WEBVTT

00:00.330 --> 00:01.680
Hello, my name is Stephan.

00:02.010 --> 00:06.660
In the previous lecture, we learned about the importance of information gathering and security assessments.

00:06.690 --> 00:14.430
We explored various techniques for Nmap and its scripts for gathering valuable information about a target's

00:14.430 --> 00:17.970
assets, attack surface and potential vulnerabilities.

00:18.000 --> 00:25.080
To begin with, we discussed the scripts used for IP geolocation, namely IP geolocation geoplugin,

00:25.080 --> 00:28.890
IP geolocation MaxMind and IP geolocation

00:28.920 --> 00:29.940
IPInfoDB.

00:30.780 --> 00:38.250
Here we learned that IP geolocation geoplugin does not require an API key, while IP geolocation MaxMind

00:38.250 --> 00:42.240
relies on a database that needs to be downloaded separately.

00:42.240 --> 00:44.790
The IP geolocation IPInfoDB

00:45.360 --> 00:52.040
script requires an API key as well, which can be obtained for free by registering on their website.

00:52.050 --> 00:53.670
So here.

00:54.830 --> 00:57.890
We also discussed some additional options for the whois script here.

00:57.890 --> 01:06.230
We can select specific providers using the whodb argument, which we will learn about in the next lecture again.

01:06.230 --> 01:10.580
So from the scripts mentioned previously, only IP geolocation

01:10.580 --> 01:16.430
geoplugin does not require an API key, as I said, and the IP geolocation MaxMind script depends on

01:16.430 --> 01:19.970
a database that's not included in Nmap.

01:19.970 --> 01:27.980
By default, you can sign up and download the MaxMind GeoLite City database from their website, but

01:27.980 --> 01:36.380
the IP geolocation IPInfoDB script requires an API key to query its external service,

01:36.380 --> 01:43.550
and the service actually is free; you only need to register at their website, which is

01:43.580 --> 01:45.050
ipinfodb.com.

01:45.050 --> 01:49.250
And here what we're going to do is we will use the free version of it.

01:49.250 --> 01:53.720
We will not register for any API keys or others here.

01:53.720 --> 01:59.160
We will just use the IP geolocation in this script here and this script here.

01:59.160 --> 02:00.780
So we will open a terminal.

02:00.780 --> 02:03.450
We will write sudo here, nmap.

02:03.480 --> 02:12.510
We can also use -sn here to make it faster, and after that we will use --script here, script

02:12.510 --> 02:13.590
after script.

02:13.590 --> 02:17.760
Here you will enter --script and, as a script name,

02:17.760 --> 02:25.140
in this case it's IP geolocation, and after that you will enter this and this character, and after that

02:25.140 --> 02:28.830
you will just enter the target IP or domain.

02:28.830 --> 02:31.650
So in this case, it's going to be a domain code telecom.

02:31.650 --> 02:32.400
That's it.

02:32.400 --> 02:35.370
And now we will press enter.

02:35.950 --> 02:39.010
And as you can see here, we got these coordinates.

02:39.520 --> 02:46.090
So the output was so fast here

02:46.090 --> 02:55.030
because we used -sn here, and if we use it without -sn, we would actually need

02:55.030 --> 02:57.790
to wait for like a minute or 30s here.

02:57.790 --> 03:03.400
So we always use -sn too for IP geolocation here.

03:03.400 --> 03:06.820
And as you can see, these are our coordinates here.

03:06.820 --> 03:17.620
What we're going to do is we will search coordinates to IP here, or coordinates to location.

03:17.620 --> 03:19.690
And here we will use DuckDuckGo.

03:19.690 --> 03:20.890
Here, enter.

03:22.100 --> 03:25.700
And now we will select some website here.

03:26.090 --> 03:28.730
Let's GPS coordinates.

03:31.660 --> 03:32.910
And here we are.

03:32.930 --> 03:33.670
Go.

03:33.700 --> 03:40.150
We're going to use latitude and longitude here.

03:40.180 --> 03:42.280
The latitude is the first one.

03:42.280 --> 03:47.230
Latitude is the first one, and longitude is second place here.

03:47.230 --> 03:50.230
And now we are going to press get address.

03:50.230 --> 03:53.170
And here, as you can see here, we need to.

03:54.720 --> 03:55.920
See map here.

