1 00:00:06,440 --> 00:00:09,950 - [Instructor] Let's go over an overview of port scanning 2 00:00:10,970 --> 00:00:14,240 and also service discovery. 3 00:00:14,240 --> 00:00:16,300 And starting with port scanning, 4 00:00:16,300 --> 00:00:21,300 one of the best utilities or best tools to use 5 00:00:21,920 --> 00:00:24,630 in order for you to actually start getting 6 00:00:24,630 --> 00:00:28,310 some experience with port scanning is Nmap. 7 00:00:28,310 --> 00:00:30,150 And I'm gonna be using Nmap 8 00:00:30,150 --> 00:00:34,480 throughout the demonstrations in the next few minutes. 9 00:00:34,480 --> 00:00:38,310 But let's start going over what port scanning is 10 00:00:38,310 --> 00:00:40,490 and what the purpose of it is. 11 00:00:40,490 --> 00:00:44,110 As an ethical hacker you're trying to demonstrate 12 00:00:44,110 --> 00:00:48,092 what a real-life attacker can do 13 00:00:48,092 --> 00:00:50,610 to find vulnerabilities in a system 14 00:00:50,610 --> 00:00:52,800 and then exploit those vulnerabilities 15 00:00:52,800 --> 00:00:54,780 and move to post-exploitation. 16 00:00:54,780 --> 00:00:57,780 So one of the main avenues 17 00:00:57,780 --> 00:01:00,200 in the active reconnaissance phase 18 00:01:00,200 --> 00:01:03,543 is to look for any ports that may be open 19 00:01:03,543 --> 00:01:05,060 in a target system. 20 00:01:05,060 --> 00:01:08,840 So I'm gonna put here T to demonstrate a target system. 21 00:01:08,840 --> 00:01:10,430 This can be a web application, 22 00:01:10,430 --> 00:01:12,200 this can be an embedded device, 23 00:01:12,200 --> 00:01:13,690 it can be an IoT device, 24 00:01:13,690 --> 00:01:15,720 it can be pretty much anything, right? 
25 00:01:15,720 --> 00:01:19,382 Now an attacker can perform port scanning 26 00:01:19,382 --> 00:01:24,382 by using TCP packets, by using UDP, 27 00:01:26,030 --> 00:01:30,570 and even though ICMP does not have any ports, 28 00:01:30,570 --> 00:01:34,070 the ICMP protocol has types and codes, 29 00:01:34,070 --> 00:01:37,490 so you can actually use ICMP to enumerate hosts 30 00:01:37,490 --> 00:01:40,940 within an environment, within a subnet. 31 00:01:40,940 --> 00:01:43,040 So we're gonna concentrate mostly 32 00:01:43,040 --> 00:01:46,670 on TCP and UDP scanning here. 33 00:01:46,670 --> 00:01:51,060 Now, TCP is a connection-oriented protocol. 34 00:01:51,060 --> 00:01:55,214 So in other words a TCP scan is a lot more reliable 35 00:01:55,214 --> 00:01:57,650 than a UDP scan, right? 36 00:01:57,650 --> 00:02:01,600 Because an attacker, whenever you use a UDP scan, 37 00:02:01,600 --> 00:02:04,160 can send a packet to a target system 38 00:02:04,160 --> 00:02:06,280 and may not get anything back. 39 00:02:06,280 --> 00:02:08,680 In some cases, the target system, 40 00:02:08,680 --> 00:02:11,530 if the port is not open, may send 41 00:02:11,530 --> 00:02:15,610 an ICMP destination unreachable message 42 00:02:15,610 --> 00:02:16,940 back to the attacker, 43 00:02:16,940 --> 00:02:20,060 but that could be blocked by a firewall 44 00:02:20,060 --> 00:02:23,760 or by any other infrastructure device that is out there. 45 00:02:23,760 --> 00:02:26,617 So that's why UDP scanning 46 00:02:26,617 --> 00:02:30,863 is a lot more unreliable than TCP scans. 47 00:02:32,360 --> 00:02:35,220 Now to demonstrate TCP scanning here, 48 00:02:35,220 --> 00:02:36,640 I'm gonna do a SYN scan. 49 00:02:36,640 --> 00:02:40,290 So basically an attacker or the scanner itself, 50 00:02:40,290 --> 00:02:42,040 I'm just gonna draw a scanner here, 51 00:02:45,502 --> 00:02:50,502 sends a TCP SYN message to the target system. 
