1
00:00:00,390 --> 00:00:05,880
So remember that while performing a penetration test, we should always test the network devices, whether

2
00:00:05,880 --> 00:00:09,990
they're vulnerable to attacks, all the ones we've mentioned up until now.

3
00:00:10,980 --> 00:00:16,170
Of course, we have to discover the network devices and the services running on them first.

4
00:00:16,680 --> 00:00:20,610
So let's see how we discover network devices and their services.

5
00:00:20,970 --> 00:00:23,490
And what else can we do to attack these services?

6
00:00:23,820 --> 00:00:24,810
Come on, it'll be fun.

7
00:00:26,800 --> 00:00:32,170
So as you already know, the first step of a penetration test is always reconnaissance.

8
00:00:32,650 --> 00:00:38,710
In other words, gathering information. So how can we collect information about the network devices?

9
00:00:39,520 --> 00:00:44,170
The answer is the same as with the reconnaissance of all the other parts of the penetration test.

10
00:00:45,740 --> 00:00:52,070
We can scan the network and find the network devices according to the fingerprints or operating systems

11
00:00:52,070 --> 00:00:53,150
of the devices found.

12
00:00:53,930 --> 00:01:01,700
For example, if the operating system of a device is Cisco IOS, it's most probably a network device

13
00:01:01,700 --> 00:01:03,710
such as a switch or router.

14
00:01:05,000 --> 00:01:08,630
Sniffing is another way to collect data about the network devices.

15
00:01:09,290 --> 00:01:13,550
You should always focus especially on the clear-text services, such as Telnet.

16
00:01:15,620 --> 00:01:21,020
Now, one of the brilliant ways of reconnaissance is analyzing the documents collected throughout the

17
00:01:21,020 --> 00:01:24,320
penetration test. In a typical penetration test,

18
00:01:24,680 --> 00:01:30,740
you will probably find a lot of sensitive information by just looking at the file servers, shared files

19
00:01:30,740 --> 00:01:37,160
and email backups, or unprotected ASCII files on compromised admin personal computers.

20
00:01:39,360 --> 00:01:47,520
So as we were saying before, the most common services open on the network devices are SSH, Telnet, HTTP,

21
00:01:47,880 --> 00:01:48,720
HTTPS

22
00:01:48,930 --> 00:01:50,100
and SNMP.

23
00:01:51,230 --> 00:01:54,540
And the default ports of these services are listed on this slide.

24
00:01:56,270 --> 00:02:04,040
I want to call your attention to this: these are the default ports, right, so they don't have to run on

25
00:02:04,040 --> 00:02:05,060
the specified port.

26
00:02:05,900 --> 00:02:13,280
You can run an SSH service on port 443 or an HTTP service on port,

27
00:02:13,430 --> 00:02:13,970
I don't know,

28
00:02:14,510 --> 00:02:21,680
three, two, one, etc. And you can discover more details about the network devices by analyzing these

29
00:02:21,680 --> 00:02:22,670
services deeply.

30
00:02:24,750 --> 00:02:31,410
Right, and now, to have the correct result and discover even more, you should always scan the network

31
00:02:31,410 --> 00:02:34,890
with OS discovery and version detection options.

32
00:02:37,050 --> 00:02:44,100
So if you look at the example in the slide again, you see an nmap command. nmap is a security scanner

33
00:02:44,400 --> 00:02:47,880
which is used to discover hosts and services on a computer network.

34
00:02:48,870 --> 00:02:58,590
In the same sample command shown, the -O parameter is used for OS detection, while -sV is used

35
00:02:58,590 --> 00:02:59,970
for version detection.

36
00:03:02,330 --> 00:03:02,660
Great.

37
00:03:03,850 --> 00:03:05,170
So, just listening to the traffic,

38
00:03:06,430 --> 00:03:13,360
we can gather some information about the network devices. Here, the protocols which use clear-text communication

39
00:03:13,360 --> 00:03:19,900
are especially important because you can see the payload data transferred between the endpoints.

40
00:03:21,390 --> 00:03:25,110
The most important clear-text protocols are Telnet,

41
00:03:26,550 --> 00:03:28,200
Cisco Discovery Protocol,

42
00:03:29,620 --> 00:03:31,210
Spanning Tree Protocol,

43
00:03:32,680 --> 00:03:33,820
routing protocols,

44
00:03:35,460 --> 00:03:37,920
VLAN Trunking Protocol and

45
00:03:39,030 --> 00:03:41,100
Simple Network Management Protocol.

46
00:03:44,200 --> 00:03:48,220
So let's scan the router according to the criteria that we talked about up till now.

47
00:03:49,820 --> 00:03:56,810
In Kali, I opened a terminal screen, so I'll use nmap to scan the router, but first,

48
00:03:57,820 --> 00:04:00,010
let's go ahead and ping the router to check the network.

49
00:04:01,730 --> 00:04:02,420
And it's OK.

50
00:04:03,850 --> 00:04:06,250
So nmap is the command itself.

51
00:04:07,640 --> 00:04:16,280
-sS is to make it a SYN scan. A SYN scan is a kind of TCP scan where the three-way handshake

52
00:04:16,280 --> 00:04:17,210
is not completed.

53
00:04:18,550 --> 00:04:20,230
Target IP is our router.

54
00:04:21:630 --> 00:04:26,160
-sV is for the version detection of the open ports.

55
00:04:27,650 --> 00:04:29,780
-O, for the operating system detection.

56
00:04:30,950 --> 00:04:36,260
--reason is to force nmap to tell the reason for its decisions.

57
00:04:37,560 --> 00:04:39,330
And -p is for the ports.

58
00:04:39,600 --> 00:04:46,980
So let's scan the SSH, Telnet, HTTP, HTTPS and SNMP ports. Now hit enter.

59
00:04:51,340 --> 00:04:52,930
So that took 15 seconds.

60
00:04:53,590 --> 00:04:56,080
It seems the only port open is Telnet.

61
00:04:59,060 --> 00:05:00,530
Here's the port details.

62
00:05:00,860 --> 00:05:03,830
It is a Cisco device and one of these series.