WEBVTT

00:00.560 --> 00:05.660
One of the big challenges we have when we're looking at a network is we need to know what is in this

00:05.660 --> 00:06.620
network.

00:06.620 --> 00:11.870
Now in other episodes we talk about tools like, for example, netstat, which allow us to know what's happening

00:11.870 --> 00:14.990
on an individual host, our local host.

00:14.990 --> 00:20.420
But what if you have a whole bunch of computers? There's a zillion scenarios within the IT security

00:20.420 --> 00:26.870
world where you want to be sitting at one computer and you want to start checking out other computers.

00:26.870 --> 00:31.790
Now when I'm talking about checking on other computers, we're talking about using powerful tools that

00:31.790 --> 00:38.840
will query not just one system but all the systems within a certain, say, network ID to determine what

00:38.840 --> 00:40.030
is going on.

00:40.220 --> 00:46.040
So I call these in general network scanners, but they go by a lot of other names as well.

00:46.040 --> 00:48.700
Port scanner is another name you hear quite a bit.

00:48.700 --> 00:54.140
The bottom line is that on Security+ you're going to be running into certain tools that will

00:54.140 --> 00:58.540
go out and sniff a network and that's what I want to talk about right now.

00:58.550 --> 01:04.250
Now the first one I want to talk about is probably the most famous, called nmap, and nmap is a powerful,

01:04.250 --> 01:05.520
powerful tool.

01:05.600 --> 01:10.640
It is used for inventorying networks, it's used for looking for bad guys, it's used for all kinds of

01:10.640 --> 01:14.150
stuff, but it's not the easiest one in the world to use.

01:14.150 --> 01:16.090
However I'm not too bad at it.

01:16.100 --> 01:22.070
So let's take a moment and use it. Now I need to warn you, nmap is more commonly used on Linux systems,

01:22.100 --> 01:27.410
but I'm a Windows guy, so I've got it running right here, so anybody out there who likes Linux, don't yell

01:27.410 --> 01:28.080
at me.

01:28.400 --> 01:30.130
All right so here I am at a command prompt.

01:30.130 --> 01:31.860
I've got nmap installed.

01:31.970 --> 01:36.890
So there's a lot of different ways to run nmap, so the first thing I'm going to do is I'm going to

01:36.890 --> 01:38.850
just check out the network around me.

01:39.110 --> 01:44.580
So I'm going to type nmap, give me lots of verbose information,

01:45.840 --> 01:52.630
and then do what's known as a ping scan, and then I'm going to give it a network to check out, which

01:52.630 --> 01:56.060
is the local network for this right here.

01:56.230 --> 01:58.180
And let's see what happens.

01:58.930 --> 02:01.420
When I run this now, it's going to be taking a minute.

02:01.420 --> 02:09.380
So that's the one downside to nmapping: sometimes you've got to sit around and wait a little bit.

02:09.450 --> 02:11.390
OK so we've got to tell about it here.

02:11.520 --> 02:14.710
Let me scroll up to the top so we can see this.

02:14.710 --> 02:22.810
So basically what I've asked nmap to do is I said look out on the entire 192.168.4 with a

02:22.810 --> 02:27.820
/24 subnet mask and just give me a quick idea of what's out there.

02:27.820 --> 02:29.770
I'm not asking for much information.

02:29.920 --> 02:36.090
So let's pick individual ones, so you'll see it just starts at 0 and goes all the way through.

02:36.550 --> 02:38.970
And here it found, like, this is my router.

02:39.010 --> 02:41.680
These are some more unused IP addresses.

02:42.130 --> 02:47.270
And as we go through you'll notice what it's doing is it's giving me an idea of how many up and live

02:47.270 --> 02:49.330
systems are out there.

02:49.420 --> 02:50.610
Right this very moment.

02:50.610 --> 02:54.000
So there's a lot of computers on my little network.

02:54.000 --> 02:55.300
No big surprise there.

02:56.670 --> 02:58.440
Now it doesn't stop there.

02:58.440 --> 03:00.280
We can actually go a lot deeper now.

03:00.360 --> 03:05.520
One of the things I want to do this time is I'm going to run nmap again, but this time instead

03:05.520 --> 03:10.890
of just looking on my own little local network I'm actually going to go to a very specific computer

03:10.920 --> 03:16.050
out on the Internet that nmap has been nice enough to set up for us to play with.

03:16.140 --> 03:21.010
And it's the infamous scanme.nmap.org computer, so let me type this in real quick.

03:21.180 --> 03:22.670
So you type nmap again.

