1
00:00:06,243 --> 00:00:10,264
- So, we discussed our active reconnaissance methodology.

2
00:00:10,264 --> 00:00:13,214
We're gonna do the port scanning, web service review,

3
00:00:13,214 --> 00:00:14,612
and vulnerability scanning,

4
00:00:14,612 --> 00:00:16,736
but let's look at some tools that can actually

5
00:00:16,736 --> 00:00:20,494
help us accomplish each of these tasks.

6
00:00:20,494 --> 00:00:23,140
For port scanning, we have to start with NMAP

7
00:00:23,140 --> 00:00:26,691
because it is the most versatile and stable port scanner,

8
00:00:26,691 --> 00:00:30,135
and it is also the most popular port scanner around.

9
00:00:30,135 --> 00:00:33,041
This tool has been around for a very long time,

10
00:00:33,041 --> 00:00:35,958
and it is in everybody's toolbox.

11
00:00:36,906 --> 00:00:39,193
So, there is a lot of documentation.

12
00:00:39,193 --> 00:00:43,335
There's an entire NMAP book dedicated to using this tool,

13
00:00:43,335 --> 00:00:47,559
and it does everything from port scanning

14
00:00:47,559 --> 00:00:50,868
to service detection, operating system detection,

15
00:00:50,868 --> 00:00:54,242
and even starts going into vulnerability scanning.

16
00:00:54,242 --> 00:00:56,753
We're gonna get into more details as I'll show a demo

17
00:00:56,753 --> 00:00:59,503
later on how NMAP actually works.

18
00:01:01,712 --> 00:01:02,767
Masscan.

19
00:01:02,767 --> 00:01:04,186
We have to cover Masscan because

20
00:01:04,186 --> 00:01:07,005
if you're scanning a lot of IP addresses and a lot

21
00:01:07,005 --> 00:01:11,365
of services, this is the fastest scanner in the world.

22
00:01:11,365 --> 00:01:13,669
So, you can scan the entire internet

23
00:01:13,669 --> 00:01:16,565
for a single port in just minutes,

24
00:01:16,565 --> 00:01:19,871
and it operates similar to NMAP.

25
00:01:19,871 --> 00:01:23,114
It has a similar look and feel to how NMAP works,

26
00:01:23,114 --> 00:01:25,063
but it is a lot faster.

27
00:01:25,063 --> 00:01:28,228
It doesn't have all the service detection that NMAP has

28
00:01:28,228 --> 00:01:30,301
and it's not as versatile as NMAP,

29
00:01:30,301 --> 00:01:32,509
but if you're just looking for speed,

30
00:01:32,509 --> 00:01:35,009
then this is your tool to use.

31
00:01:36,002 --> 00:01:38,219
The udp-proto-scanner.

32
00:01:38,219 --> 00:01:39,624
I really like this tool because it is

33
00:01:39,624 --> 00:01:42,422
a fast UDP port scanner.

34
00:01:42,422 --> 00:01:44,334
Usually when we do our port scanning,

35
00:01:44,334 --> 00:01:46,774
we tend to focus on TCP ports,

36
00:01:46,774 --> 00:01:48,269
but if you're just looking for something

37
00:01:48,269 --> 00:01:52,352
that quickly can scan a network for UDP services,

38
00:01:53,363 --> 00:01:56,589
this is really a great tool to use and it's very easy.

39
00:01:56,589 --> 00:01:58,903
We'll show it in the demo.

40
00:01:58,903 --> 00:02:01,486
Okay, let's see NMAP in action.

41
00:02:03,160 --> 00:02:07,292
So, to run NMAP, if you just type in the NMAP command,

42
00:02:07,292 --> 00:02:10,772
it outputs all the different options that you can use

43
00:02:10,772 --> 00:02:13,453
when you run the scanner.

44
00:02:13,453 --> 00:02:17,536
You can see we're running NMAP version 7.25 Beta.

45
00:02:18,389 --> 00:02:22,184
And basically you type "nmap", you put the different types

46
00:02:22,184 --> 00:02:24,532
of switches that you want, the different options,

47
00:02:24,532 --> 00:02:28,005
and then at the end, you put the target specifications,

48
00:02:28,005 --> 00:02:32,354
so, whatever IP addresses that you are targeting.

49
00:02:32,354 --> 00:02:35,965
So, let's try scanning a particular host.