03:55.920 --> 04:05.100
And this is the geolocation of our web server or IP address where the IP address belongs here.

04:06.290 --> 04:11.270
And here we can zoom it in and here it's on a.

04:11.300 --> 04:14.060
Weslo wheel low here.

04:19.060 --> 04:19.840
Okay.

04:26.730 --> 04:33.430
As you can see, capital is seafood and seek settlers Restaurant and pastry.

04:33.750 --> 04:35.900
Sierra West.

04:36.240 --> 04:39.210
Western Guilford High School.

04:39.720 --> 04:41.160
Doris Henderson.

04:41.490 --> 04:42.240
Newcomers.

04:42.240 --> 04:46.410
School, Korean First Parish Church and so on.

04:46.410 --> 04:52.350
So this is how IP geolocation or geolocation works here.

04:52.350 --> 04:56.790
You can also use these markers to mark the places.

04:56.790 --> 04:57.480
That's it.

04:57.480 --> 05:01.410
So now we are going to close this.

05:01.410 --> 05:06.750
And here this is the scanner report for this Nmap plugin here.

05:06.750 --> 05:09.720
So let's think about firstly how it works.

05:09.720 --> 05:15.120
So the --script IP geolocation option initializes all the scripts here.

05:15.120 --> 05:22.260
So here with this we initialize all the scripts starting with the file name pattern IP geolocation.

05:22.260 --> 05:26.830
So at the moment there are three scripts available to geolocate IP addresses.

05:26.830 --> 05:32.050
The first is geoplugin, then MaxMind and IPInfoDB here.

05:32.050 --> 05:38.980
So IP geolocation geoplugin, IP geolocation MaxMind and IP geolocation IPInfoDB here.

05:38.980 --> 05:44.440
Some service providers will not return information about certain IP addresses, so it's recommended

05:44.440 --> 05:47.470
to use them all and compare the results.

05:47.470 --> 05:53.980
So the information returned by these scripts includes at least the latitude and longitude coordinates

05:53.980 --> 06:00.160
and other fields such as country, state, address and city when available.

06:00.160 --> 06:02.500
And there is more, of course.

06:02.500 --> 06:09.100
So the IP geolocation geoplugin NSE script works by querying a free public service.

06:09.490 --> 06:14.890
So consider the number of queries you need to send and be considerate.

06:14.890 --> 06:20.890
Otherwise the provider will restrict the service as the other providers have done in the past.

06:20.890 --> 06:29.050
So it's a common misconception that IP to geolocation services provide a 100% accurate location of the

06:29.050 --> 06:30.130
computer or device.

06:30.130 --> 06:37.120
So the location accuracy heavily depends on the database, and each service provider may have used different

06:37.120 --> 06:43.180
methods of collecting data, so keep it in mind when interpreting results from external providers here.

06:43.330 --> 06:43.840
Right?

06:43.840 --> 06:52.840
So it's a misconception that IP to geolocation services provide a 100% accurate location of the computer

06:52.840 --> 06:53.590
or device.

06:53.590 --> 06:54.250
So.

06:55.670 --> 06:59.810
And here you can also map your location markers.

06:59.810 --> 07:05.990
So the IP geolocation map scripts can be used for generating graphical representations of the markers

07:05.990 --> 07:07.730
obtained by the previous scripts.

07:07.730 --> 07:14.210
And similarly, they require API keys that are free but require signing up to get hold of.

07:14.240 --> 07:18.350
So consider using them to view and interpret results easily.

07:18.350 --> 07:25.250
After all, most of us are already familiar with the Google Maps and other service providers, so you

07:25.250 --> 07:33.350
can, instead of using these and registering at some websites, use online tools for geolocating

07:33.350 --> 07:37.490
on a map and seeing the graphical placement on the map here.

07:37.490 --> 07:41.210
So you can also submit a new geolocation provider.

07:41.210 --> 07:47.330
So if you know a better IP to geolocation provider, don't hesitate to submit your geolocation

07:47.330 --> 07:48.710
script to the official mailing list.

07:48.710 --> 07:55.190
So don't forget to document whether the script requires an external API or database. Or if you know an excellent

07:55.290 --> 08:01.680
service but do not have experience developing the scripts, you may add your idea to the script

08:01.770 --> 08:07.530
ideas page located at their Security.org Nmap script idea link here.

08:07.650 --> 08:13.380
So now let's get information from Whois records here.

