[00:00:01] Welcome to part six of this module.

[00:00:06] Now let's go ahead and take a look at Zenmap. Zenmap is the official Nmap security scanner graphical user interface. It's multi-platform just like Nmap, which means that you can use it on Linux, Mac OS, and even Windows. It's a free and open source application, and its goal is to make Nmap a little easier for beginners. It also provides a few advanced features for Nmap users. Frequently used scans can be saved as profiles, which make them easier to run repeatedly, and a command creator allows interactive creation of Nmap command lines within the tool itself. Scan results can be saved and viewed later, and scan results can also be compared with one another to see how they differ. All the results of recent scans are stored in a searchable database, so all in all it's a pretty convenient tool.

[00:01:04] Zenmap comes prepackaged with Kali Linux 2.0, or it can be downloaded from the nmap.org web page.

[00:01:14] So before I begin I have to give, I'm afraid, the same tiresome admonition that I've given in previous modules: Nmap is by its nature an aggressive scanner unless you take special steps to make the scans passive, which means that I have to remind you to only scan networks that you personally own or have written permission from the owner to scan.
[00:01:42] Otherwise you could be doing something illegal. In this tutorial, one of my targets will be scanme.nmap.org, and as you can see on the web page, written permission has been given to conduct these scans. They also ask that you don't use brute forcing or cracking tools on this site or conduct excessive scans, and provided you follow these guidelines, you may also use this site as a test of your Nmap or Zenmap utilities for as long as this permission lasts. But please always check and make sure that the permission is still being extended.

[00:02:20] All right, so with that necessary admonition out of the way, I'm going to pull up Zenmap. I'm going to minimize this to load Zenmap. Just like Nmap, we're going to go to Applications, Information Gathering, and we will click Zenmap. You can also load this from the terminal window by typing zenmap.

[00:02:50] Now before we begin, I do have to say that when I create these modules I do my best to make each one a standalone video, so that you can learn everything there is to know about an application simply by viewing the module that pertains to it. However, in this case Zenmap is literally just Nmap. So in the previous module, which deals with Nmap, I go over all of the specific particulars of how each different command and option within Nmap works.
[00:03:28] And it would be extremely redundant to go over all of that ground again when speaking about Zenmap. So for that reason, if you haven't watched the Nmap tutorial, I strongly encourage you to do so before proceeding with this introduction to Zenmap. However, it's not absolutely necessary. You can get the gist of how this program works just based on what I'm going to show you, but even so, for the finer points you will want to see the prior module.

[00:04:01] So with that in mind, we're going to take a look at this, and as you can see this is very similar to other applications you may have seen already, such as Sparta. We have our command line here, which is exactly like the terminal window command for Nmap in this case. If you watched the prior module you will know that if we ran this in the terminal window it would have a timing set to 4, which is the second fastest; the dash A, or tac A, means that it will conduct an aggressive scan, which Zenmap calls an intense scan, but it is the same thing; and tac V would stand for verbose. Now our target to start out with is going to be scanme.nmap.org, and as far as our profile, we have many options from the drop-down menu. The intense scan is the default option selected when you first load Zenmap. We could do an intense scan and include UDP ports.
[00:05:16] If we select this, notice that the command line has actually changed to include this option. If we wish to do a quick scan instead, we're presented with tac F instead, and those prior options are removed. Now bear in mind that if you know what you're doing, and if you watched the previous module hopefully you do, you can manually change these commands in the command line to anything you want, which you will see me do before this tutorial is over.

[00:05:56] In fact, I think I'm going to do that right now. I'm going to change T4 to T5, the fastest scan. It's also the loudest, but I'm scanning myself so it really doesn't matter, and I am going to make my first target the Metasploitable virtual machine I have running. And the reason for this is I would like to show off the topology, and I've noticed that with multiple different scans sometimes the topology does not update correctly. So with that in mind, let's select intense scan and we will scan all TCP ports. So this is an aggressive scanner. Change the timing again. OK, change that back to five; five is the fastest, and sure, this is good. They really need the ping in there, but we'll go ahead with it, and we will click scan.

[00:06:56] And as you can see there is a small little bar over here that indicates the scan is taking place. This is an aggressive scan.
[00:07:04] So it's going to check for absolutely everything. We didn't expressly select any scripts, but we could do that in the command line if we chose, or we could go with whatever defaults come with the preloaded profiles in Zenmap.

[00:07:27] Information is being gathered. I'm going to make a small cut to the video at this point and resume recording after this is complete, as it will probably take several minutes.