03:22.710 --> 03:28.220
I want verbose output; this time I'm saying I want to know what the operating systems are,

03:34.170 --> 03:35.870
and we're going to let this puppy go.

03:36.180 --> 03:39.030
Now in this particular case we're not scanning an entire network.

03:39.030 --> 03:42.640
I'm actually trying to zero in on one very specific computer.

03:42.700 --> 03:44.070
So let's see what he came up with.

03:44.070 --> 03:44.400
All right.

03:44.400 --> 03:45.360
Fantastic.

03:45.360 --> 03:49.780
So let's take a look at what's happening on just this one little machine.

03:49.800 --> 03:54.000
Now if you think about this, they're going to put some fun stuff for us to find here.

03:54.000 --> 03:54.570
All right.

03:54.570 --> 03:58.040
First of all here's all the different types of work it's trying to do.

03:58.050 --> 03:59.840
But here's what I'm interested in.

03:59.880 --> 04:03.430
I notice that port 22 is open, so it's an SSH server.

04:03.450 --> 04:09.960
I see that port 80 is open, so I know automatically that's a web server, and then port 9929, which is

04:09.960 --> 04:16.410
a nonstandard port number, is also available, and I can go ahead and start doing stuff with this.

04:16.620 --> 04:22.780
So that's one of the most important aspects to nmap, is that nmap by itself doesn't do anything.

04:22.920 --> 04:29.970
What nmap allows me to do is to go in, query a system, and then I can start doing stuff. If I know that

04:29.970 --> 04:31.380
port 22 is open.

04:31.410 --> 04:36.410
I might turn to some SSH attack tools to try to break into the system via SSH.

04:36.600 --> 04:41.370
If I'm just a network administrator and all of a sudden I see one of my services running SSH, I might

04:41.370 --> 04:44.130
be making some phone calls to shut that port off.

04:44.160 --> 04:51.200
So when we're talking about a tool like nmap, keep in mind different scenarios require different actions.

04:51.210 --> 04:56.390
But this is actually pretty cool because not only does it show that it's SSH.

04:56.490 --> 05:00.960
Here's my SSH keys that are involved with that particular one.

05:00.960 --> 05:09.230
And I've got some other... I know this is a Windows machine because I see it's running 135, 139, and 445.

05:09.470 --> 05:13.880
And then it gives me a little traceroute, so I know the process I went through to get to that particular

05:13.880 --> 05:15.470
system.

05:15.480 --> 05:19.700
So here's just one example of how that can really be handy now.

05:19.860 --> 05:21.270
I like that quite a bit.

05:21.270 --> 05:25.770
It is on every thumb drive. You come up and say hi to me, I'm going to have a thumb drive on me, and on that

05:25.770 --> 05:27.780
thumb drive is going to be nmap.

05:27.780 --> 05:33.960
But one of the downsides to nmap is that it's a little hard to read like this, so there's a wonderful

05:33.960 --> 05:41.820
tool that comes with nmap called Zenmap, and all Zenmap is is a graphical user interface, an overlay

05:41.880 --> 05:45.460
that runs on top of nmap, so let's fire him up.

05:45.510 --> 05:47.120
OK so welcome to Zenmap.

05:47.120 --> 05:52.120
Now one of the things you're going to learn about Zenmap is that, basically, just as you saw me type

05:52.120 --> 05:57.490
in those strange commands at the command prompt, you're really doing the same thing; it just organizes

05:57.490 --> 05:58.520
it a little bit better.

06:03.600 --> 06:06.170
So let's go ahead and have him do so.

06:06.360 --> 06:08.390
He has all these pre-made scans.

06:08.580 --> 06:14.020
I'm going to do what's called a ping scan which is not super aggressive.

06:14.040 --> 06:17.450
Now while this guy is scanning, there's a couple of things I need to warn you about.

06:17.670 --> 06:23.880
Any decent intrusion detection system, either host-based or network-based, is going to go bananas if you

06:23.880 --> 06:29.580
start running scans like this on a network, so be warned: if you're in the office and you actually

06:29.610 --> 06:34.360
get to try nmap, you may end up getting a phone call.

06:34.370 --> 06:36.690
OK so we've got some output here.

06:36.810 --> 06:41.180
So now we can see we've got a whole bunch of systems on this network.

06:41.250 --> 06:45.630
I want to keep that a little bit close because I don't want you guys seeing exactly my DNS settings

06:45.630 --> 06:46.400
on everything.

06:46.500 --> 06:50.050
But the bottom line is I've got tons and tons of systems.

06:50.070 --> 06:55.020
It's a little bit easier to use than running nmap from a command prompt because I can click around

06:55.020 --> 06:55.930
a little bit.

