1
00:00:00,390 --> 00:00:01,050
Welcome back.

2
00:00:01,440 --> 00:00:03,570
Let's continue with our WhatWeb tool.

3
00:00:04,890 --> 00:00:10,950
So in the previous video, we only saw how we can perform the basic stealth scan on a certain website.

4
00:00:11,790 --> 00:00:18,060
Another thing that we can do with WhatWeb, besides testing a website, is to test a range of IP addresses

5
00:00:18,210 --> 00:00:19,020
all at once.

6
00:00:20,040 --> 00:00:21,810
So if I open up my terminal

7
00:00:23,320 --> 00:00:32,110
and I type whatweb --help once again to list out all of the available options and scroll all the

8
00:00:32,110 --> 00:00:32,590
way up.

9
00:00:35,570 --> 00:00:42,110
Here under the targets, we can see that we can specify host names, IP addresses, but we can

10
00:00:42,110 --> 00:00:48,920
also specify IP ranges, we can specify them like this or like this.

11
00:00:50,380 --> 00:00:57,910
Now, to test this out, I'm going to scan my entire home network, and to know what range of IP addresses

12
00:00:57,910 --> 00:01:06,040
I should scan for my home network, I can type down here the command ifconfig, or sudo ifconfig, since,

13
00:01:06,430 --> 00:01:08,980
remember, this requires root privileges.

14
00:01:09,670 --> 00:01:12,550
Press enter, enter our password.

15
00:01:13,600 --> 00:01:20,500
And we can see that my IP address is 192.168.1.4, and what's more important

16
00:01:20,500 --> 00:01:23,320
than the IP address in this case is the netmask.

17
00:01:23,950 --> 00:01:30,340
And my netmask is 255.255.255.0.

18
00:01:31,250 --> 00:01:39,380
The subnet mask right here means that only the last octet of my IP address is changeable, which is

19
00:01:39,380 --> 00:01:40,560
this last number.

20
00:01:41,060 --> 00:01:47,330
So these first three octets, or these first three numbers, never change in my whole network.
21
00:01:48,260 --> 00:01:55,220
This also means that the range of IP addresses that belong to my network is going to be from zero to

22
00:01:58,500 --> 00:02:04,960
So basically, the range of the IP addresses that my network can have is this one, 192.168

23
00:02:04,980 --> 00:02:06,900
.1.0

24
00:02:08,440 --> 00:02:11,050
to 192.168

25
00:02:11,170 --> 00:02:13,060
.1.255.

26
00:02:13,870 --> 00:02:16,420
This is the range of my home network.

27
00:02:17,760 --> 00:02:19,980
So let me scan it now for you.

28
00:02:20,160 --> 00:02:26,100
It might be different based on what type of network you've got, but in most home networks, the subnet

29
00:02:26,100 --> 00:02:28,170
mask is going to be this one.

30
00:02:29,140 --> 00:02:32,770
Therefore, just the last octet will be changeable for you.

31
00:02:33,490 --> 00:02:40,660
Now, before I actually run the scan, I don't have any websites hosted in my home network, but I do

32
00:02:40,660 --> 00:02:41,920
have some devices running

33
00:02:41,920 --> 00:02:48,040
something on port 80, and port 80 is the default port that websites use to host their pages.

34
00:02:48,820 --> 00:02:52,300
So we should still get some results from scanning my network.

35
00:02:53,440 --> 00:02:57,340
Let's go, delete this, and type whatweb

36
00:02:59,300 --> 00:03:01,880
and then the range of my whole network.

37
00:03:02,990 --> 00:03:08,560
Let us go with 192.168.1.1-255.

38
00:03:08,960 --> 00:03:13,790
So this is the range of IP addresses that I want to scan, and all of them belong to my home network.

39
00:03:14,600 --> 00:03:21,050
And the good thing right here is that I can use whichever aggression level I want, since it is my own

40
00:03:21,050 --> 00:03:21,570
network.

41
00:03:22,250 --> 00:03:24,560
Let's test out aggression level three.

