1 00:00:00,210 --> 00:00:07,320 So a few lectures ago, we saw how we identify which ports are scanned. Now, in input management,
2 00:00:08,460 --> 00:00:11,550 we'll see how we identify which systems are scanned.
3 00:00:12,150 --> 00:00:14,700 OK, go to Kali and open a terminal window.
4 00:00:15,600 --> 00:00:20,130 First, I'll prepare an Nmap query, and because I'll play with the destination IPs,
5 00:00:20,790 --> 00:00:23,160 it will be the last parameter of my query.
6 00:00:24,340 --> 00:00:26,130 nmap is the command itself.
7 00:00:27,020 --> 00:00:34,820 -n to turn off name resolution, -Pn (uppercase P) to turn off ping, -sS (uppercase S) for SYN scan. Now,
8 00:00:34,860 --> 00:00:35,600 to keep it simple,
9 00:00:35,870 --> 00:00:38,570 let's scan just the top three ports.
10 00:00:38,990 --> 00:00:41,930 Now is the time to identify the destination systems.
11 00:00:43,040 --> 00:00:46,190 Up to now, we learned to scan a single IP.
12 00:00:47,090 --> 00:00:52,040 And we learned how to scan an entire C block, that is, .0/24.
13 00:00:56,330 --> 00:00:59,840 OK, so what are the other ways of identifying target systems?
14 00:01:01,010 --> 00:01:06,710 You can select a range for any part of the IP address. In the slide, the third and the fourth parts of
15 00:01:06,710 --> 00:01:09,920 the IP address are given as ranges.
16 00:01:10,070 --> 00:01:16,280 That means Nmap will scan IPs from 192.168.8.10 to
17 00:01:16,550 --> 00:01:19,340 192.168.255.255.
18 00:01:20,360 --> 00:01:21,830 I'd like to keep the range small.
19 00:01:22,160 --> 00:01:27,950 I'll only define a range for the fourth part of the destination address, from 100 to 150.
20 00:01:30,850 --> 00:01:37,570 There's only one machine between 172.16.99.100 and
21 00:01:37,570 --> 00:01:39,880 172.16.99.150.
22 00:01:41,920 --> 00:01:47,350 You can scan more than one IP block in a single query. The example in the slide scans two ranges.
23 00:01:48,190 --> 00:01:54,670 The first range is between 192.168.1.0 and
24 00:01:54,920 --> 00:01:56,440 192.168.1.255.
25 00:01:57,250 --> 00:02:06,010 And the second range is between 10.0.0.0 and 10.0.255.255.
26 00:02:07,320 --> 00:02:11,490 Since I don't have a second network on my Kali, I continue with a third example.
27 00:02:12,550 --> 00:02:17,410 The third example is a combination of defining a range and a single number.
28 00:02:18,310 --> 00:02:26,140 For example, you can scan the IPs between 100 and 140, IP 206, and the IPs between
29 00:02:26,260 --> 00:02:29,200 220 and 230.
30 00:02:29,800 --> 00:02:34,840 So here are the results. Nmap found a machine from the range of 100 through 140.
31 00:02:36,290 --> 00:02:38,360 The machine with IP 206.
32 00:02:41,060 --> 00:02:45,380 And another machine from the range of 220 through 230.
33 00:02:45,630 --> 00:02:50,630 Another way to define the target systems is to give Nmap the IP addresses in a file.
34 00:02:51,520 --> 00:02:58,420 In a typical penetration test or ethical hacking engagement, you will scan a network a lot of times. First you
35 00:02:58,420 --> 00:02:59,320 find the hosts.
36 00:02:59,410 --> 00:03:04,450 It doesn't make sense to scan the entire network again and again; you'll see huge networks.
37 00:03:04,720 --> 00:03:09,250 So if you scan the entire network each time, the pen test will take a lot longer than you think.
38 00:03:10,150 --> 00:03:16,870 Let's open a second terminal screen and find the hosts of our IP block using ping scan, as we learned
39 00:03:16,870 --> 00:03:17,500 before.
40 00:03:17,950 --> 00:03:23,020 Now let's filter the output to have only the IP addresses of live hosts.
41 00:03:24,000 --> 00:03:28,000 grep command to get only the rows containing IP addresses.
42 00:03:33,270 --> 00:03:37,350 And cut command to get only the IP addresses from a row.
43 00:03:41,760 --> 00:03:46,650 Now we can redirect the output into a text file to reuse the list in the following queries.
44 00:03:47,070 --> 00:03:54,000 But first, let me turn off name resolution. Now put a greater-than character and give a file name to
45 00:03:54,000 --> 00:03:54,810 write the result:
46 00:03:55,290 --> 00:03:57,100 iplist.txt.
47 00:04:01,980 --> 00:04:06,810 We're not interested in the first two IP addresses, so let's edit the file and delete them.
48 00:04:07,140 --> 00:04:09,420 I use the nano text editor to edit the file.
49 00:04:11,010 --> 00:04:14,340 In nano, use Ctrl+K to delete a line.
50 00:04:15,150 --> 00:04:17,580 Use Ctrl+X to exit nano, press
51 00:04:17,580 --> 00:04:23,130 Y to save changes, and hit Enter to save to the same file. Type cat
52 00:04:23,430 --> 00:04:27,060 iplist.txt to look at the file again.
53 00:04:27,450 --> 00:04:29,970 Now we have four IP addresses in the file.
