1
00:00:03,100 --> 00:00:08,800
And last but not least, we want to see a more graphical user interface, or GUI, tool that we can use

2
00:00:08,800 --> 00:00:10,420
for our network scans.

3
00:00:10,750 --> 00:00:12,160
Legion is a great tool.

4
00:00:12,190 --> 00:00:19,090
It's a fork, or a branched-off version, of the SPARTA toolkit that's been out there for a long time.

5
00:00:19,570 --> 00:00:22,000
It's a really nice multi-purpose scanner.

6
00:00:22,060 --> 00:00:25,630
It can even take advantage of vulnerabilities if you find them.

7
00:00:26,200 --> 00:00:30,940
It's a great tool if you're running in a capture-the-flag event where you are asked to scan or look

8
00:00:30,940 --> 00:00:31,900
for vulnerabilities.

9
00:00:32,260 --> 00:00:34,750
Legion is a great way to do that.

10
00:00:35,290 --> 00:00:36,400
So let's come back over to...

11
00:00:38,260 --> 00:00:40,120
And we'll close what we were working on before.

12
00:00:40,750 --> 00:00:44,560
Come up to the Kali menu, you come to Information Gathering.

13
00:00:47,040 --> 00:00:52,440
And scroll down on the menu there. You should see Legion, and it still has the Spartan helmet. Click

14
00:00:52,450 --> 00:00:52,890
Legion.

15
00:00:54,340 --> 00:00:56,110
And Legion opens up a shell window.

16
00:00:56,140 --> 00:00:57,370
But let's minimize that.

17
00:00:57,400 --> 00:00:58,960
Don't close it, minimize it.

18
00:00:59,470 --> 00:01:02,110
And you should see a graphical user interface window.

19
00:01:02,560 --> 00:01:08,020
Now, this may be too big to fit on your screen, so you may have to grab the bottom edge and bring

20
00:01:08,020 --> 00:01:15,130
that up, or expand the size of your viewing screen by coming up to View and changing the screen resolution

21
00:01:16,000 --> 00:01:18,160
so that you've got a different size.

22
00:01:19,030 --> 00:01:20,280
But we've got Legion.

23
00:01:20,710 --> 00:01:21,560
Let's go ahead with it.

24
00:01:21,580 --> 00:01:26,230
Just connect to this 10.9 network and see if we can add some hosts.

25
00:01:26,260 --> 00:01:33,290
So we want to say 10.9.0.0/24.

26
00:01:33,940 --> 00:01:40,780
So this will actually be the entire network, up to 255 computers on the 10.9 network.

27
00:01:41,200 --> 00:01:43,270
We'll leave a few of these other things the same.

28
00:01:43,330 --> 00:01:44,740
I might bring this down a little bit.

29
00:01:45,130 --> 00:01:48,730
Aggressive is going to be really noisy on the network, and even if...

30
00:01:50,190 --> 00:01:58,030
Well, even though we're scanning inside our private, our public mapped, we want to keep it down to

31
00:01:58,030 --> 00:01:58,480
a minimum.

32
00:01:59,540 --> 00:02:00,620
Click Submit.

33
00:02:03,100 --> 00:02:06,760
And you will see Legion start to scan your network.

34
00:02:07,150 --> 00:02:11,410
And if it finds some computers, it's going to place them right up here in the list.

35
00:02:11,720 --> 00:02:13,180
10.9.0.1.

36
00:02:13,190 --> 00:02:13,820
Dot 2.

37
00:02:14,060 --> 00:02:15,120
Dot 7.

38
00:02:15,820 --> 00:02:18,340
That is actually our Kali box itself right now.

39
00:02:18,590 --> 00:02:22,950
I picked up a new IP address, 10.9.0.7. Now, 10.9.0

40
00:02:22,960 --> 00:02:23,620
dot 9

41
00:02:23,650 --> 00:02:25,330
we know was our Windows computer.

