Time: 28 minutes
Difficulty: Intermediate
CEU/CPE: 1

Video Transcription

00:00
Hey, everyone, it's Ken Underhill, Master Instructor at Cybrary. In this video, we're gonna talk about scanning and enumeration. Everyone, welcome back to the course. So in the last video, we went ahead and set up our lab. So we went ahead and logged in to the Cybrary lab environment, we searched for the ethical hacker labs,
00:15
and inside of that grouping of labs, we specifically looked for the Implementing Scanning Techniques lab.
00:20
We then went into that lab. We turned on our virtual machines. We connected to our server first. And then from there we started our Apache web services. We did a quick command prompt with ipconfig to go ahead and just take a look at the IP address. Again, as I mentioned, I already have a list of that in the step-by-step guide for you.
00:38
Then we went ahead and moved over to our Windows 10 machine.
00:41
We launched VNC Viewer. We went ahead and from there connected to our Kali Linux machine. We ran our first command, which was the SYN scan. We typed in nmap, space, dash lowercase s capital S, space, and then our IP address. You noticed that your instructor was busy talking and fat-fingered and
00:59
typed in the wrong IP address. So initially it didn't work.
01:02
And then I typed in the correct IP address, which was 192.168.0.1. And that actually worked. Right? Surprising, right? So in this video, we're gonna go ahead and just finish out our lab. So we've run our SYN scan with nmap.
01:17
Question number one on our step-by-step guide, if we go back to that, was just: do we get any results back? You see I did in my command there, and you should as well. If you didn't, double-check that you, number one, put in the right IP address and, number two, that your syntax is correct. So you should get results back.
01:34
Now,
01:36
we take a look at some of those results there. We see that we've got a lot of different port numbers. We see that some are showing as open there. Um, and actually, a lot of them. And you don't normally find this, like when you're actually doing a pen test, but this is showing a lot of open ports. It's also telling us what
01:51
is associated with that port number. So we see, for example, port 21. If you've got any basic networking, you probably understand that port 21 is FTP,
01:59
you know, port 25 is SMTP, some more common ones, you know, like 110 POP3, et cetera, et cetera. Most people that are working in any capacity of IT probably also know that, you know, port 443 is HTTPS and 80 is HTTP.
02:14
So, you know, some decent information that we get back. So the next thing we're gonna do is actually run what I mentioned earlier: a full connect scan, with a full TCP three-way handshake. Let's go and do that now. So what we're gonna do is run a similar command here. We're just gonna change the flag we're using to the dash lowercase s capital T,
02:32
that's gonna run the full connect scan, and then we're gonna take a look at how the results actually differ from this initial
02:38
output that we get. So let's go ahead and do that now.
02:42
We're gonna type in nmap, all lowercase, space, dash lowercase s capital T, space, 192.168.0.1,
02:51
and then just go ahead and run that one. Now, this one's gonna take a little time to run there. So I'm gonna pause the video briefly and use the magic of fast forwarding, and then we'll take a look at the results that I'm getting on my end. All right, so we see our results on the screen there. So the question was, do you see any, you know, really different results from the SYN scan we ran?
03:07
Now, in this example, we shouldn't see any major differences there. It's going to show us,
03:12
ah, you know, a good amount of port numbers still. Most of them are similar to the previous scan we ran, based off the flags we're using in nmap. We could have added some different things there that would produce some different results for us by using a full connect scan. But one of the major things is the fact that it's,
03:29
uh, gonna be noisier. It's gonna do that, establish that entire handshake. It's also going to usually take,
03:35
ah, lot longer to run, especially when you're doing more than just, like, a single scan against a single machine.
03:42
So the next part of our lab we're gonna do is just another scan. We're just gonna check for the version information here.
03:49
So let's go ahead and run that as well. Again, we're just changing the flag here. All these ones are very simplistic scans we're running, and that's on purpose. I deliberately made it simple so any beginner can take this lab. But as I mentioned again, I want to reiterate, I've listed out many commands for you in that downloadable guide, so definitely take a look at that.
04:06
Let's go and run that next scan. So we're just gonna type in nmap,
04:12
space, dash lowercase s capital V, and then just our same IP address here, 192.168.0.1.
04:19
And we'll go ahead and run that. This one shouldn't take us too long to run. So this is basically just gonna produce any type of versioning information for us. So hopefully it gives us back some information, maybe about, you know, the OS or something in use. So it might take a little time to run. Usually it doesn't take too long.
04:36
I'm gonna pause it briefly, just let it pull the results for me.
04:40
All right. So we see our results there. Now, a couple of things to note here. Number one, it makes kind of an educated guess, so to speak. There's another flag, dash capital O, that we could use to see the operating system in use, that kind of has it, you know, tell us a little more, like maybe it's, you know, Windows 7 or whatever. Um, we're not gonna do that in this lab. That's one of the commands that I have listed in that document for you,
05:00
but one thing to note here is, look at the Apache, right?
05:02
So if we had seen this and we knew, like, let's say we're looking, you know, you're in the future and we know that this is an outdated version of it, um,
05:11
we could say, like, okay, well, hey, I've got, you know, some Apache vulnerabilities in my arsenal. Let me go ahead and attack him that way, right? So that's what we're looking for here. That's why we wanted to take a look at the versioning in use, because that might give us some good, valuable information that we can use to kind of craft a custom attack for this particular organization.
05:30
So the next command we're gonna run, it's gonna be a SYN scan, but we're just gonna run it and specify the port number. What I'm gonna do is just kind of clear my screen a little bit, make it a little prettier on my side. You don't have to do this, but if you want to do it, just type in clear and press Enter. So if you're not familiar with Linux, that's the way you could do that.
05:46
And so now we're just gonna type in our last command here in our step-by-step guide.
05:51
So we're just gonna run the SYN scan, just specify a port number is all we're gonna do, so it should be a pretty quick scan here. So just nmap,
06:00
dash lowercase s capital S, space, and then we're gonna specify our port number. In this case, we're just gonna use 445, and then just 192.168.0.1. So you can specify certain port numbers if you just want to check a bunch of different systems, or, you know, a range of IP addresses,
06:15
against, like, port 80 or, you know, some other port that you want to see is open, like maybe Telnet, port 23.
06:21
You can do so,
06:24
so we'll do that. We'll just go ahead and run. That shouldn't take too long, number one because we're doing it against a specific IP address, and number two because we're running it against a specific port, and then, of course, number three, because we're running it as a SYN scan and not a full three-way handshake scan, a full connect scan. So you see there,
06:41
it's gonna basically give us the same results as we had seen before.
06:44
As far as, like, for this particular port number, it's just gonna tell us, hey, it's open, and then it might be running Microsoft on it. So again, this was a very simple lab, just kind of introducing you to nmap, if you're not familiar with it. As I mentioned, it could be used for both the defensive side and the offensive side.
07:00
A lot of times people think it's only for the offensive side. So if you didn't know that, there you go. Fun fact.
07:04
Tell your friends. Uh, the other thing I want to mention about nmap is we have actually a full course on the website for that. So if you want a deep dive into nmap, that's a great course by Rob Thurston, so definitely check that out. As I mentioned, I'm gonna link to that in the documents. It's going to be one of the many links I have in there, so definitely check that out.
07:21
Ah, and then I just want to mention as well again about the nmap.org website. There are some books out there as well that you can
07:28
use to take a deep dive into nmap.
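The lab runs three nmap scans against the same host (the SYN scan, the full connect scan, and the version scan) and asks you to compare the results by eye. As an added example that is not part of the course or its lab guide, the Python script below parses nmap's XML output (the -oX option) and diffs two scans of the lab host, so you can see precisely what the version scan adds over the SYN scan: the open-port set is unchanged, but -sV fills in product and version strings that the port-table lookup cannot. Both XML documents are constructed samples in the shape nmap emits, not real output from the lab; 192.168.0.1 is the lab address from the video, the Apache version "X.Y.Z" is a placeholder, and the function names parse_nmap_xml, open_ports and compare_scans are chosen here.

```python
"""Parse nmap XML (-oX) output and compare two scans of the same host.

Added example. Both XML documents are constructed samples shaped like
nmap's -oX output; they are not real output from the course lab.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional


class PortResult(NamedTuple):
    port: int
    state: str      # open / closed / filtered as nmap reported it
    reason: str     # why nmap decided the state, e.g. syn-ack / no-response
    service: str    # service name from nmap's port table or -sV probes
    product: str    # filled only when -sV probing identified the product
    version: str


# Constructed sample: SYN scan (-sS). Service names come from nmap's port
# table (method="table"); there is no product or version information.
SYN_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX syn.xml 192.168.0.1">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.168.0.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" method="table"/></port>
   <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/><service name="telnet" method="table"/></port>
   <port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp" method="table"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="table"/></port>
   <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" method="table"/></port>
   <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="table"/></port>
  </ports>
 </host>
</nmaprun>"""

# Constructed sample: version scan (-sV) of the same host. Probe responses
# (method="probed") add product/version; "X.Y.Z" is a placeholder, not a
# real Apache version from the lab.
VERSION_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX ver.xml 192.168.0.1">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.168.0.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" method="probed"/></port>
   <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/><service name="telnet" method="table"/></port>
   <port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp" method="probed"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="X.Y.Z" method="probed"/></port>
   <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="X.Y.Z" tunnel="ssl" method="probed"/></port>
   <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="probed"/></port>
  </ports>
 </host>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> Dict[str, List[PortResult]]:
    """Map each scanned IPv4 address to its per-port results, sorted by port."""
    results: Dict[str, List[PortResult]] = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr: Optional[str] = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue  # skip hosts with no IPv4 address record
        ports: List[PortResult] = []
        for p in host.findall("./ports/port"):
            st = p.find("state")
            if st is None:
                continue
            svc = p.find("service")
            attrs = dict(svc.attrib) if svc is not None else {}
            ports.append(PortResult(int(p.get("portid", "0")), st.get("state", ""),
                                    st.get("reason", ""), attrs.get("name", ""),
                                    attrs.get("product", ""), attrs.get("version", "")))
        results[addr] = sorted(ports)
    return results


def open_ports(results: Dict[str, List[PortResult]], host: str) -> List[int]:
    """Ports nmap reported as open for one host."""
    return [r.port for r in results.get(host, []) if r.state == "open"]


def compare_scans(first, second, host: str) -> dict:
    """How two scans of one host differ: ports seen by only one scan, ports
    whose state changed, and ports where the second scan learned a product."""
    a = {r.port: r for r in first.get(host, [])}
    b = {r.port: r for r in second.get(host, [])}
    return {
        "only_first": sorted(a.keys() - b.keys()),
        "only_second": sorted(b.keys() - a.keys()),
        "state_changes": {p: (a[p].state, b[p].state)
                          for p in sorted(a.keys() & b.keys()) if a[p].state != b[p].state},
        "versions_learned": {p: f"{r.product} {r.version}".strip()
                             for p, r in b.items()
                             if r.product and not (p in a and a[p].product)},
    }


if __name__ == "__main__":
    syn = parse_nmap_xml(SYN_SCAN_XML)
    ver = parse_nmap_xml(VERSION_SCAN_XML)
    for r in syn["192.168.0.1"]:
        print(f"{r.port}/tcp {r.state:<9} {r.service} ({r.reason})")
    print(compare_scans(syn, ver, "192.168.0.1"))
```

Run against your own lab output by saving each scan with -oX and passing the file contents to parse_nmap_xml; the versions_learned entries are the ones worth carrying into the next phase, since a product name and version is what lets you check a service against known advisories, while a bare port-table name tells you only what usually lives on that port.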

Scanning and Enumeration with NMAP

In Scanning and Enumeration with NMAP, Ken Underhill gives an overview of scanning and the scanning methodology, which is the process of collecting information on a network using technical tools. Ken Underhill uses an Nmap lab to demonstrate this process. Nmap is a powerful tool used by both attackers and defenders to scan networks.

Instructed By: Ken Underhill, Master Instructor at Cybrary