1
00:00:00,630 --> 00:00:03,628
Okay, so we know what scanning is.

2
00:00:03,628 --> 00:00:07,011
We also created our virtual machine that is vulnerable.

3
00:00:07,011 --> 00:00:11,070
Now we are ready to see what information we can get

4
00:00:11,070 --> 00:00:13,500
by scanning that machine.

5
00:00:13,500 --> 00:00:15,600
But before we scan a single machine

6
00:00:15,600 --> 00:00:17,430
to discover open ports,

7
00:00:17,430 --> 00:00:22,380
we must first discover what machines we got on our network.

8
00:00:22,380 --> 00:00:25,020
So the first part of scanning the network is to figure

9
00:00:25,020 --> 00:00:27,300
out how many hosts you have active

10
00:00:27,300 --> 00:00:30,150
and what their IP addresses are.

11
00:00:30,150 --> 00:00:32,280
In this case, we are going to act

12
00:00:32,280 --> 00:00:35,937
as if we got a task to scan our home network.

13
00:00:35,937 --> 00:00:38,550
We want to discover vulnerable machines

14
00:00:38,550 --> 00:00:40,290
within our home network.

15
00:00:40,290 --> 00:00:44,013
So let's start by seeing how many hosts we got active first.

16
00:00:44,940 --> 00:00:48,330
There are many ways that we can go about doing this.

17
00:00:48,330 --> 00:00:50,820
Since I know that all the possible hosts

18
00:00:50,820 --> 00:00:53,340
for my network must be in the range from

19
00:00:53,340 --> 00:00:54,277
192

20
00:00:54,277 --> 00:00:55,110
.168

21
00:00:55,110 --> 00:00:56,100
.1.1

22
00:00:56,100 --> 00:00:57,072
to 192

23
00:00:57,072 --> 00:00:57,905
.168

24
00:00:57,905 --> 00:00:58,738
.1

25
00:00:58,738 --> 00:00:59,970
.255.

26
00:00:59,970 --> 00:01:04,080
Since my IP address starts with these three first numbers,

27
00:01:04,080 --> 00:01:06,960
let me just type the password and here it is:

28
00:01:06,960 --> 00:01:10,953
192.168.1. This is the part that doesn't change.

29
00:01:12,090 --> 00:01:15,780
To scan all 254 hosts inside of my network,

30
00:01:15,780 --> 00:01:19,440
I can just go and ping each and every one of them

31
00:01:19,440 --> 00:01:23,045
and see whether they respond to our pinging or not.

32
00:01:23,045 --> 00:01:25,484
If they respond, they are online.

33
00:01:25,484 --> 00:01:27,663
If not, they are offline.

34
00:01:28,500 --> 00:01:31,620
But what if I had to test more than one network?

35
00:01:31,620 --> 00:01:33,870
What if I had 10 more networks

36
00:01:33,870 --> 00:01:36,840
besides this one that I need to test?

37
00:01:36,840 --> 00:01:39,570
Am I about to try to ping every possible host

38
00:01:39,570 --> 00:01:41,218
from all those networks?

39
00:01:41,218 --> 00:01:42,840
Of course not.

40
00:01:42,840 --> 00:01:45,131
That's why we are going to use different tools to

41
00:01:45,131 --> 00:01:48,060
perform this much faster.

42
00:01:48,060 --> 00:01:51,060
Let us try with the first tool called ARP.

43
00:01:51,060 --> 00:01:56,060
Now, ARP is a tool in Kali Linux, but it is also a packet.

44
00:01:56,100 --> 00:01:59,160
ARP packets are used in discovering hosts on the network.

45
00:01:59,160 --> 00:02:00,780
But more about them later on,

46
00:02:00,780 --> 00:02:03,090
once we get to the man-in-the-middle section.

47
00:02:03,090 --> 00:02:04,560
For now, just remember

48
00:02:04,560 --> 00:02:07,440
that they are packets for discovering hosts.