06:55.950 --> 07:03.660
It also has some handy tools, for example a topology tool. He's a little bit of a challenge to work, but

07:03.660 --> 07:04.980
we can make him work.

07:05.150 --> 07:06.380
Let me zoom in a little bit.

07:06.500 --> 07:11.760
And all this is doing is representing all the different systems on this individual LAN.

07:12.020 --> 07:15.050
So it's kind of pretty in the way that it just shows all this stuff.

07:15.050 --> 07:20.080
Let me scroll it a little more if I can get this fish I have to bring up a little bit more he's not

07:20.080 --> 07:21.550
going to play that's OK.

07:22.660 --> 07:28.750
And I could actually click on individual systems and I can do whatever research I need to do on it.

07:28.750 --> 07:30.720
What are reports and whatever.

07:30.750 --> 07:37.720
Now that was a bad example but I can go through and look at all these individual systems and figure

07:37.720 --> 07:41.490
out what's going on, to see if this one's a little bit more interesting.

07:41.500 --> 07:41.980
There we go.

07:41.980 --> 07:47.200
So on that one particular system which happens to be my router I can get whatever information is going

07:47.200 --> 07:48.820
on on that particular system.

07:48.830 --> 07:57.020
So Zenmap is just a semi-graphical nmap, and it is an incredibly powerful tool.

07:57.040 --> 08:00.920
Now nmap is great, but it's not the only one out there.

08:00.920 --> 08:06.800
In fact there's a lot of really wonderful, absolutely free tools out there, and I'm going to show you

08:06.800 --> 08:08.980
one real quick. Let me close him out.

08:10.480 --> 08:15.400
And what I have here is a wonderful free tool called Advanced Port Scanner. It's completely free, it

08:15.400 --> 08:22.370
works fantastic, and it's kind of doing the same job that we saw with nmap, or at least the Zenmap interface.

08:22.390 --> 08:29.370
You can see that I've told him to scan everything from 192.168.4.1 to 192.168.4.254.

08:29.550 --> 08:35.890
And this guy right here gives me all kinds of information; for example, I can click on a particular system,

08:36.190 --> 08:40.600
I can see what ports are open on this.

08:40.680 --> 08:42.250
I can run tools there.

08:42.330 --> 08:46.470
I could run SSH against it and see if that actually works.

08:46.860 --> 08:50.580
So I can connect into something if I want to.

08:51.720 --> 08:57.870
But the bottom line is that I know all the different systems that are on the network and I also can

08:57.870 --> 08:59.590
tell what ports are open.

08:59.610 --> 09:03.450
So that's really what these types of network scanners can do.

09:03.450 --> 09:08.470
So when you're using network scanners, keep in mind there's going to be three big areas where you're

09:08.490 --> 09:09.170
going to be using them.

09:09.170 --> 09:13.560
Number one, you're looking for open ports, maybe not necessarily on one machine.

09:13.560 --> 09:19.500
Maybe you are, but these types of tools tell you all the open ports on all the different systems on your

09:19.500 --> 09:23.100
network, and then you can decide what to do if you're doing a vulnerability assessment.

09:23.100 --> 09:28.110
Well, maybe you can use that as a way to attack a system. If you're a network administrator and you're

09:28.110 --> 09:30.440
trying to stop these guys.

09:30.450 --> 09:35.400
This is where you can then go over to that system and turn off whatever open ports are running.

09:35.400 --> 09:39.510
The other big thing that makes these incredibly popular is network inventory.

09:39.540 --> 09:44.590
It shocks us how many times we don't know what's on our own networks.

09:44.610 --> 09:49.580
Now I'm not talking about individual desktops and things like that, but people bringing in smartphones

09:49.590 --> 09:53.790
and people plugging in their own little laptops or anything like that.

09:53.790 --> 09:55.330
Tools like this will find them.

09:55.350 --> 09:59.190
It's got to have an IP address to be on the network, and they'll help you with it.

09:59.190 --> 10:04.920
The last thing you want to watch out for is what I call rogue systems. A rogue system is generally any

10:04.920 --> 10:06.910
system that really shouldn't be on the network.

10:06.910 --> 10:08.640
That doesn't always mean evil.

10:08.640 --> 10:13.770
For example, it's really common for people to bring in an extra system and they plug it in.

10:13.770 --> 10:21.150
It's just their home system, and that could cause problems in terms of, does that system have good anti-malware,

10:21.160 --> 10:22.140
whatever it might be.

10:22.140 --> 10:43.240
So when you're thinking about these tools, keep in mind those different types of scenarios.
