1
00:00:00,060 --> 00:00:06,630
Now, active reconnaissance tool, so now we're actually going to be connecting and actually, you know,

2
00:00:06,840 --> 00:00:12,880
conducting hands on analysis of what whoever our targets are.

3
00:00:12,900 --> 00:00:19,680
So the first active reconnaissance tool that I'm going to go over is probably the most important one.

4
00:00:19,680 --> 00:00:23,750
And that is the name of the tool and it is a port scanner.

5
00:00:23,790 --> 00:00:30,540
And if you're penetration tester, ethical hacker, you're going to use and you have no way around it,

6
00:00:30,540 --> 00:00:30,960
OK?

7
00:00:30,980 --> 00:00:37,290
It's a very poor scanner that can be used to scan entire networks so that you can see what ports are

8
00:00:37,300 --> 00:00:44,220
open by looking at the ports that are open and can actually determine, you know, what operating system

9
00:00:44,220 --> 00:00:48,840
that device is, what services are running on, the devices.

10
00:00:48,870 --> 00:00:53,280
You'll be able to see, you know, what ports are like closed or filtered and actually find the open

11
00:00:53,290 --> 00:00:57,510
ones, like I said before, and discover like vulnerabilities with them.

12
00:00:57,720 --> 00:01:02,310
And also has like a built-In vulnerability scanner to which a lot of people probably don't even know

13
00:01:02,310 --> 00:01:02,810
about you.

14
00:01:02,820 --> 00:01:05,550
So let's play with a different a few different map commands.

15
00:01:05,560 --> 00:01:07,260
So I'm back on my colonics machine.

16
00:01:07,260 --> 00:01:10,200
And for this one, we're actually going to need some of our targets to be up.

17
00:01:10,800 --> 00:01:15,420
So I have my meds, portable virtual machine up and running right here.

18
00:01:15,570 --> 00:01:18,330
The IP address on this one, all of them.

19
00:01:18,330 --> 00:01:22,950
The network address, if you remember from the network news section that you should have watched the

20
00:01:22,950 --> 00:01:26,370
network addresses one nine two one six eight nine five six.

21
00:01:26,700 --> 00:01:33,960
That's the network address for our little host only network that we have and the specific address for

22
00:01:33,960 --> 00:01:40,340
the metastable machine and the one before and for our Windows 10 machine and in twenty one.

23
00:01:41,010 --> 00:01:49,980
So what we can do is see, let's do a map and let's check one nine two one six eight.

24
00:01:51,500 --> 00:01:52,670
Five, six.

25
00:01:53,890 --> 00:01:58,930
Dotts, let's check out the Métis political machine and actually you don't want to go for.

26
00:01:59,970 --> 00:02:05,100
So when it comes to a map, there's a lot of different flags that you can do, so there's a couple of

27
00:02:05,100 --> 00:02:06,910
different kinds of scans that you can do.

28
00:02:07,110 --> 00:02:10,770
So what you typically want to do is the skin scan.

29
00:02:10,950 --> 00:02:16,890
And it pretty much like it initiates the the TCBY, you know, a three way handshake, but it doesn't

30
00:02:16,890 --> 00:02:17,560
finish it.

31
00:02:17,790 --> 00:02:23,370
So this is the best way to scan undetected in the way that you're going to do that is with a dash lowercase

32
00:02:23,370 --> 00:02:25,200
s and then capital.

33
00:02:25,350 --> 00:02:29,490
So this is going to do perform a second scan.

34
00:02:29,520 --> 00:02:34,770
If you want it to do a full TCP scan, then you would put this, you would just put a T right here.

35
00:02:34,980 --> 00:02:37,860
But for right now we're going to do just assess.

36
00:02:38,250 --> 00:02:43,380
OK, after this, you might want to determine, you know, what point do you want to do, you determinists

37
00:02:43,380 --> 00:02:46,750
with Dash and you don't have to put a space right here, but you can.

38
00:02:46,770 --> 00:02:53,550
So if you wanted to do every single port, so you would do for one through six, five, five, three,

39
00:02:53,550 --> 00:02:54,060
five.

40
00:02:54,090 --> 00:02:56,990
Remember, if you watch the network section, you would know that.

41
00:02:57,000 --> 00:03:01,320
But for right now, we'll just do actually I would do a six five five, three, four.

42
00:03:01,320 --> 00:03:02,680
I would do all the points right now.

43
00:03:02,910 --> 00:03:06,630
So right now we have a set up to where we're going to do a map on our.

44
00:03:06,930 --> 00:03:12,300
But the machine is going to do a second scan, which means it's not going to complete the handshake.

