Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,000 --> 00:00:03,200 Hello everybody and welcome to this tutorial. 2 00:00:03,200 --> 00:00:07,200 Today I will start a chapter on footprinting. 3 00:00:07,200 --> 00:00:11,000 So I have explained what the act of footprinting is before 4 00:00:11,000 --> 00:00:16,400 but now we will actually go ahead and conduct a few scans to see how it all works 5 00:00:16,400 --> 00:00:20,300 and introduce you to the tools that we will be using. 6 00:00:20,300 --> 00:00:23,500 So first off, we need to find ourselves a target to scan. 7 00:00:23,500 --> 00:00:27,000 Of course I could just scan myself or something of a kind 8 00:00:27,000 --> 00:00:29,800 but that would not be a realistic thing really 9 00:00:29,800 --> 00:00:35,400 because I already know what the results are going to be, plus on top of that 10 00:00:35,400 --> 00:00:39,250 I'm not scanning long range over the Internet or something of a kind. 11 00:00:39,250 --> 00:00:41,500 I would be scanning within my own local network 12 00:00:41,500 --> 00:00:44,400 so the speeds of the scan would not be realistic 13 00:00:44,400 --> 00:00:50,400 as it would be a lot faster then, say, when you conduct a scan over the net 14 00:00:50,400 --> 00:00:53,300 some distant and remote server. 15 00:00:53,300 --> 00:00:57,000 So what I did was I went online, and you can do the same 16 00:00:57,000 --> 00:01:02,200 and I found on the official Nmap website 17 00:01:02,200 --> 00:01:08,000 they have a section devoted to actually allowing people to scan them to test their tool out. 18 00:01:08,000 --> 00:01:12,000 Now here I am selecting the permission. 19 00:01:12,000 --> 00:01:16,200 There is a written permission here that you can actually scan this website 20 00:01:16,200 --> 00:01:19,200 and they basically say you can scan it to test it out. 21 00:01:19,200 --> 00:01:26,700 A few scans a day here is fine, but do not scan a hundred times a day 22 00:01:26,700 --> 00:01:31,800 or use this to test your ssh brute-force password cracking tool, etc. 23 00:01:31,800 --> 00:01:34,000 So that's definitely something you don't want to do 24 00:01:34,000 --> 00:01:37,700 but you can run a few scans on this site per day 25 00:01:37,700 --> 00:01:41,000 and according to them, that's perfectly fine. 26 00:01:41,000 --> 00:01:43,850 You're not breaking any laws or anything of a kind 27 00:01:43,850 --> 00:01:50,000 and I am just emphasizing one more time that you do have a written permission right here on the site 28 00:01:50,000 --> 00:01:56,000 which is fantastic, because it gives us an opportunity to actually simulate real time circumstances 29 00:01:56,000 --> 00:01:59,600 and see how Nmap behaves. 30 00:01:59,600 --> 00:02:06,200 Now Nmap is an unescapable tool of pretty much any pen tester out there. 31 00:02:06,200 --> 00:02:11,700 Many people say today that it's pointless to port scan 32 00:02:11,700 --> 00:02:13,700 it doesn't do you much good, and so on and so forth. 33 00:02:13,700 --> 00:02:19,000 Well, perhaps in terms of exploiting the services running on the port themselves 34 00:02:19,000 --> 00:02:20,700 it doesn't do you much good 35 00:02:20,700 --> 00:02:24,900 but just by seeing which ports are open and which ports are closed 36 00:02:24,900 --> 00:02:26,400 you can, to a fairly good extent 37 00:02:26,400 --> 00:02:32,400 determine what operating system or what platform is being used on the other side 38 00:02:32,400 --> 00:02:35,700 and then you can find weaknesses of that same platform. 