- [Narrator] Active reconnaissance attacks are attacks that include the scanning of the network to find out which IP addresses respond and then to further scan those devices to see which ports of the devices, those IP addresses, are actually open. Active scans are carried out by tools called scanners. So pretty self-explanatory. I'm showing here a few commercial and open source application and vulnerability scanners. One of the most popular ones is actually Nmap. I'm gonna show you Nmap in a few minutes. There's also another one called Nessus by Tenable Network Security. They actually have a commercial entity or license for it, but you can download it for free as well. There's a very popular one called NeXpose by Rapid7. That's actually very popular among penetration testers. Qualys scan is another scanner that also includes web application scanning, and is developed by Qualys. There are many, many others, especially for application and web application vulnerability scanning, such as AppScan from IBM, Burp Suite. Burp actually has a free and a commercial version.
That's a great tool to actually look for vulnerabilities in a web application, ParosPro. The list goes on and on, as you can actually see here. So this is for your reference. So be aware that these attacks are not launched only from individuals outside of the company, but they're also launched from people and devices inside of your company sometimes, right? So it is what we call the insider threat. So in a lot of places actually, you see scanning actually being done not only by humans, but by compromised machines that are already in the network that are trying to actually find all the devices that they can actually compromise and steal information from. So this vector is of particular concern these days with the proliferation of organizations allowing employees to even bring their own devices, what we call BYOD, that allows them to access data, applications and devices in the corporate network. Some of those devices may actually be compromised, right? So as soon as actually they come into the network, they actually start scanning and looking for vulnerabilities that they can actually exploit. Perhaps the user is also curious, right?
So these applications are actually commonly used for even troubleshooting, right? So you can scan to see what IP addresses actually are available in the network and what type of ports are actually open and things like that. So it may be used by a non-malicious user of course as well, or maybe of course a backdoor is installed on the computer which the user is actually logged into, and then in that case an outside attacker can be actually launching an attack in stealth mode. So in either case it's important to implement a security policy that takes nothing for granted, right? So that's very important. Don't take anything for granted and be prepared to mitigate risk at several levels, including insider threat, right? Now there are different types of port and network scanning techniques. The following are some of the most common ones. The first one is a basic port scan. It actually involves the scanning of a predetermined TCP or UDP port by sending a specifically configured packet that contains the port number of the port that was actually selected.
So this is typically used to determine what ports are actually open or available in a given system. There's also a TCP scan, which of course is a TCP-based scan to a series of ports on the machine to determine the port availability within TCP. There's also many different variants of it, right? So you can do a TCP SYN scan, which is one of the most common types of TCP scanning, that is also referred to as half-open scanning. And that's because it never actually opens a full TCP connection. So it doesn't do a full TCP three-way handshake. So the scanner sends a SYN packet; if the target responds then with a SYN-ACK, then the scanner typically says this port is actually open, and it may actually even reply back with a RST packet. So another TCP scan type is a TCP ACK. So this type of scan does not actually or exactly determine the TCP ports that are open or closed; however, it checks if the port is filtered or unfiltered by that application or system. So TCP ACK scans are typically used when trying to see if a firewall is deployed and its rule sets are taking effect, right?
So there are also TCP FIN packets that in some cases can bypass legacy firewalls, since closed ports may cause a system to reply to a FIN packet with a corresponding RST packet because of the nature of TCP. Now there's a type of scanning that is called a UDP scan. Now, UDP is a connectionless protocol. So it doesn't have a three-way handshake like TCP. So the UDP scans have to rely on ICMP port unreachable messages to determine if the port is actually open. So when the scanner sends a UDP packet and the port is actually not open on the victim site or the victim system, that system will respond back with an ICMP port unreachable message. And this type of scanning will definitely be affected by firewalls and devices that actually rate limit or block ICMP, right? So that's the reason that a lot of people actually say that UDP scanning is not that effective. Now there's another type of scan called a strobe scan. And typically it's used by an attacker to find the ports that he or she already knows how to actually exploit.
So he already knows there's an open port, but they actually want to strobe scan to execute on a more confined level of scanning. Now there's a stealth scan, and basically a stealth scan is any scan that is designed to go undetected by network auditing tools. So, again, there's many different types of scanning mechanisms that we actually have in here. The first example that I'm showing here is the Nmap scanner. And basically here I'm actually just doing what we call a ping sweep to the network with the IP addresses of 192.168.78.0 with the 24-bit mask. And as you can see here, actually it scans the network and finds what devices are actually up. And it actually even provides a little bit more information. So it provides the MAC address. If we can determine what type of devices, some of them may be Cisco devices, other ones like I'm seeing here... This is actually my house. I have a couple of Google Chromecasts.
I have a smart home device, several Cisco devices in my house, even a Raspberry Pi that actually you're seeing here; you can determine that of course there's a Raspberry Pi in that specific network. So again, this is actually what we call the ping scan or ping sweep, and basically it's just ICMP packets to see what devices are there, and it gathers information from that. Then after that you can launch a more specific scan, right? So in this case I'm actually just doing a light scan for TCP for a host of 191.68.78.8. That's a Linux host that I have in this network. And if you can see here, that device actually has SSH open on port 22, port 25 for mail, SMTP, actually open, has a BIND DNS server as well, is running actually the HTTP server on port 80. It's running again a mail server which supports POP3 and IMAP. You can even see the OS type and the kernel version. So it was actually able to do what we call OS fingerprinting. So the operating system fingerprinting. It actually has a whole bunch of other information about the device itself.
So again, this is a type of fairly basic scanning that provides you with a lot of information, right? So there's also a GUI or graphical user interface for Nmap called Zenmap. And that's what I'm actually showing here. So basically I launched the same attack that you saw in the CLI, but in this case I'm doing it through the GUI. In there you can actually see the Nmap output with the ports that we went over already. If you click on the Ports/Hosts tab, you can see those in a little bit more graphical interface. You can see a topology; in this case, I'm actually just directly connected to that device and so I'm in the same network, but if I was not in the same network perhaps you would be able to actually see a better graphical representation of the network. You can also see the host details, TCP sequencing information, other information that you can gather from the system itself, even the one with last boot. So again, you can actually do this type of scanning through the GUI or through the CLI.
And here I'm actually just showing you a reference of an Nmap cheat sheet or tutorial that actually goes over a lot of different command examples or scanning examples using the Nmap scanner. Again, this is actually a free scanner. I will probably suggest for you, as you prepare for the exam, to actually use it: download it and use it. Just use it in your network against your own machine, just to become familiar with the actual output, right? So this is one of the first steps that in a lot of cases actually pen testers and attackers actually use to gather information about a network and a system, and then once it enumerates these types of ports, then it can carry over potentially more sophisticated attacks, right? So it can look for vulnerabilities in the system, exploit those vulnerabilities. Once the vulnerabilities are actually compromised or exploited and the system is actually compromised, they can launch other attacks throughout the organization. So they can do lateral movement and potentially exfiltrate information from your organization.
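As an added example that is not part of the video, the following Python applies the scan descriptions above from the defender's side: it takes constructed packet records and flags a source that half-opens many ports (SYNs never followed by the handshake's ACK), sends bare ACK or FIN probes, or sweeps UDP ports. The record layout and the port-count threshold are assumptions for this example.

```python
"""Flag scan-like probe patterns in constructed packet records (added example).

Each record is a constructed tuple (src, dst, proto, dport, flags), where flags
is the set of TCP flags in that packet in the src->dst direction. The
threshold below is an assumption, not a value from the video.
"""
from collections import defaultdict

PORT_THRESHOLD = 5  # assumed: distinct ports from one source before we flag it


def classify_probe(flags):
    """Map a TCP flag set to the probe type described in the video.

    A lone SYN is the first half of the three-way handshake (half-open scan if
    never completed); a lone ACK maps firewall filtering; a lone FIN relies on
    closed ports answering with RST. Anything else is not a bare probe.
    """
    if flags == {"SYN"}:
        return "syn"
    if flags == {"ACK"}:
        return "ack"
    if flags == {"FIN"}:
        return "fin"
    return None


def detect_scans(records, threshold=PORT_THRESHOLD):
    """Return {src: {probe_type: sorted ports}} for sources over the threshold.

    A SYN counts as a half-open probe only if the same src never sends the
    handshake-completing ACK to the same (dst, dport). UDP is counted per
    destination port probed, since there is no handshake to observe.
    """
    syn_seen, handshake_done = set(), set()
    probes = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, dport, flags in records:
        key = (src, dst, dport)
        if proto == "udp":
            probes[src]["udp"].add(dport)
            continue
        kind = classify_probe(frozenset(flags))
        if kind == "syn":
            syn_seen.add(key)
        elif kind == "ack" and key in syn_seen:
            handshake_done.add(key)  # third step of the handshake: real connection
        elif kind in ("ack", "fin"):
            probes[src][kind].add(dport)
    for src, dst, dport in syn_seen - handshake_done:
        probes[src]["syn"].add(dport)
    return {src: {k: sorted(v) for k, v in kinds.items() if len(v) >= threshold}
            for src, kinds in probes.items()
            if any(len(v) >= threshold for v in kinds.values())}


# Constructed sample: 10.0.0.5 half-open scans six ports on 10.0.0.20, 10.0.0.9
# completes one real SSH handshake, 10.0.0.7 sends a single FIN probe.
SAMPLE_RECORDS = [
    ("10.0.0.5", "10.0.0.20", "tcp", p, {"SYN"}) for p in (22, 25, 53, 80, 110, 143)
] + [
    ("10.0.0.9", "10.0.0.20", "tcp", 22, {"SYN"}),
    ("10.0.0.9", "10.0.0.20", "tcp", 22, {"ACK"}),
    ("10.0.0.7", "10.0.0.20", "tcp", 80, {"FIN"}),
]
```

Only the six-port half-open scanner is reported; the completed handshake and the single FIN probe stay below the threshold.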