1 00:00:00,990 --> 00:00:07,110 By now, if you covered all of the videos that we did, you should have an intermediate knowledge of
2 00:00:07,110 --> 00:00:13,740 nmap. All we are left to do to check out is just some of the few options that you might find useful
3 00:00:13,740 --> 00:00:16,880 once you're performing your scans, which we will check out in this video.
4 00:00:17,220 --> 00:00:20,570 And after it, we need to check out two more things.
5 00:00:21,090 --> 00:00:23,910 One of them is running nmap with scripts,
6 00:00:24,270 --> 00:00:28,140 which part of it we are going to see right now with the results of our dash A
7 00:00:28,140 --> 00:00:29,550 scan from the previous video.
8 00:00:30,510 --> 00:00:36,900 And the second thing is how we can bypass firewalls, IDS and IPS using nmap.
9 00:00:38,260 --> 00:00:43,960 So for now, we only noticed how we can perform different scans, but we never really talked about what
10 00:00:43,960 --> 00:00:46,270 if our target is well secured?
11 00:00:46,450 --> 00:00:47,780 What if they have a firewall?
12 00:00:48,340 --> 00:00:53,710 We want to perform our scans as quietly as possible in order for us to not get detected.
13 00:00:54,190 --> 00:00:58,660 But before we jump into all of that, let us check out the output of our dash A option.
14 00:00:59,320 --> 00:01:04,810 Remember, from the previous video, there are a bunch of different things, such as OS detection,
15 00:01:05,080 --> 00:01:09,460 version scan, and it also runs something called nmap scripts.
16 00:01:10,060 --> 00:01:15,340 You will see down here that we are getting output that we didn't get before.
17 00:01:16,400 --> 00:01:23,210 So besides the open port and the version that the open port is running, we also get the output of different
18 00:01:23,210 --> 00:01:26,630 scripts that are running on the target as we execute
19 00:01:26,630 --> 00:01:33,410 this scan. Right now here we can see that it executed the script for FTP anonymous login, and it
20 00:01:33,410 --> 00:01:34,580 says that it is allowed.
21 00:01:35,240 --> 00:01:39,230 And we will check out what the anonymous login is. For now,
22 00:01:39,230 --> 00:01:44,990 I can tell you that it is not really that secure, even though if we go all the way down here,
23 00:01:44,990 --> 00:01:51,920 it says vsftpd 2.3.4, which is the version that the target has, is secure,
24 00:01:51,920 --> 00:01:52,940 fast and stable.
25 00:01:53,120 --> 00:01:59,780 And I can assure you this is one big lie, as this FTP version is vulnerable.
26 00:01:59,990 --> 00:02:06,230 And we are going to see in the exploitation section how we can exploit this and gain access to our target
27 00:02:06,230 --> 00:02:07,700 machine. Down here
28 00:02:07,700 --> 00:02:11,810 we also get the enumeration of the SSH, so we get the SSH host key.
29 00:02:11,810 --> 00:02:13,550 Nothing really useful for us.
30 00:02:13,700 --> 00:02:17,810 The SMTP commands that are allowed, the SSL ciphers right here.
31 00:02:18,200 --> 00:02:21,290 We also get the server header, the HTTP title.
32 00:02:21,410 --> 00:02:26,120 And these are just some additional information that we got from running scripts.
33 00:02:27,230 --> 00:02:33,080 If we go all the way down, we'll get information for some other open ports, and down here we will
34 00:02:33,080 --> 00:02:37,760 see that the scan can also perform the SMB enumeration.
35 00:02:38,060 --> 00:02:43,790 So we got the computer name, NetBIOS computer name, domain name, cybersecurity, security mode down here.
36 00:02:43,790 --> 00:02:47,030 We also get the traceroute to this target's IP address,
37 00:02:47,030 --> 00:02:51,290 and this is the one hop that we have since it is in our own network.
38 00:02:52,410 --> 00:02:57,510 It tells us down here that it'll perform the OS and service detection, and here is the OS detection,
39 00:02:57,510 --> 00:02:58,640 but we already saw this.
40 00:02:58,740 --> 00:02:59,970 We got Linux running.
