00:00:00,620 --> 00:01:35,360
Welcome to Part Five of this module. Today we're going to be taking a look at what many consider to be the king of scanning tools, Nmap. Nmap is short for Network Mapper, and it is a free and open source utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what services those hosts are offering, what operating system and operating system version they are running, what type of packet filters or firewalls are in operation, as well as many other unique characteristics. It was designed to rapidly scan large networks but works for single hosts as well. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Mac OS and, yes, even Microsoft Windows. In addition to the classic command line version, the Nmap suite includes an advanced graphical user interface and results viewer called Zenmap, which we will be taking a look at in a future module. Both of these come prepackaged with Kali 2.0 and can be easily downloaded for any operating system from the Nmap website, nmap.org. The output for any Nmap scan is a list of scanned targets with supplemental information on each, depending on the options selected during each scan.

00:01:36,710 --> 00:03:13,000
Key among that information is the "interesting ports" table. The table lists the port number and protocol, service name and state of each port, the state being either open, filtered, closed or unfiltered. Open ports indicate the presence of an application on the target machine that is listening for connections and packets on that port. Filtered, on the other hand, would mean an application may be listening on them, though it couldn't be confirmed; they could be open at any time. Ports are classed as unfiltered by Nmap when they're responsive to probes but Nmap cannot determine whether or not they are in an open or closed state, and of course closed is self-explanatory. The port tables that Nmap displays may also include software version detail when version detection has been requested. When an IP protocol scan is performed, Nmap provides information on supported IP protocols rather than listening ports. In addition to the ports table, Nmap can provide further information on targets that includes reverse DNS names, operating system guesses, device types and even MAC addresses. Nmap has actually been featured in multiple movies, including The Matrix Reloaded, Die Hard 4 and The Bourne Ultimatum. The real value of Nmap is to learn the lay of the land before a penetration test, finding out which ports are open and gaining critical information about a target.

00:03:13,100 --> 00:04:51,700
It is entirely possible to scan entire netblocks using Nmap, such as those you might acquire on a target after a Maltego search. See the module on Maltego for more details about that. In this tutorial we're going to be covering the basic usage of Nmap and the core concepts associated with it. Loading Nmap is in fact very simple. We just go to Applications, Information Gathering, and we could click on Nmap, or we can do it like pros and type nmap in the terminal window. When you first load Nmap without any kind of argument you will be presented with a rather intimidating-looking series of optional arguments, which will make the program appear far more complicated to use than it really is. It is beyond the scope of any one tutorial to show every single possible example of how to use this powerful tool; covering every possible use of Nmap might almost be a class unto itself. The goal of this presentation is to get you comfortable with the core concepts and give you a strong idea of how to use Nmap in your penetration tests. Once you're comfortable with basic use, you can experiment with more advanced options to suit your specific needs, but briefly I will illustrate that Nmap has a very detailed man page,

00:04:58,280 --> 00:06:31,410
which you can read through at your leisure, and it can be quite handy if you run into any problems not covered in this tutorial. So to begin, I'm going to illustrate what a basic scan using Nmap looks like. Before I do, it is once again necessary to point out a few key things that I already mentioned in prior modules. First, as always: for legal reasons you absolutely must have written permission from the owner of any system or network that you intend to scan before you scan it. Otherwise you might be breaking the law. Second, Nmap is a very noisy tool, and using it can often leave loggable fingerprints if you are performing a penetration test and part of that test is to see if the system administrators are asleep on the job, and you have written permission to conduct the test. There are ways of using Nmap more stealthily which will be addressed shortly. For our initial foray into using Nmap we're going to be using this target site. As you can see, this site is offered by the developers of Nmap as a way to test the tool; they provide written permission to conduct Nmap scans against it legally. Please note that they ask you to limit the number of scans per day to a reasonable number, and this permission does not extend to using brute force or password cracking applications.

00:06:31,420 --> 00:08:01,830
This is a public service that is available to everyone, so please don't abuse it. All right, that was a lot of preamble, so let's dive right in. In the terminal window we're going to type nmap, and then we're going to provide the domain, which in this case is scanme.nmap.org, and press Enter. This is going to start the scanning process. Now, at the risk of sounding redundant, please keep in mind this is not a passive scan, OK? Here we see which ports are listed for the target. It appears that 991 are closed, but we see at least four that are in an open state. We can see the port number in the first column, its state in the second, and the service typically associated with that port in the third. Keep in mind that sometimes Nmap just takes a guess about which service is running on a particular port. A canny system administrator might switch things up and run services normally associated with one particular port on another port, so as to confuse would-be hackers. This is rare, of course, but I have seen it happen. It's also possible to hide services that could be brute-forceable or otherwise compromisable in this way, by obfuscating them.