54 00:04:30,690 --> 00:04:37,930 Let's create a new Nmap query, and this time let's give the destination systems in a file, iplist.
55 00:04:40,350 --> 00:04:45,690 And here are the results for the four systems which are listed in the iplist.txt file.
56 00:04:46,960 --> 00:04:53,470 So let's talk about output management in Nmap now. Up to now we've run a lot of Nmap queries and
57 00:04:53,470 --> 00:04:55,300 got the results on the terminal screen.
58 00:04:55,600 --> 00:05:02,760 This is the default output behavior, called interactive output, and it is sent to standard output, stdout.
59 00:05:02,800 --> 00:05:05,050 In a penetration test
60 00:05:05,740 --> 00:05:12,010 we should save the results of the queries to be able to analyze them later on. Hopefully, Nmap has
61 00:05:12,010 --> 00:05:14,050 its own output management skills.
62 00:05:15,010 --> 00:05:15,820 So let's have a look.
63 00:05:16,240 --> 00:05:19,420 There are three major output-saving formats in Nmap.
64 00:05:20,310 --> 00:05:23,850 Normal output, which is similar to interactive output.
65 00:05:24,880 --> 00:05:30,280 That's what you see on the screen up to now, except that it displays less runtime information and
66 00:05:30,280 --> 00:05:36,130 warnings, since it is expected to be analyzed after the scan completes rather than interactively.
67 00:05:37,420 --> 00:05:44,410 Grepable output, which includes most information for a target host on a single line, so you can use
68 00:05:44,410 --> 00:05:50,320 it to collect the information you want using the excellent grep command. We've already seen a few examples
69 00:05:50,320 --> 00:05:52,150 of the grep command in this course.
70 00:05:53,500 --> 00:05:59,710 XML output is one of the most important output types, as it can be converted to HTML easily,
71 00:05:59,710 --> 00:06:06,100 parsed by programs such as graphical user interfaces, or imported into databases.
72 00:06:06,280 --> 00:06:13,840 There is one more magic parameter, which is -oA (uppercase A), to let you generate the output in all formats.
73 00:06:14,620 --> 00:06:17,260 Now let's see Nmap output management in action.
74 00:06:18,980 --> 00:06:20,690 Go to Kali and open a terminal screen.
75 00:06:21,920 --> 00:06:24,440 Prepare an Nmap query for this example.
76 00:06:24,590 --> 00:06:26,360 I want to prepare a SYN scan.
77 00:06:27,340 --> 00:06:29,530 Now we're ready for output management options.
78 00:06:30,370 --> 00:06:37,780 First, I want to generate the XML output using the -oX (uppercase X) parameter. The -oX parameter needs
79 00:06:37,780 --> 00:06:38,950 the output file name.
80 00:06:39,580 --> 00:06:45,460 You can give the file name with a full path. If you don't specify a path, just as in this example,
81 00:06:45,970 --> 00:06:48,760 the file is created in the current folder.
82 00:06:50,110 --> 00:06:50,770 Be careful.
83 00:06:51,370 --> 00:06:56,320 The -oX, -oG and -oN parameters require the full file name.
84 00:06:57,010 --> 00:07:03,850 So if you want the file to have an extension such as .xml, you should specify it here. Hit Enter to
85 00:07:03,850 --> 00:07:04,570 run the command.
86 00:07:05,550 --> 00:07:07,140 To see the generated file.
87 00:07:08,450 --> 00:07:08,900 Here it is.
88 00:07:09,740 --> 00:07:16,760 And use the less command to see the content of the file. So it's a typical XML file with tags.
89 00:07:17,700 --> 00:07:21,120 Here's a host tag; it starts and ends.
90 00:07:22,640 --> 00:07:29,030 All the results about a host are listed between the start tag and the end tag: IP address and ports
91 00:07:29,330 --> 00:07:31,700 and, of course, the scan result.
92 00:07:32,690 --> 00:07:36,150 Here is another host tag, and the scan results of the second host as well.
93 00:07:37,500 --> 00:07:38,520 Press Q to quit the
94 00:07:38,850 --> 00:07:39,570 less command.
95 00:07:41,550 --> 00:07:46,230 Now, let's call back our Nmap query with the up/down arrow keys of the keyboard.
96 00:07:47,130 --> 00:07:49,950 Now I want to generate all types of outputs.
97 00:07:51,860 --> 00:07:53,810 Type -oA (uppercase A)
98 00:07:53,840 --> 00:07:55,280 and the base name of the files.
99 00:07:55,910 --> 00:07:56,540 Be careful.
100 00:07:56,840 --> 00:07:57,590 The -oA (uppercase A)
101 00:07:57,620 --> 00:08:03,980 parameter requires the base file name of the files, not the full name of a file, and it'll put
102 00:08:03,980 --> 00:08:05,510 the file extensions itself.
103 00:08:06,700 --> 00:08:12,340 Let's look at the content of the .nmap file using the less Linux command.
104 00:08:13,220 --> 00:08:15,860 This is almost the same as you'll see on the screen.
105 00:08:16,220 --> 00:08:18,230 Now let's look at the grepable output.
106 00:08:19,830 --> 00:08:21,990 Here there are two lines for each host.
107 00:08:22,680 --> 00:08:24,420 One to show the status of the host.
108 00:08:25,110 --> 00:08:27,210 And another one to show the port scan results.