1 00:00:00,510 --> 00:00:03,240 Instructor: It is time to start with the first big tool
2 00:00:03,240 --> 00:00:06,030 that is essential for ethical hackers.
3 00:00:06,030 --> 00:00:08,610 That tool is called Nmap.
4 00:00:08,610 --> 00:00:10,950 We're going to cover a lot of things inside of it,
5 00:00:10,950 --> 00:00:14,520 and unlike all the other tools that we have covered so far,
6 00:00:14,520 --> 00:00:17,520 which you might or might not use in penetration tests,
7 00:00:17,520 --> 00:00:20,190 this is a tool that you will almost always use
8 00:00:20,190 --> 00:00:22,110 without any doubt.
9 00:00:22,110 --> 00:00:23,730 So what is Nmap?
10 00:00:23,730 --> 00:00:26,130 Nmap is a network mapper.
11 00:00:26,130 --> 00:00:28,650 It is a free and open-source network scanner,
12 00:00:28,650 --> 00:00:30,060 and it is used to discover
13 00:00:30,060 --> 00:00:32,520 hosts and services on a computer network
14 00:00:32,520 --> 00:00:36,210 by sending packets and analyzing the responses.
15 00:00:36,210 --> 00:00:38,160 It has a lot of different options,
16 00:00:38,160 --> 00:00:41,970 and we are going to check them out in the next few videos.
17 00:00:41,970 --> 00:00:44,940 For now, let us just see how we can start Nmap
18 00:00:44,940 --> 00:00:46,800 and run a basic scan.
19 00:00:46,800 --> 00:00:49,200 First thing, make sure your Metasploitable
20 00:00:49,200 --> 00:00:50,610 is up and running,
21 00:00:50,610 --> 00:00:53,610 and also, if you have any other devices in your home network,
22 00:00:53,610 --> 00:00:56,790 turn them on, just so we can scan them as well.
23 00:00:56,790 --> 00:00:59,160 Okay. Let us see how we can run Nmap,
24 00:00:59,160 --> 00:01:01,113 and what options we get with Nmap.
25 00:01:02,040 --> 00:01:03,660 Just like all the other tools,
26 00:01:03,660 --> 00:01:05,730 we can get the Nmap help menu
27 00:01:05,730 --> 00:01:07,810 by only specifying "nmap" in the terminal
28 00:01:09,690 --> 00:01:12,267 or specifying "nmap --help".
29 00:01:14,040 --> 00:01:16,170 And you will see right away,
30 00:01:16,170 --> 00:01:19,293 we get a lot of options right here.
31 00:01:20,190 --> 00:01:23,073 And this right here is just the short help menu.
32 00:01:23,970 --> 00:01:26,820 We will see the longer menu once we start experimenting
33 00:01:26,820 --> 00:01:28,383 with these options right here,
34 00:01:29,250 --> 00:01:32,010 but for now, we're only interested in running Nmap
35 00:01:32,010 --> 00:01:33,780 with just a basic scan.
36 00:01:33,780 --> 00:01:36,390 So for a basic scan, all we need to do
37 00:01:36,390 --> 00:01:38,223 is specify an IP address.
38 00:01:39,300 --> 00:01:40,530 If you go to the help menu
39 00:01:40,530 --> 00:01:42,450 and you scroll all the way to the top,
40 00:01:42,450 --> 00:01:45,063 we should see "target specification", right here;
41 00:01:45,900 --> 00:01:49,353 it tells us that we can provide a hostname,
42 00:01:50,760 --> 00:01:51,843 an IP address,
43 00:01:52,800 --> 00:01:54,813 or a network for scanning.
44 00:01:55,680 --> 00:01:58,440 And below that, we get some examples
45 00:01:58,440 --> 00:02:00,630 of what we can specify with Nmap
46 00:02:00,630 --> 00:02:03,600 and what the syntax is for specifying hosts.