45
00:03:12,300 --> 00:03:14,500
So it's pretty much undetectable for the most part.

46
00:03:14,970 --> 00:03:23,010
We're going to do a dash p specified that water scan every port from one to sixty five, five to five.

47
00:03:23,160 --> 00:03:26,940
So it's going to scan all those ports and it's going to, you know, tell us at the open.

48
00:03:26,940 --> 00:03:34,170
And I saw one neat thing that we can do is if we only want to see results because most missed out on

49
00:03:34,170 --> 00:03:34,950
a lot of results.

50
00:03:35,150 --> 00:03:39,960
If we only want to see results for open ports, we do dash dash open.

51
00:03:41,220 --> 00:03:46,670
And this is just going to show us any ports that Matt finds, you know, that's actually open.

52
00:03:46,740 --> 00:03:54,450
This will conduct a basic scan so we can go ahead and actually run this one and see what the results

53
00:03:54,450 --> 00:03:54,990
look like.

54
00:03:55,020 --> 00:03:58,500
OK, and obviously I need pseudo, right.

55
00:03:58,530 --> 00:04:03,530
So just remember, if you want to do like a pseudo dash, I so you don't have to do this, but you're

56
00:04:03,540 --> 00:04:04,260
going to be Suda.

57
00:04:05,200 --> 00:04:10,280
And then we're going to let it go and give it a couple of minutes and we're going to come back with

58
00:04:10,280 --> 00:04:12,970
some results, look at what our map scanned.

59
00:04:13,090 --> 00:04:15,490
It actually took about like three seconds.

60
00:04:15,760 --> 00:04:23,050
So it scanned all of those ports that fast on that machine and figured out which ones were actually

61
00:04:23,050 --> 00:04:24,130
open and had told us.

62
00:04:24,140 --> 00:04:29,110
So, for example, you know, there's FTP is open on that one.

63
00:04:29,110 --> 00:04:30,250
S.H. is open.

64
00:04:30,460 --> 00:04:32,320
Telnet is open as really bad.

65
00:04:32,530 --> 00:04:35,920
So we can connect over telnet on this machine.

66
00:04:35,950 --> 00:04:39,610
Remember, this is metastable, so it's supposed to be, you know, exploitable.

67
00:04:40,210 --> 00:04:45,490
So you can see all the different services that are actually running over these open ports.

68
00:04:45,490 --> 00:04:49,810
And these are definitely all things that you want to take note of because you could probably exploit

69
00:04:49,840 --> 00:04:52,270
each single one of these if you actually looked into them.

70
00:04:52,370 --> 00:04:54,850
And we're going to be looking at some of those when we actually start attacking.

71
00:04:54,860 --> 00:04:59,620
But right now, in the information gathering stage for our next scan, let's say that we want to figure

72
00:04:59,620 --> 00:05:07,270
out, you know, the like the version of the services that are running on each one of those open ports

73
00:05:07,270 --> 00:05:08,050
that we saw.

74
00:05:08,350 --> 00:05:15,500
So what we can do is actually a version scan audit over here was changed the access to Capital V and

75
00:05:15,500 --> 00:05:20,830
then now that's actually going to go look at these open ports and tell us actually what the services

76
00:05:20,830 --> 00:05:22,780
and their version is going to try to release.

77
00:05:22,820 --> 00:05:24,010
So let's go ahead and run that scan.

78
00:05:24,280 --> 00:05:26,020
And also just a quick note.

79
00:05:26,020 --> 00:05:31,480
If you want to enable verbose mode, which means just showing, like, you know, more output while

80
00:05:31,660 --> 00:05:32,200
running stuff.

81
00:05:32,210 --> 00:05:34,870
So it's kind of entertaining, honestly, to see what's happening.

82
00:05:34,870 --> 00:05:38,110
While I was having you guys do a dash of four, very verbose.

83
00:05:38,320 --> 00:05:42,180
And it's going to show you, Alpe, you know, while the skin is actually, you know, conducting.

84
00:05:42,400 --> 00:05:46,450
So you see it's actually something, hey, discover this portal, but discover that port.

85
00:05:46,600 --> 00:05:49,050
So it's going to tell us stuff, what's actually happening.

86
00:05:49,060 --> 00:05:52,880
So let's give them time and then we're going to look at the results from this very scan.

87
00:05:53,230 --> 00:05:59,380
OK, so our service get a service version scan actually completed and look at all this information that

88
00:05:59,380 --> 00:06:00,250
we figure it out.

89
00:06:00,940 --> 00:06:02,760
So remember, we did a very verbose.