52 00:02:53,510 --> 00:02:55,130 And then if the port is open, 53 00:02:55,130 --> 00:02:57,640 let's say this is actually over port 80, 54 00:02:57,640 --> 00:02:58,790 and if the port is open, 55 00:02:58,790 --> 00:03:00,570 of course the target system 56 00:03:00,570 --> 00:03:05,570 will actually send a SYN-ACK message back to the scanner, 57 00:03:06,190 --> 00:03:10,410 and the scanner will say that port 80 is open, right? 58 00:03:10,410 --> 00:03:12,520 If it then goes to a different port, 59 00:03:12,520 --> 00:03:14,410 let's say port 81, 60 00:03:14,410 --> 00:03:17,640 and it does not send a TCP SYN-ACK message, 61 00:03:17,640 --> 00:03:22,507 and it may actually send instead a TCP Reset message, 62 00:03:23,400 --> 00:03:25,350 then the scanner actually says that 63 00:03:25,350 --> 00:03:27,723 of course the port is closed. 64 00:03:28,810 --> 00:03:32,140 Now there are different types of states 65 00:03:32,140 --> 00:03:35,470 of the scan reports that you can get in Nmap. 66 00:03:35,470 --> 00:03:39,070 And later I'm gonna share with you a cheat sheet 67 00:03:39,070 --> 00:03:41,180 that I have in my GitHub repository 68 00:03:41,180 --> 00:03:43,910 that goes over all those different permutations 69 00:03:43,910 --> 00:03:46,613 and different options within Nmap. 70 00:03:48,240 --> 00:03:49,510 Now to demonstrate this 71 00:03:49,510 --> 00:03:52,740 I'm gonna be using Nmap using a SYN scan. 72 00:03:52,740 --> 00:03:56,530 So I'm gonna be launching a TCP SYN scan. 73 00:03:56,530 --> 00:03:59,700 And the option here is lowercase s, uppercase S, 74 00:03:59,700 --> 00:04:00,783 so dash sS, 75 00:04:02,320 --> 00:04:04,730 with the IP address of a target system. 76 00:04:04,730 --> 00:04:08,170 And in this case it's 10.6.6.23. 
77 00:04:08,170 --> 00:04:11,120 And if I hit Enter, Nmap starts the scan 78 00:04:11,120 --> 00:04:15,030 and right away it actually tells me that port 21, 79 00:04:15,030 --> 00:04:16,233 port 22, 53, 80 00:04:17,751 --> 00:04:21,290 80, 139 and 445 are open. 81 00:04:21,290 --> 00:04:23,749 Now, what Nmap is doing is actually scanning 82 00:04:23,749 --> 00:04:28,749 for the top 1,000 most popular ports out there, 83 00:04:29,106 --> 00:04:30,560 not in sequence. 84 00:04:30,560 --> 00:04:32,190 So it's not going from one to 1,000; 85 00:04:32,190 --> 00:04:33,510 it is actually going 86 00:04:33,510 --> 00:04:36,323 and picking the top 1,000 most common ports 87 00:04:36,323 --> 00:04:38,160 and then it's actually doing that. 88 00:04:38,160 --> 00:04:40,550 If you want to scan for all the ports 89 00:04:40,550 --> 00:04:43,490 then you can do a dash p and another dash 90 00:04:43,490 --> 00:04:44,900 as the option here, 91 00:04:44,900 --> 00:04:47,270 and it will scan for the 6,500 92 00:04:47,270 --> 00:04:51,620 or 65,535 different ports out there. 93 00:04:51,620 --> 00:04:56,440 Now in this case the port scan is not telling me 94 00:04:56,440 --> 00:04:59,593 if truly port 21 is actually running FTP. 95 00:05:00,997 --> 00:05:03,970 It's actually just guessing that because port 21 96 00:05:03,970 --> 00:05:08,090 was actually open, FTP may be that service. 97 00:05:08,090 --> 00:05:10,530 So whenever you're doing service enumeration 98 00:05:10,530 --> 00:05:12,300 you actually have to go further 99 00:05:12,300 --> 00:05:17,300 than a regular TCP or normal SYN scan like this. 
