WEBVTT

00:00.450 --> 00:01.650
Hello, my name is Stephen.

00:01.650 --> 00:05.190
Welcome to another awesome lecture on Nmap.

00:05.370 --> 00:08.400
Nmap is a versatile network scanning tool.

00:08.400 --> 00:15.930
It's widely recognized for its exceptional capability to not only detect open ports, but also identify

00:15.930 --> 00:20.900
the operating systems and services running on remote hosts.

00:20.910 --> 00:28.980
So this recipe explores the process of fingerprinting operating systems and services using Nmap,

00:29.280 --> 00:36.360
providing valuable insights for security assessments, vulnerability detection and network monitoring.

00:41.630 --> 00:49.430
Service detection is a crucial feature of Nmap that unveils detailed information about the specific

00:49.430 --> 00:54.830
software versions running on a target host. To enable service detection,

00:54.830 --> 00:59.720
you can include the -sV option in your port scan command. For example:

00:59.720 --> 01:05.690
nmap -sV, and here you can enter the target host.

01:05.690 --> 01:09.050
In this case, let's actually scan the code sally.com.

01:09.050 --> 01:17.300
And here, by employing this -sV option, Nmap initiates service detection and augments the scan results

01:17.300 --> 01:24.980
with an additional column named VERSION displaying the precise software version associated with each detected

01:24.980 --> 01:25.880
service.

01:25.880 --> 01:32.300
And now we are waiting for it. As you can see, by using the arrow

01:32.300 --> 01:32.600
keys,

01:32.600 --> 01:35.390
you can see the progress here.

01:53.760 --> 01:59.790
And here let's actually open my Windows machine on my...

02:02.170 --> 02:05.020
So I opened my Windows machine on my,

02:05.790 --> 02:07.200
Uh, virtual machine here.

02:07.230 --> 02:09.000
Now, what we're going to do is.

02:13.120 --> 02:17.120
scan all the hosts to find the open ones here.

02:17.550 --> 02:20.110
Parsley and here.

02:22.060 --> 02:22.780
Say that.

02:23.900 --> 02:25.610
And our scan is almost complete.

02:25.610 --> 02:27.980
It's 81% here.

02:39.150 --> 02:45.330
And here our operating system detection has ended here on console.com.

02:45.330 --> 02:51.570
And here, as you can see, we are seeing the domain with its ports and so on.

02:51.600 --> 02:54.870
Next we have the service fingerprint.

02:54.870 --> 03:02.460
So when performing a port scan with service detection enabled, Nmap furnishes us an extensive

03:02.460 --> 03:05.340
report on the identified services.

03:06.570 --> 03:11.190
So the service version information is enclosed in parentheses here.

03:11.220 --> 03:14.550
Red Hat Enterprise Linux six.

03:14.700 --> 03:24.180
So let's consider an example where we can well known scan and mapped at all costs here.

03:24.180 --> 03:26.220
And as you can see, let's actually read this.

03:26.220 --> 03:34.980
And here we are seeing some information: fingerprint, open ports and their versions, their services,

03:34.980 --> 03:36.480
LiteSpeed, and so on.

03:36.480 --> 03:38.880
So this gives us a good

03:40.330 --> 03:51.670
insight on what this host is using, in this case, for example, Exim smtpd 4.95.

03:51.700 --> 03:54.460
In this case we can search exploits for this.

03:54.490 --> 03:56.440
We can also search exploits for this.

03:56.470 --> 04:01.270
In this case it's Red Hat, but in most cases it's actually pretty secure.

04:01.270 --> 04:05.940
But nothing is unhackable.

04:05.950 --> 04:06.850
So.

04:07.950 --> 04:11.610
And here we have Exim smtpd as well.

04:11.610 --> 04:14.220
So here let's actually use the Nmap.

04:14.220 --> 04:18.540
scanme here, let's clear, and now nmap -sV again.

04:19.020 --> 04:22.470
Actually, if we use sudo it will be much better here.

04:22.470 --> 04:30.540
nmap scanme.nmap.org here and nmap -sV.

04:31.940 --> 04:34.940
Oh, though we forgot to write nmap here.

04:36.840 --> 04:38.160
nmap -sV scanme.nmap.

04:38.460 --> 04:40.500
org and.

04:41.370 --> 04:42.140
Here.

04:42.180 --> 04:42.840
I'm sorry.

04:43.740 --> 04:53.730
Here, we will see an output which showcases a comprehensive list of open ports along

04:53.730 --> 05:00.120
with their corresponding services and versions, aiding in identifying potential vulnerabilities and

05:00.120 --> 05:01.910
monitoring software updates.