00:08:01,870 --> 00:09:20,620
Of course this philosophy of security by obscurity is not reliable, but it does effectively frustrate the efforts of the lazy. Anyway, now I'm going to perform an Nmap scan against a Metasploitable machine that I've set up here in the office. This machine is on my own network. I picked out the specific address for it using the netdiscover command, which I'll demonstrate later in this module. So in this case we're going to do nmap, and then I'm going to give it the IP address on the network of the Metasploitable machine and press Enter. So, to start off: if we're running Nmap against a target without any of the optional switches, it will by default run what is called a stealth scan. This word "stealth" can actually be pretty misleading, and I don't exactly mean it the way you might think that I do. Please bear with me, and don't make the mistake of thinking that I am in any way suggesting you are anonymous or shielded if you run Nmap in this way. Additional steps must be taken for true anonymity to be achieved, and some of those will be covered in a section of this class that deals entirely with that subject.

00:09:20,640 --> 00:10:52,580
There are a few different scan types you can use, such as a TCP full connect scan. The full connect is exactly what it sounds like: you will do a full SYN, SYN-ACK, ACK three-way handshake and fully connect to the target port to verify its status. That is the most reliable, and it is also the most noisy. If a part of your authorized pen test is to test the administrators, keep in mind that this sort of activity can be highly visible to them. In this case the TCP full connect scan is not the one you want to use, because a lot of admins will log and even be alerted to all full three-way handshake connections. That being said, the TCP connect is the more reliable for detecting the status of ports. The stealth scan, on the other hand, is a little bit different. It sends the SYN, and then the destination, if the port is open, will send the SYN-ACK. Then we, on the source end, will send an RST. What that will basically do is stop the three-way handshake from taking place. It won't actually fully connect. The idea is that we don't actually need to do a full connect to verify that the port is in fact open, because it sent a reply in the form of a SYN-ACK, thus strongly implying that the port is in fact open.

00:10:52,580 --> 00:12:39,910
So we effectively have our answer already, and there's no need to perform a noisy, loggable handshake. But again, be very careful with this word "stealth". Just because Nmap calls it stealth, it doesn't mean you're anonymous. I'm sorry to repeat myself; it's just very important to understand that without the use of additional methods, for example a virtual private network or some form of proxy, your activity will remain visible to your Internet service provider, and the target may still have Wireshark in operation to log and analyze traffic. So even if you sidestep a log event for a three-way handshake, you really aren't invisible. Again, please see the section of this class covering methods of anonymity for more information if this is a topic of concern for you. So just by doing that basic, quote unquote, stealth scan we can see that this target computer, which is my Metasploitable machine, has a bunch of ports open for you to peruse, because of course it's Metasploitable. In this case, what it did essentially at the beginning was to take the hostname and use DNS to resolve the hostname. If you wanted to skip that you would use a -n; that will disable doing a DNS recursion. You could also disable the potentially noisy ping against the target by adding a -Pn, and that is capitalized, so it would look like this: nmap -n -Pn and then your target.

00:12:39,920 --> 00:14:32,100
Note that when we do it this way, the port information we get back is limited to just open or closed. We won't know specifically if a port is in a potentially filtered state. The results we get back are therefore more limited. Now, in this case, we can see that we have a bunch of ports open and a service beside each. For example, shell and NFS shares. So if that is what we're going on, the thing we may wish to consider is what version of, I don't know, let's say HTTP they are using. We don't know if it's Apache or something else, so we can add another switch to the mix here. It's called -sV, dash, lowercase s, capital V, so it's going to look like this: nmap -n -sV and then the target. When you do a lowercase s, what you're saying is scan type; when you add another letter to the end of it, it tells Nmap what type it really is. So in this case, if we do the -n we are disabling Nmap's DNS recursion, and the V stands for version scan. When we do run the scan it will look for what ports are open on the target and hopefully come back with detailed version information. So, just to make things a little easier to follow along, I'm going to pull up a little cheat sheet at this point. So when we run nmap without any kind of argument, just by itself, it's what's called a stealth scan.

00:14:32,150 --> 00:16:33,120
Remember that word "stealth" does not mean invisible. When we add the -n switch we are disabling the DNS recursion. When we add -Pn we're disabling Nmap's pinging function. That was the one we just did, and when we add -sV we are doing a version scan. So as we go along I'll add to this little cheat sheet that we're forming here. Excellent. All right. So here we can see, if I scroll up a little bit, we can see that we have an FTP, but it also tells me the version. We can also see that they are running Apache for HTTP. It looks like there's VNC and, look, some old school Unreal IRC. Wow, that takes me back, and it looks like the creators of Metasploitable have a sense of nostalgia. We can also see an operating system scan as well. Even though the information is visible, we can do a specific scan just to determine the nature of the operating system by doing nmap -n -O, and then we'll give it our target, and this is a little bit less intrusive because we're really looking at... here we go. OS detection performed, and we've got Linux

00:16:33,120 --> 00:18:23,860
2.6.9. Just keep in mind this isn't effective 100 percent of the time; sometimes Nmap will just take its best guess based on the information that it gets back. It's usually pretty accurate, though. Now, on the subject of where Nmap is getting this information: we go to /usr/share/nmap, and then we do an ls. We can see here that there are a few different files; the OS one is on the right, nmap-os-db, and it does a variety of things. Oh, we'll have to bring it up here. One moment. And what this basically does is send a variety of different probes out to the operating system that we are trying to scan. If it responds back with an expected response, it will verify, based on that response to the probe sent, that the target is running a particular operating system. Again, not 100 percent effective 100 percent of the time, but it is basically reliable. If you do a quick search for, let's say, Windows 7, we can see the types of probes that it sends. If you really know your stuff you can edit this file and save it to change the behavior of these probes, but such changes are frankly beyond the scope of this tutorial and I don't recommend it unless you have a strong reason to do so.

