1
00:00:00,150 --> 00:00:03,620
OK, so now we have Kioptrix up and running.
2
00:00:03,690 --> 00:00:08,520
We need to determine where it actually is and then we can do a little bit of scanning.
3
00:00:08,580 --> 00:00:13,460
So what we're gonna do is we're gonna go up into our applications and open our terminal.
4
00:00:13,740 --> 00:00:20,100
I'm just gonna make this a little bit bigger, and we're going to run a tool called netdiscover.
5
00:00:20,100 --> 00:00:22,820
So before we can do that we need to type in
6
00:00:22,830 --> 00:00:29,800
ifconfig and identify your IP address, and I'm going to go ahead and copy these first three octets
7
00:00:29,820 --> 00:00:34,710
here and we're gonna run netdiscover. So netdiscover is gonna look like this.
8
00:00:34,740 --> 00:00:39,930
We're gonna say netdiscover, we're gonna do a -r for range.
9
00:00:39,930 --> 00:00:45,470
We're going to paste in this and do a .0/24.
10
00:00:45,510 --> 00:00:46,920
So what are we doing?
11
00:00:46,950 --> 00:00:52,130
We are going to be using ARP to detect all the machines on the network.
12
00:00:52,140 --> 00:00:57,690
So you should be familiar with ARP from the Linux lessons and from the networking lessons.
13
00:00:57,750 --> 00:01:03,870
So we're going to attempt to use ARP to address anything on the network, and we're sweeping the entire
14
00:01:03,870 --> 00:01:10,350
subnet of slash 24. So go ahead and hit enter, and in a second here
15
00:01:10,350 --> 00:01:13,710
our machines should just start popping up. And it does.
16
00:01:13,710 --> 00:01:16,890
So remember our host was at .139.
17
00:01:16,890 --> 00:01:20,220
This host here at .134 is likely our culprit.
18
00:01:20,250 --> 00:01:23,840
So you should only have two machines in the network, because you're only running two.
19
00:01:23,880 --> 00:01:27,890
You can ignore .1, .2 and .254.
20
00:01:27,900 --> 00:01:36,220
We are only focusing on the one that looks similar to ours, which is 192.168.57.134.
21
00:01:36,240 --> 00:01:38,050
So now we know our machine address.
22
00:01:38,070 --> 00:01:43,740
We can start attacking it. So go ahead and hit Ctrl+C, which is going to kill this session here, and
23
00:01:43,740 --> 00:01:47,160
then hit Ctrl+L to clear my screen.
24
00:01:47,260 --> 00:01:47,740
All right.
25
00:01:47,770 --> 00:01:52,670
So I'm going to open up a notepad and we'll just store this away for a rainy day.
26
00:01:52,690 --> 00:01:56,340
We need to first talk about what we're going to be doing here.
27
00:01:56,380 --> 00:02:07,960
So remember before, when we ran our TCP three-way handshake, we had something like SYN, SYN-ACK and ACK.
28
00:02:08,460 --> 00:02:08,830
Right.
29
00:02:09,160 --> 00:02:11,710
And we had to say SYN-ACK like this to combine it.
30
00:02:11,740 --> 00:02:13,100
So we've got three parts.
31
00:02:13,210 --> 00:02:17,230
We've got the part where we reach out to a port and we say, hey port, are you open?
32
00:02:17,230 --> 00:02:19,440
And the port says, yeah, I'm open.
33
00:02:19,470 --> 00:02:21,460
Let's go ahead and make that connection.
34
00:02:21,730 --> 00:02:23,770
And then we go ahead and connect to it.
35
00:02:24,370 --> 00:02:30,910
So what we're gonna be doing is we're gonna be using a tool called nmap, and nmap stands for network
36
00:02:30,940 --> 00:02:31,810
mapper.
37
00:02:31,810 --> 00:02:38,580
Now what network mapper is going to go out and do is it's going to scan for open ports and services.
38
00:02:38,590 --> 00:02:44,230
Now this scanning is going to take place and it's going to identify these open ports with something
39
00:02:44,230 --> 00:02:46,860
similar to this three-way handshake.
40
00:02:46,870 --> 00:02:49,130
So we're just gonna modify it a little bit.
41
00:02:49,240 --> 00:02:53,800
Now the process that we're doing is called stealth scanning, and it used to be written out like
42
00:02:53,800 --> 00:02:54,630
this.