05:01.920 --> 05:03.870
So here we are waiting for this.

05:05.090 --> 05:09.140
And here, I think 16% is done by now.

05:17.810 --> 05:19.040
Let's check it again.

05:20.910 --> 05:23.460
Let's say it's 18.13 here.

05:29.090 --> 05:35.930
So while scanning this, let's actually use another one here, so we can also enable the operating system detection

05:35.930 --> 05:36.200
here.

05:36.200 --> 05:42.470
So in addition to service detection, Nmap offers powerful operating system detection capabilities.

05:42.470 --> 05:50.150
To activate the operating system detection, you can include the uppercase -O option in your scan command.

05:50.150 --> 05:57.110
And keep in mind that running Nmap with operating system detection requires privileged

05:57.110 --> 05:58.070
user access.

05:58.070 --> 06:06.950
In this case, we will use sudo here again: sudo nmap -O, and here we

06:06.950 --> 06:13.250
will write code solely code Silicom and then here.

06:13.890 --> 06:14.520
That's it.

06:39.090 --> 06:42.210
And here our scanning is complete by now.

06:42.240 --> 06:48.120
You can see the server again, the services, and here Nmap provides an

06:51.160 --> 06:58.840
output here: OS scan results may be unreliable because we could not find at least

06:58.840 --> 07:00.370
one open and one closed port.

07:00.370 --> 07:08.800
And here the aggressive operating system guesses are listed: probably servers, and it's probably

07:09.040 --> 07:21.490
Windows, 97%, Linux 94%, and VMware Player virtual NAT device here, so no exact operating

07:21.490 --> 07:22.810
system matches for host.

07:22.810 --> 07:25.810
So here we can also scan our localhost.

07:25.810 --> 07:34.180
So I have a Windows 10 machine on my network, 1333 here, and now we are going to scan this.

07:34.180 --> 07:43.930
So because our Windows system, our target system, is on our local network, it will go much

07:43.930 --> 07:44.320
faster.

07:44.320 --> 07:52.460
And here, as you can see, it's guessing Microsoft Windows 2019, which is Microsoft Windows 10.

07:52.580 --> 07:59.420
And here the aggressive guesses are pretty much the same, but that's it.

07:59.420 --> 08:03.290
So this is how operating system guessing works.

08:03.290 --> 08:09.140
So actually, I also want to tell you something.

08:09.140 --> 08:11.270
Let's actually run it again.

08:11.270 --> 08:18.770
So upon enabling operating system detection, Nmap appends operating system related

08:18.770 --> 08:26.060
information at the bottom of the port list in the scan results, as you can see here. And here, Nmap

08:26.060 --> 08:34.010
service detection, which is enabled by the -sV option, operates by dispatching a series of predefined probes

08:34.010 --> 08:38.570
from the nmap-service-probes file to the open ports detected during the scan.

08:38.570 --> 08:45.140
So these probes are selected based on their likelihood of identifying a specific service, taking into

08:45.140 --> 08:48.440
account the port number and rarity score.

08:48.440 --> 08:54.650
So service detection plays a critical role in various scenarios such as vulnerability assessment,

08:54.650 --> 08:58.760
service verification and patch update assessment.

08:58.760 --> 09:07.910
So similarly, the -O option here enables Nmap's operating system detection features, so

09:07.910 --> 09:16.520
it achieves this by sending TCP, UDP and ICMP probes against both open and closed

09:16.520 --> 09:17.060
ports.

09:17.060 --> 09:25.100
So Nmap's vibrant user community has contributed an extensive collection of fingerprints encompassing

09:25.100 --> 09:31.490
diverse systems including residential routers, operating systems, IP webcams and various hardware

09:31.490 --> 09:32.120
devices.

09:32.120 --> 09:39.950
And it's important to note that operating system detection necessitates raw packet manipulation,

09:39.950 --> 09:47.090
requiring Nmap to be executed in privileged mode. So Nmap adopts the

09:47.240 --> 09:51.980
Common Platform Enumeration (CPE) naming scheme,

09:51.980 --> 09:58.340
which is widely embraced in the information security industry to accurately identify services and operating

09:58.340 --> 09:59.090
systems.

09:59.090 --> 10:06.800
So this standardized convention facilitates precise identification of packages, platforms and systems,

10:06.800 --> 10:10.370
streamlining vulnerability assessment and risk analysis.
