NMAP (Demo)

00:00

Hey, everyone, welcome back to the course. So in this video, we're gonna go over a brief introduction to end map, and that's a very powerful tool that we can use for scanning hosting Discovery. We can also identify services, running, etcetera, etcetera. There's a lot of stuff we could do with an map, both from a defensive standpoint. So as like a sys admin or network engineer,

00:19

our defender as well as more so from the pen tester side. Since this is a pen testing related course,

00:25

we could gather a lot of information about our targets. Also, talk briefly about things like the end map scripting engine in this video, but we're not gonna actually show examples of using that. That's outside the scope of this particular course. Some things to keep in mind about end map. If you don't specify like actual parameters by default, it's going to scan the most common 1000 ports.

00:45

Also, if you don't set any host discovery options by default and maps, gonna send an ICMP echo request basically that pink request it's gonna also send a sim packet Thio https as well as sending an Acknowledgement package to Port 80 which is http and it also send a timestamp request.

01:03

The exception to that is, if you're using the targets on the local network,

01:07

then it's just gonna do an AARP scan or if its I p v six, it's gonna do a neighbor what's called neighbor Discovery.

01:14

So let's go ahead and run our first scan here. What we're gonna do is we're gonna disable port scanning,

01:21

and we're just gonna be trying to do host discovery. So we're gonna do it for our sub net here.

01:26

All right, so you see, we've got a number of host currently up and live on this particular sub net.

01:33

All right? Next. We're just gonna go ahead and, uh, do a scan against facebook dot com and just creating a subject there. And what we're gonna do is we're using the facebook dot com this sub net, and we're not just gonna do ah scan to try to do a reverse look up on the these I p addresses and try to get some DNS names associated with

01:53

any servers

01:53

that we're able to ping over at Facebook. You notice a lot of them. Just give us the i P address, but if we scroll up here, you'll notice some of them. Actually, give us back the name s O. There is some DNS name resolution going on for us on this may potentially identify information about number one, possibly the operating system in use as well as

02:13

things like services. Maybe they're running or what the purpose of that particular server is.

02:17

Yeah.

02:20

So we can also we could also disable

02:23

port scanning, and we could just do host discovery as well. So we do that with the dash Capital P and command.

02:30

And if we run it against the subject we specified earlier, we see here that

02:36

a number of our host machines are targets. Potential targets have poor 53 open.

02:45

So we could also run a since can. So that's the dash lower case s capital s on making verbose and just see what kinds of ports are open on that particular device again. That since can has just given us that stealth or since can and has given us that first part of that TCP three way handshake,

03:01

we can also run a what's called a full connect scan. So this is gonna actually try to establish that TCP three way handshake with that target machine.

03:12

And because that might take a while, I'm just gonna use a flag that Dashti five. So the dash capital T flags allow us to specify how fast the scan should be going. So, for example, T zero would be a very, very slow scan

03:25

on T five being the fastest scan possible. We typically wouldn't do a t five just because it's gonna be pretty noisy. But for our purposes and this demo video, that's perfectly fine for us to use. And again, that's just going to speed up the actual scan itself.

03:39

Now, one thing to keep in mind as well, even we are using the T five flag, and that's noisy. But also running a full connects scan is noisy is considered noisy as well, and that's more than likely gonna be logged by that host. So I just want to keep that in mind that in some instances it might be okay to use and other instances you may not use

03:59

or you may not want to use the full connects can. I just kind of depends on what you're doing in that particular penetration test.

04:04

We could also run a UDP scan s Oh, this might allow us to see services that are running things like D, N, S, D, T, P S and M P. It's usually a pretty slow scan, and that's why I specify that T five flag again to try to speed things up for us in this demonstration video.

04:20

We could also do what's called version detection, so this will attempt to determine the version of the service that's running on the port. Once we can identify that, that may help us identify specific vulnerabilities on that target machine.

04:34

And so you'll see there. We've got one service running on there. The TCP rap.

04:41

We could also run acknowledgement scan. So in X can with the dash lower case as capital A. And this could be used to map out firewall rules to help determine is a staple or the not stay full and also see what's actually filtered on that target device

04:55

for this particular virtual machine that I'm pinging. We see that everything's unfiltered, so all the ports are actually unfiltered on this target device,

05:03

and we could also specify a port range of scan so that dash lower case P, That flag will allow us to specify a range of ports. So let's say there was a 500 ports open on this particular host. We could specify the range of ports that we actually want to scan. In this example. We know that this 5000.4 i p address is on. Lee got has only

05:23

poor 53 open on it.

