1
00:00:00,750 --> 00:00:01,980
Instructor: Welcome back.
2
00:00:01,980 --> 00:00:05,790
Here we are ready to start our scanning phase.
3
00:00:05,790 --> 00:00:07,620
We have covered the information gathering
4
00:00:07,620 --> 00:00:08,700
which was first phase
5
00:00:08,700 --> 00:00:11,760
of penetration testing and now we'll proceed
6
00:00:11,760 --> 00:00:14,430
with the second stage by scanning our target
7
00:00:14,430 --> 00:00:18,030
and try to get even more information about it.
8
00:00:18,030 --> 00:00:21,420
Now, the difference between information gathering
9
00:00:21,420 --> 00:00:24,750
and scanning is that scanning is performed
10
00:00:24,750 --> 00:00:26,823
on a much deeper level.
11
00:00:27,840 --> 00:00:31,440
And also while in the first phase we gathered all kinds
12
00:00:31,440 --> 00:00:34,500
of information such as emails, phone numbers,
13
00:00:34,500 --> 00:00:36,600
and a bunch of other things.
14
00:00:36,600 --> 00:00:41,130
In scanning, we are mainly focused on the technology side,
15
00:00:41,130 --> 00:00:43,240
so we want to find out as much as we can
16
00:00:44,157 --> 00:00:45,900
about our target's technical aspect.
17
00:00:45,900 --> 00:00:48,030
We're going to talk about in just a second
18
00:00:48,030 --> 00:00:49,980
as to what exactly we are looking
19
00:00:49,980 --> 00:00:54,300
for in this stage and what are all the goals of this stage.
20
00:00:54,300 --> 00:00:58,320
But first you could be wondering what are we going to scan.
21
00:00:58,320 --> 00:01:01,770
Since remember that scanning is something
22
00:01:01,770 --> 00:01:03,480
that we are not allowed to do
23
00:01:03,480 --> 00:01:05,613
on any target that we want.
24
00:01:06,630 --> 00:01:08,400
Don't worry, for this stage
25
00:01:08,400 --> 00:01:10,680
and any future stage from now on
26
00:01:10,680 --> 00:01:14,283
we're going to be using vulnerable virtual machines.
27
00:01:15,210 --> 00:01:17,880
There are lots of paid vulnerable virtual machines
28
00:01:17,880 --> 00:01:20,160
that you can buy and test on,
29
00:01:20,160 --> 00:01:24,540
but for this course I will be showing the free ones so all
30
00:01:24,540 --> 00:01:26,470
of us can download them, install them
31
00:01:27,797 --> 00:01:29,370
and then try to hack them.
32
00:01:29,370 --> 00:01:31,380
All of these virtual machines are going to
33
00:01:31,380 --> 00:01:34,260
be running some outdated vulnerable software
34
00:01:34,260 --> 00:01:37,170
that we will be able to exploit in the third stage
35
00:01:37,170 --> 00:01:41,130
and they will also require very little hardware power.
36
00:01:41,130 --> 00:01:43,200
So all of us will be able to run them
37
00:01:43,200 --> 00:01:46,050
while also running Kali Linux.
38
00:01:46,050 --> 00:01:47,160
And keep in mind
39
00:01:47,160 --> 00:01:50,130
that the penetration testing process will look exactly
40
00:01:50,130 --> 00:01:52,110
like it would look in the real world
41
00:01:52,110 --> 00:01:54,960
if you were to test some website or some network.
42
00:01:54,960 --> 00:01:57,360
The only difference is that right now
43
00:01:57,360 --> 00:02:00,270
we know that these machines are vulnerable
44
00:02:00,270 --> 00:02:03,180
since I just told you, and in the real world
45
00:02:03,180 --> 00:02:06,480
you wouldn't essentially know that before testing them.
46
00:02:06,480 --> 00:02:09,720
However, just knowing they're vulnerable doesn't really
47
00:02:09,720 --> 00:02:12,610
help us as we need to figure out in what way
48
00:02:13,525 --> 00:02:16,110
they are vulnerable and how we can take advantage of that.
49
00:02:16,110 --> 00:02:18,900
Scanning will help us with this.