41 00:03:00,840 --> 00:03:05,520 So this is just some additional information on top of the information that we already had.
42 00:03:06,410 --> 00:03:12,950 But remember that dash A is an aggressive scan. It does give us the most output out of any other options,
43 00:03:13,250 --> 00:03:19,820 but it is also pretty aggressive and easily detectable if the target has some security measures. Since
44 00:03:19,820 --> 00:03:27,200 our Metasploitable doesn't have any security measures or is not behind any of this, this scan is best for targets
45 00:03:27,200 --> 00:03:27,680 like that.
46 00:03:27,830 --> 00:03:31,300 So we got the most information using dash A.
47 00:03:32,030 --> 00:03:37,970 But besides this dash A, let us also check a few more useful options that nmap gives us.
48 00:03:38,330 --> 00:03:45,860 And to do that, we're going to run the nmap manual: type man and then nmap, and it will open up the manual
49 00:03:45,860 --> 00:03:46,430 once again.
50 00:03:46,430 --> 00:03:50,450 We already know how we can go through it with the up and down arrows.
51 00:03:50,930 --> 00:03:56,360 And we're going to just go really quickly through it and see whether there are any useful options that
52 00:03:56,360 --> 00:03:59,210 we haven't covered but that you might want to use.
53 00:04:00,140 --> 00:04:08,330 So if we go down here, this dash sn option is a really useful option, and it is not really useful
54 00:04:08,330 --> 00:04:10,920 for discovering vulnerabilities or open ports.
55 00:04:10,940 --> 00:04:16,700 Matter of fact, this option right here performs the same thing that our netdiscover did.
56 00:04:17,300 --> 00:04:23,750 Remember, we used netdiscover to locate all of the hosts that are up and running on our network, and
57 00:04:23,750 --> 00:04:28,370 dash sn pretty much does the same thing, as we can see right here.
58 00:04:28,400 --> 00:04:33,850 This option tells nmap not to do a port scan, so you will not find out any open ports with this scan.
59 00:04:34,130 --> 00:04:38,920 The only useful thing we get from this is which hosts are up and running.
60 00:04:39,350 --> 00:04:40,940 So let's test it out real quick.
61 00:04:41,270 --> 00:04:46,580 And this is a scan that you would use probably on multiple machines to discover which ones are up and
62 00:04:46,580 --> 00:04:47,530 which ones aren't.
63 00:04:47,720 --> 00:04:51,440 But you can also use it on one machine if you'd like. For this scan,
64 00:04:51,620 --> 00:04:57,770 I will use my whole network, so dash sn and then 192.168.1.1-255,
65 00:04:58,340 --> 00:04:59,420 and if I press enter,
66 00:05:00,450 --> 00:05:05,580 this should take pretty much just a few seconds, and here it is. It will give us which hosts are currently
67 00:05:05,580 --> 00:05:07,940 up; we get their IP addresses.
68 00:05:08,790 --> 00:05:11,010 So 192.168.1.10,
69 00:05:11,160 --> 00:05:12,290 this is my laptop.
70 00:05:12,780 --> 00:05:17,960 We get the Metasploitable, we get Windows 10 probably, and we get my router.
71 00:05:18,450 --> 00:05:22,460 So instead of netdiscover you can use this to figure out which hosts are up.
72 00:05:23,040 --> 00:05:27,570 But for me personally, I like the netdiscover output a little bit better than this one.
73 00:05:28,020 --> 00:05:30,050 This right here looks a little bit messy.
74 00:05:31,110 --> 00:05:38,490 OK, so the second thing that I want to show you is the dash p option, and this is an actual option that
75 00:05:38,490 --> 00:05:39,920 you will use a lot.
76 00:05:40,320 --> 00:05:45,780 So for this, we're going to scan our Metasploitable, so I also change the IP address to its IP address.
77 00:05:45,990 --> 00:05:54,290 And what that option is, is simply you can specify what range of ports you want to scan with nmap.
78 00:05:55,050 --> 00:05:59,790 So remember, when we perform any other scan, it scans the top one thousand ports.
