Welcome back. Here we are, ready to start our scanning phase. We have covered the information gathering, which was the first phase of penetration testing, and now we will proceed with the second stage by scanning our target and trying to get even more information about it. Now, the difference between information gathering and scanning is that scanning is performed on a much deeper level. And also, while in the first phase we gathered all kinds of information, such as emails, phone numbers and a bunch of other things, in the scanning we're mainly focused on the technology side. So we want to find out as much as we can about our target's technical aspect. We're going to talk in just a second about what exactly we are looking for in this stage and what all the goals of this stage are. But first, you could be wondering what we are going to scan, since remember that scanning is something that we are not allowed to do on any target that we want. Don't worry, for this stage and any future stage from now on, we're going to be using vulnerable virtual machines. There are lots of paid vulnerable virtual machines that you can buy and test on, but for this course I will be showing the free ones, so all of us can download them, install them, and then try to hack them.
All of these virtual machines are going to be running some outdated, vulnerable software that we will be able to exploit in the third stage, and they will also require very little hardware power. So all of us will be able to run them while also running Linux. And keep in mind that the penetration testing process will look exactly like it would look in the real world if you would test some website or some network. The only difference is that right now we know that these machines are vulnerable, since I just told you. And in the real world, you wouldn't essentially know that before testing them. However, just knowing they are vulnerable doesn't really help us, as we need to figure out in what way they are vulnerable and how we can take advantage of that. Scanning will help us with this. We will be using our Linux machine to scan these machines. And by scanning these machines, what I really mean is we're going to directly exchange packets with our target. And once that target sends packets back to us, hopefully it will disclose something about the target machine that we will find useful. And what we will be sending to the target are TCP and UDP packets. TCP and UDP are just protocols that are used for sending bits of data, also known as packets. And we will discuss them in a little more detail in the next video.
For now, just think of them as different communication protocols that will allow us to get information from our target. I keep talking about information and scanning and all of that without actually explaining what I mean by scanning and getting information. What are the goals of this? What are we looking for exactly? Well, we're looking for open ports, and I don't mean USB ports or some physical ports. I mean, we are looking for virtual open ports that every machine has, and it uses them to host their software and communicate with other machines over the Internet. For example, you watching this over the Internet on a website means that the machine that's hosting this website has port 80 open. Why port 80? Well, port 80 is used to host a web server. It is used for HTTP, and it's also known as the HTTP port. So every time you visit a website, you are essentially making a connection to that machine hosting that website, on port 80 or on port 443, since port 80 is used for HTTP and port 443 is used for HTTPS, and HTTPS is just a secure version of HTTP. These are the two most usual ports that a target that you're scanning externally will have open, and by external scanning I mean that you're scanning it while not being in the same network as the target. An example would be you scanning some website from your home.
Another port that could sometimes be open if you're scanning internally, which means either scanning machines on your network or you're performing network penetration testing inside of some company, you could, for example, find port 21 to be open. This is an FTP port and it's used for file transferring; FTP stands for File Transfer Protocol. These are just two of the ports, and there are a lot of them. You could, for example, have port 22 open, which is the SSH port, or Secure Shell port. It is used to log into the target machine and execute commands on it remotely. We could also have, for example, port 53 open, which is the DNS port, or we could have port 25 open, which is the SMTP port. So there are a lot of ports. As a matter of fact, every machine has 65,535 ports for both TCP and UDP. And if there is just one open port with one vulnerable software running on that open port, then that target is vulnerable and it could be exploited. Now, the highly secure machines are the ones that have all ports closed. These are usually your home devices, such as laptops or computers that you use just for browsing online or playing video games or something. They don't need to be hosting any software, since they are not a server that someone will connect to for a certain service.
They're just home devices that you use. But websites, for example, must have port 80 or port 443 open, since they are hosting a web page there. Also in companies, their machines could have some port open. Maybe they use that port on all their machines within that company to internally transfer files between different machines. It could be anything, basically. Now, the problem, of course, is if that software they use on their open ports is outdated and has a vulnerability, then our job as a hacker is to scan that machine for open ports and exploit that machine through that vulnerable software running on the open port. But the goal for now, in the scanning section, is only to scan the target for the open ports. Then we want to discover what software is running on those open ports, and we want to go as deep as discovering what version of the software is on that open port. Are you ready? We are going to be covering a lot in this section, and in this section we will cover one of the most important tools that a hacker must master. That tool is called Nmap. Let's dive into scanning.