1 00:00:03,140 --> 00:00:09,350 As ethical hackers who are performing information gathering, or recon, and scanning, one of the next steps 2 00:00:09,350 --> 00:00:14,780 we would take after we find the list of candidate servers, especially some servers that we might have 3 00:00:14,780 --> 00:00:19,280 forgotten were on our network, is to run nmap against them, to figure out what was running on those 4 00:00:19,280 --> 00:00:24,920 servers and then find out if maybe there are some vulnerable services or if some servers have been compromised 5 00:00:24,920 --> 00:00:25,370 already. 6 00:00:25,790 --> 00:00:31,130 So nmap is our network mapper. We're going to use that in Kali Linux to see what might be on our 7 00:00:31,130 --> 00:00:31,670 network. 8 00:00:33,080 --> 00:00:35,690 To do this, we actually want to run one additional server. 9 00:00:36,110 --> 00:00:37,220 We could turn on both 10 00:00:37,260 --> 00:00:42,470 if we wanted to, but we at least want to run one additional server, and I'm going to do the Metasploitable 11 00:00:42,530 --> 00:00:43,790 2 server. 12 00:00:45,100 --> 00:00:48,620 And in this case, we're not going to leave Metasploitable running for very long. 13 00:00:48,980 --> 00:00:52,880 So it would be OK to open the network settings 14 00:00:54,520 --> 00:00:57,280 and I'm going to turn it over to the public 15 00:00:57,640 --> 00:00:58,770 NAT, NAT 16 00:00:58,840 --> 00:00:59,820 network, public 17 00:00:59,860 --> 00:01:07,390 NAT, just so that it'll be on the same network as MSEdge Win10 and our Kali Linux box so 18 00:01:07,390 --> 00:01:08,680 that we'll be able to see it. 19 00:01:09,640 --> 00:01:15,100 One other option would be turning all three of these machines over to the private NAT as well. 
20 00:01:16,580 --> 00:01:23,820 And remember to log into Metasploitable if you haven't before: it's msfadmin and msfadmin as the 21 00:01:23,820 --> 00:01:26,580 username and password, and it will not show you that password 22 00:01:26,580 --> 00:01:27,430 as you're logging in. 23 00:01:27,840 --> 00:01:32,430 You can see we're still set up on Metasploitable from a few lessons back when we installed it. 24 00:01:33,180 --> 00:01:36,540 I'm going to do ifconfig. 25 00:01:36,540 --> 00:01:41,850 The IP address for Metasploitable is on 10.0.3, so I'm going to run the command sudo ifdown, or 26 00:01:41,850 --> 00:01:46,070 interface down, eth0, double ampersand, sudo ifup eth0. 27 00:01:47,400 --> 00:01:54,210 And now we have a 10.0.9 address that will allow us to find it on our network. 28 00:01:54,960 --> 00:01:58,230 And then for IEUser, go ahead and log in as well. 29 00:01:58,290 --> 00:01:59,160 Yeah, I'll log in 30 00:01:59,730 --> 00:02:01,350 as IEUser with the password. 31 00:02:06,870 --> 00:02:13,560 And remember, for these Windows 10 machines, the password is Passw0rd!: capital P, little a, s, s, w, zero, r, d, exclamation. 32 00:02:15,210 --> 00:02:21,810 And once we get logged into the Windows virtual machine, I'm going to type in my search bar cmd, 33 00:02:23,760 --> 00:02:24,740 the command prompt, 34 00:02:26,200 --> 00:02:29,260 and I'm going to choose run as administrator. 35 00:02:30,650 --> 00:02:32,330 And I'll run ipconfig 36 00:02:34,520 --> 00:02:39,310 to get the IP information, the IP address. 37 00:02:41,750 --> 00:02:47,360 But you can see I did get a 10.0.9 address on my Windows machine, so it's time to switch back 38 00:02:47,360 --> 00:02:48,050 over to Kali. 39 00:02:49,510 --> 00:02:54,150 And let's get a clean terminal window and we'll make the font big enough so that you can read it. 
40 00:02:54,690 --> 00:02:59,040 The great thing about nmap is that we can use everything from the command line; there are graphical user 41 00:02:59,040 --> 00:03:00,210 interface tools as well. 42 00:03:00,480 --> 00:03:06,600 In fact, Zenmap is one that you can install with a quick sudo apt install 43 00:03:07,590 --> 00:03:08,220 zenmap. 44 00:03:08,250 --> 00:03:15,810 But I'm going to use nmap, and I know that I'm on my 10.0.9 network, so I'm just going 45 00:03:15,810 --> 00:03:19,050 to see what machines are on this 10.0.9 network. 46 00:03:25,910 --> 00:03:35,040 And I could say 10.0.9.0/24 to scan all 255 possible machines or addresses 47 00:03:35,040 --> 00:03:40,070 on that network, or I could say 10.0.9.2-20. 48 00:03:40,590 --> 00:03:45,810 I think most of my IP addresses are in that low range. 49 00:03:45,900 --> 00:03:48,390 I saw a 10.0.9 on my Windows box. 50 00:03:48,780 --> 00:03:50,250 So I'm going to run nmap. 51 00:03:50,730 --> 00:03:56,430 It'll take just a moment because it's going to run through all 20 of those possible addresses. 52 00:03:57,800 --> 00:04:03,680 But it doesn't take too long, and I found one machine, at least, at 10.0.9 dot, in my 53 00:04:03,680 --> 00:04:04,700 case, 10. 54 00:04:05,630 --> 00:04:07,070 But I can go up a little bit. 55 00:04:07,550 --> 00:04:08,180 Found something 56 00:04:08,180 --> 00:04:08,870 at 10.0. 57 00:04:08,900 --> 00:04:09,140 9. 58 00:04:09,380 --> 00:04:09,890 7, 59 00:04:09,920 --> 00:04:11,390 but all the ports are closed. 60 00:04:12,110 --> 00:04:13,160 And then 10.0. 61 00:04:13,190 --> 00:04:14,390 9.10. 62 00:04:14,390 --> 00:04:15,070 And 10.0.9 63 00:04:15,080 --> 00:04:15,620 .1, 64 00:04:16,070 --> 00:04:18,130 this is my gateway, 65 00:04:18,230 --> 00:04:19,940 my, my connection 
66 00:04:19,970 --> 00:04:22,220 out to the internet through my host computer. 67 00:04:22,670 --> 00:04:28,580 Here is my DHCP server that gives me IP addresses, so you can see a few of the things that we set up when 68 00:04:28,580 --> 00:04:30,380 we first configured our network. 69 00:04:30,640 --> 00:04:33,180 But 10.0.9.7 could be something. 10 70 00:04:33,260 --> 00:04:34,420 .0.9.10, 71 00:04:34,850 --> 00:04:37,850 so this one looks like it's got a whole lot of open ports. 72 00:04:37,850 --> 00:04:39,770 In fact, some pretty interesting ones. 73 00:04:40,130 --> 00:04:46,970 So this one turns out to probably be our, our Metasploitable box, so we can get a little more information 74 00:04:46,970 --> 00:04:52,990 on an nmap scan by doing something like an sV, a dash sV, search. 75 00:04:53,040 --> 00:04:59,600 That would give us actually version information. Dash lowercase s, uppercase V, for an nmap scan would 76 00:04:59,600 --> 00:05:03,050 show us the exact version of each of these pieces of software. 77 00:05:03,080 --> 00:05:04,660 So let's try that really fast. 78 00:05:05,900 --> 00:05:11,000 So our command would be nmap and our server address. 79 00:05:11,030 --> 00:05:14,670 Now it's 10.0.9.10. 80 00:05:14,750 --> 00:05:23,450 So I'm just scanning that one particular server, and I'll do a, add a dash sV, a versioning scan, against 81 00:05:23,450 --> 00:05:23,620 that. 82 00:05:23,630 --> 00:05:25,610 It's going to take a little bit of time, but it'll be worth it. 83 00:05:27,260 --> 00:05:34,070 When nmap finishes, you will see not just the ports, or the logical connections that are running the services, 84 00:05:34,070 --> 00:05:38,870 running on that, that Metasploitable virtual machine. 85 00:05:39,230 --> 00:05:43,460 You'll also see the exact version information, or at least really close. 
86 00:05:44,120 --> 00:05:49,850 So nmap has some scanning ability to gather information about which version of each one of those 87 00:05:49,850 --> 00:05:52,280 services is included on that machine. 88 00:05:52,310 --> 00:05:54,680 So some really useful information. 89 00:05:55,070 --> 00:05:59,960 In fact, you can see that somebody has already hacked into this Metasploitable box and they've left 90 00:05:59,960 --> 00:06:01,130 a root shell, so 91 00:06:01,160 --> 00:06:02,750 if you know how to telnet in, 92 00:06:03,140 --> 00:06:09,860 you can connect to that 1524 port and actually take over that Metasploitable machine remotely. 93 00:06:10,430 --> 00:06:15,600 So normally when you run nmap, you're trying to gather information about the machines on the network. 94 00:06:15,650 --> 00:06:17,240 So we saw how we could do that with 95 00:06:17,450 --> 00:06:24,250 nmap with just a range of addresses, either a 10.0.9.0/24 or 10.0.9 96 00:06:24,410 --> 00:06:26,270 .2-30, dash 30. 97 00:06:27,500 --> 00:06:34,280 And then, once we find individual servers, we can run scans against them like we did here to 98 00:06:34,280 --> 00:06:36,500 determine what software might be running on them, 99 00:06:36,620 --> 00:06:43,040 even up to a possible backdoor shell into the computer that somebody had already left there. 100 00:06:43,670 --> 00:06:44,990 That happens from time to time, 101 00:06:44,990 --> 00:06:50,060 if you left a server on your network that you forgot about, a server administrator left the company, 102 00:06:50,360 --> 00:06:52,490 or somebody just plugged in a device and left it running. 103 00:06:53,570 --> 00:06:55,610 Let's see one other quick scan, though. 104 00:06:55,610 --> 00:06:58,370 I want to try to scan my Windows computer. 105 00:06:58,370 --> 00:07:05,330 So this was a good, thorough scan from my Kali, from my Kali box, into my Metasploitable. 
106 00:07:05,690 --> 00:07:12,920 But let's take a look at the other machine. So I know that my Windows IP address was 10.0.9 107 00:07:12,970 --> 00:07:13,760 .9, 108 00:07:13,790 --> 00:07:15,410 but I didn't see a computer 109 00:07:15,410 --> 00:07:16,160 at 10.0.9 110 00:07:16,210 --> 00:07:19,250 .9 from my Kali computer. 111 00:07:19,730 --> 00:07:22,690 Well, the reason for that is actually the Windows firewall. 112 00:07:22,820 --> 00:07:28,140 So the Windows firewall gets a bad rap, but it actually does something important. 113 00:07:28,160 --> 00:07:33,320 So just by default, with Windows 10, it's almost always on. The Windows 114 00:07:33,320 --> 00:07:36,990 firewall is blocking you from these drive-by scans, 115 00:07:37,220 --> 00:07:39,620 these nmap scans like the one I just performed. 116 00:07:40,010 --> 00:07:43,910 But we can turn that firewall off just for this one test. 117 00:07:44,300 --> 00:07:50,300 We can say netsh advfirewall, advfirewall, 118 00:07:52,080 --> 00:07:56,690 set allprofiles state off. 119 00:07:56,780 --> 00:08:02,010 Now, it's a long command and I'll put a comment down below so that you'll be able to copy and paste that 120 00:08:02,010 --> 00:08:02,700 if you want to. 121 00:08:04,600 --> 00:08:09,000 But that command will turn off the Windows firewall, and you'll see Windows in our virtual machine pop 122 00:08:09,000 --> 00:08:12,090 up and say, wait a minute, the Windows firewall is turned off. 123 00:08:12,120 --> 00:08:17,670 Well, now we know the IP address, and our Windows machine is not protected from those scans. 124 00:08:18,000 --> 00:08:19,680 So let's switch back over to Kali. 125 00:08:21,270 --> 00:08:24,260 Let's clear the screen with Control-L or the word clear. 126 00:08:24,680 --> 00:08:25,390 And now let's 127 00:08:25,430 --> 00:08:25,880 nmap 128 00:08:25,930 --> 00:08:27,980 that Windows computer. 
129 00:08:28,400 --> 00:08:32,720 So it's going to be almost the same as the scan for my Metasploitable box, 130 00:08:32,780 --> 00:08:34,220 but the IP address is different. 131 00:08:34,240 --> 00:08:40,040 So I just press the up arrow, and then I'll replace that 10.0.9.10 with 10.0.9 132 00:08:40,040 --> 00:08:41,810 .9, which is the IP address 133 00:08:42,320 --> 00:08:43,880 my Windows computer got this time. 134 00:08:45,300 --> 00:08:49,020 So we'll do an sV version scan against that 10.0. 135 00:08:49,050 --> 00:08:50,070 9.9. 136 00:08:50,520 --> 00:08:56,580 And now, without the Windows firewall running, we should be able to see a few services there. 137 00:08:56,580 --> 00:08:57,120 We do. 138 00:08:57,630 --> 00:08:59,820 So you can see that this is running a few things. 139 00:09:00,660 --> 00:09:01,920 Port 135, 140 00:09:02,430 --> 00:09:05,140 that's RPC, or remote procedure call. 141 00:09:05,160 --> 00:09:09,690 That's a handy port to have open if you're managing this computer across the network, 142 00:09:09,720 --> 00:09:16,380 but it's also a potential vulnerability if we're searching for the ability to break into that computer. 143 00:09:16,770 --> 00:09:21,870 You can see we've got a couple of other services running on there, NetBIOS, and see information about 144 00:09:21,870 --> 00:09:23,100 the computer for the network. 145 00:09:23,520 --> 00:09:29,460 So just by turning off the Windows firewall, we've not only opened up this machine to a drive-by scan, 146 00:09:29,850 --> 00:09:35,040 we've done a full version scan against similar services so we can see exactly what's running on each 147 00:09:35,040 --> 00:09:36,000 of those ports. 148 00:09:36,330 --> 00:09:41,580 So if you don't take anything else out of this Windows scanning, at least now, you know, 149 00:09:41,580 --> 00:09:44,270 the Windows firewall does do something. 
150 00:09:44,280 --> 00:09:49,080 It protects you from just a quick drive-by nmap scan of your network. 151 00:09:49,410 --> 00:09:54,570 So it's important to leave that firewall running and to have antivirus and a firewall to protect you 152 00:09:54,570 --> 00:09:57,000 from snooping eyes out on the Internet. 153 00:09:57,780 --> 00:10:03,360 Well, coming up in the next section, we're going to see how to take it one step further and use a 154 00:10:03,390 --> 00:10:08,610 graphical tool that will help us do a quick scan of a network and more.
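As an added example, not part of the lesson or its course materials, here is a small Python script that reads nmap -sV grepable output (-oG) the way the lesson reads it by eye: it flags the leftover root shell on Metasploitable's port 1524, the Windows management ports (135 msrpc, NetBIOS) that only become visible once the host firewall is off, and inventory hosts the scan did not see at all. The sample scan output, the host addresses and the inventory list are constructed for the lesson's lab network.

```python
import re

# Constructed sample of "nmap -sV -oG -" (grepable) output for the lesson's two lab
# hosts; not real scan output from the course.
SAMPLE_OG = (
    "# Nmap 7.91 scan initiated as: nmap -sV -oG - 10.0.9.2-20\n"
    "Host: 10.0.9.10 ()\tStatus: Up\n"
    "Host: 10.0.9.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "1524/open/tcp//bindshell//Metasploitable root shell/\tIgnored State: closed (997)\n"
    "Host: 10.0.9.9 ()\tStatus: Up\n"
    "Host: 10.0.9.9 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/\n"
)
# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
# (nmap rewrites a "/" inside a field as "|", so splitting on "/" is safe).
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
# Windows management ports the lesson only sees once the host firewall is off.
WINDOWS_MGMT_PORTS = {135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds"}

def parse_grepable(text):
    """Map each scanned host IP to its open ports as (port, proto, service, version)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts.setdefault(ip, [])
        m = re.search(r"\tPorts: ([^\t]*)", line)
        if m:
            for port, state, proto, _own, svc, _rpc, ver in PORT_RE.findall(m.group(1)):
                if state == "open":
                    hosts[ip].append((int(port), proto, svc, ver.strip()))
    return hosts

def triage(hosts, inventory):
    """Findings as (severity, ip, note): backdoor shells, exposed mgmt ports, unseen hosts."""
    findings = []
    for ip, ports in hosts.items():
        for port, _proto, svc, ver in ports:
            if svc == "bindshell" or "root shell" in ver.lower():
                findings.append(("CRITICAL", ip, f"{port}: leftover backdoor shell ({ver})"))
            elif port in WINDOWS_MGMT_PORTS:
                findings.append(("WARN", ip, f"{port}: {svc} reachable, host firewall not filtering it"))
    for ip in sorted(set(inventory) - set(hosts)):  # on the asset list but not seen
        findings.append(("INFO", ip, "not seen by the scan: firewalled or offline, verify it"))
    return findings

for sev, ip, note in triage(parse_grepable(SAMPLE_OG), ["10.0.9.9", "10.0.9.10", "10.0.9.12"]):
    print(sev, ip, note)
```

Feed it real output with nmap -sV -oG scan.txt and replace SAMPLE_OG with the file contents; the INFO line is the interesting one on a production network, since a host that is on the asset list but silent is either correctly firewalled or a machine you have lost track of.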