100 00:05:18,240 --> 00:05:21,320 You can take advantage of additional checks, 101 00:05:21,320 --> 00:05:23,980 whether it's manual checks that you can do 102 00:05:23,980 --> 00:05:28,390 to actually launch a utility like netcat against that port 103 00:05:28,390 --> 00:05:32,690 or by taking advantage of other utilities 104 00:05:32,690 --> 00:05:35,910 and other scripts that come with Nmap. 105 00:05:35,910 --> 00:05:37,530 And there's a scripting engine, 106 00:05:37,530 --> 00:05:40,630 called the Nmap Scripting Engine, NSE, 107 00:05:40,630 --> 00:05:42,750 and there's a whole bunch of different scripts 108 00:05:42,750 --> 00:05:44,440 that you can take advantage of, 109 00:05:44,440 --> 00:05:46,510 or you can create your own. 110 00:05:46,510 --> 00:05:48,710 And in this case, I'm actually using WebSploit, 111 00:05:48,710 --> 00:05:51,140 the learning environment that I created, 112 00:05:51,140 --> 00:05:53,600 and it is running on top of Parrot OS. 113 00:05:53,600 --> 00:05:56,170 And in this case, I can do a locate *.nse 114 00:05:58,250 --> 00:06:02,290 and you can see that under /usr/share/nmap/scripts, 115 00:06:02,290 --> 00:06:03,130 there are a whole bunch 116 00:06:03,130 --> 00:06:07,190 of different NSE scripts that are here 117 00:06:07,190 --> 00:06:09,950 for you to do additional enumeration 118 00:06:09,950 --> 00:06:13,040 of different shells, different files, 119 00:06:13,040 --> 00:06:15,370 and different potential vulnerabilities 120 00:06:15,370 --> 00:06:17,190 that may be in the system. 121 00:06:17,190 --> 00:06:20,890 Now a quick cheat, if you will, 122 00:06:20,890 --> 00:06:23,970 or a kind of shortcut for launching 123 00:06:23,970 --> 00:06:27,890 the most appropriate Nmap Scripting Engine scripts 124 00:06:27,890 --> 00:06:31,360 is by using the -sC option. 125 00:06:31,360 --> 00:06:35,540 So lowercase s, and uppercase C. 
126 00:06:35,540 --> 00:06:38,460 And I'm gonna launch this against the same target, 127 00:06:38,460 --> 00:06:41,190 so 10.6.6.23. 128 00:06:41,190 --> 00:06:43,763 Now this is gonna take a little bit more time 129 00:06:43,763 --> 00:06:46,860 than the previous scan that we just did, 130 00:06:46,860 --> 00:06:48,790 which was a normal SYN scan. 131 00:06:48,790 --> 00:06:50,610 And what the scanner is doing 132 00:06:50,610 --> 00:06:54,070 is actually sending the same type of scan, 133 00:06:54,070 --> 00:06:57,440 with the default 1,000 ports, to that system, 134 00:06:57,440 --> 00:06:59,920 to the 10.6.6.23. 135 00:06:59,920 --> 00:07:01,679 And then based on the results, 136 00:07:01,679 --> 00:07:04,530 like you saw that there was port 21, 22, 137 00:07:04,530 --> 00:07:08,570 port 80, 445, and all those different ports, 138 00:07:08,570 --> 00:07:11,570 Nmap is actually picking the most appropriate 139 00:07:11,570 --> 00:07:14,660 or the most common Nmap Scripting Engine scripts 140 00:07:14,660 --> 00:07:17,610 to run and do further enumeration. 141 00:07:17,610 --> 00:07:19,594 Now, this is actually a lot more verbose 142 00:07:19,594 --> 00:07:23,732 than the previous scan, than the SYN scan, 143 00:07:23,732 --> 00:07:27,250 but it actually gives you a lot of additional information. 144 00:07:27,250 --> 00:07:30,580 And as you can tell, the scan just concluded. 145 00:07:30,580 --> 00:07:34,912 And if I scroll up, you see that for port 21 146 00:07:34,912 --> 00:07:38,523 it was able to enumerate that of course it is open, 147 00:07:38,523 --> 00:07:41,960 and indeed it's actually running an FTP server, 148 00:07:41,960 --> 00:07:44,517 and it was able to log in anonymously 149 00:07:44,517 --> 00:07:49,120 and it was also able to enumerate these files. 150 00:07:49,120 --> 00:07:51,100 So file one, file two, file three, 151 00:07:51,100 --> 00:07:54,110 and this other one called super secret file. 