42
00:02:25,430 --> 00:02:28,780
Dot 10 is our Metasploitable box.

43
00:02:30,880 --> 00:02:33,820
And you can see as it runs through different stages

44
00:02:35,910 --> 00:02:37,370
of nmap searches.

45
00:02:38,970 --> 00:02:44,400
And it's even gathering screenshots of web pages of servers that are running a web page.

46
00:02:45,900 --> 00:02:51,150
It's going to show us information about what services are running on each computer. Look at that.

47
00:02:51,160 --> 00:02:54,930
We've got a ton of services running on this

48
00:02:54,930 --> 00:02:59,370
Metasploitable box, specifically 10.9.0.10 on my network.

49
00:02:59,850 --> 00:03:01,140
And it's done several things.

50
00:03:01,140 --> 00:03:06,540
It's gathered some information about vulnerabilities from Nikto, which is one of the other tools here

51
00:03:06,540 --> 00:03:07,020
in Kali.

52
00:03:07,530 --> 00:03:11,250
It's taken a screenshot of the web server.

53
00:03:11,670 --> 00:03:17,310
Not much information there because it's just a plain text page, and it's got other information that may

54
00:03:17,310 --> 00:03:19,830
get filled in as we go on a little bit further.

55
00:03:20,130 --> 00:03:27,860
But you can see a lot of information about possible vulnerabilities just on this one scan of our Metasploitable

56
00:03:27,990 --> 00:03:28,980
box.

57
00:03:29,460 --> 00:03:31,140
When we come up to our

58
00:03:32,350 --> 00:03:36,790
Windows computer, we can see some SMB enumeration.

59
00:03:37,210 --> 00:03:43,420
It's gathering some information to see if you can access it without a username and password.

60
00:03:44,320 --> 00:03:46,570
You might have heard of the EternalBlue exploit.

61
00:03:47,050 --> 00:03:49,360
That's checking for that along with a few other things.

62
00:03:49,390 --> 00:03:54,400
But we can see that even on our Windows computer, there are several services available because we turned

63
00:03:54,400 --> 00:03:56,410
off the firewall in the previous lesson.

64
00:03:57,460 --> 00:03:59,330
This is our Kali computer itself.

65
00:03:59,350 --> 00:04:02,500
That's our DHCP server, and that's our gateway.

66
00:04:02,560 --> 00:04:04,240
So no other information there.

67
00:04:04,480 --> 00:04:10,420
But on this Metasploitable box, if this was a computer that you had left running on your network,

68
00:04:10,660 --> 00:04:14,080
you really would need to check this one out, because there are a lot of vulnerabilities, and it needs to

69
00:04:14,080 --> 00:04:14,710
be updated.

70
00:04:15,040 --> 00:04:16,240
It needs to be patched.

71
00:04:16,280 --> 00:04:18,550
But that's what Metasploitable is built for.

72
00:04:18,610 --> 00:04:20,560
So it can find vulnerabilities like this.

73
00:04:21,970 --> 00:04:27,220
Now, there's one other thing that we can show you with Legion, or that we'll at least mention to

74
00:04:27,220 --> 00:04:31,900
you, if you wanted to scan your own home network.

75
00:04:32,470 --> 00:04:33,670
This is very important.

76
00:04:33,670 --> 00:04:39,040
This needs to be a network that not only do you pay for and you own and you have the full permission

77
00:04:39,410 --> 00:04:44,860
to run scans against, it needs to be okay with your Internet service provider.

78
00:04:44,860 --> 00:04:47,620
They may have a ban on scanning there.

79
00:04:48,530 --> 00:04:51,250
There can't be any other users on your network.

80
00:04:52,210 --> 00:04:58,960
So be careful if you're running scans on a network like in a big building, or if you are in an apartment

81
00:04:58,960 --> 00:05:03,460
complex or someplace where you share an Internet connection among a lot of people.

82
00:05:03,880 --> 00:05:05,290
This is really important.