50
00:02:35,965 --> 00:02:40,132
We're doing the "-sS" command, which is a TCP SYN scan,

51
00:02:41,137 --> 00:02:45,310
which is also referred to as a half-open connection.

52
00:02:45,310 --> 00:02:48,546
So, you send the initial SYN.

53
00:02:48,546 --> 00:02:49,800
You're gonna receive a response

54
00:02:49,800 --> 00:02:52,620
from the server if the port is open,

55
00:02:52,620 --> 00:02:54,476
and you are not gonna respond

56
00:02:54,476 --> 00:02:56,869
to the response from the server.

57
00:02:56,869 --> 00:02:58,422
It's a really fast scan.

58
00:02:58,422 --> 00:03:00,634
You don't do the full TCP connection,

59
00:03:00,634 --> 00:03:03,078
and it is probably one of the most popular scans

60
00:03:03,078 --> 00:03:04,550
because of its speed.

61
00:03:04,550 --> 00:03:06,944
We're doing the "-vv", which means

62
00:03:06,944 --> 00:03:10,276
it's gonna output verbose information,

63
00:03:10,276 --> 00:03:13,698
so you'll know exactly what's happening during the scan.

64
00:03:13,698 --> 00:03:16,854
And we're doing "-T4", which is increasing the speed

65
00:03:16,854 --> 00:03:19,198
of our scan even further.

66
00:03:19,198 --> 00:03:23,014
The "-A" basically is going to enable

67
00:03:23,014 --> 00:03:25,950
operating system detection and version detection

68
00:03:25,950 --> 00:03:28,533
and some minor script scanning.

69
00:03:29,380 --> 00:03:33,547
And we are scanning 192.168.3.1.

70
00:03:36,136 --> 00:03:38,920
You can see the scan is really fast.

71
00:03:38,920 --> 00:03:42,920
So, as we can see from scanning the 192.168.3.1,

72
00:03:44,044 --> 00:03:45,091
right in the middle of the screen,

73
00:03:45,091 --> 00:03:47,014
it shows three open ports.

74
00:03:47,014 --> 00:03:50,154
It says, "Discovered open port 443",

75
00:03:50,154 --> 00:03:54,166
"Discovered open port 53", "Discovered open port 80".

76
00:03:54,166 --> 00:03:58,088
So, 443 is HTTPS,

77
00:03:58,088 --> 00:04:00,049
80 is HTTP,

78
00:04:00,049 --> 00:04:02,402
and port 53 is DNS,

79
00:04:02,402 --> 00:04:05,715
which are all open on this one system.

80
00:04:05,715 --> 00:04:07,427
And also, it says at the bottom

81
00:04:07,427 --> 00:04:09,552
that it's probably running some type

82
00:04:09,552 --> 00:04:11,566
of Linux operating system,

83
00:04:11,566 --> 00:04:14,451
which this system actually is.

84
00:04:14,451 --> 00:04:15,763
So, it does a pretty good job

85
00:04:15,763 --> 00:04:19,097
at operating system detection as well.

86
00:04:19,097 --> 00:04:20,130
So, let's look back at some

87
00:04:20,130 --> 00:04:23,133
of these options again for NMAP.

88
00:04:23,133 --> 00:04:26,216
The "-Pn" switch is really important.

89
00:04:29,027 --> 00:04:32,577
It's especially important from external hosts.

90
00:04:32,577 --> 00:04:36,794
Basically, the "-Pn" means treat all hosts as online.

91
00:04:36,794 --> 00:04:38,900
So, if you're running your scan from the internet,

92
00:04:38,900 --> 00:04:40,973
it's really important to have this switch

93
00:04:40,973 --> 00:04:44,257
because oftentimes firewalls will block

94
00:04:44,257 --> 00:04:47,269
most ports except for specific ones

95
00:04:47,269 --> 00:04:49,554
that the server is listening in on.

96
00:04:49,554 --> 00:04:52,570
So, if you do not treat all hosts as online,

97
00:04:52,570 --> 00:04:56,026
then the scan might skip over this one particular host

98
00:04:56,026 --> 00:04:57,907
because it thinks it's offline.

99
00:04:57,907 --> 00:04:59,720
So, when you're scanning from the internet,

100
00:04:59,720 --> 00:05:02,970
"-Pn" is a recommended switch for NMAP.

101
00:05:05,121 --> 00:05:08,142
Output is also important for NMAP.