08:13.380 --> 08:14.310
So.

08:15.480 --> 08:15.920
Now.

08:16.020 --> 08:19.920
Now what we are going to do, we will get information from Whois Records.

08:19.920 --> 08:26.430
So the Whois records contain useful information, right?

08:26.430 --> 08:31.440
Such as registrar, organization name, creation and expiration date,

08:31.440 --> 08:38.280
geographical location and abuse contact information, among other potentially interesting fields.

08:38.280 --> 08:45.510
So system administrators, IT staff and other security professionals have been using Whois records

08:45.510 --> 08:46.950
for years now.

08:46.950 --> 08:53.880
And although there are many tools and websites available to query this information, Nmap can process

08:53.910 --> 08:59.970
IP ranges and target lists in many formats to perform these tasks in batch.

08:59.970 --> 09:08.400
So I will show you how to retrieve the Whois records of an IP address or domain name with Nmap

09:08.430 --> 09:08.670
here.

09:08.670 --> 09:13.740
So what we're going to do is we will use sudo, -sn and --script here.

09:13.740 --> 09:16.960
We will use Whois and we will do that again.

09:16.960 --> 09:23.710
We will use all the scripts that start with whois here, and after that we will enter our target here,

09:23.780 --> 09:32.470
code Silicom, and here we get sudo nmap here, of course, sudo nmap. That's it now.

09:33.410 --> 09:36.290
And as you can see here, it's almost completed.

09:36.290 --> 09:37.880
50% is done.

09:38.620 --> 09:42.880
So now we're going to get the output here.

09:55.000 --> 09:58.720
And as you can see here, we got the output here.

09:58.720 --> 10:04.180
So now we have the registrar here,

10:04.180 --> 10:07.030
Namecheap here, expiry date.

10:07.150 --> 10:12.310
This is the expiry date of this domain, creation date, update date.

10:12.370 --> 10:16.090
And we also have the registrar Whois server in this case.

10:16.090 --> 10:16.510
whois dot

10:16.510 --> 10:21.580
namecheap.com, and the domain name, code telecom, which we obviously need.

10:21.580 --> 10:28.030
And here we have the name servers here, DNS one, DNS two here, Namecheap hosting.com, and the URL

10:28.030 --> 10:31.840
of the ICANN Whois inaccuracy complaint form, and that's it.

10:31.840 --> 10:37.840
So here we have some notices, we have the registrar database here and so on.

10:37.840 --> 10:41.200
So here let's actually think about how it works.

10:41.200 --> 10:51.100
So the nmap -sn --script whois nmap command skips the port scanning phase with -sn here,

10:51.100 --> 11:00.170
which makes it faster, and executes the scripts that match the file name pattern that starts

11:00.170 --> 11:01.220
with whois here.

11:01.220 --> 11:05.810
So there are two scripts that match this expression here.

11:06.260 --> 11:09.110
Uh, let me actually do that here.

11:12.140 --> 11:15.740
There are two scripts that match this expression.

11:16.340 --> 11:21.430
The first is whois-ip and whois-domain.

11:21.440 --> 11:30.470
So the whois-ip script queries a regional Internet registry whois database, and the whois-domain script

11:30.470 --> 11:38.000
queries the iana.org whois to obtain records until it finds the requested information.

11:38.000 --> 11:46.010
But there is more, of course. So the behavior of the whois-ip script can be configured

11:46.010 --> 11:54.050
to enable or disable the lookup cache, so you can select a specific service provider and ignore referral

11:54.050 --> 11:54.890
records.

11:54.890 --> 12:00.460
So let's actually see how we can use these options.

12:00.470 --> 12:04.910
Now what we're going to do is we will select a service provider specifically.

12:04.910 --> 12:16.680
So the whois-ip script uses IANA's assignment data to select the RIR, and it caches

12:16.680 --> 12:18.270
the results locally.

12:18.270 --> 12:23.760
Alternatively, you could override this behavior and select the order of the service providers to use

12:23.760 --> 12:25.980
in the whodb argument here.

12:25.980 --> 12:31.740
In order to do that, we will use sudo and after that nmap; here we will enter --script,

12:31.770 --> 12:33.840
whois dash,

12:33.900 --> 12:35.190
whois-ip here.

