1
00:00:07,210 --> 00:00:09,220
- [Instructor] Now that we have been able to locate things

2
00:00:09,220 --> 00:00:11,120
like names, phone numbers,

3
00:00:11,120 --> 00:00:16,120
addresses, some DNS information, IP addresses, and so on,

4
00:00:16,230 --> 00:00:17,130
let's take a look

5
00:00:17,130 --> 00:00:21,560
at how to perform an overall network footprinting.

6
00:00:21,560 --> 00:00:24,330
Now this is going to be, you know, the initial step

7
00:00:24,330 --> 00:00:27,690
for things related to network footprinting.

8
00:00:27,690 --> 00:00:31,010
In Lesson 3, we'll go over the details

9
00:00:31,010 --> 00:00:34,110
of network scanning and the network scanning concepts,

10
00:00:34,110 --> 00:00:37,970
the different scanning tools, understanding host discovery,

11
00:00:37,970 --> 00:00:41,300
understanding port and service discovery,

12
00:00:41,300 --> 00:00:45,810
and scanning beyond the traditional security capabilities

13
00:00:45,810 --> 00:00:48,380
like the firewalls and IPS, and so on.

14
00:00:48,380 --> 00:00:50,980
So here, let's take a look at a few examples.

15
00:00:50,980 --> 00:00:52,300
The first thing that I want to do

16
00:00:52,300 --> 00:00:54,350
is do a quick host resolution,

17
00:00:54,350 --> 00:00:57,010
so DNS resolution using the host command

18
00:00:57,010 --> 00:01:00,960
to the domain hacker.org, that I own with the number 4

19
00:01:00,960 --> 00:01:03,370
and as you see, you have different IP addresses

20
00:01:03,370 --> 00:01:06,220
that are resolving to hacker.org,

21
00:01:06,220 --> 00:01:08,630
because it's actually doing DNS round-robin,

22
00:01:08,630 --> 00:01:10,210
DNS load balancing,

23
00:01:10,210 --> 00:01:11,800
and also you see the information

24
00:01:11,800 --> 00:01:14,580
around the different mail entities,

25
00:01:14,580 --> 00:01:18,350
so the MX records for hacker.org,

26
00:01:18,350 --> 00:01:21,430
but let's actually do a quick whois

27
00:01:21,430 --> 00:01:24,343
to the first IP address in the results.

28
00:01:25,190 --> 00:01:28,480
Now, a lot of information is being displayed here

29
00:01:28,480 --> 00:01:30,190
related to the organization.

30
00:01:30,190 --> 00:01:32,440
However, take a look at this, you know,

31
00:01:32,440 --> 00:01:37,290
if you look at the results we're getting, the organization is GitHub.

32
00:01:37,290 --> 00:01:39,220
Why are we getting GitHub

33
00:01:39,220 --> 00:01:42,640
if we did a resolution for hacker.org

34
00:01:42,640 --> 00:01:45,710
and then, of course, we selected an IP address

35
00:01:45,710 --> 00:01:48,830
that came back as, you know, the DNS resolution,

36
00:01:48,830 --> 00:01:51,160
the IP associated to hacker.org,

37
00:01:51,160 --> 00:01:52,660
why are we getting GitHub?

38
00:01:52,660 --> 00:01:54,280
Well, in this case, actually, you know,

39
00:01:54,280 --> 00:01:57,118
hacker.org is being hosted in GitHub Pages

40
00:01:57,118 --> 00:02:00,050
and you see a lot of different information

41
00:02:00,050 --> 00:02:02,570
about the organization, not only, you know,

42
00:02:02,570 --> 00:02:05,520
of course, the different addresses

43
00:02:05,520 --> 00:02:08,160
but also the autonomous system numbers

44
00:02:08,160 --> 00:02:12,172
and the block of IP addresses and the network range

45
00:02:12,172 --> 00:02:17,172
that the first address we selected belongs to.

