
13:45
So we just clear this guy up here, do nmap
13:50
and do -sS on 192.168.1.76 and set the port. We could do a range of ports, so we could do all of them like that.
14:03
Or we'll just set specific ports. I'll say I want port 3232,
14:11
and it's open, but the service is unknown. It doesn't know of any standard thing that listens on 3232,
14:18
so it can miss ports. So I would encourage you to
14:22
do the full range of ports. You might miss something particularly internally,
14:28
and there's probably some
14:30
proprietary something lying around somewhere. If they do any development,
14:37
We can also do UDP, so -sU for UDP. And this is going to be a little bit different in what we see.
14:45
The .76 and .80,
14:48
like so,
14:52
my output. But again, I always, did you remember to do my
14:54
output? We'd like to keep our notes.
14:58
You
15:00
Miss Feldt Feet either.
15:03
This is going to be a little bit slower. Again, UDP is connectionless. So whereas with TCP we should expect to see a response immediately or nothing, with UDP, how long do you wait? So it is waiting for a second to see if it's going to get a response.
15:20
And
15:22
so that could take us a little bit of time
15:26
to run, even here locally. When we did the TCP on the same systems that are all on
15:33
this virtual machine network on my host, it was significantly faster than we're seeing here.
15:41
You know, I could always open up another terminal
15:46
rather than sit here and watch it.
16:00
And we can also, if you hit enter, it'll tell you where its timing is. The time remaining can be completely dead wrong; it's a guess. Based on what I've seen, I feel like it basically takes how long it's been running and then how much more it has to do
16:18
and calculates it that way. But if it does more than one task, it will take a lot longer to do later tasks, so it could be completely wrong. So, for instance, I think it's been more than 52 seconds since I did that.
16:33
See, now it thinks there's one minute and 13 seconds remaining, so you kind of have to take the time remaining with a grain of salt.
16:48
All right, so we see with the UDP we actually get some different results. We see open/filtered, open, and of course the rest of the ports that don't show up are closed. A little bit different than what we saw with TCP. Here with the UDP,
17:04
um, open, obviously, it's open. Closed is closed. But what is this open/filtered? Why can't it tell? Well,
17:11
there's no requirement with UDP that there's anything called back to you. With TCP, with the three-way handshake,
17:21
you're always going to get a response if it's open. But with our UDP, since it's connectionless, it's possible you'll get a response from whatever is listening
17:32
on that port. It may call back to you and say, hey, you sent me the wrong stuff, or,
17:37
you know, whatever; it's up to whoever wrote it.
17:40
Or it may just say nothing. It may just act upon your input. It's really up to the developer. So if it receives no response, it's not sure whether it's open or filtered.
17:49
So we send it like information it doesn't understand and just ignores us.
17:55
Then
17:56
we could get open or filtered
17:57
because it would also receive no response if there was a firewall in place that just
18:03
filtered it out.
18:04
It looks like we do have some open
18:07
and some open/filtered ports on both of them. So it is going to be a little bit harder to deal with UDP.
18:15
I've always kind of joked that if you wanted to hide things that were vulnerable in plain sight, you should put them on UDP, because it's
18:22
a bit more difficult to
18:23
determine what's there than with
18:26
TCP. You can do nmap -sU, and that has to be together with -sV to do version scanning,
18:33
um, for UDP, but it's even slower than UDP. And I've noticed, I kind of cut the video to make it a little bit shorter, so if yours took,
18:45
are a little bit faster, rather. So if yours took a little bit longer than mine, don't worry. That's normal.
18:51
Um, so speaking of version scanning, we haven't actually done that. Yeah, that's another nmap
18:57
scan we can do,
19:00
and that's going to be
19:02
nmap -sV
19:04
and our IP addresses.
19:08
Of course yours may be different; unlikely ours are
19:12
the same. -oA again, do my output, classscan
19:17
version.
19:19
This is just TCP; we can do an -sU, -sV and do some version scanning against UDP.
19:27
We'll see what we can get out here. This, as the name implies, is going to do a little bit more than just telling whether the port is open; it's going to give a best guess of what thing is actually listening there.
19:41
So whereas before, when we did the -sS, we saw the version, I mentioned that it was really just based on what the port was supposed to be doing. Port 21 is supposed to be FTP, 25 is supposed to be SMTP,
19:56
things like that.
19:59
Then, like MySQL,
20:00
3306.
20:03
But when we did the version scanning, it pulls banners and otherwise does some magic to try and make a best guess at what's actually listening there. It gives us pretty good version numbers here.
20:14
We have FileZilla FTP version, SLMail version,
20:18
Apache.
20:22
Um, MySQL was unauthorized. May or may not know what that means. We'll find that out.
20:29
This even kind of gives us the operating system to some extent; the SMB
20:33
version, down to the service pack. Those give us that it's Microsoft Windows XP.
20:40
vsftpd 2.3.4, OpenSSH 5.1. This one is Ubuntu Linux.
20:48
The Apache again. Samba,
20:52
Network File System. Oh, good, substantive open ports here. It looks like we've got some potential on both of these hosts.
21:02
Course, we forgot all about that
21:03
extra port that we found
21:07
3232. So you need to either do, uh,
21:11
-p for the whole range with -sV, or we could just do it like this.
21:15
Let's take a single port. It makes it that much quicker.
21:19
That is on Windows, .76 in my case,
21:26
and we see that this kind of hangs a little bit.
21:30
We go back to XP, see what's going on,
21:33
which we have access to. So we can, of course, do this. This actually crashes the Zervit program, which we know how to restart.