43
00:02:54,670 --> 00:02:56,490
Now it's just done by default.
44
00:02:56,500 --> 00:02:58,150
And we'll get to the switches here in a second.
45
00:02:58,150 --> 00:03:03,580
Don't worry about that. Just know we're going to be running stealth scanning, and now this stealth scanning
46
00:03:03,940 --> 00:03:05,440
used to be stealthy, right?
47
00:03:05,560 --> 00:03:11,980
That's why they called it stealth scanning, because it used to be undetectable. Nowadays it's very detectable:
48
00:03:12,010 --> 00:03:17,950
if you run nmap in a network that has good security, you're going to get picked up, although being
49
00:03:17,950 --> 00:03:22,960
a pen tester I would say that it probably doesn't get picked up in 80 percent of the assessments that
50
00:03:22,960 --> 00:03:23,320
I run.
51
00:03:23,320 --> 00:03:30,100
So don't expect clients to be running good security, but just know that even though it says stealth, it's
52
00:03:30,100 --> 00:03:31,900
not stealthy at all.
53
00:03:31,900 --> 00:03:35,760
So this stealth scanning, why was it stealthy, why was it called this?
54
00:03:35,770 --> 00:03:42,940
Well, if we go back to the three-way handshake, what the stealth scan does is it does the SYN, says hey,
55
00:03:42,940 --> 00:03:48,850
I want to connect to you on the open port. If it's open, it'll say yeah, I want to make that connection
56
00:03:48,850 --> 00:03:50,130
back with you, friend.
57
00:03:50,380 --> 00:03:53,380
And what's going to happen is we're just going to say, you know what,
58
00:03:53,380 --> 00:03:56,560
I'm just kidding. I'm going to send over this reset flag.
59
00:03:56,560 --> 00:03:59,100
So you ask me, why?
60
00:03:59,110 --> 00:04:01,390
Well that means we don't actually establish a connection.
61
00:04:01,390 --> 00:04:06,490
So like when you go out to a website and you go to Google and Google loads, well guess what, you establish
62
00:04:06,490 --> 00:04:09,400
a connection, you establish that three-way handshake.
63
00:04:09,490 --> 00:04:13,420
What we're doing is we're going out and we're saying, hey, I want to establish a connection.
64
00:04:13,420 --> 00:04:19,690
The port reveals to us that yes, I am open for connection, and then we're gonna say, just kidding.
65
00:04:19,690 --> 00:04:23,840
Let's not make that connection. Because we never established that connection,
66
00:04:23,890 --> 00:04:25,830
then it was technically stealthy.
67
00:04:25,870 --> 00:04:28,750
So that's why we're going out and we're never making connections to these ports.
68
00:04:28,750 --> 00:04:31,480
But this is how we're identifying them as open.
69
00:04:31,480 --> 00:04:34,540
So we're going to use a tool, and we're going to use it like this.
70
00:04:34,540 --> 00:04:43,390
We're going to say nmap, and we're going to say something along the lines of -T4 -p-
71
00:04:43,390 --> 00:04:45,670
-A.
72
00:04:45,760 --> 00:04:49,180
Now you have no idea what this means, and I don't expect you to.
73
00:04:49,210 --> 00:04:56,230
I'm going to walk you through these, and what we're doing here is we're saying, hey nmap, I have a choice
74
00:04:56,230 --> 00:05:02,110
in speed, and that choice in speed can be between a one and a five. One's really slow and five is really
75
00:05:02,110 --> 00:05:03,190
fast.
76
00:05:03,220 --> 00:05:08,080
Now the default for me has always been four. Now I'm teaching you my preference.
77
00:05:08,800 --> 00:05:10,290
It's always been four.
78
00:05:10,330 --> 00:05:11,240
OK.
79
00:05:11,260 --> 00:05:14,450
And we can utilize this at, I think, five.
80
00:05:14,480 --> 00:05:17,680
OK, but five is kind of fast, maybe you're going to miss something.
81
00:05:17,680 --> 00:05:21,600
Maybe it gets caught. The slower the better in terms of detection.
82
00:05:21,610 --> 00:05:26,950
But in the instance that we're gonna be running it through this course, we're gonna use four. Any time
83
00:05:26,950 --> 00:05:32,020
you do like a VulnHub or something like a Hack The Box, which you're going to see here in a few videos,
84
00:05:32,930 --> 00:05:34,900
you're going to run T4.
