1
00:00:06,659 --> 00:00:10,579
- [Instructor] So let's talk more about the recon phase.

2
00:00:10,579 --> 00:00:15,210
Some of the things we might do in a recon phase are

3
00:00:15,210 --> 00:00:18,490
running an Nmap scan to identify the open ports

4
00:00:18,490 --> 00:00:21,570
that are listening on the target server.

5
00:00:21,570 --> 00:00:25,487
We need to first know which doors are available

6
00:00:27,146 --> 00:00:31,122
before we can start picking the locks, essentially.

7
00:00:31,122 --> 00:00:34,712
We might also scan using tools like Nikto

8
00:00:34,712 --> 00:00:37,723
to identify the version of the server

9
00:00:37,723 --> 00:00:41,010
and some information about the code that's running

10
00:00:41,010 --> 00:00:44,107
and if there are any insecure methods being used.

11
00:00:44,107 --> 00:00:46,939
Of course, automated scanners can also pick up

12
00:00:46,939 --> 00:00:50,128
this kind of information for us.

13
00:00:50,128 --> 00:00:52,818
In the following demo we will show how

14
00:00:52,818 --> 00:00:57,042
to run a quick Nmap scan against our target server.

15
00:00:57,042 --> 00:00:59,285
The results will tell us what ports the server

16
00:00:59,285 --> 00:01:03,100
is listening on as well as the service type.

17
00:01:03,100 --> 00:01:06,472
Then we'll also run a Nikto scan to get a quick dump

18
00:01:06,472 --> 00:01:10,507
of information about the web server and the application.

19
00:01:10,507 --> 00:01:13,410
So we're going to do this in our Kali VM.

20
00:01:13,410 --> 00:01:15,897
Let's start with the simple Nmap scan.

21
00:01:15,897 --> 00:01:19,688
First, we need a terminal window because

22
00:01:19,688 --> 00:01:22,831
Nmap we're going to run from the command line.

23
00:01:22,831 --> 00:01:27,449
Nmap, of course, comes installed by default on Kali.

24
00:01:27,449 --> 00:01:31,616
If you run an Nmap dash dash help, it will give you a list

25
00:01:34,167 --> 00:01:36,303
of some of the common commands and options

26
00:01:36,303 --> 00:01:38,171
that can be used with Nmap.

27
00:01:38,171 --> 00:01:42,592
There are many more options as well as scripts to explore.

28
00:01:42,592 --> 00:01:45,599
The NMAP.org website is a great reference

29
00:01:45,599 --> 00:01:49,786
for that type of information, and there are also tutorials

30
00:01:49,786 --> 00:01:51,953
on how to use the scripts.

31
00:01:53,620 --> 00:01:56,940
What we're going to run here is a SYN scan,

32
00:01:56,940 --> 00:01:59,888
so at the command line we'll run the command

33
00:01:59,888 --> 00:02:01,721
Nmap dash lower case s

34
00:02:04,490 --> 00:02:06,375
capital S, which tells it

35
00:02:06,375 --> 00:02:10,542
to run a SYN scan, dash lower case p, which specifies

36
00:02:12,807 --> 00:02:16,033
the ports, and then we're going to tell it to

37
00:02:16,033 --> 00:02:18,200
scan every port available.

38
00:02:20,161 --> 00:02:21,244
The target is

39
00:02:24,615 --> 00:02:25,615
hackazon.net.

40
00:02:28,900 --> 00:02:31,198
The SYN scan is a very quick and fairly

41
00:02:31,198 --> 00:02:33,744
quiet scan since it never actually completes

42
00:02:33,744 --> 00:02:35,879
the TCP connection.

43
00:02:35,879 --> 00:02:39,479
We ran it against our target website hackazon.net,

44
00:02:39,479 --> 00:02:43,562
and the reason why we specified all the TCP ports:

45
00:02:45,744 --> 00:02:49,236
as an attacker we want to leave no stone unturned.

46
00:02:49,236 --> 00:02:53,770
We're looking for a port that may have been left open

47
00:02:53,770 --> 00:02:57,937
or a running service that the target does not know about.

48
00:02:59,664 --> 00:03:03,024
So after we run the scan we can see that the only

49
00:03:03,024 --> 00:03:06,384
open listening port is port 80, which

50
00:03:06,384 --> 00:03:09,551
is typically used for HTTP web servers.

51
00:03:11,581 --> 00:03:15,888
To verify this we can simply browse to that port

52
00:03:15,888 --> 00:03:19,638
on the web server, so we'll fire up Iceweasel,

53
00:03:20,914 --> 00:03:24,492
which is our browser in Kali, and we'll type in

54
00:03:24,492 --> 00:03:27,409
hackazon.net, we'll specify port 80,

55
00:03:29,559 --> 00:03:33,726
and of course we see there is a web server running there.

56
00:03:34,969 --> 00:03:37,248
We now want to gather more information about

57
00:03:37,248 --> 00:03:40,765
that specific web server and the application

58
00:03:40,765 --> 00:03:43,015
that is running on port 80.

59
00:03:44,077 --> 00:03:48,244
So for this we are going to use a simple tool called Nikto.

60
00:03:49,405 --> 00:03:52,944
This tool is also installed in Kali by default.

61
00:03:52,944 --> 00:03:56,807
We'll again run this from the command line.

62
00:03:56,807 --> 00:04:00,807
Let's start again with running the help command.

63
00:04:03,565 --> 00:04:06,445
This gives us some information on how the commands work;

64
00:04:06,445 --> 00:04:10,297
you can see there are options for specifying the host

65
00:04:10,297 --> 00:04:13,214
and the port as well as credentials,

66
00:04:14,500 --> 00:04:16,804
so for instance if you have a web application

67
00:04:16,804 --> 00:04:20,426
that requires authentication, we would need to provide

68
00:04:20,426 --> 00:04:24,519
the tool the credentials to log into the application

69
00:04:24,519 --> 00:04:28,295
to scan it, so what we're going to do is

70
00:04:28,295 --> 00:04:30,878
to just run a simple scan here.

71
00:04:35,213 --> 00:04:38,909
Nikto will take a few minutes to run, but we can see

72
00:04:38,909 --> 00:04:42,160
the information that it is gathering as it's running

73
00:04:42,160 --> 00:04:44,215
through in the terminal.

74
00:04:44,215 --> 00:04:46,205
Some of the initial information that it gives us

75
00:04:46,205 --> 00:04:49,530
is the type of operating system as well as

76
00:04:49,530 --> 00:04:51,447
the web server version.

77
00:04:52,875 --> 00:04:56,458
We can see here that the version is Apache 247.

78
00:04:57,991 --> 00:05:00,282
The rest of the results can also give us hints

79
00:05:00,282 --> 00:05:03,293
to possible vulnerabilities.

80
00:05:03,293 --> 00:05:05,833
So what we're going to do is we're going to

81
00:05:05,833 --> 00:05:09,337
record this information for use in later phases

82
00:05:09,337 --> 00:05:10,504
of our attack.