[00:00:00] In this video we're going to take a look at some ports and protocols on a remote system. What we're going to do is we're going to scan a remote computer, in this case a server, and see what things are open: which ports are listening, on what services. So for example, if I scan it and find that port 21 is open, that means there's an FTP server sitting there listening and waiting for a connection. To do this, I'm going to use a tool known as Nmap, which stands for the Network Mapper. Nmap is a very popular command line tool that's used to be able to map the network. You can do ping sweeps and look at what is up and available. You can look at each individual port. You can even figure out what operating system that remote server is running. Now for our case, we're really focused on those open ports for this example. And so I'm going to show you how we can do a scan of the network on a particular host using its IP, and return every single port that's open on that machine.
[00:00:53] Nmap is used by network technicians or network administrators during troubleshooting, as well as by security professionals, to figure out what is open on a remote system. So as you move into Security+, CySA+ and PenTest+, you're going to come back and use Nmap once more. Let's jump into the environment and take a look. All right, so here I am at the command prompt within my Kali Linux machine. This is a machine that's on my local area network, and I'm going to go and scan a web server that happens to be sitting on my local area network. To do that, I'm going to use the command line Nmap, the -sS, which tells it to do a SYN scan, using just those SYN packets from the SYN-ACK relationship from a three-way handshake. I'm going to use -O, which is going to tell me that I want to be able to figure out what operating system it's using, and then the IP that I'm going after, in my case, 10.0.2.6. And then I'm going to put this | more, which is just going to give me one screen at a time, because sometimes Nmap can give you multiple screens' worth of text.
[00:01:56] When I hit enter, it's going to go out and start scanning that machine, and you'll see it came back in just a couple of seconds, and it shows me that out of the thousand ports that it looked for, 977 of those were closed, but there are 23 open ports on this machine. That means an attacker has 23 opportunities to break into this machine, because each of these is running a different service. Now ideally, we would want to minimize that just down to the things that we need open. For example, if this is a web server, we would expect port 80 to be open, and in this case, it is. If this was an FTP server, we would expect port 21 to be open, and again, here it is. We also see some other common ones like SSH for remote control. This is port 22. We can see telnet, which is port 23. Now I'm getting a little ahead of ourselves, but when you get into Security+ you're going to learn about telnet being very insecure. And so you never want telnet to actually be open and listening. You want to disable that service.
[00:02:56] In this case, this is one of my servers that I use for my pen testing courses, so I have a lot of open things here that people can scan and attack. Next you can see smtp, which is our Simple Mail Transfer Protocol, port 25. That allows this server to send mail. I also have DNS open, because it's running a DNS server. You can see that here, port 53, domain, and that's Domain Name Service. We have a lot of other ones here as we go down, but you get the idea. You can see here that there are 23 different ports that are all open and waiting for a connection. We can see that open state here in the middle column, and we can also see that these are tcp or udp, and in my case, all of these are tcp. And on the right, we see the service name. Now again, I did use that -O, which is going to tell me what type of operating system this is running. In this case, the operating system is running Linux 2.6.X, and that's not the operating system being run by my Kali Linux machine that you're seeing. That's the operating system being run by the server I just scanned.
[00:03:57] And then I can go ahead and we'll see that we had finished that scan. We scanned only one host, one host was up, and it took us 1.7 seconds. Now, Zenmap is great and it's really powerful and it's fairly easy to use, once you get used to the way the command line works. But if you want to do something even easier, you can use a program known as Zenmap, which is a graphical user interface for Nmap. Now once we're in Zenmap, it's really easy to use. You're just going to put in your target, which again was that server, 10.0.2.6, and then you're going to select the profile that you want to scan with, and it will create the command line for Nmap that you would've used. So here, for example, is what an intense scan looks like. If I wanted to go through here, and maybe I just want to do a quick scan, it'll go ahead and change that for me. And then hit scan, and off it goes, and it's going to scan that server. In this case it came back in just about a fifth of a second. And you can see again, all of those ports and all of those protocols that are being used.
[00:04:59] It also puts it in a nice graphical format where I can click onto ports and see them here in the port tab, or I can look at the topology and see how it looks on the network. And in this case, I only had one host, so it's not very interesting, but if I looked at an entire network scope, I could see all of the different hosts there, and then click into them for their details. And if I click on host details, I'll be able to figure out what information I know about that host. Because I did a quick scan, I don't get the operating system and other details that I would've if I had done an in-depth scan. And so let's go back here, and we'll just change it and do a deeper scan. And here you'll see we'll do an intense scan. I'll give it just about a minute here. I'm going to fast forward so I can show you the results. And now, if I go over here to my ports and hosts, you'll see even more details. Not only do I have the ports, the protocols, the state, whether it's open or closed, and the service, but now I know the version of the application that's even running there.
[00:06:00] So before we were able to find out that FTP was running on port 21, but now I can find out that they're actually running the application called vsftp, at version 2.3.4. Now, as a network technician, this probably isn't very helpful to me, but as you go into security later on, this is really important information, because it helps you to identify what version is running on your different servers. And that version can then be tied to different vulnerabilities or attack methods. So again, as you get into Security+ and CySA+ and PenTest+, these types of details are going to become really important to you. Next, if I go over here and go to host details, we should see the operating system, and in this case we do. It's Linux version 2.6.9 through 2.6.33; somewhere in that range is what this server is running. And so that's the idea here as you're using Zenmap: Zenmap just puts it into a nice graphical format for you to see it. You can do all of the same things using Nmap. I hope you've enjoyed this introduction to Nmap and Zenmap.
[00:07:01] They are both very powerful tools that you use both in your technician days and administrator days, as well as in your security days as you progress through your career. Now, what I would recommend is downloading Zenmap. Go to Google and type in "Zenmap," and you'll find it and be able to download it quickly. It runs on all platforms including Windows, Linux, and Mac, and you can run it on your network, you can run it against your friends, you can even run it against scanme.org, which is a server set up by Nmap for you specifically to scan and learn how to use these tools. Play around with them and get comfortable with it. It's not something you need to know specifically in depth for the Network+ exam, but it is a great tool to have in your toolbox as you go forth and start working in the real world, because you're going to see it come up time and time again, and it gives you lots of great information that you can use.