39 00:02:35,700 --> 00:02:37,920 Of course, there are some other ways of doing this. 40 00:02:37,920 --> 00:02:41,600 I will show them to you, like banner grabbing or something of a kind 41 00:02:41,600 --> 00:02:45,500 but let's just see how Nmap really works. 42 00:02:45,500 --> 00:02:51,590 Now Nmap is known to basically trigger quite a lot of alarms 43 00:02:51,590 --> 00:02:56,300 quite a lot of firewall red flags, so to say 44 00:02:56,300 --> 00:03:01,200 and you want to make sure that your Nmap scans are as quiet as possible. 45 00:03:01,200 --> 00:03:05,500 Now there are tools to actually figured this out 46 00:03:05,500 --> 00:03:10,300 but I will show you here how to actually do it by a terminal. 47 00:03:10,300 --> 00:03:13,000 There's also something called zenmap. 48 00:03:13,000 --> 00:03:18,500 Now zenmap is basically a graphical user interface of nmap, but we will not be using that. 49 00:03:18,500 --> 00:03:22,200 Rather instead, I want to teach you how to use a terminal version 50 00:03:22,200 --> 00:03:25,200 So nmap is the one most commonly used 51 00:03:25,200 --> 00:03:28,500 and it is always used in the terminal text format. 52 00:03:28,500 --> 00:03:33,000 Rarely anybody uses the actual graphical user interface. 53 00:03:33,000 --> 00:03:37,000 In the previous chapter, we have also discussed how to stay anonymous. 54 00:03:37,000 --> 00:03:41,000 So at the end of this chapter, I will be combining these things -- 55 00:03:41,000 --> 00:03:48,300 The act of scanning and anonymizing your scans. 56 00:03:48,300 --> 00:03:53,200 However, you might think about that before you get to the final tutorial of this chapter 57 00:03:53,200 --> 00:03:55,600 and perhaps try to do it yourselves. 58 00:03:55,600 --> 00:03:59,200 It doesn't matter if you fail or something or kind, it truly doesn't. 59 00:03:59,200 --> 00:04:03,800 What is important is that you give it a shot and you try it once. 60 00:04:03,800 --> 00:04:06,000 Okay, failure. Fine. No problems. 61 00:04:06,000 --> 00:04:07,500 Try it twice, thrice 62 00:04:07,500 --> 00:04:11,000 The fourth time you're bound to have some sort of results. 63 00:04:11,000 --> 00:04:13,800 As long as you keep improving yourselves, it's fine. 64 00:04:13,800 --> 00:04:21,500 In any case, without further ado, let's just type in "nmap - -help" 65 00:04:21,500 --> 00:04:25,000 Whoops, I mistyped that of course 66 00:04:25,000 --> 00:04:28,500 "nmap - -help", press ENTER, and there we go. 67 00:04:28,500 --> 00:04:30,500 There are a lot of options here. 68 00:04:30,500 --> 00:04:33,000 I mean, a ton load of options. 69 00:04:33,000 --> 00:04:37,800 Way more options than we actually need for some sort of basic things. 70 00:04:37,800 --> 00:04:41,300 However, eventually over time 71 00:04:41,300 --> 00:04:45,700 you will come to understand that all of these options are not here for nothing. 72 00:04:45,700 --> 00:04:51,000 They are here because they were needed at some point of time 73 00:04:51,000 --> 00:04:53,770 and they are pretty much all still used. 74 00:04:53,770 --> 00:04:58,000 So what you need to do is scroll down to the bottom 75 00:04:58,000 --> 00:05:02,300 and here you have examples of how nmap runs 76 00:05:02,300 --> 00:05:06,400 So you type in "nmap -v" almost always 77 00:05:06,400 --> 00:05:08,600 99% of times 78 00:05:08,600 --> 00:05:12,000 99% of time is verbose output. 79 00:05:12,000 --> 00:05:19,000 Basically you're telling your system to give you more information in regards to what it is doing. 80 00:05:19,000 --> 00:05:21,000 "-A" -- I am not sure what this function is... 81 00:05:21,000 --> 00:05:28,000 Oh here is -- "-A: Enable OS detection, version detection, script scanning, and traceroute" 82 00:05:28,000 --> 00:05:30,500 I don't think we're going to need that immediately. 