42
00:03:25,370 --> 00:03:31,040
To do that, we can specify --aggression and then three.
43
00:03:32,020 --> 00:03:39,280
After it, we can also specify the -v option to better output all of this, and let's press enter.

44
00:03:42,150 --> 00:03:47,400
You will notice we are getting some of the results, but there is a lot of this error happening on the

45
00:03:47,400 --> 00:03:54,210
screen now. For this error right here, let me just Ctrl+C, since we're not going to wait for this

46
00:03:54,210 --> 00:03:54,750
to finish.

47
00:03:55,080 --> 00:04:01,530
And what this error is, is all of the hosts that it tried to scan but couldn't manage to.

48
00:04:02,040 --> 00:04:06,590
And the reason why it couldn't manage to scan these hosts is because they do not exist.

49
00:04:07,020 --> 00:04:13,380
I currently only have around two or three devices on my home network, and all of these other IP addresses

50
00:04:13,380 --> 00:04:14,340
are out of use.

51
00:04:15,500 --> 00:04:21,350
So let me go up here to see what it found. It found the result for the IP address 192.168

52
00:04:21,350 --> 00:04:22,060
.1.1.

53
00:04:22,220 --> 00:04:25,070
And this is my router. Down here,

54
00:04:25,070 --> 00:04:29,060
we can see all of the plugins that it managed to detect for my router.

55
00:04:30,370 --> 00:04:35,500
We can see an interesting plugin, which is PasswordField. This is something that we would write down,

56
00:04:35,500 --> 00:04:41,470
since any password that we find we can use later on in something like a brute force attack to try to

57
00:04:41,470 --> 00:04:45,180
guess the password and try to brute force the login credentials.

58
00:04:46,030 --> 00:04:51,070
But nonetheless, this is just a router, so we're not really interested in it at the moment.

59
00:04:51,430 --> 00:04:54,280
This is just an example of a test, of how it would look.

60
00:04:54,490 --> 00:04:58,730
And since I don't have any website on my home network, it didn't really give much result.

61
00:04:58,870 --> 00:04:59,890
We can see right here.
62
00:05:00,130 --> 00:05:02,260
Here is another IP address that is active.

63
00:05:02,500 --> 00:05:04,870
It is 192.168.1.10.

64
00:05:04,870 --> 00:05:08,440
And this is the IP address of my laptop, which is currently up and running.

65
00:05:09,250 --> 00:05:17,080
It detected this HTTP server on it, but it got this status code of 403 Forbidden, so it is

66
00:05:17,080 --> 00:05:18,440
not allowed to visit that page.

67
00:05:18,910 --> 00:05:25,420
Therefore, this is as much information as it's managed to get, and all the other ones down here are

68
00:05:25,420 --> 00:05:26,620
simply just offline.

69
00:05:27,550 --> 00:05:34,780
Now, if you don't want this text outputted, you can use the same command and at the end add

70
00:05:34,900 --> 00:05:44,170
--no-errors. What this --no-errors option does is it simply just doesn't print these offline

71
00:05:44,200 --> 00:05:45,010
IP addresses.

72
00:05:45,730 --> 00:05:46,660
Let's test it out.

73
00:05:46,690 --> 00:05:53,220
If I run the same command just with --no-errors, you will see we are not going to get any red text anymore.

74
00:05:53,590 --> 00:05:59,290
It will only scan these two live IP addresses, which are my home router and the laptop.

75
00:05:59,470 --> 00:06:01,510
And that is basically it.

76
00:06:01,520 --> 00:06:03,100
That is everything that it will output.

77
00:06:04,050 --> 00:06:09,690
OK, so it took just a few seconds to finish, and keep in mind that since we are running a level three

78
00:06:09,690 --> 00:06:16,200
aggression scan, it will take a little bit more time to scan something than with level one, since

79
00:06:16,200 --> 00:06:20,580
it is performing a deeper scan than just the level one stealthy scan.

80
00:06:21,310 --> 00:06:28,770
OK, so we ran this command and we used the aggression level three, we used -v to output all the

81
00:06:28,770 --> 00:06:31,080
detected plugins as well as their description.
82
00:06:32,020 --> 00:06:40,000
And we used --no-errors to not print out these offline IP addresses, but what if we, for example, wanted

83
00:06:40,000 --> 00:06:45,730
to save this output that we got in a file for some future reference?