12:35.190 --> 12:42.810
And after that we need to use the colons here, and after that we will enter the

12:43.410 --> 12:48.870
script arguments, --script-args, here.

12:48.870 --> 12:50.310
And whois dot

12:50.340 --> 12:50.700
who

12:50.730 --> 12:52.080
db here.

12:53.390 --> 13:01.010
ARIN, RIPE and AfriNIC, and after that you will enter the target here, in this case silly.com.

13:01.010 --> 13:05.360
And here we have failed to resolve this script here.

13:05.360 --> 13:08.270
So what we're going to do is we will add the.

13:09.890 --> 13:10.670
To.

13:11.640 --> 13:12.060
Here.

13:14.880 --> 13:18.840
And here we also had args here.

13:18.840 --> 13:19.590
We need to.

13:21.710 --> 13:24.750
Add the argument, --script-args.

13:24.770 --> 13:25.550
That's it.

13:25.550 --> 13:28.070
And here our scan is started.

13:30.900 --> 13:31.680
And that's it.

13:31.680 --> 13:32.340
So.

13:33.590 --> 13:43.160
Here we selected ARIN, RIPE and AfriNIC to scan catholic.com, and it's almost done.

13:43.550 --> 13:45.440
I guess here 93.

13:52.090 --> 13:53.260
It's almost done.

14:31.770 --> 14:33.590
And here this is the output.

14:33.600 --> 14:38.880
Here we have again the results from different scripts here.

14:40.130 --> 14:40.960
And that's it.

14:40.970 --> 14:43.240
We have open ports and so on.

14:43.250 --> 14:49.010
So here we can also ignore the referral records.

14:49.250 --> 14:57.530
So the whois-ip script queries a list of whois providers in sequential order until

14:57.530 --> 15:00.890
the record or a referral to the record is found.

15:01.480 --> 15:07.870
So to ignore the referral records, you can use the nofollow script argument.

15:07.870 --> 15:10.960
In order to do that, we will just change nmap --script

15:10.990 --> 15:15.850
whois-ip --script-args here, and now

15:15.850 --> 15:20.950
what we're going to do is, after deleting the ARIN, RIPE and so on, we will

15:20.950 --> 15:25.090
just write nofollow and after that you enter the target.

15:25.090 --> 15:26.860
So sometimes cached

15:26.860 --> 15:32.560
responses will be preferred over querying the Whois service, and this might prevent the discovery of an

15:32.560 --> 15:33.700
IP address.

15:33.700 --> 15:39.610
So we can also disable the cache with nocache here.

15:39.610 --> 15:42.760
So actually let it complete.

15:42.760 --> 15:45.790
So we will just use the option.

15:45.790 --> 15:47.860
We don't need the ports here for now.

15:47.860 --> 15:51.220
So it will get us the

15:52.470 --> 15:53.640
outputs faster.

15:53.640 --> 16:03.570
And here, as you can see here, this is the Ethernet, and we scanned ignoring referral records.

16:03.570 --> 16:07.590
So now what we're going to do is we will disable the cache here.

16:07.590 --> 16:13.650
So in order to disable the cache, we will just delete the nofollow and we will add nocache

16:13.650 --> 16:14.100
here.

16:14.100 --> 16:21.840
So here, as you can see here, the cached responses will be preferred over querying the Whois services,

16:21.840 --> 16:25.350
and this might prevent the discovery of an IP address assignment.

16:25.350 --> 16:28.590
And here we disabled the cache here.

16:28.590 --> 16:34.320
So as with every free service, we need to consider the number of queries that we need to make to avoid

16:34.320 --> 16:41.070
reaching the daily limit and getting banned, or even worse, ruining the free services for everyone

16:41.070 --> 16:41.940
else here.

16:41.940 --> 16:44.850
So this is our lecture.

16:46.450 --> 16:54.250
And in summary, this lecture covers the practical aspects of IP geolocation using Nmap NSE scripts,

16:54.250 --> 16:59.860
including the set of requirements for specific scripts, the execution commands and the interpretation

16:59.860 --> 17:00.870
of results.

17:00.880 --> 17:05.860
We also explored the retrieval of Whois records and learned about the additional configuration options

17:05.860 --> 17:07.990
for the Whois IP script.

17:07.990 --> 17:13.720
So by applying these techniques, security professionals can gather essential information to enhance

17:13.720 --> 17:17.830
their security assessment and make informed decisions.