102
00:05:08,142 --> 00:05:10,445
Basically what the output does is allow you

103
00:05:10,445 --> 00:05:13,304
to output your information into different types

104
00:05:13,304 --> 00:05:17,054
of text files, and this is especially helpful

105
00:05:18,571 --> 00:05:20,738
if you're scanning a large number of hosts.

106
00:05:20,738 --> 00:05:24,060
It's nice to put that information into a text file

107
00:05:24,060 --> 00:05:26,874
that you can refer to later on.

108
00:05:26,874 --> 00:05:28,815
It's not as big of a deal for single hosts,

109
00:05:28,815 --> 00:05:31,217
but it's very handy for actually tracking

110
00:05:31,217 --> 00:05:33,411
what you've been doing.

111
00:05:33,411 --> 00:05:36,126
And the port ranges are also really important.

112
00:05:36,126 --> 00:05:40,936
So, by default, NMAP will scan the most common ports,

113
00:05:40,936 --> 00:05:43,568
but you can specify certain port ranges.

114
00:05:43,568 --> 00:05:46,804
So you can say, "-p22", like it says there,

115
00:05:46,804 --> 00:05:49,090
which is only scanning for SSH.

116
00:05:49,090 --> 00:05:52,673
Or you can do "-p1-65535", which is scanning

117
00:05:53,573 --> 00:05:56,240
every single port on the system.

118
00:05:56,240 --> 00:05:59,475
You can also scan for UDP ports and TCP ports,

119
00:05:59,475 --> 00:06:01,432
and just specify those.

120
00:06:01,432 --> 00:06:02,390
And you can choose to scan

121
00:06:02,390 --> 00:06:05,447
the ports randomly or consecutively.

122
00:06:05,447 --> 00:06:07,735
Randomly can be used to avoid different types

123
00:06:07,735 --> 00:06:10,841
of intrusion-prevention systems.

124
00:06:10,841 --> 00:06:12,022
And you can see how we can do

125
00:06:12,022 --> 00:06:15,022
different types of UDP or TCP scans.

126
00:06:16,203 --> 00:06:18,323
Now, let's take a look at Masscan.

127
00:06:18,323 --> 00:06:21,155
While NMAP is the most popular port scanner,

128
00:06:21,155 --> 00:06:23,405
Masscan is definitely the fastest.

129
00:06:23,405 --> 00:06:25,355
So, if you just type "masscan" by itself

130
00:06:25,355 --> 00:06:28,302
at the command line, you get some basic usage.

131
00:06:28,302 --> 00:06:31,047
You should be familiar with how that works

132
00:06:31,047 --> 00:06:34,156
because it's pretty similar to NMAP,

133
00:06:34,156 --> 00:06:36,775
so pretty similar command-line switches,

134
00:06:36,775 --> 00:06:39,123
you can see the port specifications.

135
00:06:39,123 --> 00:06:40,877
Pretty much the same.

136
00:06:40,877 --> 00:06:43,622
If you type in "man masscan",

137
00:06:43,622 --> 00:06:46,359
you get the manual page for Masscan,

138
00:06:46,359 --> 00:06:48,648
which says it's a fast scan of the internet,

139
00:06:48,648 --> 00:06:50,386
which is really underestimating its ability

140
00:06:50,386 --> 00:06:52,218
because it's the fastest scan.

141
00:06:52,218 --> 00:06:53,474
You can see in this description

142
00:06:53,474 --> 00:06:55,933
it can scan the entire internet in three minutes

143
00:06:55,933 --> 00:06:58,634
for one port, and it can go as fast

144
00:06:58,634 --> 00:07:01,054
as 25 million packets per second.

145
00:07:01,054 --> 00:07:03,735
So, this is really useful for very large surveys

146
00:07:03,735 --> 00:07:06,931
or if you have large networks that you have to scan.

147
00:07:06,931 --> 00:07:09,297
I encourage you to get used to the different options

148
00:07:09,297 --> 00:07:13,464
that it offers, the same with all these scanners, NMAP, too.

149
00:07:14,572 --> 00:07:17,742
So, let's scan for port 80 and 443

150
00:07:17,742 --> 00:07:20,424
on the same host that we just scanned.

151
00:07:20,424 --> 00:07:24,240
Actually, we're gonna scan the entire network this time.

152
00:07:24,240 --> 00:07:25,981
Whereas before, we only scanned a single host,

153
00:07:25,981 --> 00:07:28,406
we're gonna scan the whole network.