85
00:05:34,930 --> 00:05:38,170
Just because you're not worried about this detection, not worried about anything.
86
00:05:38,170 --> 00:05:40,480
So T4 is for speed purposes.
87
00:05:40,480 --> 00:05:43,000
Now, -p-.
88
00:05:43,060 --> 00:05:48,130
Well, this stands for I want to scan all ports.
89
00:05:48,130 --> 00:05:48,550
OK.
90
00:05:48,550 --> 00:05:55,860
We could say something like -p, or we could just have -p left off completely.
91
00:05:55,870 --> 00:06:02,470
Now if we leave off -p completely, it's going to scan what are known as the top 1000 ports. The top
92
00:06:02,470 --> 00:06:04,800
1000 ports are your most common ports.
93
00:06:04,810 --> 00:06:06,460
So think of like port 80.
94
00:06:06,460 --> 00:06:10,280
Port 443, 139, 445.
95
00:06:10,390 --> 00:06:13,660
All the ports that we covered in the networking section.
96
00:06:13,660 --> 00:06:15,350
They're going to show up again here.
97
00:06:15,520 --> 00:06:21,190
But there are 65,535 ports out there.
98
00:06:21,190 --> 00:06:27,940
We want to scan every single one of those, because what if, for example, there is a service running on
99
00:06:28,180 --> 00:06:34,600
port 47,700? Well, that's not a common top 1000 port. If we don't scan all
100
00:06:34,600 --> 00:06:36,970
ports, then we're going to miss that port.
101
00:06:36,970 --> 00:06:39,090
And that could be something incredibly valuable to us.
102
00:06:39,100 --> 00:06:39,830
Right.
103
00:06:39,850 --> 00:06:44,180
So I always scan like this: -p-.
104
00:06:44,440 --> 00:06:47,620
You can also do things like scan specific ports.
105
00:06:47,790 --> 00:06:52,820
You could say like 443, or say you wanted to scan just for web servers, you could do 80,
106
00:06:52,820 --> 00:06:55,980
443, something like that, or you can mix in.
107
00:06:55,980 --> 00:07:01,920
So you want to scan for DNS as well, you can add in 53, etc. You can scan for specifics. We're
108
00:07:01,920 --> 00:07:06,650
going to get into that in a little bit, in a later video, on why we might do it this way.
109
00:07:06,990 --> 00:07:13,270
But for now, for the beginner lesson, -p-, we're gonna scan everything.
110
00:07:13,380 --> 00:07:19,550
And lastly we've got this -A in here, so -A stands for everything.
111
00:07:19,590 --> 00:07:21,390
I want to scan all of it.
112
00:07:21,420 --> 00:07:28,910
I want you to tell me the version information, the operating system information, anything
113
00:07:28,910 --> 00:07:31,330
you can tell me, fingerprinting, etc.
114
00:07:31,400 --> 00:07:32,950
Now this may all be confusing.
115
00:07:32,960 --> 00:07:35,570
It's gonna make a lot more sense when you see a scan.
116
00:07:35,660 --> 00:07:39,500
I'm going to go ahead and open up a new tab and what I want you to do.
117
00:07:39,530 --> 00:07:41,930
Let's go ahead and I'm going to blow this up for us.
118
00:07:41,930 --> 00:07:45,310
And what I want you to do is I want you to go ahead and start running the scan.
119
00:07:45,340 --> 00:07:50,870
While we wait, go ahead and copy this here, and the last thing we're going to do is we're gonna put
120
00:07:50,880 --> 00:07:57,340
in our IP address, and that's how it knows where to scan. We're going to hit enter on that, and now
121
00:07:57,340 --> 00:08:03,310
we're scanning. So from here, what we're gonna do is we're going to take this.
122
00:08:03,490 --> 00:08:09,910
And I want to run nmap again with a --help, and I want to talk through some of these settings in
123
00:08:09,910 --> 00:08:15,790
here so that you understand fully what we're doing. Now --help is always great.
124
00:08:15,790 --> 00:08:19,120
As I said before man pages are good as well.
125
00:08:19,180 --> 00:08:21,040
But let's talk about some things here.