00:18:25,960 --> 00:20:22,000
The same thing happens when we do the -sV scan, dash, lowercase s, capital V. It bases off this nmap-service-probes file to determine what it is actually looking at. So it sees port 80 open and sends some probes to it to determine what is the actual service running on it. It responds back with Apache 2.2.3 or whatever else is indicated by the parameters set in the file there, and we can know with some confidence the exact service and version. As I said before, this is key when using things like Metasploit to attempt to penetrate another system, because knowing the exact version of a particular service you can easily look up known vulnerabilities and you can tailor your attack against the service in a very strong and well established way. Half the battle is knowing your foe and its weaknesses, and with just a little bit of information and maybe a simple web search you can create all sorts of operational vectors against a target machine. So going back to our cheat sheet here for a minute, we'll add the new switch to the mix: that's -O, dash capital O, and it's going to be short for operating system detection. Another thing that can be done through Nmap is the running of what's called scripts. Scripts are written here using what is called the .nse format, which is what Nmap uses. There are some scripts called default scripts; for example, nmap -n -sC runs our defaults.

00:20:22,890 --> 00:22:10,830
And while this is running, we'll take a look at the section of the website dedicated to Nmap scripts. Now, if we look at the script interface, we can see that there are a variety of different categories, everything from brute forcing to selective scanning. You can read through all of them and see what they do; as you click on each one you can see a description of what they are and what they do. So let's just open up a new tab window here. And here's an example script I just picked at random, called file off owners. It gives an example of case usage and the script output. In this case we could just run the scripts by themselves. Just keep in mind you can run them individually if you like. Just look at all the scripts they have. So when I did the -sC, lowercase s, capital C, it started Nmap running all of the scripts which were installed, and I'm not going to go through what each individual script does, because as you can see, at the time of this recording there are five hundred and ninety-one of them. But if you are interested, please do read through all of this information and have a look at the finer details of each one. So a moment ago I ran nmap with the -sC switch, lowercase s, capital C. What that did was it ran all of the default scripts which we have installed.

00:22:11,010 --> 00:26:10,250
If we scroll up quite a ways, in this case we ran a script called ftp-anon, which shows us that anonymous FTP login is allowed. If we scroll down a little further we can see that OpenSSH is allowed and it shows an SSH host key. Again, what you're seeing is the result of one of these specific scripts testing for this specific vulnerability. There are some HTTP ones that it ran; it gives methods. Did a banner grab as well. Pretty good. So you can see that there are all these different scripts that it runs, and there are various pros and cons to each one when trying to walk that fine line between getting the best possible information and trying to remain stealthy. See, it looks like MySQL was running; I saw that appear, and the version. That's good. All right. So -sC, lowercase s, capital C, will run everything in the defaults. I'm going to do one more here before I pull up our little cheat sheet again. This one is nmap -n -A and then the target, and we'll let that run. What we've just done is what is called an aggressive scan, which is just about as noisy and blatant as you can possibly get. It'll take a moment to finish, so I'm going to pull up our cheat sheet again, and let's go ahead and add -sC, dash, lowercase s, capital C: running the default scripts, all of them. Now, every time you update Nmap you're going to see that people have added more scripts to it. If we glance back at the scripts web page we can see the current number of scripts at the time of this recording: five hundred and ninety-one. Now, there are some people who like to use GitHub as a method of distributing their scripts for Nmap, but be aware that that is somebody else's code and it won't be vetted by Nmap itself. If you pull it off GitHub it may perform malware or perform in some kind of a loud way that is undocumented. Still, it's worth mentioning, as you can find some real gems if you look; just be sure to do your due diligence and check into them carefully before downloading. I'll just go ahead and add -A to our cheat sheet. This is called an aggressive scan, and this will definitely be picked up by any halfway competent system administrator. The reason why is that it literally throws the kitchen sink at the target. It runs a variety of scans, such as these here: the version scan, the operating system scan, all scripts, and it even performs a traceroute to the target. By running that one command you're running many that you might wish to run.

00:26:10,280 --> 00:27:43,120
So it's a bit of a shorthand method, or a lazy method if you prefer. Now, it does take a while to do it, and like I said, it will be detected. So let's pull up our results here. As we look at it here, we can see that it ran all the scripts again, and it did the regular version detection as well. Basically the same thing as we did before, but it added a traceroute, which obviously didn't have very far to go, and operating system detection and so forth. A pretty handy tool to use. I don't recommend doing aggressive scans out in the wild. Still, I had to include it for the sake of completion. You can also do a pure ping scan, which is -sP. So let's add that real quick to our little sheet. The idea of a ping scan is that when you first start doing your scan, based off what you have from your reconnaissance phase, you may want to go ahead and do scans of either subnets or IP addresses, but you first want to see in a subnet if anything is up and running. So very quickly, here is what that would look like: quick and painless, and an easy way to see if a particular host is up. But again, it's useful if you're scanning a lot of different targets all at once, because it brings back information quickly and it's less likely to be picked up. So, moving on.