83 00:05:30,500 --> 00:05:35,000 There is -o function, which is just for OS detection. 84 00:05:35,000 --> 00:05:41,640 Anyway. and then you can pass either this one -- scanme.nmap.org 85 00:05:41,640 --> 00:05:46,200 which is basically the domain name, which will get resolved to an IP address 86 00:05:46,200 --> 00:05:48,600 or you can actually pass it an IP address 87 00:05:48,600 --> 00:05:52,500 and if you're wondering what this is, this is a mask 88 00:05:52,500 --> 00:05:56,600 and it would be very difficult to explain in great detail what this is 89 00:05:56,600 --> 00:06:02,200 but for the time being, know that this is actually an IP address range. 90 00:06:02,200 --> 00:06:06,300 So it goes from a certain IP address to a certain IP address 91 00:06:06,300 --> 00:06:11,700 because this goes way into networking and binary numbers, and so on and so forth 92 00:06:11,700 --> 00:06:13,800 but you do not actually need to use this format. 93 00:06:13,800 --> 00:06:18,600 Not that many people actually use this particular format with the mask. 94 00:06:18,600 --> 00:06:22,300 They just tend to specify very specific ranges 95 00:06:22,300 --> 00:06:27,200 because they usually don't have the permissions to scan the entire subnet. 96 00:06:27,200 --> 00:06:30,390 Rather instead, they have to create lists 97 00:06:30,390 --> 00:06:35,200 and then skip certain IP addresses, and then continue again from a certain point. 98 00:06:35,200 --> 00:06:40,000 So they do need to create lists, and that can be a problem. 99 00:06:40,000 --> 00:06:46,400 Now up here, at the top, you have another very important option that will come in handy. 100 00:06:46,400 --> 00:06:51,200 You have "-iL 101 00:06:51,200 --> 00:06:58,000 So you can actually create a list in a file, a list of IP addresses 102 00:06:58,000 --> 00:07:02,000 and then you can scan those particular IP addresses. 103 00:07:02,000 --> 00:07:05,200 You also have an ability to do this 104 00:07:05,200 --> 00:07:07,300 Look at what's written here 105 00:07:07,300 --> 00:07:10,700 So just take a look at this segment --It's 10.0 106 00:07:10,700 --> 00:07:17,700 and then this segment here, this octet -- It's 0.255 107 00:07:17,700 --> 00:07:22,200 and then the last octet is 1 - 254 108 00:07:22,200 --> 00:07:26,000 If you're wondering why I'm calling these things octets 109 00:07:26,000 --> 00:07:29,600 it's because they have eight bits. 110 00:07:29,600 --> 00:07:34,000 Each one of these has 8 bits and it is represented in a binary form. 111 00:07:34,000 --> 00:07:41,300 So it can have eight zeros or, I don't know, eight ones or a combination of ones and zeros 112 00:07:41,300 --> 00:07:45,000 but it has eight bits...so eight positions. 113 00:07:45,000 --> 00:07:47,900 That's why they're called octets. 114 00:07:47,900 --> 00:07:51,000 This is a very common form that people tend to use 115 00:07:51,000 --> 00:07:54,500 and this is what you will find yourselves using. 116 00:07:54,500 --> 00:07:58,500 Either this -- This will be a method in which will specify the IP addresses 117 00:07:58,500 --> 00:08:02,200 or you will be passing files. 118 00:08:02,200 --> 00:08:08,600 So these files, usually people either make them themselves 119 00:08:08,600 --> 00:08:12,300 or they can find these IP addresses on the internet. 120 00:08:12,300 --> 00:08:17,400 So in addition to this site -- nmap.org 121 00:08:17,400 --> 00:08:30,000 you also have this one here... 122 00:08:30,000 --> 00:08:34,000 This is a fantastic website. 