1 00:00:01,050 --> 00:00:10,200 OK, Big Tall is ahead of us, it's time we cover nmap. Now, what is nmap? Well, nmap is shortened
2 00:00:10,200 --> 00:00:17,730 for network map, and it's a tool used to pretty much map the network or discover open ports on the target
3 00:00:17,730 --> 00:00:19,050 system that you're scanning.
4 00:00:20,100 --> 00:00:25,950 With those open ports, we can also discover which services are running on those open ports, and nmap
5 00:00:26,070 --> 00:00:32,940 can go as deep as discovering which version of a service is running on which open port on the target
6 00:00:32,940 --> 00:00:36,630 system. Now, nmap does have some other options as well.
7 00:00:36,930 --> 00:00:42,240 But as we did mention in the previous video, we're here to only discuss the basics of nmap.
8 00:00:42,510 --> 00:00:48,030 And if you'd like to dive deeper into nmap, you can take a look at our cheat sheet, or you can also
9 00:00:48,030 --> 00:00:50,240 learn it from the nmap manual.
10 00:00:50,850 --> 00:00:52,670 We already know how to open the manual.
11 00:00:52,710 --> 00:00:57,930 You just type man and then the tool name, and it will open the manual for that tool.
12 00:00:58,920 --> 00:01:05,220 However, we are not going to read it right now; we're more interested in running the help menu of
13 00:01:05,220 --> 00:01:10,170 nmap, and this will be a shorter version of what the possibilities with this tool are.
14 00:01:10,500 --> 00:01:15,960 As we can see, there are a lot of options that we can run, if you'd like to read through them and see
15 00:01:15,960 --> 00:01:17,160 what the possibilities are.
16 00:01:17,310 --> 00:01:23,760 But right now, we're going to perform the very basic scan with nmap just to see what output we
17 00:01:23,760 --> 00:01:26,210 get and what this does for us.
18 00:01:27,430 --> 00:01:32,410 The very basic scan would be typing nmap and then the IP address of our target.
19 00:01:34,320 --> 00:01:41,190 And as we can see, it finished in less than a second, and this is the output that we get. We scanned our
20 00:01:41,280 --> 00:01:47,870 OWASP virtual machine, and all the output that we get is which ports our machine has open.
21 00:01:48,660 --> 00:01:50,260 And there are quite a few of them.
22 00:01:50,400 --> 00:01:58,320 So we have port 22 open, which is running the SSH service. We got our website hosted on
23 00:01:58,320 --> 00:02:01,380 port 80, since it's running HTTP over there.
24 00:02:01,800 --> 00:02:07,230 And as well, we got our website on port 443, which is running HTTPS.
25 00:02:08,320 --> 00:02:13,960 But we do also get some other ports open that are running different services, and that is also why
26 00:02:13,960 --> 00:02:15,160 nmap is useful.
27 00:02:15,160 --> 00:02:21,460 Perhaps sometimes, once you're scanning a website, you will discover other ports that are hosting other
28 00:02:21,460 --> 00:02:25,410 services, even though the website might not have bugs itself.
29 00:02:25,840 --> 00:02:31,930 Maybe the machine hosting the website has other services that are vulnerable to a different attack,
30 00:02:32,140 --> 00:02:34,330 but that is out of the scope of this course.
31 00:02:34,360 --> 00:02:40,600 However, you can use nmap to determine that, and you will use nmap a lot if you perform penetration
32 00:02:40,600 --> 00:02:41,080 testing.
33 00:02:42,000 --> 00:02:48,300 So this very basic scan gave us the output of all of the open ports on the machine, and it also gave us
34 00:02:48,300 --> 00:02:52,500 that it found 991 closed ports.
35 00:02:52,830 --> 00:02:53,790 Now, why is that?
36 00:02:54,090 --> 00:02:59,160 Well, nmap by default scans the 1000 most known ports.
37 00:02:59,490 --> 00:03:05,910 And out of those thousand, 991 were closed, while these nine ports are found
38 00:03:05,910 --> 00:03:06,630 to be open.
39 00:03:07,790 --> 00:03:13,670 If you want to dive even deeper into these open ports, and perhaps you want to discover the version of
40 00:03:13,670 --> 00:03:21,430 a service that is running on this open port, you can run this command: nmap -sV and then
41 00:03:21,620 --> 00:03:24,380 the IP address of your target.
42 00:03:24,380 --> 00:03:32,320 In our case, I'm scanning OWASP BWA, and if I run it, it will take longer to finish than this scan.
43 00:03:32,330 --> 00:03:34,750 However, it should also take about a few seconds.
44 00:03:35,300 --> 00:03:36,620 Let's wait for it to finish.
45 00:03:38,060 --> 00:03:43,280 And this is the output that we get right now. You will notice that it's quite a bit larger than the previous
46 00:03:43,280 --> 00:03:49,850 one, since besides getting the same output, which is which ports are open, we also get this column
47 00:03:49,850 --> 00:03:51,540 right here that says VERSION.