00:27:43,120 --> 00:29:37,080
Now I'm going to momentarily set aside Nmap to talk about another tool that is useful in conjunction with it, and that is netdiscover. So if we do netdiscover -i and then we put in our interface, which in my case is eth0, and we do -r and then we give it a subnet IP range. So in this case everything between 10.0.0.0 and 10.0.0.0/24 will be scanned. I think I added in another zero there. Pardon me. So when we press Enter we can see all of the other devices connected to our network; it does not pick up the address of the scanning machine. Now, if you were testing this at home, or you are in a situation where you don't know the exact address to scan, this is how you would start. I can identify my Metasploitable machine at 10 1 0 0 0 to 8, and if I wasn't already sure I could disconnect it, scan again, and then verify by running netdiscover. So if the machine didn't show up in a second scan I would know that that was not the correct IP, assuming of course that I didn't already recognize the host name and the MAC address. And when you're done, just press Control-C to get back to the prompt. Now, when you're looking for a particular port to scan, you can proceed in a variety of different ways. For example, if we do nmap -n -p, for port, and I'm going to give it port 80,

00:29:37,100 --> 00:31:18,880
because that's a pretty common one, and then we'll give it the target, on the Metasploitable machine. Now Nmap will just do a regular scan of port 80, which of course reveals what we already knew from the previous scan: it's open. But you can also scan a port range. For example, nmap and then 1 to, let's say, 200, and what this does is it will scan all the ports between 1 and 200. So this can get back quicker results if you already have an idea of what services you're looking for and you know what particular ports they would be running on, and sometimes, because it's quicker and it's a little less intrusive, it may slip under the radar to do it this way. And just for the sake of completion, I will add that you can also scan all ports by doing -p-. You could even manually input the maximum number and scan all sixty-five thousand five hundred and thirty-four if you really wanted to. Just keep in mind that if you have a range of targets rather than a single target that you're trying to scan, your scan time is going to run quite long if you do something like that. So again, limiting the number of ports that you're scanning to the specific services that you're planning to exploit,

