In this video we have Nmap, the Network Mapper. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses it receives. Now Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. Nmap is a great tool to use when you're conducting both port scanning and IP scanning. Now, in addition to this, Nmap can be configured to conduct fingerprinting of the services running on those ports, which allows it to identify the versions of the software being used. This is really helpful in detecting vulnerabilities in specific versions of services that are operating on your network. Also, Nmap is very useful when trying to create network maps, documenting your network, or identifying rogue network devices.

I want to show you hands-on how we use Nmap by combining some commands into a real scan and real information gathering techniques. Now for this demonstration, I've put together this lab. On the left side, this is where I'm going to be attacking from, which is going to be simulating the internet. I'm coming in from outside the network and the router has certain things in place to try to keep me out. I'm going to attack from my Kali Linux command line environment, which you can see highlighted with the red dashed lines, and come in through the router, which is separating the internet, the outside, from the target network, which is the inside. And so with our scans, we're going to try to discover those three servers on the right: the LAMP-Server, the Metasploitable2, and the Damn Vulnerable Web App, or DVWA. Now those all reside inside the 10.10.10.0/24 network.

So now that we are in the command line environment, what are we going to do? Well, we first are going to want to find out which things on the 10.10.10.0/24 network are up and which ones are down. So we want to use that ping scan. Now, do you remember what the command is for a ping scan? That's right. It's nmap -sn, and then the IP address. So for us that's 10.10.10.0/24. It's going to go through and scan all 254 possible IPs and find which ones are up and which ones are down. Now it came back with four hosts. What are those four hosts? Well, the dot 1 is the router itself; it's the internal interface of the router. There is the dot 10, which is one of our servers, and the dot 11 and the dot 12, which are the other two servers. So the dot 10 is going to represent the LAMP-Server, the dot 11 is our Metasploitable2 server, and the dot 12 is going to be our DVWA, or Damn Vulnerable Web App.

Now all we have at this point is knowing that those three servers are up and responding to pings. We have no other information. So we're going to want to take it a step further. Let's go ahead and do a SYN scan, which, if you remember, the command is nmap -sS, and then the IP address that we want to look at. But I'm going to combine that with port 80. So I want to figure out what web servers are being run out of this network. And then we're going to use the 10.10.10.0/24. Now as I scan away, I'm going to check all of the 254 IPs again. And in this case we found there are four web servers responding. There's port 80 responding as closed on the router. It is open on the LAMP-Server, the dot 10, it is open on the dot 11, which is Metasploitable2, and it is open on dot 12, which is the Damn Vulnerable Web App. So all three of my servers are running at least port 80.

Now let's dig in deeper on one of those servers as we go further in our information gathering. Let's go ahead and do a SYN scan against the LAMP-Server, which is the dot 10. So we're going to do nmap -sS and then 10.10.10 and we'll go ahead and search that. And you can see now that there are more than just the web server running, right? There are three services running on this server. There's an SSH server on port 22, there's the web server on port 80, and the web proxy on port 8080.

Now that we found those, what about the versions? What if I wanted to figure out what version of a web server it was running on port 80? Well, how will we do that? Well, we're going to use nmap -sV and then the 10.10.10.10. And now if we run it, you're going to see a little bit of a difference here. So you're going to see it takes a little bit longer to run this; instead of half a second, it's taking almost seven seconds. The difference here is that I get the versioning associated with each of those services. So the same three services are up, but I found out that it's running some form of Linux and it's running Apache 2.4.18, which tells me that I could start associating vulnerabilities with that and attack this machine. Now it tells me it's Ubuntu Linux, but it doesn't tell me what version.

What if I wanted to go deeper and figure out the version of this operating system? How would I do that? Well, it's not -sV, because that's the version for the service; instead, it's -O, because it's for the operating system. So it's nmap -O and then 10.10.10.10, and then we'll go ahead and hit enter and away it goes. And it comes back in less than two seconds and tells me that it is Linux somewhere between version 3.2 and 4.6.

So let's go ahead and take it a step further. Let's combine some commands. Let's go ahead and do an Nmap scan for -sS. We're also going to do -sV for the versioning, and we're going to go ahead and add the -O to get the operating system. I'm going to do that against 10.10.10.10 through 10.10.10.12, those three machines, and see what comes back.

Now, you may have noticed that it keeps saying it's unable to determine any DNS servers. That's an error because I don't have this lab environment connected to the internet. So there's no DNS being resolved. It's not an issue because we're using IP addresses, but if I tried to do something like scanning google.com right now, it wouldn't be able to give me that answer back because it doesn't know what the IP address is for Google. Now this scan is going to take a little bit longer, so I'm going to fast forward to when the scan comes back with the results.

Now the results have come back. It took 140 seconds, so it took almost three minutes. So this has come back with a ton of information, so much so that it actually scrolled off my screen. So we're going to scroll back up to where I put in the command. So there we go, there's the command we put in: nmap -sS, a SYN scan, -sV, versioning for the services, -O, for operating system versioning, and then 10.10.10.10 through 10.10.10.12.

Now the first one it comes back with is the results for 10.10.10.10, which shows that there are 997 closed ports, because by default Nmap is going to scan the top 1000 commonly open ports. You'll notice here there were those same three ports that we found earlier: port 22, port 80, and port 8080. And you'll notice it tells us what version of SSH and what version of Apache is being run. And again, the versioning of Linux was somewhere between 3.2 and 4.6, not very accurate.

Now if we look at the bottom of the screen, I'm going to scroll it up to the top here. This is the scan report for 10.10.10.11. Notice this one has a ton of open stuff. It only has 979 closed ports, which means that there are 21 open ports, and you'll see them all shown on the screen there. Things like FTP and SSH and Telnet and HTTP and rpcbind and ports 139 and 445 for NetBIOS-SSN, which is Samba for Windows file sharing between a Linux machine and a Windows machine. All of these different things with all of these different versions. Now, this is a great machine that we can target because we have a lot of vulnerable apps on it. Things like Apache 2.2.8; there are exploits that exist for that. There's vsftpd 2.3.4 for the FTP service. That's a vulnerable version we can attack. There's ProFTPD 1.3.1, there's MySQL version 5.0.51, right? Lots of different pieces of information that we can use to then later exploit it.

Now it does say that one service was unrecognized even though it gave back data, and they weren't really sure what it was because there wasn't a valid fingerprint, and you can submit it to Nmap for them to try to figure it out better. If you know what the service is, you could tell it and then they can add that to the next version of Nmap. Now, as we scroll down a little bit further, we'll go through that signature that they gave us. And you can see that the version of Linux here was again version 3.2 to version 4.6. So that, again, wasn't real helpful. And the reason why we're getting that wide range of operating systems is because this is all actually being run in a Docker environment. So they're all sharing the same operating system. This is container-based virtualization.

Now as I scroll on down, we're going to see the results for 10.10.10.12, and this one only has one port that's open and it's running Apache version 2.4.10, so again, we can go and look for something that would be able to be exploited and go after that server using that. So that's the idea here as we start scanning and figuring out all this information.