[00:07:39] And here we can see that the scan is complete. The bar has stopped flashing, so scroll down and take a look. As you can see by the readout, it'll give you a step by step report along the way. In this case it's telling us that the SYN stealth scan was about 46.72 percent done at that point in time, and it gave an estimated time to completion of five minutes and forty seven seconds. Several NSE scripts were initiated, whatever was default for that part of the profile. And now if we come all the way down we can see the full readout, and we can see in multiple places that it is a Metasploitable machine using a Linux kernel. OS detection puts it at Linux 2.69, 2.6.9 excuse me. It takes guesses about its uptime, its network distance, which of course in this case is only one hop, and so forth.
[00:09:06] And if we come over here to Ports and Hosts, we can see everything that is currently open on the target. Now since this was just a generic aggressive scan with really very little specification, we're not going to see UDP ports. We would have had to have specified that in the scan line, or in the command line, excuse me. So what we're going to see here is open and closed ports, but that is the limit, only open and closed for TCP.

[00:09:39] Coming over to the Topology tab, it's quite small because obviously this is a virtual machine that we're scanning. However, if you were scanning a remote network from a distance, you would essentially see a network map of ever growing circles, and each hop would be demonstrated along the map. And this is not something I can demonstrate when we go up against scanme.nmap.org, because unfortunately that would reveal my office IP address, which wouldn't be prudent. But when you try this yourself you will see the map in all its glory; it tends to be quite large and will demonstrate all of the hops between you and your target.

[00:10:34] And here we can see Host Details, things like number of ports open, the operating system, the accuracy of the guess, which in this case is 100 percent, ports used; it did detect a closed UDP port.
[00:10:51] That's interesting. Most cases, and so forth. And you have the opportunity to add comments to this profile over here. Remember that as you're using Zenmap you can generate a lot of different targets, so keeping careful comments is a wise policy.

[00:11:24] And this is just the Services tab. And if we click on this and then, let's say, HTTP, it will narrow down the results to open HTTP ports on our target. So it's just another way of looking at the data.

[00:11:49] So now we're going to go ahead and do scanme.nmap.org. And the reason that I want to show both of these is I want to illustrate how easy it is to toggle between multiple target data using Zenmap. So paste, and we're going to make this a quick scan; actually, we'll go ahead and make it an intense scan, but we're not going to do UDP, that would be a very, very long process, and we're going to switch this to five. Everything else is in order, so I'm going to click scan.

[00:12:38] And once again I'm going to pause the video at this point and resume when the scan is complete.

[00:12:45] All right, and we're back. Now I can't show you all of this data, because if I were to scroll down my office IP address is displayed, and that's the same reason I can't click on the Topology button.
[00:12:59] However, if I come over to Ports and Hosts we can see what is listed as available on scanme.nmap.org. And as you can see, we can easily switch between scans. Now if you're scanning a very large network with a great many different targets, this is a very efficient way of keeping all of your scan results organized and quickly moving from one to another. So in this respect Zenmap is a little bit better than the terminal version of Nmap, because of course with the terminal version you can save files such as an XML file or greppable file, but you can really only deal with one at a time, unless you want to have a lot of different scan results on your terminal screen and scroll up and down, or have multiple different terminal windows open. Some people like to do that. I know that there is a certain class of pen tester who feels that, you know, if you're a pro you only use the terminal, and, you know, GUIs are for beginners, you know, that kind of an attitude. But as you can see, this is actually very useful. So it's literally just Nmap. If you watched the Nmap module, hopefully you know all the commands and you know the differences between, say, an intense scan or a UDP scan or a ping scan, and you also know, and it bears mentioning again, that even when Nmap says something is passive or stealth,
[00:14:35] you still need to take additional steps to really and truly be anonymous, and again, if that is a concern for you, please see the modules dealing with anonymity, particularly the ones dealing with virtual private networks and proxies.

[00:14:52] So with that being said, this has been Zenmap. I'm not really sure what else to add. You can of course save your scans just like with the command line version, and you can quickly load them up again just with Open Scan; you can also open a scan in this window. So if you wanted to, I don't know, mix here, you know, have it all on screen at one time, you could do that. It's possible to compare results of your various scans, filter hosts. So all in all, Zenmap is a handy little tool, and I think one of the best things about it is that it's a good way of presenting information about a particular target relating to a pen test, or targets, to an employer or to anyone who is not, shall we say, initiated in the ways of the command line, because of course when you're looking at this information in the command line, when you know what you're looking at it's very straightforward, but it can be either intimidating or confusing for people who are more used to this sort of a presentation.
[00:16:03] And it's good if you're giving a presentation to a large organization, going over the security vulnerabilities that you've discovered, because it's something that they can look at and see and immediately understand.

[00:16:20] So that's pretty much all I have to say about Zenmap. As I said, it's a pretty straightforward tool, and I hope you know enough between this module and the prior module on Nmap to be able to use it effectively and have fun with it. It is definitely a much beloved tool; both Nmap and Zenmap have a great deal of support in the online community. You can find additional scripts on GitHub that can be utilized by both Nmap and Zenmap, although as I mentioned in the previous module, you will need to do your due diligence and only download from trusted sources and ensure that what you're downloading is actually what you want. And of course you can get more scripts off the Zenmap and Nmap web site simply by updating. So there is that, and that's pretty much all I had to cover. This is a great utility and I hope it will be of great use to you. Thank you.