1
00:00:00,360 --> 00:00:05,550
In the previous Nmap lectures, we have seen the no-port scan, also known as ping scan.

2
00:00:06,390 --> 00:00:08,220
Different ways of scanning ports.

3
00:00:09,320 --> 00:00:18,470
SYN scan, also known as half-open scanning; TCP scan, also known as TCP connect scan; and UDP scan.

4
00:00:19,610 --> 00:00:23,720
Now, let's see some more details to be able to use Nmap more effectively.

5
00:00:24,940 --> 00:00:27,190
We have found the hosts and their open ports.

6
00:00:28,060 --> 00:00:33,850
Now it is time to find out the services which are listening on those ports and the versions of those services.

7
00:00:34,660 --> 00:00:38,740
In addition, let's detect the operating systems running on those systems.

8
00:00:39,750 --> 00:00:49,860
Suppose that you ran an Nmap query and it told you that ports 25/TCP, 80/TCP and 53/UDP are open.

9
00:00:50,850 --> 00:00:58,650
Using its nmap-services database of about 2,200 well-known services, Nmap would report

10
00:00:58,650 --> 00:01:06,510
that those ports probably correspond to a mail server (SMTP), a web server (HTTP) and a name server (DNS),

11
00:01:06,750 --> 00:01:07,470
respectively.

12
00:01:08,190 --> 00:01:09,930
This lookup is usually accurate.

13
00:01:10,500 --> 00:01:15,690
The vast majority of daemons listening on TCP port 25 are, in fact, mail servers.

14
00:01:16,500 --> 00:01:19,410
However, you should not bet your security on this.

15
00:01:20,450 --> 00:01:23,600
People can and do run services on strange ports.

16
00:01:25,100 --> 00:01:33,440
Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP and DNS servers,

17
00:01:34,600 --> 00:01:36,640
that is not a lot of information.

18
00:01:37,710 --> 00:01:43,320
When doing vulnerability assessments, or even simple network inventories, of your companies or clients,

19
00:01:43,950 --> 00:01:48,150
you really want to know which mail and DNS servers and versions are running.
20
00:01:49,130 --> 00:01:54,530
Having an accurate version number helps dramatically in determining which exploits a server is vulnerable

21
00:01:54,530 --> 00:02:03,500
to. Version detection helps you obtain this information. After TCP and/or UDP ports are discovered using

22
00:02:03,500 --> 00:02:04,910
one of the other scan methods,

23
00:02:04,910 --> 00:02:10,520
version detection interrogates those ports to determine more about what is actually running.

24
00:02:10,730 --> 00:02:17,780
The nmap-service-probes database contains probes for querying various services and match expressions

25
00:02:17,780 --> 00:02:23,780
to recognize and parse responses. Nmap tries to determine the service protocol,

26
00:02:24,140 --> 00:02:28,370
for example FTP, SSH, Telnet, HTTP;

27
00:02:29,390 --> 00:02:35,960
the application name, which could be ISC BIND, Apache httpd, Solaris telnetd;

28
00:02:37,000 --> 00:02:43,960
the version number, hostname, device type, something like a printer or a router, and the OS

29
00:02:43,960 --> 00:02:46,540
family, you know, that is Windows, Linux, etc.

30
00:02:47,740 --> 00:02:52,360
So let's see how to use service and version detection in Nmap and why it's important.

31
00:02:53,880 --> 00:02:54,310
OK.

32
00:02:54,330 --> 00:02:56,310
Go to Kali and open a new terminal window.

33
00:02:56,910 --> 00:03:00,570
Let's create the Nmap scan command: nmap is the command itself.

34
00:03:02,170 --> 00:03:04,300
-n is to avoid DNS resolution.

35
00:03:05,360 --> 00:03:08,070
-Pn, with uppercase P, is to avoid host discovery.

36
00:03:08,090 --> 00:03:09,770
I'm using the SYN scan this time.

37
00:03:10,690 --> 00:03:16,870
All right, the destination IP, which is the IP address of my Metasploitable VM, and the destination

38
00:03:16,870 --> 00:03:17,380
ports.

39
00:03:18,100 --> 00:03:23,770
The top 10 ports. Let's run this command first to see the results of a command without version detection.
40
00:03:24,220 --> 00:03:27,700
Now I open a new terminal window to create a new Nmap command.

41
00:03:31,530 --> 00:03:33,660
I prepared the command with the same configuration.

42
00:03:35,890 --> 00:03:36,640
SYN scan.

43
00:03:37,650 --> 00:03:38,490
Metasploitable.

44
00:03:39,410 --> 00:03:40,640
And top 10 ports.

45
00:03:43,340 --> 00:03:48,980
I add the -sV parameter, with uppercase V, for version detection and hit enter.

46
00:03:49,990 --> 00:03:52,750
As you see, the query takes longer this time.

47
00:03:54,500 --> 00:04:00,530
The SYN scan without version detection took less than a second, and the SYN scan with version detection

48
00:04:00,530 --> 00:04:02,210
took about 12 seconds.

49
00:04:03,770 --> 00:04:09,440
In the first query, service names are estimated by Nmap according to the default services running

50
00:04:09,440 --> 00:04:15,830
on those ports. In the second query, on the other hand, Nmap probed the ports to determine more

51
00:04:15,830 --> 00:04:18,110
about what is actually running.

52
00:04:19,460 --> 00:04:25,970
Now, I want to show you the most important reason for using version detection in Nmap queries. In Kali,

53
00:04:25,970 --> 00:04:31,580
I'm going to run SSH on port 443 and then scan the port with Nmap.

54
00:04:32,480 --> 00:04:34,010
Let's perform the demo together.

55
00:04:35,020 --> 00:04:41,470
First, look at the listening services to see if SSH is running: netstat -nlp.

56
00:04:42,690 --> 00:04:45,600
SSH is running on port 22 at the moment.

57
00:04:46,760 --> 00:04:51,680
Type service ssh stop to stop the SSH service and hit enter.

58
00:04:53,450 --> 00:04:57,980
Now, to change the port of SSH, we're going to change the configuration.

59
00:04:59,000 --> 00:05:03,740
Open the sshd_config file with a text editor and change it.
60
00:05:05,070 --> 00:05:14,550
I use the nano text editor for this. Type nano /etc/ssh/sshd_config

61
00:05:14,970 --> 00:05:15,740
and hit enter.

62
00:05:16,320 --> 00:05:20,490
Find the Port line and delete the hash (#) to make it a valid configuration line.

63
00:05:21,180 --> 00:05:23,250
The hash was used to make it a comment line.

64
00:05:23,520 --> 00:05:25,740
Change the port number to 443.

65
00:05:26,310 --> 00:05:32,550
Ctrl+X to exit nano, Y to save changes, and hit enter to save over the existing file.

66
00:05:33,960 --> 00:05:38,340
Start SSH again using the service ssh start command.

67
00:05:40,540 --> 00:05:44,140
Look at the listening ports to double-check: netstat -nlp.

68
00:05:46,300 --> 00:05:53,050
The SSH service is running on port 443 now. Let's scan port 443 of Kali with Nmap.

69
00:05:53,470 --> 00:05:55,630
Prepare the Nmap SYN scan command.

70
00:05:55,990 --> 00:05:57,760
No version detection for this query.

71
00:06:02,910 --> 00:06:11,550
Nmap detects that the port is open. Look at the service: Nmap says the service is https. Using its

72
00:06:11,550 --> 00:06:18,870
nmap-services database, Nmap reported that this port probably corresponds to a web server for HTTPS,

73
00:06:19,050 --> 00:06:20,760
and we know that's not true.

74
00:06:22,070 --> 00:06:29,690
So let's prepare the Nmap SYN scan again, but this time use the -sV parameter, with uppercase V, to run the version

75
00:06:29,690 --> 00:06:30,830
detection mechanism.

76
00:06:31,250 --> 00:06:40,940
Now, as you see, port 443 is running and the service is SSH, not HTTPS. Version detection interrogated

77
00:06:40,940 --> 00:06:47,540
the port to determine more about what is actually running. Nmap queried the port using the probes of

78
00:06:47,540 --> 00:06:53,750
the nmap-service-probes database and matched expressions to recognize and parse responses.

79
00:06:54,680 --> 00:07:00,320
And the version of SSH is OpenSSH 7.6p1.

80
00:07:00,470 --> 00:07:07,740
So if you are not 100 percent sure about the type of the running service on a port, run version detection.

81
00:07:08,120 --> 00:07:08,510
Got it?

82
00:07:08,840 --> 00:07:09,170
Good.