324 00:31:18,990 --> 00:31:25,710 For example, if you were using Metasploit and you had a few particular attacks in mind and you're scanning 325 00:31:25,710 --> 00:31:30,960 a whole bunch of different systems on a network, this can be a lot more efficient. 326 00:31:31,100 --> 00:31:37,230 You know, one thing that you don't notice in a video like this, although you're seeing it now just against 327 00:31:37,230 --> 00:31:38,340 this one target: 328 00:31:38,340 --> 00:31:43,530 it takes a considerable amount of time if you're scanning absolutely everything, but when you're scanning 329 00:31:43,530 --> 00:31:50,820 absolutely everything on a lot of systems, you know, I make edits to the video to make it more watchable, 330 00:31:50,850 --> 00:31:56,120 but you're going to have to sit through it, and believe me when I say that if you've got a lot of systems 331 00:31:56,120 --> 00:32:02,280 it can take actual hours to conduct these scans when you're doing absolutely everything. 332 00:32:02,280 --> 00:32:04,350 So just keep that in mind. 333 00:32:04,380 --> 00:32:12,720 Now, if for some mysterious reason you wanted to scan ports non-sequentially, and you might do this if 334 00:32:12,720 --> 00:32:18,720 you're concerned that the admin is looking at their Wireshark panel or something and you want 335 00:32:18,720 --> 00:32:27,300 to make it look less like a scan and more like something random is going on, what you can do is 336 00:32:27,300 --> 00:32:35,760 nmap -n -p 80 and we'll say comma, I don't know, 443, 337 00:32:40,880 --> 00:32:52,110 so weird as that sounds it's going to scan port 80 and then port 443. Except that, I'm sorry, I 338 00:32:52,160 --> 00:32:57,880 did the wrong thing there, I meant to do p not o, I apologize, 339 00:33:03,380 --> 00:33:04,650 and there we go.
340 00:33:04,650 --> 00:33:12,750 Now the example I'm about to point out next may seem a little bit silly and you might be scratching your 341 00:33:12,750 --> 00:33:19,680 head why you'd want to do it, but bear with me because this will actually lead somewhere. 342 00:33:19,680 --> 00:33:28,900 You can also specify if you want to scan for TCP or UDP, so by way of another example, nmap -n 343 00:33:28,900 --> 00:33:32,310 -p T for TCP 344 00:33:34,650 --> 00:33:41,760 colon 25, 80, so it's going to scan ports 25 and 80, but then we're gonna do 345 00:33:41,760 --> 00:33:53,010 another comma and we're gonna do a U for UDP, colon, and I'll just give it random ports, 137, give it the 346 00:33:53,010 --> 00:33:55,740 target, press enter. 347 00:33:59,070 --> 00:34:09,450 In this case we'd be scanning both TCP ports 25 and 80 and UDP ports 161 and 137 against the specific 348 00:34:09,450 --> 00:34:11,490 target IP. 349 00:34:11,490 --> 00:34:18,960 Now this might be useful if you want to quickly check for a specific exploit and you know which ports 350 00:34:18,960 --> 00:34:28,470 to expect when scanning in the range, but in this particular example, and this is what I'm kind of leading 351 00:34:28,470 --> 00:34:29,610 up to, 352 00:34:29,720 --> 00:34:31,440 we have to make this a little more complicated. 353 00:34:31,440 --> 00:34:32,820 Let's look at nmap 354 00:34:35,450 --> 00:34:48,460 s s p h t 25. I want it to cooperate and demonstrate what I want you to see. 355 00:34:48,700 --> 00:34:52,630 It's not always easy even when you've pre-recorded. 356 00:34:57,670 --> 00:35:05,100 OK, as you can see right here it has given us a few different ports that we specifically looked up. 357 00:35:05,160 --> 00:35:06,710 So that's another way of doing it.
358 00:35:06,900 --> 00:35:12,990 But one important thing to note here is that if we scroll up to our previous scan, 359 00:35:16,060 --> 00:35:17,620 which is a ways up here, 360 00:35:21,030 --> 00:35:25,620 notice that the previous scan says all TCP. 361 00:35:26,170 --> 00:35:38,780 We scroll back down and can see that there is actually a UDP port open, 137, so why did that not get picked 362 00:35:38,780 --> 00:35:40,220 up in the normal scan? 363 00:35:40,360 --> 00:35:49,040 I hear you ask. That is because nmap does not do UDP scans by default. This may stump newer users who 364 00:35:49,040 --> 00:35:55,070 think, based on how it is written, that the aggressive scan I mentioned earlier would of course do a UDP 365 00:35:55,070 --> 00:35:55,490 scan. 366 00:35:55,490 --> 00:35:57,070 I mean, why wouldn't it? 367 00:35:57,080 --> 00:36:01,720 This is just one of those little quirks about nmap. To do a UDP scan 368 00:36:01,730 --> 00:36:05,150 we need to specify that we want to do one. 369 00:36:05,240 --> 00:36:07,460 So coming back to our cheat sheet here, 370 00:36:11,940 --> 00:36:21,100 we add -sU for the UDP scan, which may be kind of slow if you did it by itself without 371 00:36:21,100 --> 00:36:28,300 any other switches, but it is viable to do that. 372 00:36:28,390 --> 00:36:30,730 So this is something that's worth remembering. 373 00:36:30,970 --> 00:36:37,390 In this case we can see that it did in fact find UDP ports that were open, but you have to add the switch 374 00:36:37,390 --> 00:36:43,850 for it, otherwise it simply won't pick it up and you might miss out on a very good open port. 375 00:36:43,860 --> 00:36:48,850 You can also do nmap scans based off the name of a service. 376 00:36:49,240 --> 00:36:57,800 In this case we can say, for example, nmap http, which is the service we're going to be looking 377 00:36:57,800 --> 00:36:58,800 at.
