1
00:00:00,390 --> 00:00:05,880
So remember that while performing a penetration test, we should always test the network devices, whether

2
00:00:05,880 --> 00:00:12,480
they're vulnerable to attacks, all the ones we've mentioned up till now. Of course, we have to discover

3
00:00:12,480 --> 00:00:16,200
the network devices and the services running on them first.

4
00:00:16,650 --> 00:00:22,890
So let's see how we discover network devices and their services and what else we can do to attack these

5
00:00:22,890 --> 00:00:23,550
services.

6
00:00:23,820 --> 00:00:24,830
Come on, it'll be fun.

7
00:00:26,770 --> 00:00:32,920
So, as you already know, the first step of a penetration test is always reconnaissance, in other

8
00:00:32,920 --> 00:00:34,550
words, gathering the information.

9
00:00:35,440 --> 00:00:38,740
So how can we collect information about the network devices?

10
00:00:39,520 --> 00:00:44,200
The answer is the same as for the reconnaissance of all the other parts of the penetration test.

11
00:00:45,740 --> 00:00:52,070
We can scan the network and find the network devices according to the fingerprints or operating systems

12
00:00:52,070 --> 00:01:00,830
of the devices found. For example, if the operating system of a device is Cisco IOS, it's most probably

13
00:01:00,830 --> 00:01:03,710
a network device such as a switch or router.

14
00:01:05,000 --> 00:01:11,090
Sniffing is another way to collect data about the network devices; you should always especially focus

15
00:01:11,090 --> 00:01:13,580
on the clear text services such as Telnet.

16
00:01:15,590 --> 00:01:21,050
Now, one of the brilliant ways of reconnaissance is analyzing the documents collected throughout the

17
00:01:21,050 --> 00:01:27,530
penetration test. In a typical penetration test, you probably find a lot of sensitive information by

18
00:01:27,530 --> 00:01:35,690
just looking at the file servers, shared files and e-mail backups or unprotected ASCII files of compromised

19
00:01:35,690 --> 00:01:37,190
admin personal computers.

20
00:01:39,330 --> 00:01:45,960
So as we were saying before, the most common services open on the network devices are SSH, Telnet,

21
00:01:46,560 --> 00:01:50,130
HTTP, HTTPS and SNMP.

22
00:01:51,200 --> 00:01:54,540
And the default ports of these services are listed in the slide.

23
00:01:56,210 --> 00:02:01,850
I want to call your attention to this: these are the default ports, right?

24
00:02:01,880 --> 00:02:05,080
So they don't have to run on the specified port.

25
00:02:05,900 --> 00:02:13,340
You can run an SSH service on port 443 or an HTTPS service on port,

26
00:02:13,430 --> 00:02:16,100
I don't know, 4321, et cetera.

27
00:02:17,450 --> 00:02:22,670
You can discover more details about the network devices by analyzing these services deeply.

28
00:02:24,780 --> 00:02:31,410
Right, and now to have the correct result and discover even more, you should always scan the network

29
00:02:31,410 --> 00:02:34,950
with OS discovery and version detection options.

30
00:02:37,020 --> 00:02:43,680
So if you look at the example in the slide, again, you see an Nmap command. Nmap is a security

31
00:02:43,680 --> 00:02:50,700
scanner which is used to discover hosts and services on a computer network. In the same sample command

32
00:02:50,700 --> 00:03:00,000
shown, the -O parameter is used for OS detection, while -sV is used for version detection.

33
00:03:03,820 --> 00:03:05,170
So just listen to the traffic.

34
00:03:06,460 --> 00:03:13,360
We can gather some information about the network devices here. The protocols which use clear text communication

35
00:03:13,360 --> 00:03:19,930
are especially important because you can see the payload data transferred between the end points.

36
00:03:21,360 --> 00:03:25,140
The most important clear text protocols are Telnet,

37
00:03:26,520 --> 00:03:28,200
Cisco Discovery Protocol,

38
00:03:29,590 --> 00:03:31,210
Spanning Tree Protocol,

39
00:03:32,710 --> 00:03:33,880
routing protocols,

40
00:03:35,430 --> 00:03:37,950
VLAN Trunking Protocol and

41
00:03:39,000 --> 00:03:41,160
Simple Network Management Protocol.

42
00:03:44,200 --> 00:03:48,240
So let's scan the router according to the criteria that we talked about up to now.

43
00:03:49,780 --> 00:03:56,840
In Kali, I opened the terminal screen, so I'll use Nmap to scan the router, but first,

44
00:03:57,790 --> 00:04:00,040
let's go ahead and ping the router to check the network.

45
00:04:03,830 --> 00:04:06,290
So nmap is the command itself.

46
00:04:07,610 --> 00:04:16,280
-sS to make it a SYN scan. A SYN scan is a kind of TCP scan where a three-way handshake

47
00:04:16,280 --> 00:04:22,190
is not completed, but please refer to my Network and Vulnerability Scan for Hacking by Nmap and

48
00:04:22,190 --> 00:04:27,170
Nessus course for more details about Nmap and those scan types.

49
00:04:28,500 --> 00:04:30,180
Target IP is our router.

50
00:04:31,570 --> 00:04:36,130
-sV is for the version detection of the open ports.

51
00:04:37,580 --> 00:04:39,740
-O, for the operating system detection.

52
00:04:40,920 --> 00:04:46,230
--reason is to force Nmap to tell the reason for its decisions.

53
00:04:47,500 --> 00:04:56,950
And -p is for the ports, so let's scan SSH, Telnet, HTTPS, HTTP and SNMP ports. Now hit enter.

54
00:05:01,280 --> 00:05:06,050
So that took 15 seconds; it seems the only port open is Telnet.

55
00:05:09,010 --> 00:05:13,810
Here are the details: it is a Cisco device and one of these series.