83
00:05:06,130 --> 00:05:11,350
When you run this scan, it will scan every computer, and it'll send a lot of traffic.

84
00:05:11,750 --> 00:05:16,420
And so people will be able to know that you are scanning them if they're looking for that with any intrusion

85
00:05:16,420 --> 00:05:19,420
detection software or a good antivirus,

86
00:05:19,510 --> 00:05:21,400
a good endpoint protection.

87
00:05:22,060 --> 00:05:26,170
It'll tell them that they're being scanned over the Internet and might freak your neighbors out.

88
00:05:26,200 --> 00:05:31,000
So please don't do this anyplace where you don't have explicit permission and control of the network.

89
00:05:31,450 --> 00:05:32,380
But you notice everything

90
00:05:32,380 --> 00:05:35,020
here is on that 10.9 network.

91
00:05:35,980 --> 00:05:38,680
We could actually change our network settings

92
00:05:40,030 --> 00:05:46,000
for just our Kali box, so we changed the network settings for just the Kali virtual machine.

93
00:05:47,340 --> 00:05:48,450
I'm going to talk through this.

94
00:05:48,470 --> 00:05:54,350
I'm not actually going to perform it, even on my network here at home. I've got a dozen devices on

95
00:05:54,350 --> 00:06:00,470
the network at any one time, and my sons might be watching Netflix or another video channel.

96
00:06:00,860 --> 00:06:03,440
I don't want to disturb the network because it'll buffer for them.

97
00:06:03,890 --> 00:06:06,920
But you can change this to a bridged adapter.

98
00:06:07,370 --> 00:06:13,970
That bridged adapter makes it look like your Kali VM is actually another direct connection to your

99
00:06:13,970 --> 00:06:16,250
Wi-Fi or your wired network.

100
00:06:16,790 --> 00:06:22,280
And that will give your Kali computer access to other machines on your Wi-Fi network.

101
00:06:22,970 --> 00:06:30,470
Once you change to the bridged adapter, you would do a sudo service network-manager restart

102
00:06:30,500 --> 00:06:33,350
so that you get a new IP address out on the public network,

103
00:06:33,770 --> 00:06:39,110
if your network allows that type of connection. And then there's one other change.

104
00:06:39,180 --> 00:06:40,520
I'll change it just briefly.

105
00:06:40,550 --> 00:06:41,540
But I want to switch back.

106
00:06:41,860 --> 00:06:43,460
Notice this would be over Wi-Fi.

107
00:06:44,600 --> 00:06:47,890
And this one other piece, for some scans

108
00:06:47,930 --> 00:06:51,860
in Kali, you actually want to allow promiscuous mode.

109
00:06:51,890 --> 00:06:57,200
That means you can listen or sniff packets that were not meant for this particular computer.

110
00:06:57,830 --> 00:07:05,360
Anytime you're in a coffee shop or in a library or any place with public Wi-Fi or open Wi-Fi, you need

111
00:07:05,360 --> 00:07:07,490
to know that people can see your traffic.

112
00:07:07,520 --> 00:07:14,060
So it's really important to use a VPN, and you only surf secure HTTPS web pages, especially if you're

113
00:07:14,060 --> 00:07:18,030
entering your username and password, because this one little change,

114
00:07:18,390 --> 00:07:23,540
going to a bridged adapter and allowing promiscuous mode so that it can look at any packets that fly by,

115
00:07:24,020 --> 00:07:29,330
can allow somebody to look in on your network traffic, on your username and password, if you're logging

116
00:07:29,330 --> 00:07:31,420
in insecurely to a regular

117
00:07:31,420 --> 00:07:32,360
HTTP web site.

118
00:07:32,690 --> 00:07:34,310
Don't do that from a public network.

119
00:07:34,370 --> 00:07:40,610
Make sure you're doing that from a network that you can control and that you own or have permission

120
00:07:40,610 --> 00:07:41,090
to use.

