[00:00:00] Now, active reconnaissance tools. So now we're actually going to be connecting and conducting hands-on analysis of whoever our targets are. So the first active reconnaissance tool that I'm going to go over is probably the most important one, and that is Nmap. That is the name of the tool, and it is a port scanner. And if you're a penetration tester or ethical hacker, you're going to use it, and you have no way around it, OK? It's a very powerful scanner that can be used to scan entire networks so that you can see what ports are open, and by looking at the ports that are open it can actually determine, you know, what operating system that device is, what services are running on the devices. You'll be able to see what ports are closed or filtered and actually find the open ones, like I said before, and discover vulnerabilities with them. And it also has a built-in vulnerability scanner too, which a lot of people probably don't even know about. So let's play with a few different Nmap commands. So I'm back on my Kali Linux machine, and for this one we're actually going to need some of our targets to be up. So I have my Metasploitable virtual machine up and running right here. The IP address on this one, all of them...
[00:01:18] The network address, if you remember from the networking section that you should have watched, the network address is 192.168.56. That's the network address for our little host-only network that we have, and the specific address for the Metasploitable machine is .104, and for our Windows 10 machine it's .121. So what we can do is, let's do nmap and let's check 192.168.56 dot, let's check out the Metasploitable machine, and that's .104. So when it comes to Nmap, there's a lot of different flags that you can do, so there's a couple of different kinds of scans that you can do. So what you typically want to do is the SYN scan. It pretty much initiates the TCP three-way handshake, but it doesn't finish it. So this is the best way to scan undetected, and the way that you're going to do that is with a dash, lowercase s, and then capital S. So this is going to perform a SYN scan. If you wanted to do a full TCP scan, then you would just put a T right here. But for right now we're going to do just -sS. OK, after this you might want to determine, you know, what ports you want to do; you determine this with -p, and you don't have to put a space right here, but you can.
[00:02:46] So if you wanted to do every single port, you would do -p 1-65535. Remember, if you watched the networking section, you would know that. But for right now we'll just do, actually, I would do 65535; I would do all the ports right now. So right now we have it set up to where we're going to do an Nmap scan on our Metasploitable machine. It's going to do a SYN scan, which means it's not going to complete the handshake, so it's pretty much undetectable for the most part. We're going to do a -p to specify that we want to scan every port from 1 to 65535. So it's going to scan all those ports and it's going to tell us the open ones. And one neat thing that we can do, if we only want to see results, because otherwise there's a lot of results, if we only want to see results for open ports, we do --open. And this is just going to show us any ports that Nmap finds that are actually open. This will conduct a basic scan, so we can go ahead and actually run this one and see what the results look like. OK, and obviously I need sudo, right? So just remember, if you want to do sudo -i so you don't have to do this, but you're going to need sudo.
[00:04:05] And then we're going to let it go and give it a couple of minutes, and we're going to come back with some results. Look at what our Nmap scan did. It actually took about three seconds. So it scanned all of those ports that fast on that machine and figured out which ones were actually open and told us. So, for example, FTP is open on that one, SSH is open, Telnet is open, which is really bad. So we can connect over Telnet on this machine. Remember, this is Metasploitable, so it's supposed to be exploitable. So you can see all the different services that are actually running over these open ports. And these are definitely all things that you want to take note of, because you could probably exploit every single one of these if you actually looked into them. And we're going to be looking at some of those when we actually start attacking. But right now, in the information gathering stage, for our next scan, let's say that we want to figure out the version of the services that are running on each one of those open ports that we saw. So what we can do is actually a version scan, and over here we change the -sS to -sV, and now that's actually going to go look at these open ports and tell us what the services and their versions are, or at least try to.
[00:05:22] So let's go ahead and run that scan. And also just a quick note: if you want to enable verbose mode, which means just showing more output while running stuff, it's kind of entertaining, honestly, to see what's happening. What I would have you guys do is -vv, very verbose, and it's going to show you output while the scan is actually conducting. So you see it's actually saying, hey, discovered this port, discovered that port. So it's going to tell us what's actually happening. So let's give it some time and then we're going to look at the results from this version scan. OK, so our service version scan actually completed, and look at all this information that we figured out. So remember, we did very verbose, so it showed us the open ports when it found them. But look at this now. We have a column that says version, and it's telling us, hey, over port 21 it's running FTPD 2.3.4. Now we can use that information, and we're going to talk about it later on, like how to find exploits for these things. So I can guarantee that many of these are exploitable, and it's going to be pretty fun actually when we get to attack.
[00:06:33] And so this is the type of stuff that you want to document. And one other thing that you can do also, just for any of these commands, if you do want to output it into a file, you would just do -oN and then the filename, like notes.txt, and it'll put it into that, it'll create that file, and that's in the current directory. Or you can specify where you want it to go, like /root/something, I don't know, it doesn't matter. So it'll create that file and put all the output into that file, and then you'll be good to go. You can go back to it at any time, maybe during your penetration test, as you're coming back, checking through one thing at a time, going to see if it is vulnerable, and then coming back for the next thing. You want to document everything. Very, very powerful. Another command that I like to run, that's actually a very, very useful command. Now, these are called switches, and you can add these switches; you can do different types at the same time. But what I've noticed is that when I do this I kind of get overwhelmed with the information. So I like to just have one switch at a time and have them in separate scans.
