Linux Network Information Gathering Lecture (part 2)

Video Activity

This lessons covers port specification and scan techniques and discusses the following examples: -p : only scan specific ports -F: fast mode. Scan fewer ports than the default scan. -r: scan ports consecutively. Don't randomize. Top ports : scan most common ports Port ratio : scan ports more common than Participants also learn about service/versio...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

7 hours 47 minutes
Video Description

This lessons covers port specification and scan techniques and discusses the following examples:

  • -p : only scan specific ports

  • -F: fast mode. Scan fewer ports than the default scan.

  • -r: scan ports consecutively. Don't randomize.

  • Top ports : scan most common ports

  • Port ratio : scan ports more common than

Participants also learn about service/version detection: - sV: probe open ports to determine service/version info

  • version intensity : set from 0 (light) to 9 (ty all probes)

  • version light: limit to most likely probes (intensity 2)

  • version all: try every single probe (intensity 9)

  • version trace: showed detailed version scan activity (for debugging)

This lesson also discusses P0f is passive OS fingerprinting and listens to traffic with the intention of identifying operation systems and does not generate its own traffic as well as Tcpdump which prints out a description of the contents of packets on a network to match the Boolean expression.

Video Transcription
nicest port specification and skin techniques. Obviously, this was scanned techniques. This is a little bit more in the way of scan techniques, but it's a little bit war
abstract in general. Rather than being so specific about blacks. Not sure thing. Support specification is very easy.
We could do tech P.
Obviously we see examples here like tech. P 22 will only as I mentioned earlier I described you could just check in S H port. See if S H is open.
You can also do it like this, which is 13 65 5 35
I'm only do this if you're a mass kissed or if you have tons and tons of time.
This meant that this method right here will scan every single port on a machine. TCP and UDP just run through everything it is going to take awhile. My general advice is get a cup of coffee cause you're in for a stake out. This is the more common when you're going to see.
This is well, not necessarily more common, but the better version. At least
this is specifying the exact ports. It may be that you have an exploit that you can throw against SM beer that you have an expert. You can throw in some specific strange service that some of their computer's gonna be running. But you also want to know if you know
this is the machine that has D. N s on it. You want to know if this is a server when identify who's serving up what?
Which is kind of what this is geared to do. This particular set that it gave here,
I'm it's designed to look at
commonly used, sir reports
and send the trying connect to each of those ports or syntax each of those sports.
By doing it in this man in this manner, you can identify pretty much every server on a network with a single port list just by saying, you know,
trying connect to 53 which is D. N s. You know, try and connect the 80 and 80 80 which are http
trying connected various sir reports. And if it replies, whatever replies to I know that it is a server for that protocol. That's, ah, well formatted handy list to use. It's one that I highly recommend. It kind of gets the best of both worlds between efficacy and efficiency.
Um, there's also the fast mode option. The default scan is the top 1000 ports. That isn't
exactly the 1st 1000 ports because there are some random highs or, theoretically randomized like 80 80 which are actually very, very well known and extremely common. So it has the 1000 most common ports by defaulter scan with fast mode, it scans fewer than that.
Um, I don't know the exact number off the top of my head. I want to say it's one of the range about 200 ports, but it skins few reports that scans only, you know, the very, very most common ports,
um, are
turns off the random ization,
which is typically bad. Random ization is nice because it doesn't look like you're just standing ports. If you've got our active and you're scanning slowly, it might look like normal trafficker might look like we're traffic, but it's not happening fast enough. Rented, yes, to catch
Tak are takes that away. It stopped for an imitation. It just runs, you know, if you're doing one through 65 5 35 it's can support one minutes can support two skins for three
all the way up. Um, that's very noticeable.
Ah, only in very specific use cases are you gonna want to turn off random ization. I have never had cause to do so,
but it isn't impossible. So it's worth knowing that option.
this is a good one, which is, you know, top ports. So if fast scan doesn't work for you or fast mode doesn't work for you, most common is over for you. Whatever. You can scan a specific number. You know, the top blink most common ports. So if you've got time, you can scan the top 10,000 most common ports,
which consists of almost 100% of Ulster reports.
Um, I mean, you're looking like 98. 99% of the common of the actually used ports will be in the top 10,000 in terms of servers.
Um, if, on the other hand, you only want, you know, the top 10 or 15 which is gonna be things like http Ah UDP the really, really common ports. You could do it that way.
Generally speaking, if you're looking for a number of top ports less than about 20 or 30. It's better to just write the specific ports. It's just more efficient. You have more control and you know for sure. But
if you just want to say, I want to see the most you know the top five ports and I don't want to specify this works for you port ratio.
Now I'll be completely honest. This is an option I've never used. It's kind of a cool option, and it's concept, but I've never really had a use case for it.
