Time
28 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hey, everyone, it's Ken Underhill, Master Instructor at Cybrary. In this video, we're gonna talk about scanning and enumeration.
00:06
Just a quick pre-assessment question here. Jen is attempting to run a half-open scan against this IP address, against port 80 as well, so HTTP, using Nmap. So what's the correct command for her to use? So just make sure you get your syntax right here. So which one is correct?
00:24
All right, if you guessed answer B, you are correct. That's the correct syntax, and the half-open scan is actually more commonly called the SYN scan or the stealth scan. I have very few people I know in the industry that actually call it, on a regular basis, half-open scan, so we'll just leave it as that. It's more commonly called the SYN scan, and a lot of times the stealth scan as well.
00:45
So, our scanning methodology. We're checking for live systems here, right? We want to see, is the system actually live on the network? Or, excuse me, what systems are live on the network, as well as what ports are open. We always want to try to scan beyond the IDS or IPS system in place, if there is one. We can also check for firewalls
01:03
and, basically, we could check if a packet is being filtered or not.
01:07
We could perform banner grabbing. So, getting information about the operating system or the version of software in use. So, for example, maybe they're using an outdated version of Apache. We figure that out, and then from there, we can, you know, craft our attack more specific towards that,
01:23
checking for vulnerabilities. So again, going along the lines of banner grabbing and getting information about the operating system or the version in use, we can then figure out the vulnerabilities that those systems have,
01:34
and then mapping out our network diagrams based off what systems are responding to us.
01:40
So, keeping in mind here that, um, sometimes, depending on, like, the certification exam you're taking, scanning is considered, like, active reconnaissance. In the real world, your reconnaissance is gonna be
01:56
kind of, like, its own, separately. You're just getting information about the target, and then scanning is kind of like that next-level methodology. They're really blended during a pen test.
02:06
But the terminology might be mixed depending on the certification exam that you might be going for, if you decide to go for them. So, as an example, the CEH exam, the EC-Council Certified Ethical Hacker exam, that one will really separate out, like, you know, footprinting and reconnaissance from
02:23
scanning. Like, it considers those totally separate things.
02:25
Ah, whereas, like, CompTIA's PenTest+ will kind of loop in scanning under active reconnaissance. So just the terminology may change, may kind of migrate, as you do different certification exams. But when you're doing an actual pen test, you're just kind of like, OK, I'm either, like, touching my target or I'm not, right? So I'm either doing things like
02:46
Google dorking, searching the job board, searching the company website,
02:49
maybe doing some social media reviews, that sort of stuff. And then I'm touching my target. So I'm doing scanning, right? I'm doing scanning with Nmap, you know, trying to, you know, do firewalking. In some cases, I'm just trying to figure out what kind of rule sets are in place on the firewall, or I'm just trying to figure out, are they even using a firewall? Right, so that's kind of touching the target in that sense.
03:08
So, what I'm trying to say here is, don't get too caught up in terminology.
03:14
Focus on, like, the actual action steps you're doing.
03:17
So when we talk about scanning, we, of course... if you don't know the three-way handshake, we're gonna take a high-level talk about it here. But you really need to know this, especially if you're gonna be a pen tester. You have to have foundational networking. That's just the name of the game there. So, the three-way handshake. Think of it like this. Like, let's say that, putting all the, you know, the, uh,
03:37
the human element, societal issues, put all that
03:39
stuff aside for a minute. Let's say you're, you know, you're trying to ask me out to the school dance.
03:44
So you
03:46
you come up to me, you say, you know, "Hey, how you doing?" You know, so that's your SYN packet, right? You're sending me that SYN packet. You know, it's saying, "Hey, I want to establish communication with you," right?
03:53
And I give you some kind of acknowledgement back, right? It's a "Well, hello there," you know. You know, "How are you doing?" Um, and then I also ask you a question. So I send you back my acknowledgment packet there. All right, I say, "Hey, how you doing?" Right, I acknowledge that you've, you know, communicated with me, and then I want to send you my own SYN packet. So I need to ask you a question, right? So I would say, "How are you doing?"
04:13
you know, and then I'm gonna say,
04:15
"Do you want to talk to me about the dance?"
04:18
Right? And then, as I said, that's my SYN packet back to you, right? So that's my SYN-ACK packet.
04:24
And then you send me another packet back, right? You give me a response back saying, "Yes, of course. That's why I came up to you," right? And that's your acknowledgement packet. So that's a very simplistic example. But again, you're establishing communication with me. You send me that SYN packet, and you say, "Hey, I want to talk to you," essentially, right?
04:40
I send an acknowledgement packet back along with my own SYN packet. So I basically say, "Yeah, you know, I want to talk to you," and then I gotta ask you some questions, right? Well, to say, in this case, it's "Do you want to talk to me?" Right? So that's my SYN-ACK packet, and then you send me a packet back, you know, the acknowledgment, just saying, "Of course I want to talk to you," right? "That's why I came up to you in the first place."
04:59
So that's the TCP three-way handshake. That's how it occurs.
05:02
Now, at each step of that, we're incrementing our number by one, essentially, right? So if you started out sending me, you know, with the number one, I send you back and increment yours by one, and then you send me back an acknowledgment and increment my acknowledgment packet by one.
05:19
We're not gonna deep dive into that. I've got other courses on the Cybrary site that will kind of walk you through that,
05:24
as well as, like, anything like Network+ will walk you through that stuff.
05:29