50
00:02:18,900 --> 00:02:23,900
We'll be using our Kali Linux machine to scan these machines
51
00:02:24,540 --> 00:02:27,427
and by scanning these machines, what they really
52
00:02:27,427 --> 00:02:29,670
mean is we're going to directly exchange packets
53
00:02:29,670 --> 00:02:33,030
with our target and once that target sends packets back
54
00:02:33,030 --> 00:02:36,660
to us, hopefully it'll discover something about the target
55
00:02:36,660 --> 00:02:38,913
machine that we will find useful.
56
00:02:39,840 --> 00:02:41,610
And what we will be sending
57
00:02:41,610 --> 00:02:45,423
to the target are TCP and UDP packets.
58
00:02:46,841 --> 00:02:49,200
TCP and UDP are just protocols that are used
59
00:02:49,200 --> 00:02:52,560
for sending bits of data, also known as packets
60
00:02:52,560 --> 00:02:55,170
and we will discuss them in a little more detail
61
00:02:55,170 --> 00:02:56,670
in the next video.
62
00:02:56,670 --> 00:03:00,360
For now, just think of them as different protocols
63
00:03:00,360 --> 00:03:04,323
that will allow us to get information from our target.
64
00:03:05,310 --> 00:03:09,450
I keep talking about information and scanning and all
65
00:03:09,450 --> 00:03:12,300
of that without actually explaining what I mean
66
00:03:12,300 --> 00:03:14,940
by scanning and getting information.
67
00:03:14,940 --> 00:03:16,290
What are the goals of this?
68
00:03:17,256 --> 00:03:19,110
What are we looking for exactly?
69
00:03:19,110 --> 00:03:22,800
Well, we are looking for open ports
70
00:03:22,800 --> 00:03:26,130
and I don't mean USB ports or some physical ports.
71
00:03:26,130 --> 00:03:28,070
I mean we're looking
72
00:03:28,070 --> 00:03:30,600
for virtual open ports that every machine has
73
00:03:30,600 --> 00:03:33,150
and it uses them to host its software
74
00:03:33,150 --> 00:03:36,060
and communicate with other machines over the internet.
75
00:03:36,060 --> 00:03:37,950
For example, you watching this
76
00:03:37,950 --> 00:03:41,100
over the internet on a website means that the machine
77
00:03:41,100 --> 00:03:45,270
that's hosting this website has port 80 open.
78
00:03:45,270 --> 00:03:46,950
Why port 80?
79
00:03:46,950 --> 00:03:49,770
Well, port 80 is used to host a web server,
80
00:03:49,770 --> 00:03:54,770
it is used for HTTP and it's also known as the HTTP port.
81
00:03:55,050 --> 00:03:56,970
So every time you visit a website
82
00:03:56,970 --> 00:03:58,770
you are essentially making a connection
83
00:03:58,770 --> 00:04:02,110
to that machine hosting that website on port 80
84
00:04:04,112 --> 00:04:04,950
or on port 443.
85
00:04:04,950 --> 00:04:09,100
Since port 80 is used for HTTP and port 443
86
00:04:10,280 --> 00:04:15,280
is used for HTTPS, and HTTPS is just a secure version of HTTP.
87
00:04:16,320 --> 00:04:19,260
These are the two most usual ports that a target
88
00:04:19,260 --> 00:04:21,990
that you're scanning externally will have open.
89
00:04:21,990 --> 00:04:24,990
And by externally scanning, I mean that you are scanning it
90
00:04:24,990 --> 00:04:27,813
while not being in the same network as the target.
91
00:04:28,710 --> 00:04:32,019
An example would be you scanning some website
92
00:04:32,019 --> 00:04:34,750
from your home. As for a port that could sometimes
93
00:04:35,702 --> 00:04:37,200
be open if you're scanning internally,
94
00:04:37,200 --> 00:04:39,600
which means either scanning machines on your network
95
00:04:39,600 --> 00:04:41,910
or performing network penetration testing
96
00:04:41,910 --> 00:04:43,560
inside of some company,
97
00:04:43,560 --> 00:04:47,253
you could, for example, find port 21 to be open.
