[00:00:01] Instructor: By now, if you covered all of the Nmap videos that we did, you should have an intermediate knowledge of Nmap. All we are left to do is check out just some of the few options that you might find useful once you're performing your scans, which we will check out in this video. And after it, we need to check out two more things. One of them is running Nmap with scripts, part of which we are going to see right now, with the results of our -A scan from the previous video. And the second thing is how we can bypass firewall, IDS and IPS using Nmap.

[00:00:38] So for now, we only noticed how we can perform different scans, but we never really talked about what if our target is well secured. What if they have a firewall? We want to perform our scans as quietly as possible, in order for us to not get detected. But before we jump into all of that, let us check out the output of our -A option. Remember from the previous video, -A runs a bunch of different things, such as OS detection, version scan, and it also runs something called Nmap scripts.
[00:01:10] You will see down here that we are getting output that we didn't get before. So, besides the open port and the version that the open port is running, we also get the output of different scripts that are running on the target as we execute this scan. So right now, here we can see that it executed the script for FTP anonymous login, and it says that it is allowed. And we will check out what the FTP anonymous login is; for now, I can tell you that it is not really that secure, even though if we go all the way down, here it says FTPd 2.3.4, which is the version that the target has, is secure, fast and stable. And I can assure you this is one big lie, as this FTP version is vulnerable. And we are going to see in the exploitation section how we can exploit this and gain access to our target machine.

[00:02:07] Down here we also get the enumeration of the SSH. So we get the SSH host key, nothing really too useful for us, the SMTP commands that are allowed, the SSL ciphers right here, and we also get the HTTP server header and the HTTP title.
[00:02:21] And this is just some additional information that we got from running scripts. If I go all the way down, we also get information for some other open ports. And down here, we will see that our scan also performed the SMB enumeration. So we got the computer name, NetBIOS computer name, domain name, SMB security mode. Down here we also get the traceroute to this target's IP address. And this is the one hop that we have, since it is in our own network. It tells us down here that it also performed the OS and service detection, and here is the OS detection, but we already saw this. We got Linux running. So, this is just some additional information on top of the information that we already had.

[00:03:06] But remember, -A is an aggressive scan. It does give us the most output out of any other option, but it is also pretty aggressive and easily detectable if the target has some security measures. Since our Metasploitable doesn't have any security measures, or is not behind any firewall, this scan is best for targets like that.
[00:03:27] So, we got the most information using -A, but besides this -A, let us also check a few more useful options that Nmap gives us. And to do that, we're going to open the Nmap manual. So, type man and then nmap and it will open up the manual. Once again, we already know how we can go through it with the up and down arrows, and we're going to just go really quickly through it and see whether there are any useful options that we haven't covered, but that you might want to use.

[00:04:00] So if you go down here, this -sn option is a really useful option. And it is not really useful for discovering vulnerabilities or open ports. Matter of fact, this option right here performs the same thing that our netdiscover tool did. Remember? We used netdiscover to locate all of the hosts that are up and running on our network, and -sn pretty much does the same thing. As we can see right here, this option tells Nmap not to do a port scan, so you will not find out any open ports with this scan. The only useful thing we get from this is which hosts are up and running. So, let's test it out real quick.
[00:04:41] And this is a scan that you would use probably on multiple machines to discover which ones are up and which ones aren't. But, you can also use it on one machine if you'd like. For this scan, I will use my home network, so -sn, and then 192.168.1.1-255. If I press enter, this should pretty much take just a few seconds, and here it is, it'll give us which hosts are currently up. We get their IP addresses. So, 192.168.1.10. This is my laptop. We get the Metasploitable, we get Windows 10 probably, and we get my router. So instead of netdiscover, you can use this to figure out which hosts are up. But for me personally, I like the netdiscover output a little bit better than this one. This right here looks a little bit messy.