121
00:07:41,780 --> 00:07:49,010
So those two changes would be all it would take to connect to my public, my Wi-Fi network here throughout

122
00:07:49,010 --> 00:07:49,670
my house.

123
00:07:50,150 --> 00:07:52,160
And it would give me the ability to run...

124
00:07:52,400 --> 00:07:53,300
I'm going to change that back.

125
00:07:53,300 --> 00:07:59,030
And don't forget, it gives me the ability to run the Legion scan

126
00:08:00,240 --> 00:08:05,850
that we just saw right here against every device on my Wi-Fi throughout my house.

127
00:08:06,210 --> 00:08:07,480
That would be my printer.

128
00:08:07,500 --> 00:08:11,520
That would be all of my computers, tablets, my sons' Chromebooks.

129
00:08:12,510 --> 00:08:15,930
All the devices that we have for smart televisions.

130
00:08:16,500 --> 00:08:22,860
Anything in your home network. If you have surveillance cameras, those can be seen on a bridged network

131
00:08:23,190 --> 00:08:24,000
adapter like that.

132
00:08:24,030 --> 00:08:25,530
I'm not going to run that scan.

133
00:08:25,560 --> 00:08:30,930
I just wanted to talk you through it, just in case, because this is a really useful tool to run in your

134
00:08:30,930 --> 00:08:31,590
organization.

135
00:08:31,590 --> 00:08:34,470
First of all, make sure you have your organization's permission.

136
00:08:34,500 --> 00:08:38,620
You should probably be an I.T. employee or contractor before you

137
00:08:39,010 --> 00:08:43,380
run a scan like this, and you do have to have the organization's permission, but it can help you

138
00:08:43,380 --> 00:08:46,590
turn up devices even in your own home that you might have forgotten

139
00:08:46,590 --> 00:08:53,670
were there. For example, if you leave an old video game player connected, if it's not patched,

140
00:08:53,670 --> 00:08:59,460
it might be a device out there on your network that somebody could find, somebody could compromise and

141
00:08:59,580 --> 00:09:05,310
turn into a way to access your personal information across your network.

142
00:09:06,060 --> 00:09:11,760
Old Blu-ray players that you might have put in the garage but left plugged in or left turned

143
00:09:11,760 --> 00:09:12,030
on.

144
00:09:12,450 --> 00:09:13,290
They may have

145
00:09:14,250 --> 00:09:15,390
a network connection.

146
00:09:15,510 --> 00:09:17,910
And they may be communicating out over the Internet.

147
00:09:18,360 --> 00:09:24,250
And whether you use Legion, use nmap, netdiscover, any of the tons of tools that are built into Kali,

148
00:09:25,530 --> 00:09:30,440
it's a great way to check to see if there are things on your network that you don't recognize or that

149
00:09:30,450 --> 00:09:34,560
maybe shouldn't be there. In our public map network

150
00:09:34,590 --> 00:09:38,640
we had our gateway and our DHCP server that gives us IP addresses.

151
00:09:38,970 --> 00:09:44,580
We had a Kali box, a Windows and our Metasploitable VMs, and those are the only things that should

152
00:09:44,580 --> 00:09:45,000
be in there.

153
00:09:45,000 --> 00:09:46,650
They're the only things that are there.

154
00:09:47,130 --> 00:09:54,510
So it's really good to be able to do these types of scans to check for devices and then check, using

155
00:09:54,510 --> 00:10:00,450
Legion, for vulnerabilities in those devices that could make it easy for an attacker to

156
00:10:01,960 --> 00:10:08,530
take advantage of vulnerabilities or weaknesses in your network and compromise an old machine.

157
00:10:09,460 --> 00:10:13,090
Well, that wraps it up for what we're going to do with recon and scanning.

158
00:10:13,120 --> 00:10:16,690
But I hope this information gathering has been useful for you, and I hope it's something you can put

159
00:10:16,690 --> 00:10:19,420
to use in your organization and in your own home.