79 00:06:00,330 --> 00:06:04,080 But what if we, for example, only wanted to scan one port?
80 00:06:05,010 --> 00:06:08,570 For example, let's say we wanted to scan port 80 on the Metasploitable.
81 00:06:09,090 --> 00:06:09,790 Can we do that?
82 00:06:10,560 --> 00:06:18,180 Well, if you specify dash p and then 80 and then the IP address here, it will tell us port 80 open
83 00:06:18,390 --> 00:06:23,160 and the service that it is running, so we can scan only one port if we want.
84 00:06:23,820 --> 00:06:25,020 This option is useful
85 00:06:25,020 --> 00:06:31,140 if you're only attacking one port and you don't want to bother really and let nmap scan one thousand ports
86 00:06:31,140 --> 00:06:34,380 when you only want to enumerate one single port.
87 00:06:34,890 --> 00:06:36,840 You can also do it on multiple ports.
88 00:06:36,840 --> 00:06:41,550 For example, port 80, port 22, port 100.
89 00:06:41,620 --> 00:06:43,470 And let's see what the output is.
90 00:06:44,500 --> 00:06:52,090 And here we can see port 80 and port 22 are open, while port 100 is closed. We separate different
91 00:06:52,090 --> 00:06:58,450 ports with a comma, and instead of separating them with a comma, if you want to scan a range of ports, you
92 00:06:58,450 --> 00:07:00,070 can also do this.
93 00:07:00,850 --> 00:07:04,630 You can do port 1 to port 100.
94 00:07:05,620 --> 00:07:08,010 And here are the results: not shown,
95 00:07:08,260 --> 00:07:14,070 ninety four closed ports, and we got six ports that are open in the first one hundred ports.
96 00:07:14,410 --> 00:07:18,510 And remember when I told you that there are over sixty five thousand ports?
97 00:07:18,700 --> 00:07:24,550 Well, this is the option that we can use in order to scan all sixty five thousand. If I type the same
98 00:07:24,550 --> 00:07:31,120 command, just a scan from one to sixty five thousand five hundred and thirty five, and press enter,
99 00:07:31,930 --> 00:07:38,110 this scan will take longer than any previous scan that we did since it is scanning sixty five thousand
100 00:07:38,110 --> 00:07:38,500 ports.
101 00:07:39,520 --> 00:07:46,240 Here we can see the output. It finished in seven point seventy four seconds, and here are all the open ports
102 00:07:46,390 --> 00:07:52,510 that it managed to discover. Here are some of the ports that we never really discovered with previous
103 00:07:52,510 --> 00:07:54,460 scans that we did in the last few videos.
104 00:07:55,270 --> 00:07:56,560 So this is really useful.
105 00:07:56,890 --> 00:08:03,820 If we used regular scans and we only scanned the first one thousand ports, we would never really know that
106 00:08:03,820 --> 00:08:06,010 these ports are also open.
107 00:08:07,390 --> 00:08:13,690 Now, on the contrary, instead of scanning a thousand ports or sixty five thousand ports, we can use
108 00:08:13,690 --> 00:08:17,860 a cool option, which is dash F, and it is capital F.
109 00:08:18,460 --> 00:08:24,640 And what this option does is instead of scanning one thousand ports, it scans the first one hundred ports.
110 00:08:25,720 --> 00:08:31,420 So in case you want to perform a quicker scan and you also want to scan the top one hundred used ports,
111 00:08:31,780 --> 00:08:33,490 you would use the dash F option.
112 00:08:33,790 --> 00:08:37,960 If I press enter, you can see it finished in less than one second.
113 00:08:38,910 --> 00:08:45,660 And it scanned the top 100 ports. Now, this doesn't mean that it scans ports from one to one hundred; it simply
114 00:08:45,660 --> 00:08:49,900 means it scans the first 100 ports that are usually most used.
115 00:08:50,520 --> 00:08:55,310 So we got twenty one, twenty two, twenty five, fifty three and a bunch of others as well.