47 00:02:03,600 --> 00:02:05,850 We can also read our targets from a list
48 00:02:05,850 --> 00:02:09,180 by specifying the option -iL,
49 00:02:09,180 --> 00:02:11,550 and if we want, we can exclude some hosts
50 00:02:11,550 --> 00:02:13,080 that we don't want to scan
51 00:02:13,080 --> 00:02:16,320 by specifying the --exclude option.
52 00:02:16,320 --> 00:02:18,600 For the first time, let us get an IP address
53 00:02:18,600 --> 00:02:19,920 from our Metasploitable,
54 00:02:19,920 --> 00:02:22,860 and let's scan it to see what results we get
55 00:02:22,860 --> 00:02:25,410 for scanning one IP address.
56 00:02:25,410 --> 00:02:28,230 We already saw how we can get the Metasploitable IP address:
57 00:02:28,230 --> 00:02:32,100 you can either run netdiscover to see all the online hosts,
58 00:02:32,100 --> 00:02:33,630 or if you don't want to bother,
59 00:02:33,630 --> 00:02:35,700 you can just go to Metasploitable,
60 00:02:35,700 --> 00:02:36,533 right here,
61 00:02:38,340 --> 00:02:40,107 and type "ifconfig".
62 00:02:41,670 --> 00:02:44,010 I can see that the IP address of my Metasploitable
63 00:02:44,010 --> 00:02:46,890 is 192.168.1.6,
64 00:02:46,890 --> 00:02:49,020 so that is the IP address that I will use.
65 00:02:49,020 --> 00:02:51,720 Let's run our first Nmap scan.
66 00:02:51,720 --> 00:02:53,160 If I type "nmap"
67 00:02:53,160 --> 00:02:56,610 and just "192.168.1.6",
68 00:02:56,610 --> 00:02:57,693 and press Enter:
69 00:02:59,070 --> 00:03:01,710 Wow. This finished pretty fast.
70 00:03:01,710 --> 00:03:03,120 But don't get used to it;
71 00:03:03,120 --> 00:03:06,180 the only reason that this can finish so fast
72 00:03:06,180 --> 00:03:10,230 is because the target is on my home network.
73 00:03:10,230 --> 00:03:14,430 True Nmap scans can sometimes take hours to finish,
74 00:03:14,430 --> 00:03:16,620 depending on where your target is,
75 00:03:16,620 --> 00:03:18,390 how many ports they have open,
76 00:03:18,390 --> 00:03:20,100 whether they are protected by a firewall,
77 00:03:20,100 --> 00:03:22,800 and many other things that we are also going to cover.
78 00:03:22,800 --> 00:03:26,460 But for now, this is the response for our Metasploitable
79 00:03:26,460 --> 00:03:28,440 with our basic scan.
80 00:03:28,440 --> 00:03:30,900 So it tells us that the host is up,
81 00:03:30,900 --> 00:03:33,660 it tells us which open ports it has,
82 00:03:33,660 --> 00:03:35,850 we get the exact numbers of the ports that are open
83 00:03:35,850 --> 00:03:36,963 on the target machine,
84 00:03:37,950 --> 00:03:41,880 and right here, we can notice that there are a lot of ports
85 00:03:41,880 --> 00:03:43,230 that are open.
86 00:03:43,230 --> 00:03:47,335 That is because Metasploitable is running a lot of services.
87 00:03:47,335 --> 00:03:50,460 Nmap also tells you, besides the port that is open,
88 00:03:50,460 --> 00:03:52,950 which service is running on that open port,
89 00:03:52,950 --> 00:03:55,053 and this is the third column.
90 00:03:56,160 --> 00:03:59,340 So we can see that port 21 is open,
91 00:03:59,340 --> 00:04:01,350 and it is running FTP,
92 00:04:01,350 --> 00:04:04,560 which we already know is the File Transfer Protocol.
93 00:04:04,560 --> 00:04:07,050 We got port 22 to be open,
94 00:04:07,050 --> 00:04:08,973 and that port is for Secure Shell.
95 00:04:09,960 --> 00:04:14,550 We got port 80 that is open, and that is an HTTP port,
96 00:04:14,550 --> 00:04:16,890 and this could mean that our Metasploitable
97 00:04:16,890 --> 00:04:19,320 could be hosting a webpage.