378 00:36:58,850 --> 00:37:00,560 Give it the target information 379 00:37:05,050 --> 00:37:06,160 and run it that way. 380 00:37:08,440 --> 00:37:10,510 Some of the other scans that we can run 381 00:37:13,050 --> 00:37:17,200 are -sT, a lowercase s and capital T, 382 00:37:21,340 --> 00:37:25,370 and that specifies that you want to do the full connect scan. 383 00:37:25,370 --> 00:37:33,220 We didn't do any version scan with that, so coming back over to our cheat sheet, 384 00:37:53,670 --> 00:38:00,100 now as I mentioned before, this option does do the three-way handshake when it connects to ports, so it 385 00:38:00,100 --> 00:38:02,440 will most probably be logged, 386 00:38:07,530 --> 00:38:08,630 probably. 387 00:38:08,760 --> 00:38:19,110 And then if we do -sS, lowercase s capital S, we specify the stealth scan, also known as the half-open scan, 388 00:38:20,960 --> 00:38:26,870 because we only find out if ports are open or closed and not in a filtered state. 389 00:38:26,870 --> 00:38:30,770 But remember that the word stealth does not mean invisible. 390 00:38:30,770 --> 00:38:37,340 I know I keep harping on that, but I really don't like that word because it misleads a lot of people. 391 00:38:37,460 --> 00:38:42,110 And while I'm on the subject, another scan that we can do, although it does not... 392 00:38:42,590 --> 00:38:49,510 OK, another scan that we can do with most versions of nmap is called an Xmas scan. 393 00:38:49,520 --> 00:38:57,370 However, this version will only work with Linux versions of nmap and, I believe, Mac OS. 394 00:38:57,380 --> 00:38:59,960 It will not work with Windows. 395 00:38:59,960 --> 00:39:12,780 So for that we would do -sX, lowercase s capital X, and that sends a scan with the PUSH and FIN flags set. 396 00:39:12,790 --> 00:39:20,590 It does not work with Windows, and really there are only a few select cases where you'd want to do that 397 00:39:20,650 --> 00:39:21,230 anyway.
398 00:39:21,730 --> 00:39:26,360 But it's just worth remembering that when you're using nmap with Windows, it just doesn't work. 399 00:39:26,380 --> 00:39:34,720 And again, the idea of doing that is to try to bypass logging. And last but not least, 400 00:39:37,890 --> 00:39:45,810 we'll throw in nmap -sA, lowercase s capital A, and this one will work with Windows, 401 00:39:49,400 --> 00:39:54,120 and the scan will come back with whether or not the port is filtered. 402 00:39:54,590 --> 00:39:56,650 Oh, I forgot to add the port. 403 00:39:56,660 --> 00:40:00,460 I'm sorry, little mistakes. 404 00:40:00,460 --> 00:40:04,160 There we go, okay. 405 00:40:04,330 --> 00:40:06,760 Right here it tells me that it is unfiltered 406 00:40:10,730 --> 00:40:12,190 and determines the state of the port. 407 00:40:12,200 --> 00:40:19,410 And that is essentially it, so those are all of the basic examples of using nmap. 408 00:40:19,410 --> 00:40:22,480 There are many other switches that you can use as well, 409 00:40:22,710 --> 00:40:26,490 but those are some of the most common that you would use. 410 00:40:26,520 --> 00:40:34,120 It just depends on how sneaky you're trying to be during your licensed and authorized penetration test. 411 00:40:34,290 --> 00:40:37,860 It is even possible to set up your nmap scan to use 412 00:40:37,860 --> 00:40:40,620 timing, and timing is a bit interesting. 413 00:40:40,620 --> 00:40:47,400 It goes from zero to five, with five being the fastest and zero being the slowest. 414 00:40:47,550 --> 00:40:51,290 You might wonder why anyone would wish to slow down these scans, 415 00:40:51,300 --> 00:40:56,900 but the idea is to avoid the all-seeing eye of the system administrator. 416 00:40:56,940 --> 00:41:02,250 So in this case I'm going to pull up the cheat sheet one more time 417 00:41:05,060 --> 00:41:11,550 and we're going to add our timing switch, so -T.
418 00:41:11,670 --> 00:41:14,040 And then it would be 0 to 5, 419 00:41:27,260 --> 00:41:33,890 so again the idea is if you're doing it at full speed, and by the way, if you want to do it at full speed 420 00:41:34,460 --> 00:41:36,380 you don't really need to specify five. 421 00:41:36,380 --> 00:41:40,160 This is just the maximum that nmap will run by default. 422 00:41:40,160 --> 00:41:46,130 But if you're doing it at full speed you have the highest chance of being picked up, and you'll see why 423 00:41:46,130 --> 00:41:53,900 this is when we get into the Wireshark section, the module pertaining to Wireshark, and I 424 00:41:53,900 --> 00:41:59,750 don't want to pull that up now because I think that that would be confusing for newer users, and I don't 425 00:41:59,750 --> 00:42:02,890 want to muddy this module by bringing up another module. 426 00:42:03,020 --> 00:42:10,250 But when you're seeing things from a system administrator's point of view, you can see that packets are 427 00:42:10,250 --> 00:42:15,020 coming in at regular intervals, being mixed with other packets. 428 00:42:15,020 --> 00:42:21,680 So by adjusting the timing, what you're trying to do is you're trying to make your scan kind of slip 429 00:42:21,680 --> 00:42:25,140 through the cracks, so to speak. 430 00:42:25,370 --> 00:42:33,200 In other words, you're hoping that your scans will get lost amidst other noise, and the bigger the delay 431 00:42:33,200 --> 00:42:36,370 between the scans the less likely you are to be seen. 432 00:42:36,380 --> 00:42:46,450 At least that's the idea. So I'll give an example of how this works. I'm gonna do nmap 433 00:42:46,590 --> 00:42:49,230 -T4, 434 00:42:49,350 --> 00:42:51,280 because I don't want to be here all night, 435 00:42:51,430 --> 00:42:54,120 10.0.0.8.