152 00:07:54,110 --> 00:07:59,110 Now it also was able to enumerate additional things 153 00:07:59,400 --> 00:08:02,607 about the system, including the version 154 00:08:02,607 --> 00:08:07,100 and the program that is running FTP. 155 00:08:07,100 --> 00:08:11,270 So in this case it is vsftpd, version 3.0.3. 156 00:08:11,270 --> 00:08:14,420 In some cases you may actually get some false positives; 157 00:08:14,420 --> 00:08:17,330 in this case it is actually correct. 158 00:08:17,330 --> 00:08:19,640 Now for SSH you see that it's getting 159 00:08:19,640 --> 00:08:23,510 the SSH keys. For DNS, 160 00:08:23,510 --> 00:08:26,230 it is not only able to find 161 00:08:26,230 --> 00:08:28,780 that DNS is actually running in the system, 162 00:08:28,780 --> 00:08:31,620 but the type of DNS server, 163 00:08:31,620 --> 00:08:35,500 in this case it is actually BIND, and the version as well. 164 00:08:35,500 --> 00:08:39,580 Then for port 139 and 445 you actually see 165 00:08:39,580 --> 00:08:44,300 that it was actually able to enumerate additional things like, 166 00:08:44,300 --> 00:08:45,970 that it is not a Windows system; 167 00:08:45,970 --> 00:08:49,120 that it is actually a Debian system running Samba 168 00:08:49,120 --> 00:08:53,660 and is running an old version of Samba, 4.9.5 for Debian. 169 00:08:53,660 --> 00:08:56,351 And it was also able to enumerate additional things, 170 00:08:56,351 --> 00:08:59,839 including the system time 171 00:08:59,839 --> 00:09:04,450 and the smb-security-mode and so on. 172 00:09:04,450 --> 00:09:06,980 Now to launch a specific script 173 00:09:06,980 --> 00:09:11,980 you can run or use the dash dash script tag or keyword, 174 00:09:13,120 --> 00:09:16,070 followed by the specific location of the script. 175 00:09:16,070 --> 00:09:19,760 And in this case we're gonna be doing enumeration of shares 176 00:09:19,760 --> 00:09:24,760 of that same Samba implementation on the 10.6.6.23. 
177 00:09:26,830 --> 00:09:27,663 And as a matter of fact 178 00:09:27,663 --> 00:09:30,410 you can be even more specific and say, 179 00:09:30,410 --> 00:09:35,410 I'm gonna be only running this scan against port 445, 180 00:09:36,530 --> 00:09:38,440 so with a dash p option. 181 00:09:38,440 --> 00:09:39,603 Whenever I hit Enter, 182 00:09:40,560 --> 00:09:44,640 now what it's doing is actually scanning the system 183 00:09:44,640 --> 00:09:48,650 only on port 445 and then enumerating different shares. 184 00:09:48,650 --> 00:09:50,770 And as you can see, it was actually able 185 00:09:50,770 --> 00:09:54,570 to actually find a directory called work files, 186 00:09:54,570 --> 00:09:55,880 and there's a comment there 187 00:09:55,880 --> 00:09:58,250 about confidential work files, right? 188 00:09:58,250 --> 00:10:02,860 So once again, we went over the different scan types. 189 00:10:02,860 --> 00:10:07,640 We went over a very brief introduction to the Nmap scanner, 190 00:10:07,640 --> 00:10:10,790 how to use the Nmap Scripting Engine, 191 00:10:10,790 --> 00:10:13,980 how to verify additional system enumeration, 192 00:10:13,980 --> 00:10:16,600 and there are plenty of additional tools for that. 193 00:10:16,600 --> 00:10:19,560 And then one more thing that I want to share with you 194 00:10:19,560 --> 00:10:24,560 is that in my GitHub repository, under cheat sheets, 195 00:10:28,350 --> 00:10:30,510 you have a lot of different cheat sheets 196 00:10:30,510 --> 00:10:32,200 for many different things 197 00:10:32,200 --> 00:10:35,950 including exploit development, Metasploit, 198 00:10:35,950 --> 00:10:37,760 even memory forensics. 
199 00:10:37,760 --> 00:10:40,544 There's one specifically for Nmap that I created 200 00:10:40,544 --> 00:10:44,360 and it has the different scan types, port status; 201 00:10:44,360 --> 00:10:47,200 as I mentioned to you, the states of the ports, 202 00:10:47,200 --> 00:10:50,200 and the different results you can get from the scanner, 203 00:10:50,200 --> 00:10:54,350 the different scan types, probing options, timing options. 204 00:10:54,350 --> 00:10:57,400 And especially if you want to be more stealthy 205 00:10:57,400 --> 00:11:00,816 and potentially bypass intrusion detection systems 206 00:11:00,816 --> 00:11:02,820 and monitoring tools 207 00:11:02,820 --> 00:11:05,040 that the security operations center may have, 208 00:11:05,040 --> 00:11:06,958 you can use these different timing options 209 00:11:06,958 --> 00:11:11,958 to tweak your scans and be a lot more stealthy. 210 00:11:12,460 --> 00:11:15,320 So I have tons and tons of different references 211 00:11:15,320 --> 00:11:16,858 in here for you, 212 00:11:16,858 --> 00:11:19,903 for your benefit and for your learning.