98 00:04:19,320 --> 00:04:20,310 We can check this out
99 00:04:20,310 --> 00:04:22,620 if we type the IP address of our Metasploitable
100 00:04:22,620 --> 00:04:24,420 inside of our Firefox;
101 00:04:24,420 --> 00:04:27,573 so let's go up here, open up our Firefox,
102 00:04:29,370 --> 00:04:32,397 and if I go up here and type "192.168.1.6",
103 00:04:34,710 --> 00:04:35,970 press Enter,
104 00:04:35,970 --> 00:04:37,440 this will automatically go
105 00:04:37,440 --> 00:04:39,930 and try to connect to port 80,
106 00:04:39,930 --> 00:04:43,173 and indeed, it is hosting a webpage.
107 00:04:44,040 --> 00:04:47,400 But more about this webpage later on in the course,
108 00:04:47,400 --> 00:04:50,790 as it holds a bunch of vulnerabilities which we will cover.
109 00:04:50,790 --> 00:04:52,380 For now, let us just see
110 00:04:52,380 --> 00:04:54,930 what other things we got with our Nmap.
111 00:04:54,930 --> 00:04:58,080 So besides these known ports that we got right here,
112 00:04:58,080 --> 00:05:00,450 we also discovered a bunch of other ports
113 00:05:00,450 --> 00:05:02,790 hosting different services,
114 00:05:02,790 --> 00:05:04,713 and some of them could be vulnerable.
115 00:05:05,760 --> 00:05:07,357 We also see this right here that says
116 00:05:07,357 --> 00:05:10,707 "Not shown: 977 closed ports".
117 00:05:11,580 --> 00:05:15,840 But wait a second; I said that there are over 65000 ports.
118 00:05:15,840 --> 00:05:20,580 Why does it say that it didn't show only 977 ports,
119 00:05:20,580 --> 00:05:24,330 or that only 977 ports are closed?
120 00:05:24,330 --> 00:05:26,670 That is because Nmap, by default,
121 00:05:26,670 --> 00:05:29,820 scans the 1000 most well-known ports.
122 00:05:29,820 --> 00:05:32,760 It doesn't scan all 65000.
123 00:05:32,760 --> 00:05:34,890 We can tell it to scan all 65000,
124 00:05:34,890 --> 00:05:36,480 which we will see later on,
125 00:05:36,480 --> 00:05:38,913 but in most cases it is not necessary.
126 00:05:39,900 --> 00:05:44,160 Okay, cool. Our first Nmap scan gave us some results.
127 00:05:44,160 --> 00:05:46,530 And all of these results from our scans,
128 00:05:46,530 --> 00:05:50,310 you would write down in a report in a real penetration test.
129 00:05:50,310 --> 00:05:52,620 Now that we know how we can scan one IP address,
130 00:05:52,620 --> 00:05:55,650 let us see how we can scan a range of IP addresses.
131 00:05:55,650 --> 00:05:57,810 Let's say we want to scan our entire network;
132 00:05:57,810 --> 00:05:59,190 and for this, once again,
133 00:05:59,190 --> 00:06:01,470 you must know the subnet of your network
134 00:06:01,470 --> 00:06:03,510 or your network's IP range.
135 00:06:03,510 --> 00:06:05,100 We talked about this earlier.
136 00:06:05,100 --> 00:06:08,790 For me, it is from 192.168.1.1
137 00:06:08,790 --> 00:06:12,453 up to 192.168.1.255.
138 00:06:13,320 --> 00:06:16,740 So we can specify this in two different ways:
139 00:06:16,740 --> 00:06:21,740 we can type "nmap 192.168.1.1-255",
140 00:06:23,880 --> 00:06:27,580 or we can type it like this: "192.168.1.1/24".
141 00:06:30,840 --> 00:06:32,700 And if you're new to subnetting,
142 00:06:32,700 --> 00:06:35,917 you can think of this "/24" as something that says,
143 00:06:35,917 --> 00:06:38,640 "The first three octets are not changeable."