154
00:07:28,406 --> 00:07:30,448
And, as you can see, really quickly,

155
00:07:30,448 --> 00:07:33,414
it scanned that entire network.

156
00:07:33,414 --> 00:07:34,915
The waiting period is just waiting

157
00:07:34,915 --> 00:07:36,873
for more information to come back,

158
00:07:36,873 --> 00:07:39,294
but it's pretty much already done at this point.

159
00:07:39,294 --> 00:07:41,320
So, you can see, in just a few seconds,

160
00:07:41,320 --> 00:07:43,663
it scanned that whole entire network just

161
00:07:43,663 --> 00:07:46,746
for those two ports, port 80 and 443.

162
00:07:48,834 --> 00:07:51,132
Now let's take a look at UDP.

163
00:07:51,132 --> 00:07:54,096
While we spend most of our time scanning TCP ports,

164
00:07:54,096 --> 00:07:57,243
UDP is often overlooked, and you can get some

165
00:07:57,243 --> 00:08:00,238
really good information from open UDP ports.

166
00:08:00,238 --> 00:08:03,261
So, as you can see right here, our udp-proto-scanner,

167
00:08:03,261 --> 00:08:06,121
we're scanning an entire network,

168
00:08:06,121 --> 00:08:08,870
and it runs pretty quickly.

169
00:08:08,870 --> 00:08:10,504
You can see it immediately received

170
00:08:10,504 --> 00:08:12,838
some UDP port 53 responses.

171
00:08:12,838 --> 00:08:17,005
Also, 137 and 123, so NTP.

172
00:08:21,171 --> 00:08:23,389
And you can see the different types of requests

173
00:08:23,389 --> 00:08:25,257
that it's sending out to the network,

174
00:08:25,257 --> 00:08:29,966
and it's hoping for some types of responses from there.

175
00:08:29,966 --> 00:08:33,108
So this scanner, unlike the others, is just fine-tuned

176
00:08:33,108 --> 00:08:36,811
to specifically UDP, and it does a really great job

177
00:08:36,811 --> 00:08:39,672
of doing that very quickly and letting you know

178
00:08:39,672 --> 00:08:42,312
what the exact response is.

179
00:08:42,312 --> 00:08:45,381
For web service review, EyeWitness is the tool

180
00:08:45,381 --> 00:08:48,384
that we recommend that you check out.

181
00:08:48,384 --> 00:08:51,138
EyeWitness really helps if you have a lot

182
00:08:51,138 --> 00:08:54,245
of web services that are available.

183
00:08:54,245 --> 00:08:56,871
Let's say you're scanning an entire network,

184
00:08:56,871 --> 00:08:59,134
and you find a hundred different websites

185
00:08:59,134 --> 00:09:01,773
that you need to attack.

186
00:09:01,773 --> 00:09:04,462
Instead of individually going to every single one

187
00:09:04,462 --> 00:09:06,641
and figuring out which one to prioritize,

188
00:09:06,641 --> 00:09:11,018
a tool like EyeWitness can quickly show you which ones

189
00:09:11,018 --> 00:09:13,288
that you should prioritize, and it does this

190
00:09:13,288 --> 00:09:15,507
by visiting every single one of these websites

191
00:09:15,507 --> 00:09:19,180
for you, taking a screenshot of those, and gives you

192
00:09:19,180 --> 00:09:23,176
some details about some of the header information,

193
00:09:23,176 --> 00:09:26,309
and you can quickly look at the website report

194
00:09:26,309 --> 00:09:29,279
that this outputs and you can look at all the screenshots

195
00:09:29,279 --> 00:09:32,675
and determine which one you want to prioritize.

196
00:09:32,675 --> 00:09:34,086
Sometimes you'll see a system

197
00:09:34,086 --> 00:09:37,867
that looks like an obvious test system.

198
00:09:37,867 --> 00:09:41,060
Maybe you'll see a system with a login page.

199
00:09:41,060 --> 00:09:43,107
You know, tend to focus on some of those instead

200
00:09:43,107 --> 00:09:45,162
of focusing on some of the ones

201
00:09:45,162 --> 00:09:47,738
that really don't have much on there.

202
00:09:47,738 --> 00:09:51,463
Okay, now that we have described how EyeWitness works

203
00:09:51,463 --> 00:09:54,097
on paper, let's actually see it in action.