49
00:02:07,440 --> 00:02:09,090
Before we use this ARP tool,

50
00:02:09,090 --> 00:02:12,120
make sure your Metasploitable is started up,

51
00:02:12,120 --> 00:02:15,450
and in case you got some other devices that you can connect

52
00:02:15,450 --> 00:02:17,250
to the internet, connect them

53
00:02:17,250 --> 00:02:20,100
just so we can get various output and try to figure

54
00:02:20,100 --> 00:02:22,860
out which IP address belongs to which host.

55
00:02:22,860 --> 00:02:24,129
Now our ARP tool

56
00:02:24,129 --> 00:02:27,420
works based on those ARP packets that I mentioned.

57
00:02:27,420 --> 00:02:28,253
So if I type

58
00:02:28,253 --> 00:02:29,086
arp

59
00:02:29,086 --> 00:02:30,330
--help

60
00:02:30,330 --> 00:02:31,273
and press enter,

61
00:02:31,273 --> 00:02:33,990
it will tell me command not found.

62
00:02:33,990 --> 00:02:35,040
Now this is because

63
00:02:35,040 --> 00:02:37,800
I must run the tool with sudo privileges.

64
00:02:37,800 --> 00:02:40,680
So sudo arp --help

65
00:02:40,680 --> 00:02:42,510
and here is the tool.

66
00:02:42,510 --> 00:02:44,130
It doesn't have too many options.

67
00:02:44,130 --> 00:02:46,950
We got -a which displays all hosts

68
00:02:46,950 --> 00:02:49,080
in alternative BSD style,

69
00:02:49,080 --> 00:02:52,410
-e displays all hosts in default Linux style.

70
00:02:52,410 --> 00:02:54,870
And these options down here are not something

71
00:02:54,870 --> 00:02:56,220
that we are interested in.

72
00:02:56,220 --> 00:02:59,103
All we want to do is use this -a option.

73
00:03:00,210 --> 00:03:01,238
So if I go down here,

74
00:03:01,238 --> 00:03:02,910
clear the screen and type

75
00:03:02,910 --> 00:03:03,780
sudo

76
00:03:03,780 --> 00:03:05,581
arp -a

77
00:03:05,581 --> 00:03:09,839
it will tell me it only discovered my router.

78
00:03:09,839 --> 00:03:11,220
But why is that?

79
00:03:11,220 --> 00:03:13,290
I got my Metasploitable running.

80
00:03:13,290 --> 00:03:15,330
Also got my laptop running.

81
00:03:15,330 --> 00:03:18,480
So it should be discovering other hosts as well.

82
00:03:18,480 --> 00:03:20,610
Sometimes we must ping a host first

83
00:03:20,610 --> 00:03:22,290
before it appears right here,

84
00:03:22,290 --> 00:03:24,270
since this information is being read

85
00:03:24,270 --> 00:03:26,250
from our ARP tables.

86
00:03:26,250 --> 00:03:27,240
See, if for example I

87
00:03:27,240 --> 00:03:31,650
try to ping my Metasploitable,

88
00:03:31,650 --> 00:03:33,120
it'll get responses back.

89
00:03:33,120 --> 00:03:35,700
And if I run arp -a again,

90
00:03:35,700 --> 00:03:37,770
now we'll see that we got an entry

91
00:03:37,770 --> 00:03:41,520
for the Metasploitable inside of our ARP tables.

92
00:03:41,520 --> 00:03:43,440
So this tool doesn't seem to be that good

93
00:03:43,440 --> 00:03:44,610
for discovering hosts.

94
00:03:44,610 --> 00:03:47,400
Sometimes it will have all the hosts available

95
00:03:47,400 --> 00:03:49,860
since you already communicated with them before.

96
00:03:49,860 --> 00:03:51,120
But sometimes it seems

97
00:03:51,120 --> 00:03:54,030
that we must ping the hosts first before it shows them.

98
00:03:54,030 --> 00:03:58,800
That's why a much better option is a tool called Netdiscover.

99
00:03:58,800 --> 00:04:00,150
To run Netdiscover,

100
00:04:00,150 --> 00:04:03,780
we can simply type sudo netdiscover

101
00:04:03,780 --> 00:04:05,220
inside of your terminal.

