Okay, so now let's take a look at port scanning. We are going to work with our virtual machines from this point on, so we need to disengage from the Internet at large, as we do not have permission to perform a pentest on anything out there. So we want to keep our testing, from now on, in our lab environment.
Now, our first question, from a network perspective, is: what software can we potentially exploit? We don't necessarily know if there are any exploits. Just because a service is running on the network, it could certainly be free of known vulnerabilities. On the other hand, it may have known vulnerabilities that we can exploit. And on the other hand, there may be software running on a target system that is not listening on a port. It's not available on the network, and it is vulnerable, but without having access to it over the network, we're not going to be able to directly exploit it. We look at client-side attacks later in the course, which will allow us to potentially exploit local software. But for now we'll stick with what's listening on the network.
So we need to know what ports are open and what's listening there. There are 65,535 TCP ports and likewise the same number of UDP ports. It would be unlikely to find that all ports are open on a single system; you'll probably see a handful or two, depending on the function of that host. Particularly when you're looking at Internet-facing systems, you may find two or three, or even just one: maybe 80 or 443, or both, for web servers; whatever ports they have, like POP3 or IMAP or both, for a mail server. You may find more or less: VPN ports, FTP, SSH, who knows. It really just depends. Internally you'll probably see a bit more; you'll see some domain ports, certainly, if they have a Windows domain. So it really just depends. The sky's the limit when we're just looking at it before we take a look and saying, well, what's there? It could be anything, and any potential network vulnerability might be there. So basically what we're doing is starting with a really large picture and making it smaller, until we whittle down to the exact set of vulnerabilities that we're able to find and exploit in the environment.
So for these next few sections, I'm going to focus on our Windows XP and our Ubuntu hosts. There are other hosts in the course, certainly, but those are the two primary hosts. There's also Windows 7. It does have some vulnerabilities, but aside from the website, nothing is a network-based vulnerability, so we'll just focus on those two. So we have Ubuntu, and we have Windows XP.
So what we need to know at this point are the IP addresses of those two systems. Yours, of course, will probably be different than mine. Mine are 192.168.1.76 and 192.168.1.80. So just keep in mind, yours may be different. Also, you want to make sure that the Zervit software is running. It may fall down at some point, so we need to be able to turn it back on. And again, I'm putting it on a nonstandard port, 3232. I want to say yes to directory listing. All the other software on the Windows XP machine, and as well on the Ubuntu machine, is going to start up automatically. This is just a special service, as we'll see.
All right, so we can certainly just ask what ports are open manually. It's perfectly acceptable. We could do something like netcat. I could tell it I want to ask a port. It doesn't tell us anything; we think, well, it's probably a web server on 80. What if we ask it for something? It seems to be an HTTP response. But what if instead we tell netcat -v, for verbose? Oh, it just automatically tells us that the port is open. We don't have to come up with something that's protocol-dependent to get it to talk to us. But if we instead use port 81: connection refused. So port 80 is open on the Windows XP machine and port 81 is closed. So then we could certainly go through that manually; we could even write a script to do it for us. We made a simple script in our scripting section of the class. We could expand that script a little bit and have it run through all the available ports. Or we could again use a piece of software that's been specifically designed to do this.
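The manual netcat check just described, done by hand in Python and then run across a range of ports, as an added example that is not code from the course or the scripting section. The host and port values are assumptions, and the demo function at the bottom only touches 127.0.0.1 with listeners it creates itself, so it runs offline.

```python
# Added example (not code from the course): the netcat check above, done by
# hand in Python, then run across a range the way the lecture suggests
# extending the scripting-section script. Hosts and ports are assumptions;
# demo_on_localhost() only touches 127.0.0.1, so it runs offline.
import socket


def check_tcp_port(host, port, timeout=1.0):
    """Classify one TCP port from what a plain connect attempt gets back.

    A completed connect means something accepted the handshake ("open");
    a RST surfaces as ConnectionRefusedError ("closed"); no answer inside
    the timeout usually means a filter dropped the SYN ("filtered").
    Other socket errors (no route, bad name) are reported as "error".
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        sock.close()


def scan_tcp_range(host, first, last, timeout=1.0):
    """Run the single-port check over an inclusive range and keep only the
    ports that did not answer "closed", which is what a scanner lists."""
    found = {}
    for port in range(first, last + 1):
        state = check_tcp_port(host, port, timeout)
        if state != "closed":
            found[port] = state
    return found


def demo_on_localhost():
    """Constructed demo: one listener on an ephemeral port, one port that is
    known to be free, then classify both with check_tcp_port()."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Bind and immediately release a second socket to learn a free port.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        return {
            "open_port": open_port,
            "open_state": check_tcp_port("127.0.0.1", open_port),
            "closed_port": closed_port,
            "closed_state": check_tcp_port("127.0.0.1", closed_port),
            "range": scan_tcp_range("127.0.0.1", open_port, open_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_on_localhost())
```

The three outcomes map onto the netcat behaviour in the lecture: a refused connection is a closed port, a completed connection is an open one, and a silent timeout is the case netcat cannot distinguish from a firewall dropping the packet.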
Possibly the best-known and most powerful port scanner is a tool called Nmap, which, as we'll see, has a lot of additional functionality besides just network mapping, but that is its original purpose. So there are a lot of things you can do with Nmap. There is, of course, a man page. The man page, in typical fashion, is not too friendly to read. I would actually say that if we go to nmap.org, there is a book online that I think is probably a better place to look for reference. Certainly you can use the man page, but I prefer this reference guide over here to the left, basically an entire book online about Nmap. First there's target specification: different ways you can specify which targets you'd like to scan. There's a whole section on that. And of course, kinds of scans: port scanning basics, for instance.
A port could be open, closed, filtered, or unfiltered, so there's a possibility that there's a firewall between you and the open port. Even if it is open, you may not be able to talk to it. With these two particular hosts, neither one of them is running a host-based firewall. The Windows 7 box is. Well, if you try Nmap on that one, which you're certainly welcome to do, you will see that far fewer ports are listening, probably because of the Windows firewall.
Port scanning techniques: there's -sS, which is a SYN scan for TCP. TCP, if you're unfamiliar, does a three-way handshake. We send over a SYN, which says, hey, I'd like to open a connection. It writes back with a SYN-ACK, and essentially acknowledges that we would like to open a connection, and we send back the third part of the handshake, which is an ACK, and that will open up a TCP connection. So with the SYN scan, what we do is we send over the SYN, listen for the SYN-ACK, but never actually send the ACK, so we don't complete the three-way handshake. Some people call this a stealthy scan. I don't really think it's particularly stealthy. There's nothing to say that someone couldn't log scanning; you could just say any time someone sends a SYN, we should log it. So it's certainly not completely stealthy. It's not necessarily really that much better than a full connect scan, which is the next one, -sT, which would finish up the three-way handshake. Of course there are UDP scans as well; as we'll see, UDP is a little bit harder to scan because it is connectionless. There are other ones as well. There's all sorts of different scans, also different ways that have, at some point in the past, allowed us to bypass filtering technologies. Hopefully any firewalls or other filters that you'll run into today will be able to see through something like an ACK scan or a Christmas tree scan, where you set all the bits on the TCP packet. But at some point that has been able to fool different filters and bypass them. Hopefully that won't work anymore. There's lots of different scans. Again, I encourage you, when the video's over, to try some different ones. We'll just look at a few basic ones that I use all the time in my pentests.
So let's start with just a SYN scan. So -sS, and then we can tell it the hosts we want. There are lots of different ways to specify hosts. This is just two hosts; not too hard to just give a list like this. You could have it pull from a file with -iL, you can do a range, you can do a /24, whatever mask you want. And let's do -oA for output; we're going to output these to a file. It is certainly worthwhile to do so. We do want to be keeping good notes in our pentests, of course. However you want to do this, for all it matters, pen and paper works. There are tools specifically for keeping pentest notes, like Dradis or KeepNote. I just like to keep all my output. So this is how Nmap does the output: it puts it out in three different formats. You can specify a specific format, or, like I am here, use -oA, for all. That'll put it out in XML format; in nmap format, which is the same as, we'll see, what's printed out to the screen, nicely readable and formatted; and there's also gnmap, which is greppable nmap, which, as the name implies, is greppable and makes it easy to use the grep tool to pull specific strings out. So then we just want to tell it the beginning of the names. I'll call it classscan. It'll make classscan.nmap, classscan.gnmap and classscan.xml. Mine was pretty fast since I'm on my local network; yours might take a little bit longer.
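Since the lecture recommends keeping the -oA output, here is an added example, not code from the course or from the Nmap project, of reading the greppable .gnmap file back in and comparing what is listening on each host against a baseline of what should be. The sample file is constructed to follow the gnmap layout; the hosts, ports and version strings in it are assumptions modelled on the lab, not a real scan.

```python
# Added example (not code from the course): parse Nmap's greppable output,
# the .gnmap file that -oA writes, and compare what is listening on each
# host against a baseline of what should be. SAMPLE_GNMAP is constructed to
# match the gnmap layout; the hosts, ports and version strings are
# assumptions modelled on the lecture's lab, not a real scan.

# Constructed sample in the layout of a -sV -oA classscan run (tab-separated
# fields; each port entry is port/state/proto/owner/service/rpc/version/).
SAMPLE_GNMAP = """\
# Nmap 6.40 scan initiated as: nmap -sV -oA classscan 192.168.1.76 192.168.1.80
Host: 192.168.1.80 ()\tStatus: Up
Host: 192.168.1.80 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 5.1/, 80/open/tcp//http//Apache httpd/, 2049/open/tcp//nfs///\tIgnored State: closed (996)
Host: 192.168.1.76 ()\tStatus: Up
Host: 192.168.1.76 ()\tPorts: 21/open/tcp//ftp//FileZilla ftpd/, 25/open/tcp//smtp//SLmail smtpd 5.5/, 80/open/tcp//http//Apache httpd/, 3306/open/tcp//mysql//MySQL (unauthorized)/, 3232/open/tcp//unknown///\tIgnored State: closed (995)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]}."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '#' comment lines carry no host data
        fields = [f for f in line.split("\t") if f]
        host = fields[0].split()[1]       # "Host: 192.168.1.80 ()" -> address
        entries = results.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue                  # "Status: Up", "Ignored State: ..."
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.strip().split("/")
                if len(parts) < 7 or not parts[0].isdigit():
                    continue              # tolerate a truncated or odd entry
                port, state, proto, _owner, service, _rpc = parts[:6]
                version = "/".join(parts[6:]).rstrip("/")
                entries.append((int(port), state, proto, service, version))
    return results


def open_ports(results, host, proto="tcp"):
    """Sorted list of the ports reported open on one host."""
    return sorted(p for p, state, pr, _s, _v in results.get(host, [])
                  if state == "open" and pr == proto)


def unexpected_ports(results, baseline):
    """For each host in the baseline, report open ports the baseline lacks.

    This is the defender's reading of a scan: anything listening that is not
    on the approved list (here the nonstandard 3232) needs to be explained.
    """
    report = {}
    for host, expected in baseline.items():
        extra = [p for p in open_ports(results, host) if p not in expected]
        if extra:
            report[host] = extra
    return report


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    baseline = {"192.168.1.80": {21, 22, 80, 2049},
                "192.168.1.76": {21, 25, 80, 3306}}
    print(open_ports(scan, "192.168.1.76"))
    print(unexpected_ports(scan, baseline))
```

Splitting each port entry on "/" and rejoining everything after the sixth field keeps version strings intact even when the product name itself contains a slash, which a naive fixed-width split would break.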
So we take a look at our output. It looks like on .80, which is the Ubuntu machine, for TCP we've got 21. These services are just guesses at this point; we haven't even finished the connection, so we're not really sure what's listening there. Someone could run different software on these ports. The default for 21 is FTP, 22 is SSH, a web server, and some other things, Network File System. On Windows it looks like FTP; Simple Mail Transfer Protocol, a mail server; 80, so we've got a web server here as well; we've got MySQL and SMB as well. So anything that's not on those ports is definitely not listening, right?
Well, actually, wrong. Remember, we opened up Zervit on port 3232. We don't see that on our list here for XP at all. So, as it turns out, Nmap by default only scans the 1000 most "interesting" ports, and I'm doing air quotes, so you can't see me: "interesting" in air quotes. So I believe they did a Google Summer of Code project and basically had a bunch of students scan the entire Internet and did some calculations in order to decide what were the most interesting ports. So you may find, particularly if you're using a nonstandard port, that things were missed. In this case, we know that the Zervit port is there, and it certainly did not show up here, so we can specify specific ports. So we just clear this up here and do nmap -sS on 192.168.1.76 and set the port. We could do a range of ports, so we could do all of them like that, or we'll just set a specific port. I'll say I want port 3232, and it's open, but the service is unknown. It doesn't know of any standard thing that listens on 3232. So it can miss ports. So I would encourage you to do the full range of ports. You might miss something, particularly internally, and there's probably some proprietary something lying around somewhere, if they do any development.
We can also do UDP, so -sU for UDP. And this is going to be a little bit different in what we see. Again, I always, you remember, do my -oA output; we'd like to keep our notes. This is going to be a little bit slower. Again, UDP is connectionless, so whereas with TCP we should expect to see a response immediately or nothing, with UDP, how long do you wait? So it is waiting for a second to see if it's going to get a response, so that could take us a little bit of time to run, even here locally. When we did the TCP on the same systems, which are all on this virtual machine network on my host, it was significantly faster than we're seeing here. I could always open up another terminal rather than sit here and watch it. And we can also, if you press a key, it'll tell you where its timing is. The time remaining can be completely dead wrong; it's a guess. Based on what I've seen, I feel like it basically takes how long it's been running and then how much more it has to do and calculates it that way. But if it does more than one task, it will take a lot longer to do later tasks, so it could be completely wrong. So, for instance, I think it's been more than 52 seconds since I did that. See, now it thinks there's one minute and 13 seconds remaining, so you kind of have to take the time remaining with a grain of salt.
All right, so we see with the UDP we actually get some different results. We see open|filtered, open, and of course the rest of the ports that don't show up are closed, a little bit different from what we saw with TCP. Here with the UDP: open, obviously it's open; closed is closed. But what is this open|filtered? Why can't it tell? Well, there's no requirement with UDP that there's any call back to you. With TCP, with the three-way handshake, you're always going to get a response if it's open. But with UDP, since it's connectionless, it's possible you'll get a response from whatever is listening on that port. It may call back to you and say, hey, you sent me the wrong stuff, or, you know, whatever; it's up to whoever wrote it. Or it may just say nothing. It may just act upon your input. It's really up to the developer. So if it receives no response, it's not sure whether it's open or filtered. If we send it information it doesn't understand and it just ignores us, we could get open or filtered, because it would also receive no response if there was a firewall in place that just dropped it. It looks like we do have some open and some open|filtered ports on both of them. So it is going to be a little bit harder to deal with UDP.
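The three UDP outcomes just described, as an added example in Python that is not code from the course: one probe datagram is sent and the reply, the lack of a reply, or an ICMP port-unreachable decides the state. The hosts and ports are assumptions; the demo builds its own listeners on 127.0.0.1, and the "closed" case relies on the kernel surfacing the ICMP error on a connected UDP socket, which is Linux and BSD behaviour.

```python
# Added example (not code from the course): probe one UDP port and sort the
# result into the three outcomes an nmap -sU scan reports. Hosts and ports are
# assumptions; demo_on_localhost() builds its own listeners on 127.0.0.1.
# The "closed" case relies on the kernel turning an ICMP port-unreachable
# into ConnectionRefusedError on a connected UDP socket (Linux/BSD behaviour).
import socket
import threading


def check_udp_port(host, port, payload=b"\x00", timeout=1.0):
    """Send one datagram and classify what comes back.

    any datagram back       -> "open"          something answered us
    ICMP port unreachable   -> "closed"        nobody is bound there
    nothing before timeout  -> "open|filtered" a service that ignored our
                                               bytes, or a filter that dropped
                                               them; we cannot tell which
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))   # connected socket so ICMP errors are reported
        sock.send(payload)
        sock.recv(4096)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    except OSError:
        return "error"
    finally:
        sock.close()


def _echo_once(sock):
    """Constructed 'talkative' service: answer the first datagram it sees."""
    data, addr = sock.recvfrom(4096)
    sock.sendto(data, addr)


def demo_on_localhost(timeout=0.5):
    """Three constructed cases: a listener that replies, a listener that stays
    silent, and a port that was just released so nothing is bound to it."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    echo.bind(("127.0.0.1", 0))
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    responder = threading.Thread(target=_echo_once, args=(echo,), daemon=True)
    responder.start()
    try:
        return {
            "echo": check_udp_port("127.0.0.1", echo.getsockname()[1], timeout=timeout),
            "silent": check_udp_port("127.0.0.1", silent.getsockname()[1], timeout=timeout),
            "closed": check_udp_port("127.0.0.1", closed_port, timeout=timeout),
        }
    finally:
        responder.join(timeout)
        echo.close()
        silent.close()


if __name__ == "__main__":
    print(demo_on_localhost())
```

The silent listener is the interesting case: it is genuinely open, yet the probe reports open|filtered, which is exactly why a UDP scan has to wait out a timeout on every port and why it runs so much slower than the TCP scan.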
I've always kind of joked that if you wanted to hide things that were vulnerable in plain sight, you should put them on UDP, because it's a bit more difficult to determine what's there than with TCP. You can do nmap -sU, and that has to be together with -sV, to do version scanning for UDP, but that's even slower than a plain UDP scan. And I've noticed that I kind of cut the video to make it a little bit faster. So if yours took a little bit longer than mine, don't worry; that's normal.
So, speaking of version scanning, we haven't actually done that yet. That's another Nmap option, -sV, and the IP addresses, of course yours may be different, and again my -oA output. This is just TCP; we could do -sU -sV and do some version scanning against UDP. We'll see what we get out here. This, as the name implies, is going to do a little bit more than just telling whether the port is open; it's going to give a best guess of what's actually listening there. So whereas before, when we did -sS, we saw the service, and I mentioned that it was really just based on what the port was supposed to be doing: port 21 is supposed to be FTP, 25 is supposed to be SMTP, then, like, MySQL. But when we do version scanning, it pulls banners and otherwise does some magic to try and make a best guess of what's actually listening there, which gives us pretty good version numbers here. We have the FileZilla FTP version, the SLMail version; MySQL was unauthorized, you may or may not know what that means, we'll find that out. This even kind of gives us the operating system to some extent. Not the version down to the service pack, but those give us that it's Microsoft Windows XP. vsftpd 2.3.4, OpenSSH 5.1; this one is Ubuntu Linux. Apache again, Samba, Network File System. Oh, good. So there's a lot of open ports here. It looks like we've got some potential on both of these hosts.
Of course, we forgot all about that extra port that we found, 3232. So you need to either do -p for the whole range with -sV, or we could just do it like this. Let's take the single port. It makes it that much quicker. That is on 192.168.1.76 in my case. When we see that this kind of hangs a little bit, we go back to XP to see what's going on. We have access to it, so we can, of course, do this. This actually crashes the Zervit program, which we know how to restart. No problems there; we're going to restart it when we're ready, but you may not always be able to do that. If you're on a pentest, chances are, you know, you could hang your head in shame and go to the people who hired you and say that you knocked something over, and please put it back up. But the main point that I want to make with this is that you should never tell your customers that nothing will go wrong, because this is just Nmap; all we're doing here is port scanning. It's really unfortunate that people build software that can't hold up to a port scanner, but they do, all the time, of course. You know, people who write software aren't always thinking about things like dealing with input that is not expected. So especially in this occasion, it was listening on a nonstandard port, and Nmap has no idea what it should send it. So it seems Zervit, if it doesn't get input that it expects, crashes. So never guarantee to your customers that nothing will go wrong. It's possible something will, hopefully not at this stage, with just port scanning, but you may knock something over, and they need to be aware of that. And we can just restart this. And it does, after a little bit of time, say I don't know what this is, but it does print out what it got back before the crash. You can kind of get an idea by reading that. Some of it is ugly, but: HTTP/1.0 200 [...] Server: Zervit 0.4 [...]. You can get an idea what it is just from that, even though Nmap couldn't decide. Looks like a Zervit 0.4, which, again, if we're on a pentest, it may be dead forever, and knowing that may or may not do us any good whatsoever. So it really just depends. Of course, in our case, again, we just restarted it, so no worries there.
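Reading the partial reply yourself when -sV gives up, as the lecture does with the Zervit banner, as an added example that is not code from the course or from Nmap. The banners below are constructed for illustration: only the vsftpd and Zervit strings echo what the lecture shows, their exact wire format is assumed, and the hosts and ports are assumptions.

```python
# Added example (not code from the course): read a raw banner yourself when
# nmap -sV cannot decide, as it could not for Zervit on port 3232. The
# banners below are constructed; only the vsftpd and Zervit strings echo
# what the lecture shows, and their exact wire format is assumed.
import re

# Constructed sample banners keyed by "host:port" (hosts are assumptions).
# The 3232 reply is deliberately cut off, like what came back before the crash.
SAMPLE_BANNERS = {
    "192.168.1.76:3232": b"HTTP/1.0 200 OK\r\nServer: Zervit 0.4",
    "192.168.1.80:21": b"220 (vsFTPd 2.3.4)\r\n",
    "192.168.1.80:22": b"SSH-2.0-OpenSSH_5.1p1\r\n",
    "192.168.1.76:3306": b"\x5c\x00\x00\x00\xffj\x04Host '192.168.1.1' is not allowed",
    "192.168.1.76:9999": b"\x00\x01\x02garbage",  # nothing recognisable
}

# (protocol, pattern) pairs; group 1 is the product, group 2 the version.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-\d\.\d-([A-Za-z]+)_(\S+)")),
    ("ftp", re.compile(r"^220[ -].*?\(?(vsFTPd|FileZilla)\s+([\d.]+)")),
    ("http", re.compile(
        r"^HTTP/\d\.\d\s+\d{3}.*?\r\nServer:\s*([^\r\n]+?)\s+([\d.]+)(?:\r\n|$)",
        re.S)),
]


def parse_banner(raw):
    """Best-effort (protocol, product, version) from a raw banner, or None.

    Bytes are decoded leniently so a crashed server's partial reply, or a
    binary protocol such as MySQL, never raises; an unrecognised banner
    returns None, the same honest answer nmap gives ("service unknown").
    """
    text = raw.decode("latin-1")
    for proto, pattern in BANNER_PATTERNS:
        m = pattern.search(text)
        if m:
            return (proto, m.group(1), m.group(2))
    return None


def identify_all(banners):
    """Map each 'host:port' to its parsed identity, keeping unknowns as None
    so the notes list still shows what needs manual analysis."""
    return {key: parse_banner(raw) for key, raw in banners.items()}


if __name__ == "__main__":
    for key, ident in identify_all(SAMPLE_BANNERS).items():
        print(key, ident)
```

The patterns are anchored to the start of the reply and the HTTP one tolerates a missing trailing line break, so a truncated response still yields the product and version that a human would read off the screen.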
That's a little bit about Nmap. Again, I encourage you to take a look at the website for it. They do have a whole manual with all sorts of different things you can do here, lots of different scans, so you could just spend more time with it. It is kind of the backbone of port scanning, the main tool set. What's also interesting is that just based on what we've got with Nmap so far, we can start to get an idea of what we might want to do for our exploitation. Certainly we won't know just from these versions whether or not specific vulnerabilities really exist; we need to do some vulnerability analysis. But we can at least start to make a list of vulnerabilities we might want to take a look at later.
I'm going to open up another terminal here, and I'll call it potential vulns, make it a little bit bigger, and look at our versions. So we've got here vsftpd 2.3.4. Type that into Google. Well, the first thing that comes up is vsftpd 2.3.4 backdoor command execution. Then, right under that, there's a good blog post that actually explains what happened. Basically, the Very Secure FTP repository was broken into, and the source code was replaced with the original source with some additional functionality. Specifically, if there's a smiley face in the username, it will spawn a backdoor as root on port 6200. And this was only true for a few days, so they didn't change the version number in between. So just because you have 2.3.4, you don't know; maybe it was downloaded before or after, so it doesn't necessarily mean this vulnerability is present, but it may be, based on the version number. So it sounds like a good thing that we might want to put on our list. Most call it the smiley face. If I had a bigger pentest than this, I would probably want to keep track of where things are, what IP address or hostname, or whatever you want to use, Excel spreadsheets or whatnot. Just with this one, Windows and Linux, that's plenty.
Let's do one more, and actually I'll give you a little bit of homework to see if you can find any other ones. So let's pull this back up and do one more here. How about this one: SLMail 5.5. Put that into Google. Again, pretty much the first thing that comes up is that there is a buffer overflow, and it says it's POP3, and this takes me to Exploit Database, which actually has code for it. We'll see how to write this kind of code ourselves a bit later in the course when we do exploit development. But it says it's on POP3, so it's going to go to the POP3 port. If you aren't sure what that is, it might actually say here: it says it's connecting to port 110. Port 110. When we go back to our Nmap here, yours might actually be different than mine. I set this up in my classes that are live, so it will have already expired. SLMail will only run for 15 days on the free version with POP3. By now it has, honestly, SMTP and some other stuff. But after the 15 days it expires and only runs SMTP on port 25. So if you're, like, really on point and have already started working on it and have gotten this far within 15 days after you made your VMs, you'll actually see that POP3. Otherwise you'll be like me, and it's not listening. So it'll be, in that case, an example of a vulnerability that might be there, but we can't access it because POP3 isn't listening. So again, if yours doesn't have POP3 still listening, feel free to put that on your list, and maybe, maybe not, you'll be able to exploit it. Once you get through the rest of exploitation, you'll certainly be able to figure it out. I'll let you go through these and see if you can find any other potential vulnerabilities. And then in the next section, we will look at actively finding our vulnerabilities with vulnerability scanners, the Nmap scripting engine, manual analysis, all sorts of things. So I will see you next time.