84
00:06:46,960 --> 00:06:52,570
Well, if I type the command whatweb --help

85
00:06:54,350 --> 00:07:00,320
and I go through this help menu once again, I will get to this part, which is logging.

86
00:07:01,660 --> 00:07:09,100
And down here, we can see that there are a bunch of options that we can use to log our file, or to save

87
00:07:09,150 --> 00:07:15,280
our file, so let's just go with the first one, or we can even use the second one, which is to log

88
00:07:15,340 --> 00:07:16,300
verbose output.

89
00:07:17,350 --> 00:07:23,200
To do that, we use this option right here, and then equals, and then the file name that we want to

90
00:07:23,200 --> 00:07:23,470
save.

91
00:07:24,460 --> 00:07:31,090
So if I go down here, and another useful command, once you have a bunch of things happening in your

92
00:07:31,090 --> 00:07:36,970
terminal, and by a bunch of things I mean just a bunch of text printed out, what we can do to get

93
00:07:36,970 --> 00:07:39,220
rid of this is run the command clear.

94
00:07:39,940 --> 00:07:42,630
This will clear our terminal so we get a much cleaner

95
00:07:42,640 --> 00:07:50,410
look. Now I press the up arrow to find the command that we ran previously, and at the end I add

96
00:07:50,410 --> 00:07:53,170
--log-verbose=.

97
00:07:53,500 --> 00:07:56,950
And here I can call it results, for example.

98
00:07:58,180 --> 00:08:05,200
If I press enter now, you will notice that besides outputting this to the terminal,

99
00:08:05,500 --> 00:08:07,820
it will also save it inside of a file.

100
00:08:08,050 --> 00:08:10,780
Let's wait for this to finish to check out the file that we got.
101
00:08:12,100 --> 00:08:18,910
OK, so it finished. Let us clear the screen once again, and if we type ls right here, we will see our

102
00:08:19,060 --> 00:08:19,960
results file.

103
00:08:20,840 --> 00:08:27,740
Let's lower the terminal and open this file to see what got saved, and if I open it, we will see

104
00:08:27,740 --> 00:08:35,690
that we got our results saved for both IP addresses, for my laptop IP address and for my router.

105
00:08:36,920 --> 00:08:38,510
Now, for your scan,

106
00:08:38,510 --> 00:08:44,270
if you scan your whole network, you will probably have more devices or less devices, or you might not

107
00:08:44,270 --> 00:08:50,990
get any result in case none of your devices has an open port 80, or in case none of your devices

108
00:08:50,990 --> 00:08:52,840
is running an HTTP server.

109
00:08:53,480 --> 00:08:55,490
So don't worry if you didn't get any device.

110
00:08:56,000 --> 00:09:02,960
This is just an example to see that we can even run the ranges of IP addresses and to test out this

111
00:09:02,960 --> 00:09:07,850
aggression level three scan, since we can only do it on the websites that we own or have permission to

112
00:09:07,850 --> 00:09:08,180
scan.

113
00:09:09,200 --> 00:09:09,770
OK, great.

114
00:09:09,800 --> 00:09:14,930
So look at all of the commands that we crafted with all of these options right here.

115
00:09:15,910 --> 00:09:22,930
And this is just a part of this WhatWeb tool. You don't need to be learning all of these commands, you can

116
00:09:22,930 --> 00:09:28,210
always just run the help command and read through its help menu to discover what you want to run.

117
00:09:28,990 --> 00:09:34,150
We won't be going through all of these options in WhatWeb, since there are too many of them.

118
00:09:34,420 --> 00:09:39,550
But I encourage you to play with it a little bit and see if it has any other interesting options.

119
00:09:40,270 --> 00:09:40,660
Great.
120
00:09:41,260 --> 00:09:47,230
In the next video, we're going to see how we can harvest or gather as many emails as possible from

121
00:09:47,230 --> 00:09:48,820
just knowing a domain.

122
00:09:49,360 --> 00:09:49,950
See you there.