116 00:08:55,740 --> 00:09:01,200 But whenever you really want to find out everything you can about the target, this scan will be more
117 00:09:01,200 --> 00:09:01,570 useful,
118 00:09:01,980 --> 00:09:03,000 the one where we scan
119 00:09:03,000 --> 00:09:08,700 sixty five thousand ports, since you can see there are a lot more ports that are open than with this one.
120 00:09:09,620 --> 00:09:15,770 OK, cool, let me show you one more option before we proceed to the next video, and that option is
121 00:09:15,770 --> 00:09:17,720 how to output an nmap scan.
122 00:09:18,410 --> 00:09:24,470 So there are a few ways that we can do that. If I run nmap and then we use the same scan which we
123 00:09:24,470 --> 00:09:24,890 covered,
124 00:09:25,580 --> 00:09:30,860 now let's see what we can do at this point. There are two ways that we can do this if we want the output
125 00:09:30,860 --> 00:09:32,460 to be inside of a file.
126 00:09:32,710 --> 00:09:38,110 We can use two arrows to the right and then output the scan data.
127 00:09:39,380 --> 00:09:40,750 Let me see, it says that
128 00:09:40,760 --> 00:09:42,770 the scan type requires root privileges.
129 00:09:42,780 --> 00:09:48,800 So let us run it with sudo and press enter, type in the password.
130 00:09:49,800 --> 00:09:56,760 And you will see we get no output to our terminal. That is because all of the output is stored in this
131 00:09:56,760 --> 00:10:01,090 file. If we use the cat command to output the results,
132 00:10:01,680 --> 00:10:04,840 here is our scan that is being stored inside of this file.
133 00:10:05,250 --> 00:10:06,180 So this is useful
134 00:10:06,180 --> 00:10:11,220 once you want to, for example, add this to your report, so you just save it in a file and then later
135 00:10:11,220 --> 00:10:13,350 on, copy and paste this into your report.
136 00:10:13,690 --> 00:10:20,790 Another way that you can do this, in case you want the results to be saved both in a file and also
137 00:10:20,790 --> 00:10:22,200 outputted in your terminal:
138 00:10:22,740 --> 00:10:31,200 we can use the dash o option. Now, I'm not sure if it is with capital N or lower case, and
139 00:10:31,560 --> 00:10:34,220 we're going to check that out with the help menu.
140 00:10:34,290 --> 00:10:39,060 So let's go to the output settings, and it is the dash oN option.
141 00:10:39,540 --> 00:10:43,580 And we can see right here that the oN option is output scan in normal.
142 00:10:43,740 --> 00:10:45,990 So we can simply just save this in a normal file.
143 00:10:46,620 --> 00:10:52,590 If you want some other file type, you can use oX for the XML, and there are some other options here as
144 00:10:52,590 --> 00:10:54,780 well that you might find interesting. For now,
145 00:10:54,780 --> 00:10:56,700 we are just going to check out this one.
146 00:10:57,640 --> 00:11:02,560 So if I go down here and type nmap dash oN and then dash s
147 00:11:02,560 --> 00:11:11,310 S, of course we need to run this with sudo, and we specify 192.168.1.5. Output
148 00:11:11,320 --> 00:11:12,570 file begins with...
149 00:11:12,580 --> 00:11:15,920 Yeah, we need to specify the name of the file that we want to save it to.
150 00:11:15,950 --> 00:11:18,040 So let's just call it output.
151 00:11:19,810 --> 00:11:20,710 And here it is.
152 00:11:20,710 --> 00:11:26,060 We get the output to our terminal, but if I also type ls and cat the output file,
153 00:11:26,560 --> 00:11:29,380 we also get the results saved inside of this file.
154 00:11:30,650 --> 00:11:31,310 OK, great.
155 00:11:31,730 --> 00:11:36,550 These are just some of the basic options that I wanted to mention, since you might find them useful,
156 00:11:37,040 --> 00:11:43,170 and by now, as I already told you, you can consider yourself an intermediate nmap scanner.
157 00:11:43,760 --> 00:11:48,980 Now, to take this to the advanced level, we're going to check out in the next few videos how we can
158 00:11:48,980 --> 00:11:53,510 bypass firewalls, IDS and IPS using nmap scans.