90
00:06:02,760 --> 00:06:05,230
So he showed us, you know, the open ports when it found it.

91
00:06:05,420 --> 00:06:06,760
But look at this now.

92
00:06:06,760 --> 00:06:16,600
We have a column that says Virgin, and it's telling us, hey, you know, overreport twenty one, it's

93
00:06:16,600 --> 00:06:20,310
running FTP D two point three point four.

94
00:06:20,620 --> 00:06:26,590
Now we can use that information and we're going to talk about it later on, like how to find a place

95
00:06:26,590 --> 00:06:27,220
for these things.

96
00:06:27,220 --> 00:06:30,600
So I can guarantee that any of these are exploitable.

97
00:06:30,790 --> 00:06:33,750
And it's going to be pretty funny actually when we actually get to attack.

98
00:06:33,760 --> 00:06:36,860
And so this is the type of stuff that you want to document.

99
00:06:37,150 --> 00:06:41,940
And one other thing that you could do also just for any of these commands, if you do want to, I'll

100
00:06:41,950 --> 00:06:42,970
put it into a file.

101
00:06:42,970 --> 00:06:51,240
You would just do oh, and then filename like, you know, notes, text, and it'll put it into that,

102
00:06:51,250 --> 00:06:54,910
into it'll create that file and those that's in the current directory.

103
00:06:55,060 --> 00:06:59,770
Or you can specify, you know, where you want to go, like, you know, like slash, I don't know,

104
00:06:59,770 --> 00:07:01,510
slash roots slash something.

105
00:07:01,750 --> 00:07:02,740
I don't know, it doesn't matter.

106
00:07:02,860 --> 00:07:10,120
So it'll put that, it'll create that file and put all the output into that file and then you'll be

107
00:07:10,120 --> 00:07:10,600
good to go.

108
00:07:10,600 --> 00:07:15,250
You give our office at any time, maybe during your penetrations, as you know, you're coming back

109
00:07:15,250 --> 00:07:19,450
to see you checking through like one thing at a time, going to see if it is vulnerable.

110
00:07:19,450 --> 00:07:23,910
And I then come back for the next thing you want to document everything very, very powerful.

111
00:07:24,250 --> 00:07:28,300
Another command that I like to run, that's actually a very, very useful command.

112
00:07:28,480 --> 00:07:29,780
Now you can add.

113
00:07:29,860 --> 00:07:33,790
So when these switches you can add the these are called switches.

114
00:07:34,030 --> 00:07:37,090
You can add these like you can do different types at the same time.

115
00:07:37,090 --> 00:07:41,860
But when I what I've noticed is that when I do this kind of overwhelmed with the information.

116
00:07:42,070 --> 00:07:45,850
So I like to just, you know, have one switch at a time and have them in separate scenes.

117
00:07:46,000 --> 00:07:49,630
So there's a I like to call it the all option.

118
00:07:49,630 --> 00:07:56,020
They all switch as well to call it, because it does know the version and it looks for versions of services.

119
00:07:56,020 --> 00:07:58,030
It'll do a port scan for you.

120
00:07:58,060 --> 00:08:04,840
It will also, you know, do operating system discovery and also, like, break down more about each

121
00:08:04,840 --> 00:08:08,380
service that is discovered, you know, on these reports.

122
00:08:08,650 --> 00:08:11,520
So let's go ahead and run this and see what kind of results that we get.

123
00:08:11,530 --> 00:08:12,730
So the scan is finished.

124
00:08:12,730 --> 00:08:17,260
And look at this wealth of information just from this one scan.

125
00:08:17,440 --> 00:08:18,880
So let's break it down a little bit.

126
00:08:18,890 --> 00:08:26,830
So as you can see, it discovered open because it had a regular and map scan, also went through and

127
00:08:26,830 --> 00:08:28,550
scanned and services set up there.

128
00:08:28,690 --> 00:08:31,960
And now it found, OK, Port twenty one is open.

129
00:08:31,960 --> 00:08:35,260
It's running this as we saw before, but it's a little bit more of a breakdown.

130
00:08:35,430 --> 00:08:40,360
Like I said, hey, anonymous FTP login is allowed, so it actually went untested.

131
00:08:40,630 --> 00:08:46,330
So now we know that's a potential entry point for us so that, you know, maybe something to take note

132
00:08:46,330 --> 00:08:46,660
of.

133
00:08:46,660 --> 00:08:54,160
And then also like right here, Port twenty two is open, is running S.H. It gives us the open version

134
00:08:54,160 --> 00:08:54,940
that is running.