144 00:06:38,640 --> 00:06:42,030 And by "first three octets" I mean the first three numbers,
145 00:06:42,030 --> 00:06:45,660 which leaves us with only the last octet, or last number,
146 00:06:45,660 --> 00:06:49,290 that will be changeable inside of our IP range.
147 00:06:49,290 --> 00:06:53,010 So let's scan it. If I press Enter...
148 00:06:53,010 --> 00:06:56,400 Now, this scan right here might take a little bit more time
149 00:06:56,400 --> 00:06:58,560 since it is not only scanning one host,
150 00:06:58,560 --> 00:07:01,230 it is scanning multiple hosts.
151 00:07:01,230 --> 00:07:03,780 And even though it's scanning multiple hosts,
152 00:07:03,780 --> 00:07:06,210 it finished relatively fast because it is scanning
153 00:07:06,210 --> 00:07:07,533 my own network.
154 00:07:08,460 --> 00:07:10,230 Let us read the results.
155 00:07:10,230 --> 00:07:15,230 So, these right here are the results for the Metasploitable,
156 00:07:15,840 --> 00:07:17,550 as we can see by the IP address,
157 00:07:17,550 --> 00:07:19,470 and we got the same results as before,
158 00:07:19,470 --> 00:07:23,430 which ports are open and what services they are running.
159 00:07:23,430 --> 00:07:26,850 Down here we get that it scanned 256 IP addresses
160 00:07:26,850 --> 00:07:29,250 and three hosts are up;
161 00:07:29,250 --> 00:07:31,800 let's see which other two hosts are up
162 00:07:31,800 --> 00:07:34,140 besides our Metasploitable.
163 00:07:34,140 --> 00:07:39,140 We got a device with the IP address of 192.168.1.4,
164 00:07:39,210 --> 00:07:40,770 and it says right here,
165 00:07:40,770 --> 00:07:43,803 all 1000 scanned ports on this device are closed.
166 00:07:44,670 --> 00:07:46,080 And you remember when I told you
167 00:07:46,080 --> 00:07:47,550 that this is the more secure version,
168 00:07:47,550 --> 00:07:51,900 since right now we cannot connect to any of these ports.
169 00:07:51,900 --> 00:07:53,580 And this is probably some home device,
170 00:07:53,580 --> 00:07:55,080 possibly my laptop;
171 00:07:55,080 --> 00:07:57,840 it has all 1000 scanned ports closed
172 00:07:57,840 --> 00:08:01,383 because it doesn't host any service to other machines.
173 00:08:02,250 --> 00:08:05,073 And the last device that we got is my router.
174 00:08:05,910 --> 00:08:07,500 We got its IP address,
175 00:08:07,500 --> 00:08:10,890 and we also got which ports it has open.
176 00:08:10,890 --> 00:08:13,380 So it has port 22 for SSH,
177 00:08:13,380 --> 00:08:17,310 port 23 for Telnet, port 53 for the domain,
178 00:08:17,310 --> 00:08:22,310 port 80 and port 443 for HTTP and HTTPS,
179 00:08:22,320 --> 00:08:26,130 and this port right here that says service unknown.
180 00:08:26,130 --> 00:08:28,350 This is because Nmap couldn't figure out
181 00:08:28,350 --> 00:08:30,663 what service is running on this open port.
182 00:08:31,590 --> 00:08:34,950 Okay, great. For now, we performed a basic Nmap scan
183 00:08:34,950 --> 00:08:38,130 without adding any additional options to it,
184 00:08:38,130 --> 00:08:41,039 and with this we managed to discover open ports
185 00:08:41,039 --> 00:08:42,929 on our target machines.
186 00:08:42,929 --> 00:08:45,060 That is good for the start.
187 00:08:45,060 --> 00:08:46,860 In the next video, we will see
188 00:08:46,860 --> 00:08:49,260 what else we can discover using Nmap,
189 00:08:49,260 --> 00:08:51,303 and what other cool options it has.