46
00:02:18,390 --> 00:02:20,390
In this case, this means that the target network

47
00:02:20,390 --> 00:02:22,660
has a total of 254 addresses

48
00:02:22,660 --> 00:02:26,350
because it's a 24-bit mask, a class C network,

49
00:02:26,350 --> 00:02:29,070
and the attacker can now focus his efforts

50
00:02:29,070 --> 00:02:31,700
or her efforts on the range

51
00:02:31,700 --> 00:02:36,700
from the 185.199.111.0,

52
00:02:37,350 --> 00:02:40,313
so from .1 all the way to 254.

53
00:02:41,380 --> 00:02:43,020
Now, of course, as a pen tester,

54
00:02:43,020 --> 00:02:45,840
you can use a plethora of different tools

55
00:02:45,840 --> 00:02:49,260
to gather information from the network.

56
00:02:49,260 --> 00:02:52,730
You can use things as simple as a traceroute

57
00:02:52,730 --> 00:02:54,080
to that IP address

58
00:02:54,080 --> 00:02:56,760
so you know the path and all the devices

59
00:02:56,760 --> 00:02:58,960
that are in the path from your machine

60
00:02:58,960 --> 00:03:00,600
all the way to that IP address.

61
00:03:00,600 --> 00:03:03,320
Now, if you're doing an internal pen test,

62
00:03:03,320 --> 00:03:06,070
in other words you're actually on site,

63
00:03:06,070 --> 00:03:08,880
on premises performing a pen test,

64
00:03:08,880 --> 00:03:12,270
you know, traceroute becomes a little bit more relevant

65
00:03:12,270 --> 00:03:14,450
because now you are seeing things

66
00:03:14,450 --> 00:03:16,070
that may be in between,

67
00:03:16,070 --> 00:03:18,120
probably firewalls that may be blocking,

68
00:03:18,120 --> 00:03:19,640
you know, the traceroute,

69
00:03:19,640 --> 00:03:22,650
or, you know, the different structures like routers

70
00:03:22,650 --> 00:03:25,070
or layer three switches and so on

71
00:03:25,070 --> 00:03:27,880
that may be in between your PC

72
00:03:27,880 --> 00:03:31,563
or your machine all the way to the target device.

73
00:03:32,710 --> 00:03:36,160
Now Lesson 3 is dedicated to network scanning,

74
00:03:36,160 --> 00:03:38,200
but here I'm going to do a quick introduction

75
00:03:38,200 --> 00:03:40,770
to a very popular port scanner

76
00:03:40,770 --> 00:03:43,660
that can be used for overall network discovery

77
00:03:43,660 --> 00:03:44,683
that is called Nmap.

78
00:03:46,090 --> 00:03:49,870
Now Nmap can be used for a quick network discovery

79
00:03:49,870 --> 00:03:53,210
or a ping sweep to see what hosts may be available

80
00:03:53,210 --> 00:03:54,860
in the network, and in my case,

81
00:03:54,860 --> 00:03:57,410
I'm actually doing a quick scan

82
00:03:57,410 --> 00:03:59,860
for any device that may reside

83
00:03:59,860 --> 00:04:03,710
in the 10.6.6.0/24 network.

84
00:04:03,710 --> 00:04:06,810
So that means a class C or a, you know,

85
00:04:06,810 --> 00:04:10,660
subnet of the 10 network represented here.

86
00:04:10,660 --> 00:04:12,340
So if I launch the tool,

87
00:04:12,340 --> 00:04:14,080
it allows me to actually see

88
00:04:14,080 --> 00:04:16,430
what devices are available in the network.

89
00:04:16,430 --> 00:04:19,170
Then of course, we can go into a lot more detail

90
00:04:19,170 --> 00:04:23,430
like performing TCP scans, UDP scans, and so on,

91
00:04:23,430 --> 00:04:26,543
but we will cover that in Lesson 3.