[00:05:31] Okay so, the second thing that I want to show you is the -p option, and this is an actual option that you will use a lot. So for this, we're going to scan our Metasploitable. So change the IP address to the Metasploitable IP address, and what the -p option is, is simply you can specify what range of ports you want to scan with Nmap.
[00:05:55] So remember, when we perform any other scan, it scans the top 1000 ports. But what if we, for example, only wanted to scan one port? For example, let's say we wanted to scan port 80 on the Metasploitable. Can we do that? Well, if you specify -p, and then 80, and then the IP address, here it'll tell us port 80 is open, and the service that it is running. So, we can scan only one port if you want. This option is useful if you're only attacking one port, and you don't want to bother really and let Nmap scan 1000 ports, when you only want to enumerate one single port.

[00:06:34] You can also do it on multiple ports, for example, port 80, port 22, port 100, and let's see what the output is. And here, we can see port 80 and port 22 are open, while port 100 is closed. We separate different ports with a comma, and instead of separating them with a comma, if you want to scan a range of ports, you can also do this. You can do port one to port 100. And, here are the results. Not shown: 94 closed ports, and we got six ports that are open in the first 100 ports.
[00:07:14] And remember when I told you that there are over 65,000 ports? Well, this is the option that we can use in order to scan all 65,000. If I type the same command, I just scan from one to 65,535 and press enter. This scan will take longer than any previous scan that we did, since it is scanning 65,000 ports. Here we can see the output, it finished in 7.74 seconds. And here are all the open ports that it managed to discover. Here are some of the ports that we never really discovered with the previous scans that we did in the last few videos. So, this is really useful. If we used regular scans and we only scanned the first 1,000 ports, we would never really know that these ports are also open.

[00:08:07] Now, on the contrary, instead of scanning 1,000 ports or 65,000 ports, we can use a cool option which is -F, and it is a capital F. And, what this option does is, instead of scanning 1,000 ports, it scans the first 100 ports. So, in case you want to perform a quicker scan, and you also want to scan the top 100 used ports, you would use the -F option.
[00:08:33] If I press enter, you can see it finished in less than one second and it scanned the top 100 ports. Now, this doesn't mean that it scanned ports from one to 100. This simply means it scanned the first 100 ports that are usually most used. So, we got 21, 22, 25, 53 and a bunch of others, as well. But, whenever you really want to find out everything you can about the target, this scan will be more useful, the one where we scan 65,000 ports, since you can see there are a lot more ports that are open than with this scan.

[00:09:09] Okay, cool. Let me show you one more option before we proceed to the next video. And that option is how to output an Nmap scan. So, there are a few ways that we can do that. If I run Nmap and then we use the SYN scan, which we covered, and let's say we scan Metasploitable. There are two ways that we can do this. If we want the output to be inside of a file, we can use two arrows to the right and then outputofscan.txt. Let me see. "You requested a scan type which requires root privileges."
[00:09:42] So, let us run it with root and press enter, type in the password, and you will see we get no output to our terminal. That is because all of the output is stored in this file. If we use the cat command to output the results, here is our scan that is being stored inside of this file. So, this is useful once you want to, for example, add this to your report. So, you just save it in a file, and then later on, copy and paste this into your report.

[00:10:13] Another way that you can do this, in case you want the results to be saved both in a file and also output in your terminal, is we can use the -oN option, so -oN. I'm not sure if it is with a capital N or lowercase N. We're going to check that out with the help menu. So, let's go to the output settings, and it is the -oN option. And we can see right here, the -oN option is "output scan in normal". So, we can simply just save this in a normal file. If you want some other file type, you can use -oX for XML. And we got some other options here, as well, that you might find interesting. For now, we are just going to check out this one.
[00:10:57] So if I go down here, and type nmap, -oN, and then -sS. Of course, we need to run this with sudo, and we specify 192.168.1.5. "Output file begins with", yeah, we need to specify the name of the file that we want to save it to. So, let's just call it output. And here it is, we get the output to our terminal, but if I also type ls and cat the output file, we also get the results saved inside of this file.

[00:11:30] Okay, great. These are just some of the basic options that I wanted to mention, since you might find them useful. And by now, as I already told you, you can consider yourself an intermediate Nmap scanner. Now to take this to the advanced level, we're going to check out, in the next few videos, how we can bypass firewall, IDS and IPS using Nmap scans.