102
00:04:05,220 --> 00:04:08,640
Press enter and this tool will find all

103
00:04:08,640 --> 00:04:11,850
of the available devices on your network on its own.

104
00:04:11,850 --> 00:04:13,620
You don't have to ping anything.

105
00:04:13,620 --> 00:04:15,330
You don't have to communicate with anything.

106
00:04:15,330 --> 00:04:17,399
You can just leave this tool to run

107
00:04:17,399 --> 00:04:19,983
and it will find all the devices on your network.

108
00:04:20,970 --> 00:04:24,305
So right here it managed to find five of them.

109
00:04:24,305 --> 00:04:27,000
We can see up here that it is still scanning

110
00:04:27,000 --> 00:04:29,340
and it is just scanning different subnets.

111
00:04:29,340 --> 00:04:30,780
So it already finished mine,

112
00:04:30,780 --> 00:04:34,260
and you can Ctrl+C this if you already see the result,

113
00:04:34,260 --> 00:04:37,440
since this will scan all the usual subnets that occur

114
00:04:37,440 --> 00:04:39,000
in a network.

115
00:04:39,000 --> 00:04:42,180
Right here we see that we captured five ARP packets

116
00:04:42,180 --> 00:04:45,090
and there are ARP requests and ARP replies, but once again,

117
00:04:45,090 --> 00:04:46,350
more about that later.

118
00:04:46,350 --> 00:04:47,995
This just means that we managed to discover

119
00:04:47,995 --> 00:04:50,256
five hosts using these packets.

120
00:04:50,256 --> 00:04:53,220
And these are those five hosts.

121
00:04:53,220 --> 00:04:54,420
Let me Ctrl+C this

122
00:04:54,420 --> 00:04:57,813
since it won't really manage to find any more hosts.

123
00:04:58,740 --> 00:05:01,470
And right here we got their IP addresses,

124
00:05:01,470 --> 00:05:02,458
their MAC addresses

125
00:05:02,458 --> 00:05:06,063
and their MAC vendor name or hostname.

126
00:05:07,320 --> 00:05:11,130
So right here I know that this is my Metasploitable,

127
00:05:11,130 --> 00:05:12,720
which is this one.

128
00:05:12,720 --> 00:05:13,687
This 192

129
00:05:13,687 --> 00:05:14,520
.168

130
00:05:14,520 --> 00:05:15,353
.1.7

131
00:05:15,353 --> 00:05:16,186
is my host machine

132
00:05:16,186 --> 00:05:19,680
or my physical machine that I'm running my Kali Linux on.

133
00:05:19,680 --> 00:05:22,650
These two down here are two laptops, I believe.

134
00:05:22,650 --> 00:05:25,091
And this right here is my router.

135
00:05:25,091 --> 00:05:27,600
And how do I know that this is my router?

136
00:05:27,600 --> 00:05:30,660
Well, usually routers start with the first number.

137
00:05:30,660 --> 00:05:34,380
Either it will be something like .0 or .1.

138
00:05:34,380 --> 00:05:37,362
And just so you can be sure which IP address is your router,

139
00:05:37,362 --> 00:05:38,970
you can type the command

140
00:05:38,970 --> 00:05:39,803
netstat

141
00:05:39,803 --> 00:05:40,636
-nr

142
00:05:41,820 --> 00:05:43,804
and under this gateway column

143
00:05:43,804 --> 00:05:47,010
we should see the IP address of the router.

144
00:05:47,010 --> 00:05:48,573
So you can see they do match.

145
00:05:49,500 --> 00:05:50,820
The next step would be to go

146
00:05:50,820 --> 00:05:53,190
about scanning each and every one of them.

147
00:05:53,190 --> 00:05:54,960
And for this we're going to be scanning

148
00:05:54,960 --> 00:05:56,250
our Metasploitable,

149
00:05:56,250 --> 00:05:58,500
and you can also scan your home machines just

150
00:05:58,500 --> 00:06:00,060
for even more practice.

151
00:06:00,060 --> 00:06:01,360
See you in the next video.