[00:07:46] So there's what I like to call the all option, the all switch, -A. I call it that because it does the version scan, it looks for versions of services, it'll do a port scan for you, it will also do operating system discovery, and also break down more about each service that is discovered on these ports. So let's go ahead and run this and see what kind of results we get. So the scan is finished, and look at this wealth of information just from this one scan. So let's break it down a little bit. So as you can see, it discovered open ports because it did a regular Nmap scan, and it also went through and scanned the services set up there. And now it found, OK, port 21 is open, it's running this, as we saw before, but it's a little bit more of a breakdown. Like it said, hey, anonymous FTP login is allowed, so it actually went and tested it. So now we know that's a potential entry point for us, so that's maybe something to take note of. And then also, like right here, port 22 is open, it's running SSH, and it gives us the OpenSSH version that is running. It just gives us a lot more detail and a breakdown of what's actually found running on these ports. I really recommend that you use the -A switch.
[00:09:04] It might be a little bit overwhelming at first, but it's actually really good information, it's actually informative, not too bad. You get used to looking at all this different text, though. And what I also wanted to show was that it actually did an operating system scan. So, you know, the OS is running a Linux 2.6 kernel, and it just gives you information about that. So it's pretty positive. Sometimes it'll give you a guess of the operating system; with this one it knew exactly, just based on the fingerprints that it was able to get from the scan. So there's a lot of stuff that we can get with Nmap. I really recommend that you go in and actually play around with Nmap, because this is going to be your bread and butter when it comes to penetration testing. OK, so another type of scan that's very useful that you're going to want to do is a UDP scan, and that is signified, remember where we had the dash s and the capital S for the SYN scan, so we want to do a dash s capital U here to signify, hey, go do a UDP scan, because remember from the networking section, these ports, the 65535, exist not only on TCP but also on UDP, and services are running on UDP as well.
[00:10:20] So you definitely want to check into specific systems, you know, if they have services running over UDP. I've definitely seen on assessments where there's not really many services running on TCP, but when I do a UDP scan, I find services that I could potentially exploit. So I'm just doing ports 1 to 100 just to show and see if we can actually get anything from it. So let's go ahead and run the command. OK, so it finished, so let's actually look at it. So it went through and actually told us, hey, this was closed, closed, closed; it says open|filtered, which most likely is probably a closed port that's just filtered, which is not going to give you the response that you want. I believe that it actually found that UDP port 53 is open. So DNS is running over that port. We can also do version scans on these ports as well. So if we can do it on that specific port, just to see, just for the heck of it, just to see what's on it. So let's do that really quick. So, you know how we've been doing ranges typically; we can actually just specify a specific port. So right here we'd be scanning DNS over UDP and try to see... We want to figure out a version, so we do -sV and figure out, maybe we can figure out what version of what's running over that port.
[00:11:46] So see, right here it was saying, hey, it's running DNS, and you know who's running this right here. So this version right here, pretty useful. So I definitely recommend, go around, play with it, make sure that you do your UDP scans. OK, something interesting: Nmap, like I said, comes with a vulnerability scanner. So what you can actually do is, it comes with scripts as well that can do different things. I'm not going to go over all the scripts, but for example, if we wanted to pull this back up so that we have our target right here, what we can do is actually run an Nmap script to figure out if there is any SMB or something like that available on this system. So we can do nmap, and then we have our target, and then we can actually do --script and then say equals and smb-os-discovery, and it's going to go actually run this script that's built into Nmap and actually let us know what it finds. So let's go ahead and run this. So it's done. So it did a quick Nmap scan of just some default ports that it would look for; we didn't specify specific ports. But right here is the script result that we wanted. So it pretty much used SMB to try to figure out what the OS was. So, you know, it's saying, hey, the OS is Unix or Linux, and Samba 3.0 is actually being run.
[00:13:20] So that's something that's very useful, and it's something that we kind of figured out before from different scans. But the point is, there are different ways to find out the different information, and Nmap has a bunch of different scripts that we can actually use. There's a DNS zone transfer script that you can use, and actually there's a switch that you can call, --script-help. So you do nmap --script-help and then you can put the script name. So like, let's say dns-zone-transfer: how do I use this script? And it'll actually spit out some help for you. So here's the detail, as well as a description of what it does, and just some help on how to use it and such. So definitely look into the different scripts that Nmap provides us with, because it's very useful. And you can actually look for vulnerabilities, because there are some scripts that actually will look for SMB vulnerabilities, for example. Also, if you're wondering, you can take a look; I guess you do a quick ls of the directory with the Nmap scripts and see what scripts are available so that you could run them with that --script= command along with nmap. So you could do ls /usr/share/nmap/scripts and it's going to give you a list of all the scripts.
[00:14:40] So all kinds of stuff, man, so you can find out all kinds of stuff. So it's pretty good. They have the MongoDB scripts, the Metasploit ones, a lot of different ones. The firewall bypassing one, firewalk. That's the thing I like to use a lot when I'm conducting penetration tests. I like to figure out what rules might be in place for a firewall so you can plan your attack a little bit better.