126
00:08:21,040 --> 00:08:27,520
So we've got this host discovery section, which we're really not going to use in this course, but this
127
00:08:27,520 --> 00:08:29,090
is good for, say, a -sn.
128
00:08:29,110 --> 00:08:31,740
And so you want to do a ping sweep of the network.
129
00:08:31,750 --> 00:08:38,920
Well, you can do a ping scan, right, where you just sweep an entire subnet, a /24 for example, and see
130
00:08:38,950 --> 00:08:40,030
what's up.
131
00:08:40,030 --> 00:08:47,270
Very quick. A -Pn, maybe the host isn't acting like it's online, but you know it's there for sure.
132
00:08:47,410 --> 00:08:52,540
You can say -Pn and you say, hey, I want to leave all the hosts or treat all the hosts as if they're
133
00:08:52,540 --> 00:08:56,800
all online, even if they're not responding to my ping request or anything.
134
00:08:56,860 --> 00:09:00,460
So make yourself familiar with this kind of stuff.
135
00:09:00,460 --> 00:09:04,020
This is interesting and we'll cover a lot of this as we go in the course.
136
00:09:04,030 --> 00:09:08,620
But just for the first walkthrough while we're scanning I think this is super important.
137
00:09:08,620 --> 00:09:10,390
Now, scan techniques.
138
00:09:10,390 --> 00:09:13,080
This -sS comes back into play.
139
00:09:13,090 --> 00:09:17,450
TCP SYN is what it's called, but it's also known as the stealth scan.
140
00:09:17,530 --> 00:09:19,820
There's all these other types of scans.
141
00:09:20,170 --> 00:09:21,660
You're not going to need them.
142
00:09:21,790 --> 00:09:27,070
There's only maybe one scan out of all these that may be useful, but you're not going to need them through
143
00:09:27,070 --> 00:09:31,140
this course, and you're probably never going to use anything but the -sS and the -sU
144
00:09:31,150 --> 00:09:33,070
ninety-nine percent of the time.
145
00:09:33,160 --> 00:09:37,320
So for the scope of this course that's what we're going to focus on now.
146
00:09:37,330 --> 00:09:41,770
The -sS. We've talked about connection-oriented protocols, we talked about TCP.
147
00:09:42,070 --> 00:09:43,420
Well guess what.
148
00:09:43,420 --> 00:09:49,120
There's also UDP, and there's 65,535 ports over there as well that
149
00:09:49,120 --> 00:09:55,140
we have to scan. Now UDP is a connectionless protocol.
150
00:09:55,180 --> 00:09:57,080
So what are we going to do when we scan it?
151
00:09:57,130 --> 00:09:58,540
Let's go back to this scan.
152
00:09:58,620 --> 00:10:03,730
What we're gonna do when we scan it is we're going to actually do that -sU in here, and I'll copy this
153
00:10:03,730 --> 00:10:07,280
syntax and just move it over so it looks a little cleaner.
154
00:10:07,390 --> 00:10:08,710
We're gonna say something like
155
00:10:12,080 --> 00:10:13,520
we can put it anywhere we want.
156
00:10:13,520 --> 00:10:19,520
The order doesn't matter, but we can say something like -sU to scan for UDP, and the one little
157
00:10:19,520 --> 00:10:26,460
change that I make here is actually I take off the -A and I do a -p-.
158
00:10:26,630 --> 00:10:29,440
Why do I do a dash... I should say, why do I do this?
159
00:10:29,450 --> 00:10:36,590
I do this because UDP takes forever to scan, absolutely forever to scan, because it is a connectionless
160
00:10:36,620 --> 00:10:37,490
protocol.
161
00:10:37,490 --> 00:10:40,250
It does not have that instant response time.
162
00:10:40,250 --> 00:10:44,540
So when we scan UDP, typically we scan the top 1000.
163
00:10:44,570 --> 00:10:49,730
That is my recommendation to you, or else you will be sitting here waiting for hours upon hours for a
164
00:10:49,730 --> 00:10:51,300
scan to finish.
165
00:10:51,310 --> 00:10:53,390
See now our scan over here is already finished.
166
00:10:53,390 --> 00:10:58,520
If I were to run this UDP with the same thing, it will take forever. Going back into this, before we get
167
00:10:58,520 --> 00:11:03,580
into the scan, you could see here that we can specify -p, a port.
168
00:11:03,700 --> 00:11:05,520
That's going to be very common for us.