I'm a scan sports that are more common again. I've never had used for it,
but it's worth trying out. You may want to if you do, by all means. You know, Post a comment. Send me a message. Go to cyber. Very intelli ruin Port ratio. Blah is the greatest scan I've ever done. Whatever whatever works for you. Next series of options service inversion detection.
don't worry. You know, we see the light at the end of tunnel. We're almost done with that map options, I promise. But service inversion detection
is used, as I mentioned, to determine
actual versions of
or what kind of service or version is running so could be used to say is that I'm just saying, Oh, this is running as S. H says it's running S h B two s s h B one if you're very lucky.
Um, and you want an easy, you know, serves to target. But I can tell you about specific service Is so it's useful. Ah, lot of a lot of lot of lot of exploits don't work against every version of a service. They will work against you. Version 13.9
as released on Tuesday.
Um, you know, you've got a you got to tell you that one specifically, So you can do obviously
just probe of importance to the German new version. Intensity of a specific level. So it will try really hard or not hard at all, depending version light.
It's only the most likely probes version all. Try every probe again. That's just ah,
a pneumonic for intensity nine inversion trace.
It's for debugging.
All right. I made it out of n map. Out of the trees ran smack dive into the next forest. This will be much, much, much shorter.
So prof is also for OS fingerprinting, and it typically will fall under the heading of scanning,
which isn't exactly correct. It's more of a sniffer than it is a scanner, but it's sort of used in conjunction with scanners, and it functions to accomplish a lot of the same goals as scanners do, which is why it tends to fall under that heading.
Prof is passive OS fingerprinting. We use zero because we're really act source. As I say, not to be confused with P. O. F. Puff is not a thing. So far as I'm aware,
it listens to traffic intending to identify operating systems. It doesn't generate any traffic of its own, so you can leave it running on a machine overnight.
Um, and as long as you're you know, it's not generating too much data on its file on the local machine, very unlikely someone's gonna catch it.
You see, it watches. It tells you I ps import numbers. So you see there's another I P.
Or there's an active. I pee in the network. We see it's connecting to an external I p. Of 23 60 to 96 1 94
It's hitting
for 43 which is https.
Ah, this unknown here means hasn't yet identified the operating system of the source machine.
So this data here, which is what it uses, has been inconclusive. So so far,
you can set it to be more aggressive in trying to term. You can set it to guess harder. Basically, um, aggressiveness and end map says send more data. I don't care if you get caught. Aggressiveness in peace arrive is really just saying, you know, I permit you to use more guesswork,
but it uses various fields that are inside of a packet. It analyzes packets, it says. Okay, well, this has a window size of blah combined with, you know,
uh, this field over here,
it tells me it's probably a Windows machine. You know, the TT Ellis 64. Probably a Lennix. That's kind of tricky,
because T t l obviously goes down with each successive machine. So if you have, if you receive a TPL and it's less than 64
on a modern Internet, the other extremely good at some sort of UNIX variant. But it's not positive. You could just have really weird luck. But yes, oh uses lots and lots of different sources from each packet again. It doesn't generate back in, but he uses lots of sources from back. It's that sees, Um, and if you leave it running for,
you know, a period of time, it will almost always successfully identify and operating sister. If you leave it running for long,
next thing is gonna be sniffing. Sniffing is different from scanning and the scanning other than obviously with weird hybrid case of prof scanning attempts to identify information by
generating traffic and looking at responses and looking at that information. Ah, sniffing, on the other hand, has done with T C, B, D O T. Shark and various things like that. Ah, sniffing doesn't generate traffic. It just opens traffic that that machine receives
and just prints out description. If you've used wire shark, you'll be familiar with this sort of thing. Just read the raw hex. If your massive mystic or
you know like me, you're used to implementing weird protocols and you know wire Shark's gonna freak out. I do a lot of raw soccer programming, so I see a lot of strange things on wire short.
So a lot of times you just print the raw hex and you'll learn more that way. But
it's also less fun to read. So if you're using normal protocols, it's better to let it do some of the analysis for you.
Um, so from the man Paige, we see TCP dump prints out a description of the contents of packets on a network interface that matched the Boolean expression.
Human version. TCB dump is a Pakistani, for it spits out easy to read information. That's all it does. It opens a packet and it tells you about it.
Nice and straight forward the output from TCP dump as we see right here. We've got a little bit of sample output for you,
so there's a time stamp for each packet.
Um, this one was obviously collected around 9 30 uses a 24 hour clock. So you used military time. The I p was the dot to
and it was going to the 1 28 It's you know, it's specifically targeting this port.
It's kind of an ugly output with this,
Um, but we see an ex domain,
so we know it's coming from domain,
which is D. N s. It's going from name, server and name exchange domain port s
and it's going to ran to my,
which means that there was a D. N s request and this is a reply to it. So you know that whether or not dot to is actually a D. N s or whether or not about two is just,