123 00:08:34,000 --> 00:08:39,000 The entire range of pretty much all the IP addresses are listed here 124 00:08:39,000 --> 00:08:41,900 and it also says who owns what 125 00:08:41,900 --> 00:08:45,400 it doesn't say for every one of them who owns which one 126 00:08:45,400 --> 00:08:50,000 but for example, you can search and find 127 00:08:50,000 --> 00:08:56,200 and it's gonna give you the appropriate IP addresses for that particular country 128 00:08:56,200 --> 00:08:58,900 and it's gonna give you the owner of those IP addresses. 129 00:08:58,900 --> 00:09:04,400 Usually just telecoms, but you also have other people who own them as well. 130 00:09:04,400 --> 00:09:06,430 So let's just give it a shot 131 00:09:06,430 --> 00:09:17,000 Let's just type in Germany or, I don't know, France... 132 00:09:17,000 --> 00:09:21,600 Okay, this is not the proper search, but not a problem. 133 00:09:21,600 --> 00:09:26,500 You can actually can find it down here 134 00:09:26,500 --> 00:09:32,500 or I could CTRL F France 135 00:09:32,500 --> 00:09:34,800 and there we go. 136 00:09:34,800 --> 00:09:39,200 So you have a range -- This is a given range here 137 00:09:39,200 --> 00:09:46,600 It's from 2.0.0.0 to 2.15.255.255 138 00:09:46,600 --> 00:09:51,100 This is a massive range. This is a humongous range. 139 00:09:51,100 --> 00:09:54,600 This is how many IP addresses you can have in total. 140 00:09:54,600 --> 00:09:57,200 How many of them you can generate within this range. 141 00:09:57,200 --> 00:09:58,800 It's quite a lot 142 00:09:58,800 --> 00:10:01,000 It's French telecom 143 00:10:01,000 --> 00:10:05,000 For some reason they need it, so you can sort them out by the owner 144 00:10:05,000 --> 00:10:10,050 and you can see that a lot of them are actually not listed here. 145 00:10:10,050 --> 00:10:13,400 France has a lot of IP addresses assigned to it. 146 00:10:13,400 --> 00:10:15,300 They're not free, they cost money. 147 00:10:15,300 --> 00:10:22,100 Let's just go ahead and see down below... Where is it? Where is it? 148 00:10:22,100 --> 00:10:25,200 Okay, so you see all of these IP addresses 149 00:10:25,200 --> 00:10:27,800 and this is a pretty massive range... 150 00:10:27,800 --> 00:10:34,000 So this is a telecom in France. 151 00:10:34,000 --> 00:10:38,000 Look at how many IP addresses ranges they have. 152 00:10:38,000 --> 00:10:39,300 That's quite a lot 153 00:10:39,300 --> 00:10:45,200 and this site, as I said previously, you can use to figure out which IP address range do you wish scan 154 00:10:45,200 --> 00:10:48,500 but you usually do not have the permission to scan the entire range. 155 00:10:48,500 --> 00:10:52,800 You can scan certain IP addresses within that range for which you have a permission 156 00:10:52,800 --> 00:10:57,200 but also very nice site to determine where the IP address is from or something like that. 157 00:10:57,200 --> 00:11:00,200 However, always remember -- 158 00:11:00,200 --> 00:11:06,000 Once you get an IP address, your search engines on the net are your best friends. 159 00:11:06,000 --> 00:11:11,300 This is one of the major components of footprinting. 160 00:11:11,300 --> 00:11:12,900 You can do the following -- 161 00:11:12,900 --> 00:11:18,000 You can type in "who is" and then type an IP address. 162 00:11:18,000 --> 00:11:22,200 I'm just gonna type in this random IP address. 163 00:11:22,200 --> 00:11:27,000 So if you don't want to see it here, you can have a look at it here. 164 00:11:27,000 --> 00:11:35,500 Somebody is going to tell me who this guy is 165 00:11:35,500 --> 00:11:36,700 There we go 166 00:11:36,700 --> 00:11:41,600 So I've typed in "who is" and I've picked the first website out that I could find 167 00:11:41,600 --> 00:11:46,500 and here I have all the information in regards to that particular IP address. 