Well, let's briefly talk about TCP header flags. So these allow us... this is more specifically if you're gonna go take a cert exam. It's a good idea to get a high-level overview. So, you know, we talked about the SYN, right? We talked about the acknowledgment. We've got the reset packet as well, or, excuse me, the reset flag,
05:47
that will force termination of communications, right? So think of it like on your video game system. You know, back in the day, you would press your reset button on your
05:55
Nintendo, and that would reset whatever is going on, because a lot of times, at least mine... I don't know if anyone else had this problem out there, but a lot of times, mine would just freeze up on me. So, especially Super Nintendo, when I got one of those.
06:06
Anyways, we're jumping back in time there. For those of you that are kind of newer to the world, you may not have used one of those things. Those were some of the things we had to deal with back then, as well as Atari. So, quick shoutout to Atari for anyone listening that actually knows what I'm talking about there.
06:24
We've also got a FIN flag, so that one signifies an ordered close. So think of it like a race, right? You've got the race, you've got the finish line of the race, and it's an ordered close, right? Like, nobody just, like... well, people collapse at the end of the finish line. But you get the idea, right? I cross the finish line, I know at that point that I'm done.
06:41
We've got the push. That's gonna force a delivery of data. So think of it, you know, like somebody giving birth there. They've gotta push out that baby. The urgent flag,
06:49
that's going to signify the data's being sent out of band. So let's just say that I've got an emergency. I need to, you know, send the bat signal to get Batman to come. That's the urgency, right? That's the urgent flag.
07:01
Let's talk about port scanning. So, full open, half open, as I mentioned, you know, the SYN or stealth scan, inverse TCP, Christmas scan. Christmas scans don't actually work on Windows. It's a Linux thing. And if you want to, like, be, in my opinion, bored out of your mind, go read the Request for Comments documents. There's a whole lot of them out there.
07:19
Just go read through those. It will make you better
07:23
just 'cause you understand how protocols work and everything like that. But they're extremely dry, in my opinion. Um, so some people love them, some people hate them. Just check them out if you want to. Acknowledgement packet scan, as well as the idle scan as well. I'm not gonna bore you to death by reading
07:39
the screen there. But also, I'm gonna leave the slides in the resources section of the course as well. You could take a look through those as well.
07:46
We talked about Nmap, right? So again, in the lab, we're gonna jump in and just run a couple Nmap commands, just gonna take a look at the output we get. The SYN scan command there is the dash lowercase s, capital S. Just be mindful of the syntax and everything like that, especially if you're going through practice questions.
08:03
We like to trick you a little bit and, you know, make it, like, maybe a dash capital S, capital S.
08:07
Ah, we've got the full open scan, or the full scan, or the full connect scan, is the dash lowercase s, capital T. So that's gonna run the full scan. So the difference there being, the SYN scan is just going to send the SYN packets, the starting point of our conversation there, right? It's going to send those, and then it's not gonna wait on the response. It's just gonna basically keep sending those to see,
08:28
you know, does it get some kind of RST back.
08:31
Ah, and it's gonna be a relatively quick scan to do. Now, the full scan is gonna establish that full three-way handshake, right, the full TCP three-way handshake there.
08:41
We've got the dash p flag that will allow us to specify a port number, and we'll see that in the lab. A dash lowercase s, capital U, that's sending UDP packets, so that's running the UDP scan. A dash lowercase s, capital V is gonna allow us to see the versioning of the software in use. Dash lowercase
09:00
s, lowercase n is gonna disable port scanning, and then the dash capital T is just a flag for us to use for speed. So we've got, you know, T0 would be the fastest, excuse me, the slowest possible, and then the dash T5 will be the fastest possible.
09:16
Um, most pen test scans you're gonna do are gonna probably be around the
09:20
T3 range, but it's variable based off the pen test that you're doing. So what I mean by that is, sometimes you don't care that you're very noisy. So, like, running a T5 scan or a T4 scan, for example,
09:35
um, you may not care that somebody's able to see you because you're running a white box test,
09:41
but also, you might be running a black box test, right? So then, from there, you might use, like, a T0 or a T1 to make it a very slow process. And all that's variable as well off the amount of time you have to actually do the pen test.
09:54
Vulnerability scanning. We mentioned, if you can get access to the target systems, you can run, like, OpenVAS or Nessus on them. Mostly when we talk about vulnerability scanning in the aspect of just kind of generalized scanning, it's usually gonna be done with something like Nmap, hping, um,
10:13
and then from there, like I said, if you can actually
10:16
touch their systems and be able to run scans against them with OpenVAS, Nessus, or equivalent, you can do so. Definitely check out these two sites I'm gonna list as well. I've got a helpful links document, is what I'm calling it, in the resources section, and that's gonna have, um, it's gonna have the Nmap commands for you. It's also gonna have all these links that I mentioned
10:35
in this video as well as
10:37
what I mentioned in the next couple of modules. So all the links that I mentioned that you should check out, those are all gonna be listed there.
10:46
Quick post-assessment question here. Which flag indicates an ordered close to communication? Which one was that?
10:54
All right. So if you said answer D, the FIN flag, that's the one. Again, I gave the example of us running a race, and we know that the finish line is, like, the end of the race, right? We know that's basically an ordered close. Like, once I cross the finish line, I'm all done with the race.

Up Next

Scanning and Enumeration with NMAP

In Scanning and Enumeration with NMAP, Ken Underhill gives an overview of scanning and the scanning methodology, which is the process of collecting information on a network using technical tools. Ken Underhill uses an Nmap lab to demonstrate this process. Nmap is a powerful tool used by both attackers and defenders to scan networks.

Instructed By

Ken Underhill
Master Instructor at Cybrary