you know, the go to between the two. If you want to screw with the N s, you're gonna want to get on that dot to machine because that's where Deanna's information is coming from. So if you wanna, you know, control someone's DNA or you want to edit it or whatever, that's the machine you want to go after on this next one is a little bit more informative again. We have a time stamp right here.
We see it's an I P packet.
You see, the I pee again is 1 to 8.
This random high port, so 1 to 8 is probably the client,
and it's going out to this weird
name here that was resolved by D. N s. It's occupied technologies com dot https.
If you're unfamiliar with occupy technologies, you have almost certainly used their service is to some extent, they are a cloud server cloud storage cloud server company. The most common or the biggest client, Probably that I have this Facebook. So if you have a Facebook account, you've been to a knock on my website
because where it's hosted,
you see there's a knack. There's an act number. It's got flag. It's gotta flags. Field
of the window sizes 46 7 20
So again, if you're a savant and you know all the window sizes and the common window sizes for every operating system that could be used more commonly, you can plug this into analyzers that will tell you Hey, with window size of 46 7 20 it's probably going at a UNIX server. We see this is just a backpack. It was It's got the length of zero, so there's no actual data.
So this is a knack. It saying, I got whatever you just sent me.
We're good to go, All right. That was T C media. This is T Shark was very similar to TCB dump, but it's a little bit more fully fledged. Um, T Shark is the command line version of wire short when I was describing earlier, it's for boasts. It tells you a lot
for the programmers in my audience. It's built around limpy cap dot c Uh, which is,
you know, just Lennox or not necessarily Lennox. Usually a Lennox implementation. I mean, it's got all of the packet information built in. So there's something you'd like to know about packets. You can go through limpy caps, documentation. You could learn a lot.
It deciphers packets in real time.
Um, and it's I mean, it's very near real time. It's hard to tell the difference between this and a normal application. In some cases, this will be faster because it's not actually processing all of the data. Just the headers, really, And then it's giving you the data in Raw Hex. Most of the time,
it's got a decent Reg. It regulates sparser, so regular expressions in terms of identifying the I P and that sort of thing. They're not traditional regular expressions they don't have, you know, the engine like you would normally see, but it's capable of using fairly complicated logic. Siri's to only show you specific packets.
So you see here some sample output from it.
We see,
and it's got a packet number.
It's got
The time stamp is relative. It's not actual actually a hard time stamp late. The other was, This is the time stamp from whenever this communication started.
That's coming from this I, p right here, which is 66 to 49 89 1 72
And it's going to a 1921681 dot Wanna Wait. This is just a random chunk that I took off the Internet. So this isn't actually correspondent the other packets we've been showing
eso don't get confused that this I p is slightly different. It's not a big deal. I would see that today. It's http,
so it's an Internet connection of some sort. Specifically, we see it's http version 1.1,
which can be useful, lots of exploit to get exist that go against that sort of thing. We're checking out
check sums. Okay, so it you know it's a valid packet.
It's going after a gift for a Jiff. I'll leave it to you guys to fight it to the death of the comments as to whether or not it should be a gift for Egypt.
All I'm gonna say is that an animated picture is not peanut butter, and I'm going to go from there.
Content type is again an image or
this sort of
moving animated image file. I'm not going to say specifically
pronunciation again, and he's got a content length of 35. There's not a lot of data there. I'm obviously we see here there's 4 77 There's a lot more data on that one on a 5 35 again.
So when you see the same length occur a few times, it's worth checking on that lengthened scene. That's a standard.
It could mean 35 is the cheque. Value could mean 35 has just got the or l could mean lots of things. Either way, it's worth examining and checking out. This is T shirts out, but obviously it's a little bit easier to read a little bit more indicative than what we saw from TCP dump.
It doesn't have the flags right now. You can change settings and make the flags available,
but I decided not to dig into every option for T shirt and DCP dumb after kind of beating you over the head with all the end my options. So with ease, as with everything else, I recommend exploring exploring exploring, exploring. Check out what they can do, play with them yourself, get very familiar scanning and sniffing or two of the most important parts of gathering information.
And obviously they're among the most important things because you're gathering information on the network itself. Next video, when we come back is gonna be kind of going back to doing the current machine. But it's gonna be using Windows. You'll see there are some galleries, some similarities between doing so on Windows and Lennox, and there are also some massive, massive differences.
But that will be when we get back. Until then. Like I said, familiarize yourself with the tools you saw here or on cement. Maps can scan the Internet, get a call from the FBI. Whatever. Learn about the tools. Have some fun. You've learned a lot of hope. You enjoyed the current very long,
admittedly somewhat dry lecture until next time. My name is Joseph Perry. I'm a resident post exploitations me and you're watching this on the side buried that IittIe website
Up Next