169
00:11:05,560 --> 00:11:12,040
But here's where I really want to get into: we're doing a -sV, a -sC, a dash
170
00:11:12,220 --> 00:11:14,520
here, all with the -A.
171
00:11:14,530 --> 00:11:18,490
OK, so we're probing open ports for service information.
172
00:11:18,670 --> 00:11:25,360
We could say -sV and we can say -sC. You could pick these, you know, one or the other, a mixture
173
00:11:25,360 --> 00:11:29,380
of some of these, but we could also do script scanning, which we'll get into, script scanning, here in
174
00:11:29,380 --> 00:11:35,890
a little bit as well, but we can do OS detection, where it goes out and tries to define an operating system,
175
00:11:35,890 --> 00:11:37,890
and you're going to see all this with our scan.
176
00:11:38,260 --> 00:11:41,200
But when we use -A, it does it all for us.
177
00:11:41,230 --> 00:11:43,440
So why not use -A?
178
00:11:44,290 --> 00:11:49,290
So you can see it does OS detection, version detection, script scanning and traceroute.
179
00:11:49,870 --> 00:11:55,120
Now there's one caveat to -A. We're going to talk about this in another video, and a thought process:
180
00:11:56,230 --> 00:12:00,660
it is much faster to remove the -A and scan a -p-.
181
00:12:00,960 --> 00:12:07,980
Typically that'll come back much, much, much faster. Then what you can do is you can define the open ports.
182
00:12:07,980 --> 00:12:11,150
So say there's port 22, port 80, OK.
183
00:12:11,160 --> 00:12:12,400
Just go through this.
184
00:12:12,480 --> 00:12:15,510
You can specify those ports specifically.
185
00:12:15,510 --> 00:12:21,950
You could say -p, like we did in an example earlier, with 80,443, and then do a -A on those.
186
00:12:21,990 --> 00:12:28,500
Now that will scan only these specific ports with all, instead of going out to every single port
187
00:12:28,560 --> 00:12:31,160
and attempting to do all on every single port.
188
00:12:31,260 --> 00:12:32,890
It's just a little bit faster.
189
00:12:32,970 --> 00:12:38,010
Now if your wheels are spinning and you're thinking about it, maybe even you can script this, right?
190
00:12:38,010 --> 00:12:45,960
You can script something to say, hey nmap, I want to take these ports from a basic scan,
191
00:12:46,290 --> 00:12:52,290
anything that you pull back, and I'm going to go ahead and I'm going to run a new scan on it with a
192
00:12:52,320 --> 00:12:57,430
-A, only specifying the ports that we found. That gets your wheels spinning.
193
00:12:57,430 --> 00:12:59,200
This is where scripting becomes important.
194
00:12:59,350 --> 00:13:01,540
If you want an improvement on speed.
195
00:13:01,660 --> 00:13:05,590
For me personally I've never ever done that.
196
00:13:05,650 --> 00:13:08,880
I don't think for me personally that it's made much of a difference.
197
00:13:08,890 --> 00:13:13,560
I just let my scans run as they run and I work on other things while scans are running.
198
00:13:13,570 --> 00:13:17,370
There's plenty of time to do other things while you're doing your scanning.
199
00:13:17,440 --> 00:13:24,270
So another thing to note is typically we're doing scanning when we're doing our OSINT as
200
00:13:24,270 --> 00:13:28,740
well. So if we start up a client assessment, one of the first things I'm going to do is probably kick
201
00:13:28,740 --> 00:13:30,840
off a Nessus scan or an nmap scan.
202
00:13:30,850 --> 00:13:36,000
And while I'm doing that, I'm going to go look for those breach credentials or I'm going to look for
203
00:13:36,000 --> 00:13:43,500
that juicy information on Google or social media, wherever I can find it, and utilize that time
204
00:13:43,500 --> 00:13:47,970
while this is scanning, or else I'll just be sitting on my hands doing nothing while these wait.
205
00:13:47,970 --> 00:13:52,910
So we're gonna take this information now and we're going to start reviewing it.
206
00:13:53,070 --> 00:13:58,980
So we have here our scan results, and you can see the scan results come back, and the first thing we notice
207
00:13:59,100 --> 00:14:00,530
are open ports.
208
00:14:01,340 --> 00:14:02,720
That's what we want to look at.