48 00:03:52,070 --> 00:03:56,180 It gave us the version of each service that it found on an open port.
49 00:03:56,180 --> 00:04:03,830 For example, if we take a look at SSH running on port 22, we get the exact same version that this
50 00:04:03,950 --> 00:04:11,000 target machine has, as well as we get the exact Apache version that is being hosted on port 80
51 00:04:11,240 --> 00:04:12,220 for HTTP.
52 00:04:12,770 --> 00:04:16,850 And we do see that it does match with the output that we got.
53 00:04:17,000 --> 00:04:22,400 If you remember, from our WhatWeb scan we got Apache 2.2.14.
54 00:04:22,820 --> 00:04:27,980 Well, nmap gave us the same results, so we can pretty much determine that this is the correct output
55 00:04:27,980 --> 00:04:33,100 and that the target machine is indeed running Apache 2.2.14.
56 00:04:33,770 --> 00:04:36,730 We also get the versions for other ports as well.
57 00:04:37,280 --> 00:04:39,050 So this is pretty useful information.
58 00:04:39,320 --> 00:04:45,500 And we can also see that apparently HTTP is being served on these ports as well.
59 00:04:45,750 --> 00:04:53,840 So it's not only port 80; we also have HTTP running on port 8080, which is running Apache Tomcat,
60 00:04:54,680 --> 00:05:00,290 and we got HTTP being served on port 8081, which is running Jetty.
61 00:05:00,830 --> 00:05:03,050 Now this is something that we didn't know before.
62 00:05:03,170 --> 00:05:11,750 And now if we go, for example, to our Firefox and we try to visit our OWASP virtual machine on port 8081,
63 00:05:11,750 --> 00:05:14,330 so let's type it right here.
64 00:05:15,590 --> 00:05:18,800 8081.
65 00:05:20,700 --> 00:05:21,000 Wow.
66 00:05:21,180 --> 00:05:23,800 So we do open another web page.
67 00:05:24,300 --> 00:05:29,940 This is a web page that we didn't see before, since by default every browser opens a page on port
68 00:05:29,940 --> 00:05:32,480 80, since that is the usual HTTP port.
69 00:05:32,880 --> 00:05:36,060 If we wanted to, for example, open up a web page on a different port,
70 00:05:36,090 --> 00:05:38,400 we need to manually type it like this.
71 00:05:38,760 --> 00:05:41,190 And we do open another web page.
72 00:05:43,210 --> 00:05:44,890 Let's see, what else do we get?
73 00:05:46,180 --> 00:05:51,310 So pretty much that would be about it, all of these service versions. And another thing that I want
74 00:05:51,310 --> 00:05:56,600 to show you that is possible with nmap is to use something called scripts. Now,
75 00:05:56,620 --> 00:05:59,520 nmap can also try to find vulnerabilities.
76 00:05:59,530 --> 00:06:02,010 It can be used as a vulnerability scanner.
77 00:06:02,560 --> 00:06:03,520 How can we do that?
78 00:06:04,030 --> 00:06:08,260 Well, we can type something like this: nmap --script
79 00:06:08,920 --> 00:06:16,180 vuln, and then the IP address of our target. This will take a little bit longer to finish,
80 00:06:16,180 --> 00:06:21,150 because it does perform all the scripts that are used for discovering vulnerabilities.
81 00:06:21,610 --> 00:06:29,440 And while this is running, let me show you this website called nmap.org, where you can pretty
82 00:06:29,440 --> 00:06:32,710 much read anything about nmap that you like.
83 00:06:33,280 --> 00:06:37,000 You can go to this page and you can also find the manual here.
84 00:06:37,120 --> 00:06:43,450 Read all of the available options with nmap, read what it is used for, in case you're interested in this.
85 00:06:44,140 --> 00:06:44,590 Awesome.
86 00:06:44,740 --> 00:06:47,470 Let's see if our scan is finishing.
87 00:06:47,470 --> 00:06:49,690 We did get some output right here.
88 00:06:49,960 --> 00:06:56,380 And by the way, you can check out the percentage of your scan by typing up arrow, and it will tell you
89 00:06:56,380 --> 00:06:58,570 at what percentage it is at.
90 00:06:58,810 --> 00:07:00,820 So let's wait for it to finish.
91 00:07:02,520 --> 00:07:07,200 OK, and this did last much longer than I thought.
92 00:07:07,220 --> 00:07:15,050 It took quite a few minutes, but it's finally over, and here is all the output that we get if we scroll
93 00:07:15,050 --> 00:07:15,840 all the way up.
94 00:07:16,010 --> 00:07:17,410 Let's start from the beginning.
95 00:07:17,930 --> 00:07:23,990 It's going to run the scripts per port, so it determines first which ports are open.
96 00:07:24,320 --> 00:07:29,690 Then for each port it runs all of the scripts that are used for discovering vulnerabilities.