168 00:11:46,500 --> 00:11:53,000 I have a country, I have the username of the admin I suppose 169 00:11:53,000 --> 00:11:57,000 I have its status, remarks, source 170 00:11:57,000 --> 00:12:07,000 There's actually an address, a physical address of the IP, which is ridiculous. 171 00:12:07,000 --> 00:12:15,400 So as I said, search engines are your best, absolutely best, friends. 172 00:12:15,400 --> 00:12:20,400 If you want to find pretty much anything on the net or something like that 173 00:12:20,400 --> 00:12:25,800 in regards to an IP address, to do any sort of research. 174 00:12:25,800 --> 00:12:30,000 Those are the two tools that I have showed you, actually three of them 175 00:12:30,000 --> 00:12:35,960 well, one tool, one website, and one search method 176 00:12:35,960 --> 00:12:41,500 which you can use in order to determine where the IP address is from or who is using it 177 00:12:41,500 --> 00:12:46,900 and even to determine its physical location, although its physical location can be assigned to a telecom 178 00:12:46,900 --> 00:12:53,700 and that telecom can assign it to a city, to a specific region in the city, or something of a kind 179 00:12:53,700 --> 00:12:58,400 and then you can find it on Google Earth or something of a kind 180 00:12:58,400 --> 00:13:00,700 but usually those things are not that precise. 181 00:13:00,700 --> 00:13:05,500 What is precise, however, is that the IP address belongs to telecom or something or kind 182 00:13:05,500 --> 00:13:08,300 and they keep rotating them in between the cities 183 00:13:08,300 --> 00:13:14,300 So if you have like a hundred thousand IP addresses that you scan, and you wish to sort them out by the city 184 00:13:14,300 --> 00:13:22,000 you will like 70% to 90% accuracy, depending for which country did you do it. 185 00:13:22,000 --> 00:13:24,800 This can be problematic because you're gonna miss out on some things 186 00:13:24,800 --> 00:13:26,540 but you don't need 100% accuracy. 187 00:13:26,540 --> 00:13:28,700 You can get your sorting done pretty well. 188 00:13:28,700 --> 00:13:30,900 There are databases which you can update. 189 00:13:30,900 --> 00:13:32,400 I will show you these things. 190 00:13:32,400 --> 00:13:35,000 They are called goip lookups 191 00:13:35,000 --> 00:13:42,500 but before we do that, you also have something called "nslookup" 192 00:13:42,500 --> 00:13:49,000 and I'm just going to use this generic name here -- scanme,nmap.org 193 00:13:49,000 --> 00:13:52,500 paste it, and here we go 194 00:13:52,500 --> 00:14:01,200 I have basically said I want to look up files on scanme.nmap.org 195 00:14:01,200 --> 00:14:05,600 and okay, this is my DNS server, which is basically my router. 196 00:14:05,600 --> 00:14:07,200 You see it says port 53 197 00:14:07,200 --> 00:14:15,500 You know immediately that it's DNS because all the units traffic runs on port 53 198 00:14:15,500 --> 00:14:18,240 and then we have the results. 199 00:14:18,240 --> 00:14:22,200 So this is the domain name, and you get the IP address down below. 200 00:14:22,200 --> 00:14:26,900 So this is also one of the ways in which you can get the IP address of a site within a domain 201 00:14:26,900 --> 00:14:28,700 because once you know the domain 202 00:14:28,700 --> 00:14:32,400 you don't actually know the IP address until you look it up or something like that 203 00:14:32,400 --> 00:14:33,800 but there is a far simpler method. 204 00:14:33,800 --> 00:14:36,200 You don't need to use nslookup. 205 00:14:36,200 --> 00:14:38,600 Oh, by the way, nslookup also works in reverse. 