135
00:08:55,090 --> 00:09:00,790
It just gives us a lot more detail and breakdown of what's actually found, you know, running on these

136
00:09:00,790 --> 00:09:01,330
ports.

137
00:09:01,600 --> 00:09:04,420
I really recommend that you use the Dash eight switch and.

138
00:09:04,500 --> 00:09:08,930
Be a little bit overwhelming at first, but it's actually really good information is actually informative,

139
00:09:08,940 --> 00:09:09,640
not too bad.

140
00:09:09,840 --> 00:09:13,260
You get used to looking at, you know, all these different textures, though.

141
00:09:13,410 --> 00:09:19,000
And what I what I also wanted to show was that it actually did a operating system scan.

142
00:09:19,070 --> 00:09:26,430
So, you know, oh, is running Linux to point the two point six kernel and just gives you information

143
00:09:26,430 --> 00:09:26,970
about that.

144
00:09:27,000 --> 00:09:28,980
So it's pretty positive.

145
00:09:28,980 --> 00:09:33,750
Sometimes it'll give you a yes of the operating system with this one and knew exactly just based on

146
00:09:33,750 --> 00:09:36,070
the fingerprints that it was able to get from the scan.

147
00:09:36,270 --> 00:09:40,770
So there's a lot of stuff that we can get, you know, with and maps.

148
00:09:40,770 --> 00:09:47,130
I really recommend that you go in and actually, you know, play around with and map because this is

149
00:09:47,130 --> 00:09:51,930
going to be your bread and butter when it comes to, you know, penetration testing.

150
00:09:52,320 --> 00:09:58,380
OK, so another type of skin is very useful that you're going to want to do is a UDP skin, and that

151
00:09:58,380 --> 00:09:59,250
is dignified.

152
00:09:59,250 --> 00:10:03,960
But remember where we had to dash in the capital espersen skin.

153
00:10:03,990 --> 00:10:06,840
So we want to do a dash cap ex capital.

154
00:10:06,840 --> 00:10:12,210
You here to signify, you know, hey, go do a YouTube scan because remember from the networking section,

155
00:10:12,900 --> 00:10:19,410
this ports, the sixty five thousand five is that if I put on TCP but also on UDP and the service is

156
00:10:19,410 --> 00:10:20,530
running on Euterpe as well.

157
00:10:20,700 --> 00:10:26,820
So you definitely want to check, you know, into, you know, specific systems like, you know, if

158
00:10:27,000 --> 00:10:29,070
they have services running over UDP.

159
00:10:29,100 --> 00:10:34,800
I've definitely seen on Assessment's where there's not really many services running on TCP, but when

160
00:10:34,800 --> 00:10:38,260
I do a scan, I find services that I could potentially exploit.

161
00:10:38,430 --> 00:10:44,070
So I'm just doing ports one to 100 just to show and see if we can actually get anything from it.

162
00:10:44,220 --> 00:10:45,440
So let's go, everybody command.

163
00:10:47,150 --> 00:10:53,230
OK, so to finish those actually look at it, so it went through and actually told us, hey, this was

164
00:10:53,240 --> 00:10:59,420
close, close, close, it says open filtered most likely is probably a close port that's just filtered,

165
00:10:59,900 --> 00:11:02,030
which is not going to get your response that you want.

166
00:11:02,660 --> 00:11:07,280
I believe that it actually found like UDP, P3 is open.

167
00:11:07,280 --> 00:11:14,070
So, you know, DNS is running over that port with also new version scans on these ports as well.

168
00:11:14,090 --> 00:11:19,190
So if we can do it on that specific point, just see, you know, just just for the heck of it, just

169
00:11:19,190 --> 00:11:20,270
see, you know, what's on it.

170
00:11:20,280 --> 00:11:21,410
So let's do that really quick.

171
00:11:21,590 --> 00:11:27,560
So, you know, how are we we've been doing range is typically what we can actually just specify a specific

172
00:11:27,560 --> 00:11:27,950
port.

173
00:11:28,190 --> 00:11:35,960
So right here we'd be scanning DNS over UDP and try to see.

174
00:11:36,440 --> 00:11:36,950
See.

175
00:11:38,610 --> 00:11:44,820
We want to figure out a version so we do dash ASV and figure out maybe we can figure out what version

176
00:11:44,820 --> 00:11:46,170
of what's bringing over that port.

177
00:11:46,380 --> 00:11:52,780
So see, right here, it was saying, hey, it's running DNS and you know who's running this right here.

178
00:11:52,800 --> 00:11:55,490
So this version right here pretty useful.