204
00:09:54,097 --> 00:09:57,316
We'll start by doing an NMAP scan of the local network

205
00:09:57,316 --> 00:10:00,816
for two web ports: port 80, which is HTTP,

206
00:10:02,122 --> 00:10:04,539
and port 443, which is HTTPS.

207
00:10:06,025 --> 00:10:09,158
We can see that there are three systems on the network

208
00:10:09,158 --> 00:10:13,360
that have either one of those ports open.

209
00:10:13,360 --> 00:10:15,956
So, we'll take those three systems,

210
00:10:15,956 --> 00:10:18,670
and what we need to do for EyeWitness is

211
00:10:18,670 --> 00:10:23,634
put them all into a text file, and then we could run

212
00:10:23,634 --> 00:10:26,128
EyeWitness just by itself.

213
00:10:26,128 --> 00:10:28,317
If you just run EyeWitness, you can see

214
00:10:28,317 --> 00:10:31,215
that it says you did not specify a file,

215
00:10:31,215 --> 00:10:35,324
and you need to basically specify a file name

216
00:10:35,324 --> 00:10:37,109
when you run the tool.

217
00:10:37,109 --> 00:10:41,094
So, EyeWitness "--web", which means we're going to

218
00:10:41,094 --> 00:10:45,177
scan for systems listening in on port 80 and 443.

219
00:10:46,946 --> 00:10:50,766
"-f", which is the file name, and we have our

220
00:10:50,766 --> 00:10:54,933
three systems that are listening in on port 80 or 443

221
00:10:56,188 --> 00:10:58,021
in that "ip_list.txt".

222
00:11:00,407 --> 00:11:03,875
So we'll run EyeWitness against that,

223
00:11:03,875 --> 00:11:07,263
and you can see it's sending requests to three hosts.

224
00:11:07,263 --> 00:11:11,143
It's attempting to take screenshots of these systems.

225
00:11:11,143 --> 00:11:14,449
And it says "Finished in 16 seconds".

226
00:11:14,449 --> 00:11:17,643
And it's asking if we'd like to open the report.

227
00:11:17,643 --> 00:11:22,277
So, we'll say, "yes", and it opens this report.

228
00:11:22,277 --> 00:11:25,292
So, you can see those three systems that we scanned,

229
00:11:25,292 --> 00:11:27,300
it took screenshots for them.

230
00:11:27,300 --> 00:11:31,861
We see the first system looks like a pfSense box,

231
00:11:31,861 --> 00:11:33,698
which is a firewall.

232
00:11:33,698 --> 00:11:37,865
It makes sense the .1 address is the firewall.

233
00:11:38,836 --> 00:11:42,736
The .11 is some secret admin site page,

234
00:11:42,736 --> 00:11:45,187
which is interesting.

235
00:11:45,187 --> 00:11:47,080
And then the third one, .12,

236
00:11:47,080 --> 00:11:49,790
looks like a generic Ubuntu box.

237
00:11:49,790 --> 00:11:52,015
I think the one that we would focus on

238
00:11:52,015 --> 00:11:53,922
would be this secret admin site.

239
00:11:53,922 --> 00:11:55,569
You could see that it has a username

240
00:11:55,569 --> 00:11:59,736
and password field for that, and the title of the system,

241
00:12:01,156 --> 00:12:03,198
you can see over to the left side,

242
00:12:03,198 --> 00:12:06,251
is "sec-training", so you can imagine this is

243
00:12:06,251 --> 00:12:10,171
probably a more vulnerable site on the network.

244
00:12:10,171 --> 00:12:13,962
And you could really see the true power of this tool now.

245
00:12:13,962 --> 00:12:17,872
If we have several hundred sites that we wanted

246
00:12:17,872 --> 00:12:19,549
to figure out which ones to focus on,

247
00:12:19,549 --> 00:12:22,109
if we can just run EyeWitness against it,

248
00:12:22,109 --> 00:12:24,245
against the network, and it'll take screenshots

249
00:12:24,245 --> 00:12:27,082
of all the websites, then we can quickly look

250
00:12:27,082 --> 00:12:29,627
at the websites in this nice report

251
00:12:29,627 --> 00:12:33,108
to see which ones we want to focus on first.

252
00:12:33,108 --> 00:12:34,825
And that's much faster than browsing

253
00:12:34,825 --> 00:12:38,117
to each individual website manually,

254
00:12:38,117 --> 00:12:40,450
and taking up valuable time.