21:42
No, no problems there. We're going to restart it
21:45
when we're ready, but you may not always be able to do that. If you're on a pen test, chances are, you know, you could hang your head in shame and go to the people who hired you and say that you knocked something over, could you please put it back up. But the main point that I want to make with this is that you should never
22:04
tell your customers that nothing will go wrong, because this is just, all we're doing here is port scanning.
22:11
It's really unfortunate people build software that can't hold up to a port scanner. But they do.
22:17
You are
22:18
all the time, of course. But, you know, people who write software aren't always thinking about things like dealing with input that is not expected. So
22:26
especially in this occasion, it was listening on a non-standard port, and nmap had no idea what it should send it. So it seems Zervit, if it doesn't get input that it expects,
22:37
it crashes. So never guarantee to your customers that nothing will go wrong. It's possible something will,
22:44
hopefully not at this stage, when it's just port scanning. But, you know, you may knock something over, and they need to be aware of that. And we could just restart this,
22:52
and it does, you know, after a little bit of time, say, I don't know what this is, but it does point out what it got back before the crash. You can kind of get an idea by reading that. Some things are ugly, but HTTP/
23:06
1.0, \x20 being a space, that's the slash x,
23:11
200 OK,
23:12
Server: Zervit 0.4,
23:19
\r\n, carriage return, newline. You can get an idea what it is just from that, even though nmap couldn't decide. Looks like Zervit 0.4, which again, if we're on a pen test, it may be dead forever, and knowing that may or may not do us any good whatsoever.
23:36
So it really just depends. Of course, in our case again, we just restarted it. So no worries there.
23:45
That's a little bit about nmap. Again, I encourage you to go to
23:55
so that's a little bit about nmap.
24:03
That's a little bit about nmap again. I encourage you to take a look at
24:08
the website for it. They do have a whole manual
24:12
with all sorts of different things. You can do here
24:15
lots of different scans,
24:18
so I could just spend more time with it. It is kind of the backbone of port scanning. Main tool set
24:26
What's also interesting is, just based on what we've got with nmap so far,
24:30
we can start to get an idea of what we might want to do
24:36
for our exploitation. Certainly we won't know just from these versions whether or not those vulnerabilities really exist; we need to do some vulnerability analysis.
24:45
But we can at least start to make a list of vulnerabilities we might.
24:51
I want to take a look out later.
24:53
So
24:56
I'm gonna open up another terminal here. And
25:00
I'll call it potential vulns,
25:04
make it a little bit bigger
25:08
and look at our versions. So here, so we got
25:15
they have here vsftpd 2.3.4.
25:19
Type that into Google,
25:22
vsftpd 2.3
25:27
.4.
25:30
Well, the first thing that comes up is vsftpd 2.3.4 backdoor command execution,
25:38
then right under that there's a good blog post. It actually explains what happened.
25:44
Basically, the very secure FTP
25:47
um, repository was broken into, and the source code was replaced with the original source with some additional functionality. Specifically, if there's a smiley face in the user name, it will spawn a backdoor as root on port 6200.
26:06
And this was only true for a few days,
26:08
so they didn't change the version number between it.
26:12
So just because you have 2.3 point four, you don't know, maybe it was downloaded before or after,
26:19
so it doesn't necessarily mean it's this vulnerability is present, but it may be based on the version number, So it sounds like a good thing that we might want to put on our list.
26:33
Most call it the smiley face
26:36
back door
26:37
That is on Linux.
26:41
If I had a bigger pen test on this, I would probably
26:45
want to keep track of where things are, what
26:48
IP address or host name or whatever you want to use, Excel spreadsheets or nice, just,
26:56
with this one, Windows and Linux is plenty.
27:00
Let's do one more, and actually give you a little bit of homework to see if you can find any other ones.
27:07
So, let's pull this back up and do one more here. How about
27:15
how about this one, SLMail 5.5.
27:33
Put that into Google
27:34
again, pretty much the first thing that comes up is that there is a buffer overflow,
27:41
and it says it's POP3, and this gives me Exploit Database, who actually have code for it.
27:48
We'll see how to write this kind of code ourselves a bit later in the course when we do exploit development.
27:56
But it says it's on POP3, so it's going to go to the POP3 port. If you aren't sure what that is, it might actually say it here.
28:08
Let's see,
28:11
it says it's connecting to port 110.
28:15
This is
28:17
One ten. When we go back to our nmap, yours might actually be different than mine. I set this up
28:22
in my classes that are live, so that it will have already expired. SLMail will only run for 15 days on the free version with the POP3. By now,
28:36
I know, you know, it has IMAP also, I think, and some other stuff.
28:41
But after the 15 days it expires and only runs SMTP on port 25. So if you're, like, really on point and have already started working on it, have gotten this far within 15 days after you made your VMs, you'll actually see that POP3
28:57
port is listening,
29:00
but if it's not,
29:02
you'll be like me and it's not listening. So it'll be, in that case, an example of a vulnerability that
29:08
might be there, but we can't access it because POP3 isn't listening.
29:14
So again, if yours does have POP3 still listening, feel free to put that on your list, and maybe, maybe not, you'll be able to exploit it. Once you get through the rest of exploitation, you'll certainly be able to figure it out.
29:27
So
29:30
I'll let you go through these and see if you can find any other potential vulnerabilities. And then in the next section we will look at
29:37
actively finding our vulnerabilities with vulnerability scanners, nmap scripting engine, manual analysis, all sorts of things,
29:45
so I will see you next time.

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor