1
00:00:00,170 --> 00:00:05,810
So remember that while performing a penetration test, we should always test the network devices whether

2
00:00:05,810 --> 00:00:07,670
they're vulnerable to attacks.

3
00:00:08,119 --> 00:00:14,360
All the ones we've mentioned up till now. Of course, we have to discover the network devices and the

4
00:00:14,360 --> 00:00:16,340
services running on them first.

5
00:00:16,370 --> 00:00:22,820
So let's see how we discover network devices and their services and what else we can do to attack these

6
00:00:22,820 --> 00:00:23,630
services.

7
00:00:23,660 --> 00:00:24,950
Come on, it'll be fun.

8
00:00:26,540 --> 00:00:32,390
So as you already know, the first step of a penetration test is always reconnaissance.

9
00:00:32,420 --> 00:00:34,760
In other words, gathering the information.

10
00:00:35,120 --> 00:00:38,930
So how can we collect information about the network devices?

11
00:00:39,200 --> 00:00:44,390
The answer is the same as with the reconnaissance of all the other parts of the penetration test.

12
00:00:45,540 --> 00:00:51,960
We can scan the network and find the network devices according to the fingerprints or operating systems

13
00:00:51,960 --> 00:00:53,400
of the devices found.

14
00:00:53,610 --> 00:01:01,710
For example, if the operating system of a device is Cisco IOS, it's most probably a network device

15
00:01:01,710 --> 00:01:03,840
such as a switch or a router.

16
00:01:04,739 --> 00:01:08,880
Sniffing is another way to collect data about the network devices.

17
00:01:08,970 --> 00:01:13,710
You should always especially focus on the clear-text services such as Telnet.

18
00:01:15,440 --> 00:01:20,960
Now, one of the brilliant ways of reconnaissance is analyzing the documents collected throughout the

19
00:01:20,960 --> 00:01:22,370
penetration test.
20
00:01:22,580 --> 00:01:28,310
In a typical penetration test, you probably find a lot of sensitive information by just looking at

21
00:01:28,310 --> 00:01:36,440
the file servers, shared files and email backups or unprotected ASCII files of compromised admin personal

22
00:01:36,440 --> 00:01:37,340
computers.

23
00:01:39,180 --> 00:01:46,170
So as we were saying before, the most common services open on the network devices are SSH, Telnet,

24
00:01:46,440 --> 00:01:49,980
HTTP, HTTPS and SNMP.

25
00:01:51,150 --> 00:01:54,750
And the default ports of these services are listed in the slide.

26
00:01:56,130 --> 00:02:01,380
I want to call your attention to this: these are the default ports.

27
00:02:01,570 --> 00:02:01,720
Right.

28
00:02:01,770 --> 00:02:05,310
So they don't have to run on the specified port.

29
00:02:05,610 --> 00:02:13,330
You can run an SSH service on port 443 or an HTTPS service on the port,

30
00:02:13,350 --> 00:02:16,290
I don't know, four, three, two, one, etcetera.

31
00:02:17,130 --> 00:02:22,830
You can discover more details about the network devices by analyzing these services deeply.

32
00:02:24,570 --> 00:02:25,020
Right.

33
00:02:25,020 --> 00:02:29,070
So now, to have the correct results and discover even more,

34
00:02:29,400 --> 00:02:35,100
you should always scan the network with OS discovery and version detection options.

35
00:02:36,810 --> 00:02:41,190
So if you look at the example in the slide, again, you see an Nmap command.

36
00:02:41,970 --> 00:02:47,970
Nmap is a security scanner which is used to discover hosts and services on a computer network.

37
00:02:48,620 --> 00:02:51,470
In the same sample command shown,

38
00:02:51,650 --> 00:03:00,170
the -O parameter is used for OS detection, while -sV is used for version detection.

39
00:03:02,160 --> 00:03:02,790
Great.

40
00:03:03,640 --> 00:03:05,320
So, just by listening to the traffic,
41
00:03:06,170 --> 00:03:09,980
we can gather some information about the network devices here.

42
00:03:10,370 --> 00:03:17,330
The protocols which use clear-text communication are especially important because you can see the payload

43
00:03:17,330 --> 00:03:20,150
data transferred between the endpoints.

44
00:03:21,120 --> 00:03:25,290
The most important clear-text protocols are Telnet,

45
00:03:26,350 --> 00:03:28,360
Cisco Discovery Protocol,

46
00:03:29,480 --> 00:03:31,400
Spanning Tree Protocol,

47
00:03:32,570 --> 00:03:34,040
routing protocols,

48
00:03:35,320 --> 00:03:38,140
VLAN Trunking Protocol and

49
00:03:38,830 --> 00:03:41,320
Simple Network Management Protocol.

50
00:03:43,970 --> 00:03:48,380
So let's scan the router according to the criteria that we talked about up till now.

51
00:03:49,520 --> 00:03:50,420
In Kali,

52
00:03:50,960 --> 00:03:56,120
I opened a terminal screen, so I'll use Nmap to scan the router.

53
00:03:56,120 --> 00:03:57,020
But first,

54
00:03:57,630 --> 00:04:00,150
let's go ahead and ping the router to check the network.

55
00:04:01,540 --> 00:04:02:590
And it's okay.

56
00:04:03,600 --> 00:04:06,480
So nmap is the command itself.

57
00:04:07,650 --> 00:04:10,890
-sS to make it a SYN scan.

58
00:04:11,220 --> 00:04:17,459
A SYN scan is a kind of TCP scan where the three-way handshake is not completed.

59
00:04:17,850 --> 00:04:23,790
But please refer to my Network and Vulnerability Scan for Hacking by Nmap and Nessus course for more

60
00:04:23,790 --> 00:04:27,330
details about Nmap and those scan types.

61
00:04:28,470 --> 00:04:30,330
Target IP is our router.

62
00:04:31,560 --> 00:04:36,300
-sV is for the version detection of the open ports.

63
00:04:37,580 --> 00:04:39,920
-O for the operating system detection.

64
00:04:40,770 --> 00:04:46,440
--reason is to force Nmap to tell the reason for its decisions.

65
00:04:47,250 --> 00:04:49,350
And -p is for the ports.
66
00:04:49,350 --> 00:04:55,860
So let's scan the SSH, Telnet, HTTPS, HTTP and SNMP ports.

67
00:04:56,010 --> 00:04:57,060
Now hit enter.

68
00:05:01,000 --> 00:05:03,130
So that took 15 seconds.

69
00:05:03,440 --> 00:05:06,040
It seems the only port open is Telnet.

70
00:05:08,800 --> 00:05:10,580
Here are the details.

71
00:05:10,600 --> 00:05:13,960
It is a Cisco device and one of these series.