05:25

So next we're gonna do service detection so more to do this against the scam me dot m f at dot org's, which is a site you can scan to get some hands on practice within map. And so we're just gonna use a dash Lower case s capital V to specify the service detection, and we're gonna specify it on these particular report. So we'll do, Http,

05:44

We'll do S s a to tell now at https,

05:46

etcetera, etcetera, etcetera.

05:49

And you see, we're able to identify services running on a number of those different ports that we specified, and again that may help us identify things like the version of the software. So you see the Apache we see 2.4 dot seven there. Let's say, for example, that was an outdated version

06:05

we may be able to Then go look up vulnerabilities for that and attack the target that way

06:11

versus continuing on with some other method, right? Or we might see that. Hey, they're always they always have their software updated. Maybe we need to do a social engineering attack on this particular target organization.

06:23

We could also attempt to identify the operating system in use on this particular target on DSO. It may not tell us specifically the operating system for So, for example, let's just say it identifies windows. It made. It probably isn't gonna tell us, like, Hey, it's Windows seven on Lee.

06:38

But it may tell us, Hey, it might be Windows seven or 10 or Windows Server and based on some other data we might be able to identify. Well, this is a server or this is a a user endpoint.

06:49

You see, here, British, the British G s Z three

06:54

is the operating system and use on this particular device on that port

06:59

I mentioned earlier the end map scripting engine. So let me just clear the screen here. All we're gonna do is we're gonna take a look at the scripts available in the end map scripting engine, so you'll just see basically a list of scripts. So the way we do that is we do locate space, the asterisk and then dot N S S O N S C again and map scripting engine.

07:15

You'll see a number of scripts that are already pre made templates

07:19

that we could just run and use as we need them now, for example, if for some reason we say, well, none of these really work for what I need, then we can also, you can also write your own scripts with the Lua programming language, and

07:34

then you can have your own on maps, scripts that you could share around etcetera. But these are just some templates that you can use,

07:40

uh, inside and map. There's plenty of them and they cover a lot of different things. So I encourage you to just check it out, download an app played around with and map.

07:47

It's gonna be really, really fun thing. Other thing I just want to cover in this video is just a little bit of I. D. S or firewall evasion using in map. So one way we can do that is just fragmenting packets so that Ash F command allows us to fragment packets

08:01

on the goal is to try to hide what we're actually doing. So we fragment the packets and then after they get through the ideas or firewall, they magically reassemble and go do what we want them to dio. Things can be effective depending on the what the target organizations using, uh, there a larger order these days this

08:20

the more the more advanced ideas on GPS systems and firewalls

08:26

are gonna be looking for this. But

08:30

we try everything right, We try What what will work and get us into that organization.

08:35

We could also run what's called a decoy scan so we could specify a bunch of different I p addresses with the hope that were obfuscating or hiding the origination i p address, which is our actual i p address. And so, for example, here

08:50

let's pretend that that 1 92 168 56 4 is are originating

08:56

by P address. We were trying toe mask that by making this skin look like it came from all these other I P addresses in the hopes that we can fool the target

09:07

and you'll see here. I actually forgot to specify the target. So let me go ahead and put that information in. There s so we can specify our target.

09:15

All right, So now if we specify our target, this will go ahead and run. And again, we're just obfuscating the origin source there were able to do the scan, and that target device is thinking that any number of these I p addresses where the ones that actually scan them. And that's where the attacker lives.

09:30

And most real Attackers will also do this from their hacking infrastructure. So, for example, they'll run anonymously through something like two, or they'll then go to an infrastructure that they are, you know, like renting, for example, like a bulletproof host. And then and then from there, they'll go from that to some other target

09:50

infrastructure they've compromised, and then they'll actually run

09:52

the n maps can. So they're trying to obfuscate who they actually are. By doing all of that,

09:58

we could also try to use, like, a different source port. So this is what we're doing here with the dash. G command were specifying a different port eso Maybe that might help us bypass it. Firewall might also tricks some of the ideas systems out there because common ports are sometimes overlooked because they're trusted, right? We use them all the time. These were trusted ports,

10:18

and so they might be overlooked. And even like a sys admin that's looking at this might overlook it as well, Because, hey, it's coming from Port 53. Report 80

10:26

on we We expect traffic to be coming from that source.