[00:00:00] Instructor: Welcome back. Here we are, ready to start our scanning phase. We have covered the information gathering, which was the first phase of penetration testing, and now we'll proceed with the second stage by scanning our target and trying to get even more information about it. Now, the difference between information gathering and scanning is that scanning is performed on a much deeper level. And also, while in the first phase we gathered all kinds of information such as emails, phone numbers, and a bunch of other things, in the scanning we are mainly focused on the technology side, so we want to find out as much as we can about our target's technical aspect. We're going to talk in just a second about what exactly we are looking for in this stage and what all the goals of this stage are. But first you could be wondering what we are going to scan, since remember that scanning is something that we are not allowed to do on any target that we want. Don't worry, for this stage and any future stage from now on we're going to be using vulnerable virtual machines.

[00:01:15] There are lots of paid vulnerable virtual machines that you can buy and test on, but for this course I will be showing the free ones so all of us can download them, install them and then try to hack them. All of these virtual machines are going to be running some outdated vulnerable software that we will be able to exploit in the third stage, and they will also require very little hardware power, so all of us will be able to run them while also running Kali Linux. And keep in mind that the penetration testing process will look exactly like it will look in the real world if you were to test some website or some network. The only difference is that right now we know that these machines are vulnerable, since I just told you, and in the real world you wouldn't essentially know that before testing them. However, just knowing they're vulnerable doesn't really help us, as we need to figure out in what way they are vulnerable and how we can take advantage of that. Scanning will help us with this.

[00:02:18] We'll be using our Kali Linux machine to scan these machines, and by scanning these machines, what we really mean is we're going to directly exchange packets with our target, and once that target sends packets back to us, hopefully we'll discover something about the target machine that we will find useful. And what we will be sending to the target are TCP and UDP packets. TCP and UDP are just protocols that are used for sending bits of data, also known as packets, and we will discuss them in a little more detail in the next video. For now, just think of them as different protocols that will allow us to get information from our target. I keep talking about information and scanning and all of that without actually explaining what I mean by scanning and getting information. What are the goals of this? What are we looking for exactly? Well, we are looking for open ports, and I don't mean USB ports or some physical ports. I mean we're looking for virtual open ports that every machine has and uses to host their software and communicate with other machines over the internet.

[00:03:36] For example, you watching this over the internet on a website means that the machine that's hosting this website has port 80 open. Why port 80? Well, port 80 is used to host a web server; it is used for HTTP, and it's also known as the HTTP port. So every time you visit a website you are essentially making a connection to that machine hosting that website on port 80 or on port 443, since port 80 is used for HTTP and port 443 is used for HTTPS, and HTTPS is just a secure version of HTTP. These are the two most usual ports that a target that you're scanning externally will have open. And by externally scanning, I mean that you are scanning it while not being in the same network as the target. An example would be you scanning some website from your home. And a port that could sometimes be open if you're scanning internally, which means either scanning machines on your network or performing network penetration testing inside of some company: you could, for example, find port 21 to be open. This is the FTP port and it's used for file transferring. FTP stands for File Transfer Protocol.

[00:04:55] These are just two of the ports, and there are a lot of them. You could, for example, have port 22 open, which is the SSH port or secure shell port. It is used to log into the target machine and execute commands on it remotely. We could also have, for example, port 53 open, which is the DNS port, or we could have port 25 open, which is the SMTP port. So there are a lot of ports. Matter of fact, every machine has 65,535 ports for both TCP and UDP, and if there is just one open port with one vulnerable software running on that open port, then that target is vulnerable and it could be exploited. Now the highest secured machines are the ones that have all ports closed. These are usually your home devices such as laptops or computers that you use just for browsing online or playing video games or something. They don't need to be hosting any software since they're not a server that someone will connect to for a certain service. They're just home devices that you use. But websites, for example, must have port 80 or port 443 open since they're hosting a webpage there. Also in companies, their machines could have some port open.

[00:06:18] Maybe they use that port on all their machines within that company to internally transfer files between different machines. It could be anything, basically. Now the problem occurs if that software they use on their open ports is outdated and has a vulnerability; then our job as a hacker is to scan that machine for open ports and exploit that machine through that vulnerable software running on that open port. But the goal for now, in the scanning section, is only to scan the target for the open ports. Then we want to discover what software they are running on those open ports. And we want to go as deep as discovering what version of software is on that open port. Are you ready? We're going to be covering a lot in this section. And in this section we will cover one of the most important tools that a hacker must master. That tool is called Nmap. Let's dive into scanning.
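The lecture's core idea, that an "open port" is simply a port with software listening on it and that a connect-style scan learns this by exchanging packets, can be seen on your own machine without touching any outside target. The following Python script is an added example written for this transcript; it is not the instructor's code or part of the course materials. It binds a throwaway loopback listener to stand in for "hosted software", asks the OS for a second port that nothing is listening on, and then performs a TCP connect check (full three-way handshake, the same thing Nmap's `-sT` scan does) against both, labelling each result with the conventional service name for the well-known ports named in the lecture. All function names, the `WELL_KNOWN_PORTS` table and the loopback-only setup are this example's own assumptions.

```python
import socket

# Well-known TCP ports named in the lecture, with the service each is
# assigned to in the IANA registry. The number alone tells you the usual
# service, not what is actually listening there; that is what version
# detection (covered later with Nmap) is for.
WELL_KNOWN_PORTS = {
    21: "ftp",
    22: "ssh",
    25: "smtp",
    53: "dns",
    80: "http",
    443: "https",
}

MAX_PORT = 65535  # highest valid TCP/UDP port number


def describe_port(port):
    """Map a port number to its conventional service name, or 'unknown'."""
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"port {port} is outside 1..{MAX_PORT}")
    return WELL_KNOWN_PORTS.get(port, "unknown")


def tcp_port_is_open(host, port, timeout=0.5):
    """TCP connect check: the port counts as open only if the three-way
    handshake completes. A closed port answers with RST (connection
    refused); a filtered port usually just times out. Both are 'not open'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError and TimeoutError are OSErrors
        return False


def scan_tcp_ports(host, ports, timeout=0.5):
    """Return {port: 'open' | 'closed'} for each requested port."""
    return {p: ("open" if tcp_port_is_open(host, p, timeout) else "closed")
            for p in ports}


def start_stand_in_listener(host="127.0.0.1"):
    """Bind a throwaway TCP listener on an OS-chosen loopback port. It stands
    in for 'software hosted on an open port' (constructed for this example).
    Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def pick_closed_port(host="127.0.0.1"):
    """Ask the OS for a currently unused port, then release it, so the scan
    has a port with nothing listening behind it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one listening and one idle loopback port.
    Returns (open_port, closed_port, results)."""
    srv, open_port = start_stand_in_listener()
    closed_port = pick_closed_port()
    try:
        results = scan_tcp_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()  # 'uninstall' the stand-in software again
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, state in results.items():
        print(f"127.0.0.1:{port} {state} ({describe_port(port)})")
```

Two things worth noticing when you run it: the listener never calls `accept()`, yet the connect succeeds, because the kernel completes the handshake on the listening socket's behalf, which is exactly why a connect scan cannot tell you anything about the application beyond "something accepted the connection"; and the idle port comes back closed immediately rather than after the timeout, because loopback answers with an RST at once, whereas a firewalled port on a real network typically yields no reply and is reported by scanners as filtered rather than closed.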