179
00:11:55,500 --> 00:12:00,720
So I definitely recommend play, go around, play with it, make sure that you do your UDP scans.

180
00:12:01,110 --> 00:12:05,970
OK, something interesting and map, like I said, it comes with a vulnerability scanner.

181
00:12:06,210 --> 00:12:13,220
So what you can actually do is you can use it comes with scripts as well that can do different things.

182
00:12:13,230 --> 00:12:20,850
I'm not going to go over all the scripts, but for example, if we wanted to pull this back up so that

183
00:12:20,850 --> 00:12:27,690
we have our target right here, what we can do is actually run an EMAP script to figure out, you know,

184
00:12:27,690 --> 00:12:34,470
if there is any SMB or something like that available on this system so we can do a map and then we have

185
00:12:34,470 --> 00:12:44,760
our target and then we can actually do a dash to script and then say equals and some B dash os dash

186
00:12:44,760 --> 00:12:50,670
discovery is going to go actually run this script that's built into and map and actually let us know,

187
00:12:50,670 --> 00:12:52,790
you know, if it's what it finds.

188
00:12:52,800 --> 00:12:53,850
So let's go ahead and run this.

189
00:12:53,880 --> 00:12:55,010
So it's done.

190
00:12:55,020 --> 00:13:00,750
So it did a quick AMP scan of like, you know, just some default points that I would look for.

191
00:13:00,930 --> 00:13:06,600
We don't like specify specific ports, but right here is the, you know, the script results that we

192
00:13:06,600 --> 00:13:06,940
wanted.

193
00:13:07,170 --> 00:13:13,140
So it pretty much used SMB to try to figure out, you know, what the OS was.

194
00:13:13,150 --> 00:13:20,250
So, you know, it's saying, hey, the OS is Unix or Linux and Somma 3.0 is actually being run.

195
00:13:20,490 --> 00:13:25,150
So that's something that's very useful and it's something that we kind of figured out before from different

196
00:13:25,150 --> 00:13:25,590
scans.

197
00:13:25,830 --> 00:13:31,950
But the point is, is different ways to find out, you know, the different information and that has

198
00:13:31,950 --> 00:13:34,950
a bunch of different scripts that we can actually use it.

199
00:13:34,960 --> 00:13:40,950
There's a DNS transfer, a script that you can use, actually a script that you can call waspish, that

200
00:13:40,950 --> 00:13:41,400
you can call.

201
00:13:41,400 --> 00:13:48,900
So you do a map, dash, dash script, dash help and then you can put the script names.

202
00:13:48,900 --> 00:13:52,860
So like, let's say DNS transfer.

203
00:13:52,860 --> 00:13:54,330
How do I use this script?

204
00:13:55,400 --> 00:13:57,810
And it'll actually spit out some help for you.

205
00:13:57,830 --> 00:14:04,310
So here's the deal, as well as a description of what it does and just some help on how to use it and

206
00:14:04,310 --> 00:14:04,640
such.

207
00:14:04,760 --> 00:14:10,790
So definitely look into the different scripts that Matt provides us with because it's very useful.

208
00:14:10,820 --> 00:14:16,640
And you can actually look for vulnerabilities because there's some scripts that actually will look for

209
00:14:16,640 --> 00:14:18,800
like SMB vulnerabilities, for example.

210
00:14:19,130 --> 00:14:21,680
Also, if you're wondering, you can take a look.

211
00:14:21,680 --> 00:14:27,380
I guess you do a quick ls the directory with ADMET Scripts and see what scripts are available so that

212
00:14:27,380 --> 00:14:28,340
you could run them with that.

213
00:14:28,340 --> 00:14:37,010
Dastan script equals command along with EMAP so you could do a lot of us are slideshare such and map

214
00:14:37,580 --> 00:14:40,640
scripts and it's going to give you a list of all the scripts.

215
00:14:40,640 --> 00:14:43,940
So all kinds of stuff you man so you can find out all kinds of stuff.

216
00:14:44,450 --> 00:14:45,050
So it's pretty good.

217
00:14:45,050 --> 00:14:51,370
They have the Mongo DB scripts, the actual scripts that we're Métis, Bloy, a lot different.

218
00:14:51,380 --> 00:14:54,320
The firewall bypassing Firewalker.

219
00:14:54,340 --> 00:14:58,130
That's the thing I like to use when I'm, you know, conducting penetration tests a lot.

220
00:14:58,850 --> 00:15:05,000
I like to figure out, you know, what rules might be in place, you know, for a firewall so you can

221
00:15:05,000 --> 00:15:06,340
play your attack a little bit better.