436 00:42:54,480 --> 00:43:04,170 And we will press enter, and essentially all this is doing is running a generic nmap scan with 437 00:43:04,170 --> 00:43:11,970 no switches set, which means it's technically a stealth scan, but we've slowed the timing down, and you 438 00:43:11,970 --> 00:43:14,030 can see it still came through rather quickly. 439 00:43:14,040 --> 00:43:24,480 But if we did it at 3, 2 or 1 it would be very, very slow, and that means really, really slow when you're 440 00:43:24,480 --> 00:43:29,230 talking about a lot of different computers on a network. 441 00:43:29,310 --> 00:43:37,710 The more targets there are the more brutal it can get. What it's doing is it's sending a probe, it's 442 00:43:37,710 --> 00:43:43,350 waiting, it's sending another probe, it's waiting, and it's usually going to be a predetermined amount 443 00:43:43,350 --> 00:43:44,960 of time between each probe. 444 00:43:44,970 --> 00:43:50,720 Fifteen seconds, fifteen minutes, whatever it happens to be. 445 00:43:50,820 --> 00:44:03,030 So if you decide to go with -T1 and you're scanning a large netblock, I recommend going out for a bite 446 00:44:03,030 --> 00:44:10,990 to eat, maybe see a movie, 'cause you're gonna be at it for a while. Now I'd also like to demonstrate the 447 00:44:10,990 --> 00:44:17,610 verbose option, and it goes well with timing because it lets you see what the timing actually is. 448 00:44:17,620 --> 00:44:28,180 So if we add a -v, a -vv or even a -vvv, we are specifying that we want the output to be 449 00:44:28,180 --> 00:44:35,720 either verbose, very verbose or very, very verbose, and I know that's a mouthful. 450 00:44:35,740 --> 00:44:43,810 I'm also going to add the -dd option, which is short for debug mode, so it'll give us even more 451 00:44:43,810 --> 00:44:44,530 information.
452 00:44:44,530 --> 00:44:50,290 I'm going to cover both of these at once, so we do nmap, and I'm going to do it at full speed but I'll 453 00:44:50,290 --> 00:44:58,740 still include timing, and we're going to be very verbose. Remember, 1 v is verbose, 2 is very verbose, 3 454 00:44:58,750 --> 00:45:05,280 is very, very verbose, and then -dd for debug, and give it our target. 455 00:45:11,110 --> 00:45:16,060 You'll see here that it gives you a timing report when you add those switches in there. 456 00:45:20,460 --> 00:45:27,050 It is extremely slow, particularly if you select a number lower than 5 for your timing switch. In the 457 00:45:27,050 --> 00:45:34,070 case of a TCP port, it's going to wait a thousand seconds at a setting of -T1 before it sends another 458 00:45:34,070 --> 00:45:43,110 probe, just to give you some idea. When you do something like this against a larger network, just remember 459 00:45:43,580 --> 00:45:50,670 it can take a long time, and this is something to consider when conducting a penetration 460 00:45:50,670 --> 00:45:57,270 test for a particularly demanding employer. If you're on a schedule or a timetable and you have a limited 461 00:45:57,270 --> 00:46:01,250 number of tests that you can run in a given day, 462 00:46:01,440 --> 00:46:07,440 this may not be viable, to try to use timing to circumvent detection. Anyway, 463 00:46:07,440 --> 00:46:16,400 let's talk about outputs. We can take the information that nmap gives us and put it into reports. 464 00:46:16,600 --> 00:46:21,740 For that we just use a dash and a lowercase o. 465 00:46:22,030 --> 00:46:23,470 For example, 466 00:46:26,560 --> 00:46:37,950 nmap -o and then A, and A stands for all of them, then I'll give the reports a name, which I'm going 467 00:46:37,950 --> 00:46:43,050 to just call udemyscan, for the target, 468 00:46:52,260 --> 00:46:57,180 and what this will do is go ahead and pull up the scan in different formats.
469 00:46:57,270 --> 00:47:02,700 You won't see this happen because it's being written in the background as the scan is taking place. 470 00:47:02,700 --> 00:47:10,890 These reports come in three different flavors: grepable, as well as the normal nmap report, and finally 471 00:47:11,220 --> 00:47:13,080 an XML file. 472 00:47:13,080 --> 00:47:20,820 You may recall I mentioned it is possible to import an XML nmap scan into Sparta during the module 473 00:47:21,420 --> 00:47:22,790 covering that program. 474 00:47:22,800 --> 00:47:25,470 And this is how you would create one. 475 00:47:25,500 --> 00:47:36,210 So going back real quick to our cheat sheet, we do -o to create these reports, and then A after the 476 00:47:36,210 --> 00:47:47,760 o would be for all, G would be for grepable if you only wanted that, N for normal and X for XML. 477 00:47:47,760 --> 00:47:48,720 So going back, 478 00:47:55,230 --> 00:48:04,810 we can see that there are three new files that have been created: udemyscan.nmap, udemyscan 479 00:48:05,020 --> 00:48:09,900 .gnmap, that's the grepable, and udemyscan.xml. 480 00:48:09,940 --> 00:48:15,900 That would be if you wanted to import it into Sparta or some other program that would use the XML file. 481 00:48:17,200 --> 00:48:24,030 Pretty straightforward. 482 00:48:24,180 --> 00:48:31,170 Now we'll dig a little deeper into scripting. The scripting language used for nmap is called Lua, that's 483 00:48:31,320 --> 00:48:35,190 L-U-A. If you know how to script in Lua, 484 00:48:35,190 --> 00:48:41,010 there is some syntax that you can look up on the script reference on the nmap website, and that'll 485 00:48:41,010 --> 00:48:45,200 teach you how to make various different types of scripts.