97 00:07:29,690 --> 00:07:37,580 As we can see, for HTTP port 80, it ran first the script http-cross-domain-policy.
98 00:07:38,400 --> 00:07:45,130 Down here, it tells us that the state is VULNERABLE, so perhaps we found our first vulnerability.
99 00:07:46,020 --> 00:07:52,440 Keep in mind that sometimes nmap does know to give false positives, and I will show in just a second why.
100 00:07:53,230 --> 00:07:54,880 Let's go all the way down.
101 00:07:55,080 --> 00:07:58,850 We got the CSRF script running right here.
102 00:07:59,400 --> 00:08:03,750 It tells us: found the following possible CSRF vulnerabilities.
103 00:08:03,750 --> 00:08:10,170 So this is not really one hundred percent; it just says that it could be possible on these links.
104 00:08:10,380 --> 00:08:16,080 And by the way, if you don't know what these vulnerabilities are, CSRF, XSS, don't worry.
105 00:08:16,110 --> 00:08:19,690 Those are all the bugs that we will cover once we get to the bug bounty.
106 00:08:19,710 --> 00:08:22,170 And trust me, we're getting there quick.
107 00:08:22,920 --> 00:08:25,770 Nonetheless, let's just go through this.
108 00:08:25,770 --> 00:08:35,190 Here is the HTTP DOM-based XSS, and let's see right here: found the following indications of potential
109 00:08:35,190 --> 00:08:36,659 DOM-based XSS.
110 00:08:36,960 --> 00:08:40,650 That's interesting, on this page.
111 00:08:41,100 --> 00:08:42,780 Let's go down here.
112 00:08:42,990 --> 00:08:46,320 We got the SQL injection script running.
113 00:08:46,950 --> 00:08:51,360 It found possible SQL injection queries on these links right here.
114 00:08:51,510 --> 00:08:57,870 These are all the links that we would want to test in a real penetration testing attack. Down here
115 00:08:57,870 --> 00:09:04,950 we got the HTTP stored XSS script, and here it says couldn't find any stored XSS vulnerabilities.
116 00:09:05,370 --> 00:09:07,020 And that is false.
117 00:09:07,290 --> 00:09:16,170 I assure you that on the page, or on OWASP, we will get certain pages that do have HTTP stored XSS,
118 00:09:16,290 --> 00:09:20,100 so you can never fully trust what you get from a certain tool.
119 00:09:20,280 --> 00:09:24,870 That's why we will be discovering all of our bugs manually and not with tools.
120 00:09:25,830 --> 00:09:31,920 So you can scroll all the way down and check out all the other scripts that it ran and what the
121 00:09:31,920 --> 00:09:39,480 results are. Or, if you don't want to run these types of scans, which use every single script to discover
122 00:09:39,480 --> 00:09:46,080 vulnerabilities, you can, for example, copy a script's name, which you can also find on the nmap.org
123 00:09:46,080 --> 00:09:53,700 website. You can find all of the scripts that nmap has, and you can run a single script by typing
124 00:09:53,700 --> 00:10:03,240 nmap --script, then the script name, and then your target IP address, and it will only
125 00:10:03,240 --> 00:10:04,680 run this one script.
126 00:10:04,680 --> 00:10:11,520 In case you're trying to target just one vulnerability, you can simply run just one script that
127 00:10:11,520 --> 00:10:14,930 discovers that vulnerability and see what nmap will tell you.
128 00:10:15,570 --> 00:10:21,810 Once again, if I'm not mistaken, this stored XSS script will give us the result that there is no such
129 00:10:21,810 --> 00:10:23,880 thing on the virtual machine.
130 00:10:24,180 --> 00:10:31,140 However, we will see later that stored XSS does indeed exist on our OWASP virtual machine.
131 00:10:32,250 --> 00:10:33,690 And here is the response.
132 00:10:33,810 --> 00:10:41,310 So this is what we get: open ports, and on the ports, because XSS is a website vulnerability, it tells
133 00:10:41,310 --> 00:10:49,170 us that it couldn't find any stored XSS vulnerabilities on both HTTP and HTTPS. OK.
134 00:10:49,380 --> 00:10:54,000 Nonetheless, these are some of the basics of nmap and how we can use nmap.
135 00:10:54,300 --> 00:11:00,330 Now, I strongly recommend that you dive deeper into this tool, and we will be leaving some resources
136 00:11:00,330 --> 00:11:06,180 for you to take a look at in order to learn nmap, since it can be useful not only for website penetration
137 00:11:06,180 --> 00:11:10,150 testing, but for penetration testing and ethical hacking in general.
138 00:11:10,590 --> 00:11:13,410 This is one of the most important tools that hackers use.
139 00:11:13,980 --> 00:11:18,750 Nonetheless, as I mentioned, you will have resources where you can learn more about this tool.
140 00:11:19,020 --> 00:11:24,320 And in the next video, right before we get into it, there is one more tool that we need to cover,
141 00:11:24,330 --> 00:11:27,480 which is called Nikto. See you in the next video.