98
00:04:48,390 --> 00:04:52,050
This is the FTP port and it's used for file transferring.
99
00:04:52,050 --> 00:04:55,590
FTP stands for file transfer protocol.
100
00:04:55,590 --> 00:04:59,640
These are just two of the ports and there are a lot of them.
101
00:04:59,640 --> 00:05:03,090
You could, for example, have port 22 open
102
00:05:03,090 --> 00:05:06,840
which is the SSH port, or secure shell port.
103
00:05:06,840 --> 00:05:07,770
It is used to log
104
00:05:07,770 --> 00:05:11,490
into the target machine and execute commands on it remotely.
105
00:05:11,490 --> 00:05:15,240
We could also have, for example, port 53 open
106
00:05:15,240 --> 00:05:17,160
which is the DNS port,
107
00:05:17,160 --> 00:05:21,810
or we could have port 25 open, which is the SMTP port.
108
00:05:21,810 --> 00:05:23,880
So there are a lot of ports.
109
00:05:23,880 --> 00:05:28,263
As a matter of fact, every machine has 65,535 ports
110
00:05:29,850 --> 00:05:34,850
for both TCP and UDP, and if there is just one open port
111
00:05:35,130 --> 00:05:38,280
with one vulnerable software running on that open port
112
00:05:38,280 --> 00:05:42,450
then that target is vulnerable and it could be exploited.
113
00:05:42,450 --> 00:05:44,970
Now the most secure machines are the ones
114
00:05:44,970 --> 00:05:47,730
that have all ports closed.
115
00:05:47,730 --> 00:05:49,800
These are usually your home devices such
116
00:05:49,800 --> 00:05:53,190
as laptops or computers that you use just
117
00:05:53,190 --> 00:05:56,790
for browsing online or playing video games or something.
118
00:05:56,790 --> 00:05:58,890
They don't need to be hosting any software
119
00:05:58,890 --> 00:06:02,187
since they're not a server that someone will connect
120
00:06:02,187 --> 00:06:03,120
to for a certain service.
121
00:06:03,120 --> 00:06:05,580
They're just home devices that you use.
122
00:06:05,580 --> 00:06:08,890
But websites, for example, must have port 80
123
00:06:09,815 --> 00:06:13,500
or port 443 open since they're hosting a webpage there.
124
00:06:13,500 --> 00:06:18,090
Also in companies, their machines could have some port open.
125
00:06:18,090 --> 00:06:21,367
Maybe they use that port on all their machines
126
00:06:21,367 --> 00:06:23,400
within that company to internally transfer files
127
00:06:23,400 --> 00:06:24,930
between different machines.
128
00:06:24,930 --> 00:06:26,460
It could be anything basically.
129
00:06:26,460 --> 00:06:29,820
Now the problem occurs if that software they use
130
00:06:29,820 --> 00:06:34,500
on their open ports is outdated and has a vulnerability.
131
00:06:34,500 --> 00:06:38,280
Then our job as a hacker is to scan that machine
132
00:06:38,280 --> 00:06:41,400
for open ports and exploit that machine
133
00:06:41,400 --> 00:06:45,090
through that vulnerable software running on that open port.
134
00:06:45,090 --> 00:06:46,920
But the goal for now
135
00:06:46,920 --> 00:06:50,280
in the scanning section is only to scan the target
136
00:06:50,280 --> 00:06:51,780
for the open ports.
137
00:06:51,780 --> 00:06:55,080
Then we want to discover what software they are running
138
00:06:55,080 --> 00:06:56,790
on those open ports.
139
00:06:56,790 --> 00:07:00,360
And we want to go as deep as discovering what version
140
00:07:00,360 --> 00:07:03,540
of software is on that open port.
141
00:07:03,540 --> 00:07:04,800
Are you ready?
142
00:07:04,800 --> 00:07:07,620
We're going to be covering a lot in this section.
143
00:07:07,620 --> 00:07:09,780
And in this section we will cover one
144
00:07:09,780 --> 00:07:13,710
of the most important tools that a hacker must master.
145
00:07:13,710 --> 00:07:15,783
That tool is called Nmap.
146
00:07:16,800 --> 00:07:18,063
Let's dive into scanning.