206 00:14:38,600 --> 00:14:45,500 Just type in "nslookup", and you can type in the IP address. 207 00:14:45,500 --> 00:14:49,440 So let's just go ahead and press Enter 208 00:14:49,440 --> 00:14:57,000 Okay, so this has run through a process of some sort down below. 209 00:14:57,000 --> 00:15:01,300 These are authoritative answers from the name server. 210 00:15:01,300 --> 00:15:04,000 Basically what that means they're DNS servers 211 00:15:04,000 --> 00:15:08,000 and they're giving you responses and telling you who the domain belongs to 212 00:15:08,000 --> 00:15:09,000 and so on and so forth 213 00:15:09,000 --> 00:15:15,500 Ignore this part, and for the time being we can also ignore this part 214 00:15:15,500 --> 00:15:20,800 until we get into spoofing the DNS and changing it 215 00:15:20,800 --> 00:15:22,000 and so on and so forth. 216 00:15:22,000 --> 00:15:27,200 What I want to show you here is that you can actually get a domain name by typing in nslookup 217 00:15:27,200 --> 00:15:28,800 and then the IP address 218 00:15:28,800 --> 00:15:32,380 and here, where it says "Non-authoritative answer" 219 00:15:32,380 --> 00:15:38,000 you get the IP address and then you get the name, which the domain name. 220 00:15:38,000 --> 00:15:41,200 However, you might notice that there was a problem here -- 221 00:15:41,200 --> 00:15:46,000 That this IP address does not match this one. 222 00:15:46,000 --> 00:15:48,400 Well guess what? It actually does. 223 00:15:48,400 --> 00:15:50,800 Try looking it in reverse. 224 00:15:50,800 --> 00:15:55,130 So it's 74, 74 here 225 00:15:55,130 --> 00:16:02,200 207, 207 here, 244, 244 here, 221 here, and 221 here. 226 00:16:02,200 --> 00:16:08,000 So when you do an nslookup and when you pass in an IP address 227 00:16:08,000 --> 00:16:13,500 it's gonna do a reverse lookup in the DNS MX records or something of a kid. 228 00:16:13,500 --> 00:16:18,700 It's gonna query the DNS servers and the DNS servers are going to give it a response 229 00:16:18,700 --> 00:16:22,400 but in the MX records, this is basically how things are written. 230 00:16:22,400 --> 00:16:28,800 You write an IP address in reverse and then you put this in "in-addr.arpa" 231 00:16:28,800 --> 00:16:32,200 but this part really is not that interesting to us. 232 00:16:32,200 --> 00:16:38,100 This is more interesting to server admins who configure the DNS servers or something of a kind. 233 00:16:38,100 --> 00:16:39,600 In any case, for the time being 234 00:16:39,600 --> 00:16:44,600 but don't worry, we will get to DNS servers in the later stages of this tutorial 235 00:16:44,600 --> 00:16:47,000 once we are done with these things. 236 00:16:47,000 --> 00:16:51,300 In any case, what is important for you here is you've typed in an IP address 237 00:16:51,300 --> 00:16:58,000 you've use tool called nslookup and you have gotten a domain name in return 238 00:16:58,000 --> 00:17:01,500 and now you can start doing some other things as well 239 00:17:01,500 --> 00:17:05,780 but we will be dealing primarily with nmap. 240 00:17:05,780 --> 00:17:11,530 Nmap as a tool in order to scan networks and retrieve information from them 241 00:17:11,530 --> 00:17:14,800 but this what I've showed you now is some basic information retrieval 242 00:17:14,800 --> 00:17:18,470 and some basic external sources that you can use. 243 00:17:18,470 --> 00:17:25,200 In any case, I'll see you in part two of nmap introduction 244 00:17:25,200 --> 00:17:29,200 and there, we're going to actually conduct some scans and see how it all works. 245 00:17:29,200 --> 00:17:34,000 Thank you for watching and I hope to see you next time. 24129