209
00:14:02,750 --> 00:14:08,120
We want to look at these open ports and we want to look at what's running on these open ports.
210
00:14:08,120 --> 00:14:13,040
So we see here that what's running on port 22 is SSH.
211
00:14:13,610 --> 00:14:14,380
OK.
212
00:14:14,510 --> 00:14:17,020
On top of that, it's got a version here for us.
213
00:14:17,030 --> 00:14:23,950
So OpenSSH 2.9p2, and then we see Apache is running on port 80.
214
00:14:23,950 --> 00:14:30,890
We've also got Apache running on port 443, and we've got this rpcbind and 139.
215
00:14:30,900 --> 00:14:34,520
Now remember from the networking lesson, these kind of always play together.
216
00:14:34,570 --> 00:14:43,780
So we've got SMB open, basically Samba shares, and what we can do, the first step, is usually enumeration.
217
00:14:43,780 --> 00:14:48,670
Once we see this, we take the scan and we scroll down a little bit as well, and we can look at some things
218
00:14:48,670 --> 00:14:51,070
and see, OK, there's no OS information.
219
00:14:51,080 --> 00:14:54,120
It found Linux here, 2.4.x.
220
00:14:54,400 --> 00:15:00,810
And it's most likely pulling that down from the Apache.
221
00:15:00,810 --> 00:15:05,910
It's probably a best guess, because it's running Red Hat, that it's running Linux, and taking a stab at
222
00:15:05,910 --> 00:15:11,110
it here, or it may have actually determined that from some sort of header or some other location.
223
00:15:11,250 --> 00:15:15,370
A lot of times this isn't as sure as it's saying it is here.
224
00:15:15,480 --> 00:15:20,870
A lot of times it'll give you a percentage, so the OS is not always as definitive as it is here.
225
00:15:20,880 --> 00:15:25,830
So we've got the OS, which could be useful for us later when we do enumeration, and you'll see how that
226
00:15:25,830 --> 00:15:27,250
comes into play.
227
00:15:27,390 --> 00:15:34,680
What I want you to take in right now is that so far we've got a scan result back, and that scan has gone
228
00:15:34,710 --> 00:15:40,080
out and it has looked for open ports, doing that modified stealth handshake.
229
00:15:40,110 --> 00:15:49,500
So it says SYN, SYN-ACK, RST. Doing that, it's found a few open ports. Now it is our job to look
230
00:15:49,740 --> 00:15:55,100
up the information that we are seeing on these open ports and try to find exploits on them.
231
00:15:55,140 --> 00:15:59,880
So that's what we're going to do, and I'm going to cover it in the next video. We're going to go kind of
232
00:15:59,970 --> 00:16:06,930
step by step, and I'll talk through the methodology and why I attack certain ports first, what ports those
233
00:16:06,930 --> 00:16:13,920
are, how we can enumerate those ports, and then we'll enumerate everything, get all the details down. Once
234
00:16:13,920 --> 00:16:14,940
we have all the details down.
235
00:16:14,940 --> 00:16:16,980
We're going to move into the section of exploitation.
236
00:16:16,980 --> 00:16:22,100
It's going to get really fun and we'll exploit this machine in multiple ways.
237
00:16:22,110 --> 00:16:28,680
So from here, just take away from the lesson that you've officially, successfully scanned
238
00:16:28,680 --> 00:16:29,540
this machine.
239
00:16:29,580 --> 00:16:36,180
I encourage you to maybe go back and take notes, or to go back and scan it again, get the syntax down
240
00:16:36,180 --> 00:16:38,540
in your head, keep typing this out, remember it.
241
00:16:38,550 --> 00:16:41,860
This is the one thing you'll probably type out more than anything else.
242
00:16:42,030 --> 00:16:47,700
And then also go through and look at the different types of options you have there.
243
00:16:47,700 --> 00:16:51,180
If there's one that interests you, just run it against the machine, play around with it.
244
00:16:51,180 --> 00:16:52,750
This is your lab time.
245
00:16:52,860 --> 00:16:54,200
Make the most of it.
246
00:16:54,210 --> 00:16:56,190
So for now that's it.
247
00:16:56,220 --> 00:16:58,890
In the next video we're going to start enumerating these ports.
248
00:16:58,890 --> 00:17:00,830
So I will catch you over in the next video.