486 00:48:45,210 --> 00:48:50,820 That being said, if you'd like to see what types of scripts are currently out there, from within your 487 00:48:50,820 --> 00:49:00,750 terminal window you can type nmap --script-help and then in quotations we're going 488 00:49:00,750 --> 00:49:05,790 to put the type of script that we're looking for. In this case, for example purposes, 489 00:49:05,790 --> 00:49:13,050 I'm going to do ftp- and then the asterisk, which is kind of a wildcard, so I'll explain that in a minute, 490 00:49:13,170 --> 00:49:21,430 and then close quotes and press enter, and all this is doing is asking nmap to find you all the scripts 491 00:49:21,460 --> 00:49:27,600 that begin with ftp-, and the asterisk indicates you want them all. 492 00:49:28,030 --> 00:49:36,640 If you just want any script with ftp in it, you would say ftp without the dash and the asterisk. 493 00:49:36,840 --> 00:49:43,080 We know from our prior scan that our target has a port that allows anonymous logins. 494 00:49:43,080 --> 00:49:46,020 So if we scroll up 495 00:49:54,840 --> 00:50:03,240 we see a script called ftp-anon. We can also check to see if they are vulnerable to bounce attacks, 496 00:50:06,520 --> 00:50:14,570 and we could also check to see if we can see a specific backdoor, and you can do this with basically 497 00:50:14,570 --> 00:50:22,210 any of these, SMTP, SSH, HTTP, and you can just type in whatever you're looking for and nmap will 498 00:50:22,220 --> 00:50:23,720 pull it up for you. 499 00:50:23,840 --> 00:50:26,750 So knowing this, let's go ahead and do a script. 500 00:50:37,030 --> 00:50:39,750 We'll actually run two, and to do that 501 00:50:39,750 --> 00:50:42,440 we need to separate each by a comma. 502 00:50:42,750 --> 00:50:46,200 So we'll do, 503 00:50:46,280 --> 00:50:52,270 and pardon me, nmap --script 504 00:50:52,280 --> 00:50:54,590 equals,
505 00:50:54,920 --> 00:50:58,040 and then I'm going to paste in the one you just saw me copy, 506 00:51:03,080 --> 00:51:07,570 and that ran it by default because of the way my Kali is configured. 507 00:51:07,580 --> 00:51:13,880 Again, my apologies, you shouldn't do that, but we'll separate that by a comma and we will include ftp- 508 00:51:14,010 --> 00:51:16,230 anon as our second script. 509 00:51:16,250 --> 00:51:19,730 So now when I press enter it will run both of them back to back. 510 00:51:19,910 --> 00:51:22,130 And of course it helps if you give it a target. 511 00:51:22,160 --> 00:51:32,740 So I will do that now. I'll run it, and now it will check for both of those. 512 00:51:32,940 --> 00:51:38,940 It looks like ftp-anon failed, perhaps the target is not vulnerable, but 513 00:51:45,230 --> 00:51:54,260 we can see that ftp-vsftpd-backdoor has revealed the target is in fact vulnerable to this exploit, 514 00:51:55,640 --> 00:51:58,230 and that's basically how you would use a script. 515 00:51:58,280 --> 00:52:08,390 So just for clarity, another example might be nmap --script-help=smtp-, throw 516 00:52:08,390 --> 00:52:12,800 in the asterisk because we want all of them, and press enter, 517 00:52:21,250 --> 00:52:25,280 and there we go. 518 00:52:25,500 --> 00:52:32,550 It is a powerful engine, to be able to expand nmap's overall functionality to add any scripts. 519 00:52:32,550 --> 00:52:40,560 It also allows nmap to go from a passive, or even not so passive, reconnaissance tool to an active exploitation 520 00:52:40,560 --> 00:52:44,690 framework, which can be pretty handy.
521 00:52:44,720 --> 00:52:51,530 There are a great many other techniques for efficiency and stealth that you can find by carefully examining 522 00:52:51,530 --> 00:52:57,410 all the nmap switches. I said at the start of this tutorial that it would not be realistic to go 523 00:52:57,410 --> 00:53:03,530 through every possible case example, but you might try breaking up your search packets with something 524 00:53:03,530 --> 00:53:11,990 like the -f switch, or even randomizing hosts so that ports are not scanned in succession. In the 525 00:53:11,990 --> 00:53:12,650 end, 526 00:53:12,650 --> 00:53:16,440 the use of nmap is both a science and an art. 527 00:53:16,540 --> 00:53:22,010 The science can be taught, but the art must be developed through use. 528 00:53:22,010 --> 00:53:28,070 Before we wrap up this module, I'd like to make mention of the fact that nmap can be used in conjunction 529 00:53:28,070 --> 00:53:34,300 with Metasploit, and there are many valid ways to showcase it with Wireshark. 530 00:53:34,340 --> 00:53:39,500 I thought long and hard about including those techniques in this video, but I came to the conclusion 531 00:53:39,890 --> 00:53:46,430 that it would be too advanced for inexperienced students at this point in time. Both Wireshark and 532 00:53:46,430 --> 00:53:53,270 Metasploit will be covered in sections further down the line, and I shall try to include some illustrations 533 00:53:53,270 --> 00:53:55,430 of these techniques when we get to them. 534 00:53:57,000 --> 00:54:01,600 Hopefully after watching this video you have a good idea of how to use nmap. 535 00:54:01,650 --> 00:54:07,950 I encourage you to use it against your own Metasploitable virtual machine or computers on your network 536 00:54:07,950 --> 00:54:09,900 that you personally own.
537 00:54:09,900 --> 00:54:16,080 Just again, remember never to employ it against any system or netblock that you don't have personal 538 00:54:16,890 --> 00:54:20,350 written permission to scan, and have fun with it. 539 00:54:20,370 --> 00:54:25,860 And remember that while this may seem like one of the most daunting tools, just because of the sheer 540 00:54:25,920 --> 00:54:27,600 number of options that it offers, 541 00:54:27,780 --> 00:54:32,700 it really is easy to learn with practice. 542 00:54:32,700 --> 00:54:34,740 So have fun with it. 543 00:54:34,770 --> 00:54:35,220 Thank you.