Network Mapping and Protocol Analyzers

Time: 21 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 21
Video Transcription
>> Hey there, Cybrarians. Welcome back to the Linux+ course here at Cybrary. I'm your instructor, Rob Goelz. In today's lesson, we're going to be talking about network mapping and protocol analyzers. Upon completion of this lesson, you're going to be able to understand the purpose of network mapping as well as protocol analyzers. We're going to use the nmap and tcpdump tools later in the lesson during our demo.

Protocol analyzers, which are also sometimes known as packet sniffers, are things like tcpdump or Wireshark, and these are useful for troubleshooting network issues as well as just viewing or sniffing that network traffic. There are also penetration testing tools that we can use that are useful for network troubleshooting. One of those is nmap, which is actually a network mapping tool. So let's take a look at both of these tools with some demo time.
Here we are over in our demo environment. For example, to work with tcpdump, we can just run sudo tcpdump. I'll provide my password and escalate privileges to become root, and here we go. Now, this will run continuously, and we might just want to see a few packets instead of it going continuously and displaying every packet that comes across. Let's go ahead and hit Control-C on this one. What we'll do is clear our screen, and then what we can do is use the -c or count option to specify how many packets we want to see. You can say sudo tcpdump -c 10, and this will only display 10 packets as they come across, and we're good to go. Now if we wanted to, we could also specify a specific interface and a specific port or protocol that we want to sniff on or that we want to see.
What we could do is use sudo tcpdump, and we'll use our same guinea pig from a few lessons ago, enp0s3. That's the interface we're going to look at, and we'll specify we only want to see TCP, and let's hit Enter. This will only display any network information that's using this interface and is using TCP. Right now we can see that it's not really doing much of anything. Let's try and actually kick it off and make it do something. Let's open up Firefox and move Firefox off to the side, and now we can see it doing a whole bunch of stuff. [LAUGHTER] We can see all of the TCP traffic flow by. Well, let's go ahead and hit Control-C. What if we want to just view the port 80 web traffic? Well, we can do that as well. We can say sudo tcpdump -i enp0s3 and change this from tcp to just say port 80 and hit Enter, and now we can just see all of that traffic that's coming through. But what if we want to capture this instead of just having it blow past in real time?
Well, let's do it this way. Let's clear our screen, type clear or hit Control-L, and we'll do sudo tcpdump -i, then the interface, enp0s3 again. Remember we can use our double greater-than characters, >>, to output and append, and then we'll just output this information to, say, the desktop, /home/rob/Desktop. We'll call it capture.txt. Let's specify we want to capture anything related to any errors or regular standard output, 2>&1, and put it into this file. We can just run that and let it run through. When we're done with this capture, what we can do is just hit Control-C to get out of it, and then we could grep inside of here for, let's say, TCP in /home/rob/Desktop/capture.txt. This will give us any information that is related to TCP in this file, and we can grep for whatever strings we're interested in. Honestly, I just picked TCP at random.
Now let's take a look at the nmap command, and I'm going to clear our screen here so we can get back to a clean slate, so to speak. Now, as I said before, nmap is a port scanning tool, and it's often used in penetration testing. I'm going to use this from my CentOS machine to port scan my Ubuntu VM. But I do not recommend doing anything with nmap outside of a lab, as port scanning can be considered a hacking technique. So be very careful doing port scanning if it's not on some sort of a penetration testing engagement; you might run into some hot water. With that being said, let's get started.
First of all, let's ping Ubuntu. Make sure I don't have Caps Lock on. That'll help too. Ping Ubuntu. There we go, we see it's 192.168.1.245. Now that we have the IP for Ubuntu, we can run that with nmap. So we'll do nmap 192.168.1.245 and hit Enter. Now we can see that the only port we have open is port 22. Pretty good. Not too bad. Not too many ports open. Generally, you don't want to have a lot of unused, unnecessary ports open or applications running. But we could do a port scan and get a little bit more information. For example, we can get service versions with nmap as well. We do nmap -sV to get service versions on 192.168.1.245, that's our Ubuntu IP. We hit Enter and now it finishes. Now here we can see that we're running OpenSSH 8.2p1 on Ubuntu. But remember, we're not the only people who can see this. Anybody who's doing port scanning on this system can see this as well. This is kind of the issue that you run into. You have to make sure that you stay up to date with your patches and your releases and everything for this version of OpenSSH, because if we can see it, attackers can see it too, and if there's a known vulnerability in this, they're going to try and exploit it.

With that, in this lesson, we covered the purpose of network mapping and protocol analyzers, and then during our demo, we got to use the nmap and tcpdump tools. Thanks so much for being here, and I look forward to seeing you in the next lesson.
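The lesson ends on the point that the nmap -sV banner (OpenSSH 8.2p1 on port 22) is visible to anyone who scans the host, and that unnecessary open ports are a liability. As an added example, not part of the lesson or the Cybrary course, here is a small Python parser for nmap's human-readable -sV report that turns the PORT/STATE/SERVICE/VERSION table into records, flags any open port that is not on a per-host allowlist, and lists the version banners an attacker would see. The scan output below is constructed: the first host mirrors the demo's 192.168.1.245 with an invented port 80 so the allowlist check has something to flag, and the second host and its unidentified service are invented too. The Service record, the regexes and the allowlist shape are this example's own choices, not anything from nmap or the lesson.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV` normal output (not a real capture).
# The first host mirrors the lesson's Ubuntu VM; port 80 and the second
# host are invented so the allowlist check has something to flag.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 10:00 EDT
Nmap scan report for 192.168.1.245
Host is up (0.00050s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for fileserver (192.168.1.10)
Host is up (0.00031s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
445/tcp open  microsoft-ds?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.52 seconds
"""


@dataclass(frozen=True)
class Service:
    host: str      # IP address the port belongs to
    port: int
    proto: str     # tcp or udp
    state: str     # open, closed, filtered, open|filtered, ...
    name: str      # nmap's service name guess ("ssh", "http", "microsoft-ds?")
    version: str   # banner from -sV, empty when nmap could not identify it


# "Nmap scan report for 192.168.1.245" or "Nmap scan report for name (192.168.1.245)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")
# One row of the PORT/STATE/SERVICE/VERSION table, e.g. "22/tcp open  ssh     OpenSSH 8.2p1 ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*?)\s*$")


def parse_nmap_output(text: str) -> list[Service]:
    """Parse nmap's human-readable output into Service records, one per port row."""
    services: list[Service] = []
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)          # every port row below belongs to this host
            continue
        m = PORT_RE.match(line)
        if m and host is not None:     # rows before any host header are ignored
            port, proto, state, name, version = m.groups()
            services.append(Service(host, int(port), proto, state, name, version))
    return services


def unexpected_open_ports(services: list[Service], allowed: dict[str, set[str]]) -> list[Service]:
    """Open services not in the per-host allowlist, e.g. {"192.168.1.245": {"22/tcp"}}.

    A host missing from the allowlist is treated as allowing nothing, so a
    forgotten host produces findings instead of silently passing.
    """
    return [
        s for s in services
        if s.state == "open" and f"{s.port}/{s.proto}" not in allowed.get(s.host, set())
    ]


def exposed_banners(services: list[Service]) -> list[tuple[str, int, str]]:
    """(host, port, version) for every open port whose version banner nmap recovered."""
    return [(s.host, s.port, s.version) for s in services if s.state == "open" and s.version]


if __name__ == "__main__":
    found = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    policy = {"192.168.1.245": {"22/tcp"}}      # only SSH is supposed to be listening
    for s in unexpected_open_ports(found, policy):
        print(f"UNEXPECTED {s.host} {s.port}/{s.proto} {s.name} {s.version}")
    for host, port, version in exposed_banners(found):
        print(f"BANNER     {host} {port} {version}")
```

Run it against a saved scan with `nmap -sV 192.168.1.245 > scan.txt` and feed the file's contents to `parse_nmap_output`. The banner list is the practical follow-up to the lesson's warning: each version string is exactly what an attacker sees, so it is what to check against your patch level. For anything beyond a quick lab check, nmap's machine-readable outputs (`-oX` for XML, `-oG` for grepable) are more stable to parse than the human-readable table this example scrapes.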