[00:00] Hello, my name is Stephan. In the previous lecture, we learned about the importance of information gathering in security assessments. We explored various techniques for Nmap and its scripts for gathering valuable information about a target's assets, attack surface and potential vulnerabilities. To begin with, we discussed the scripts used for IP geolocation, namely ip-geolocation-geoplugin, ip-geolocation-maxmind and ip-geolocation-ipinfodb. Here we learned that ip-geolocation-geoplugin does not require an API key, while ip-geolocation-maxmind relies on a database that needs to be downloaded separately. The ip-geolocation-ipinfodb script requires an API key as well, which can be obtained for free by registering on their website. We also discussed some additional options for the whois script: we can select specific providers using the whodb argument, which we will learn about in the next lecture again. So from the scripts mentioned previously, only ip-geolocation-geoplugin does not require an API key, as I said, and the ip-geolocation-maxmind script depends on a database that is not included in Nmap.

[01:19] By default, you can sign up and download the MaxMind GeoLite City database from their website, but the ip-geolocation-ipinfodb script requires an API key to query its external service. The service actually is free; you only need to register at their website, which is ipinfodb.com. And here what we're going to do is we will use the free version of it. We will not register any API keys and others here. We will just use the ip-geolocation scripts here. So we will open a terminal. We will write sudo nmap here. We can also use -sn here to make it faster, and after that we will use --script. Here you will enter the script name, in this case ip-geolocation, and after that you will enter this and this character, and after that you will just enter the target IP or domain. So in this case, it's going to be a domain, code telecom. That's it. And now we will press Enter. And as you can see here, we got these coordinates. So the output was so fast here because we used -sn here; if we use it without -sn, we would actually need to wait for like a minute or 30 seconds here.

[02:57] So we always use -sn too when using geolocation here. And as you can see, these are our coordinates here. What we're going to do is we will search for coordinates to IP here, or coordinates to location. And here we will use DuckDuckGo. Here, Enter. And now we will select some website here. Let's say GPS coordinates. And here we are. We're going to use latitude and longitude here. The latitude is the first one, and longitude is in second place here. And now we are going to press "get address". And here, as you can see, we need to see the map here. And this is the geolocation of our web server, or where the IP address belongs here. And here we can zoom in, and here it's on a [inaudible] here. Okay. As you can see, Capital Seafood and Seek Settlers Restaurant and Pastry, Sierra West, Western Guilford High School, Doris Henderson Newcomers School, Korean First Parish Church and so on. So this is how IP geolocation works here. You can also use these markers to mark the places.

[04:56] That's it. So now we are going to close this. And here this is the scanner report for this Nmap plugin here. So let's think firstly about how it works. So the --script ip-geolocation-* option initializes all the scripts here. So with this we initialize all the scripts starting with the file name pattern ip-geolocation. So at the moment there are three scripts available to geolocate IP addresses: geoplugin, maxmind and ipinfodb. So ip-geolocation-geoplugin, ip-geolocation-maxmind and ip-geolocation-ipinfodb here. So the service providers will not return information about certain IP addresses, so it's recommended to use them all and compare the results. So the information returned by these scripts includes at least the latitude and longitude coordinates, and other fields such as country, state, address and city when available. And there is more, of course. So the ip-geolocation-geoplugin NSE script works by querying a free public service. So consider the number of queries you need to send and be considerate; otherwise the provider will restrict the service, as other providers have done in the past. So it's a common misconception that IP-to-geolocation services provide a 100% accurate location of the computer or device.

[06:30] So the location accuracy heavily depends on the database, and each service provider may have used different methods of collecting data; keep it in mind when interpreting results from external providers here. Right? So it's a misconception that IP-to-geolocation services provide a 100% accurate location of the computer or device. So. And here you can also map your location marker. So the ip-geolocation-map scripts can be used for generating graphical representations of the markers obtained by the previous scripts. And similarly, they require API keys that are free but require signing up to get hold of. So consider using them to view and interpret results easily. After all, most of us are already familiar with Google Maps and other service providers, so instead of using this and registering on some websites, you can use online tools for geolocating a point on a map and seeing its graphical placement on the map here. So you can also submit a new geolocation provider. So if you know a better IP-to-geolocation provider, don't hesitate to submit your geolocation script to the official mailing list. So don't forget to document if the script requires an external API or database, or if you know an excellent service but do not have experience developing the scripts, you may add your idea to the script ideas page located at secwiki.org, the Nmap script ideas link here.

[08:07] So now let's get information from Whois records here. So. Now what we are going to do, we will get information from Whois records. So the Whois records contain useful information, right? Such as registrar, organization name, creation and expiration date, geographical location and abuse contact information, among some potentially interesting fields. So system administrators, IT staff and other security professionals have been using Whois records for years now. And although there are many tools and websites available to query this information, Nmap can process IP range target lists in many formats to perform these tasks in batch. So I will show you how to retrieve the Whois records of an IP address or domain name with Nmap here. So what we're going to do is we will use sudo, -sn and --script here. We will use whois, and we will do that again: we will use all the scripts that start with whois here, and after that we will enter our target here, code Silicom, and here we get sudo nmap here, of course sudo nmap, that's it now. And as you can see here, it's almost completed. 50% is done. So now we're going to get the output here.

[09:55] And as you can see here, we got the output here. So now we have the registrar here, Namecheap here, expiry date. This is the expiry date of this domain, creation date, update date. And we also have the registrar Whois server, in this case whois.namecheap.com, and the domain name, code telecom, which we obviously need. And here we have the name servers here, dns1 and dns2, namecheaphosting.com, and the URL of the ICANN Whois inaccuracy complaint form, and that's it. So here we have some notices, we have the registrar database here and so on. So here let's actually think about how it works. So the nmap -sn --script whois-* command skips the port scanning phase with -sn here, which makes it faster, and executes the scripts that match the file name pattern that starts with whois here. So there are two scripts that match this expression here. Uh, let me actually do that here. There are two scripts that match this expression. The first is whois-ip, and whois-domain. So the whois-ip script queries the Regional Internet Registries' whois databases, and the whois-domain script queries the iana.org whois to obtain records until it finds the requested information.

[11:38] But there is more, of course. So the behavior of the whois-ip script can be configured to enable or disable the lookup cache, so you can select a specific service provider and ignore referral records. So let's actually see how we can use these options. Now what we're going to do is we will select a service provider specifically. So the whois-ip script uses IANA's assignment data to select the RIR, and it caches the results locally. Alternatively, you could override this behavior and select the order of the service providers to use in the whodb argument here. In order to do that, we will use sudo and after that nmap here; we will enter the script, whois-ip here, and after that we need to use the proper characters here, and after that we will enter the script arguments here, --script-args, and whodb here: arin, ripe and afrinic, and after that you will enter the target here, in this case silly.com. And here we have "failed to resolve" for this script here. So what we're going to do is we will add that to here. And here we also had args here. We need to...

[13:21] ...add the argument, --script-args. That's it. And here our scan has started. And that's it. So. Here we selected arin, ripe and afrinic to scan catholic.com, and it's almost done. I guess it's at 93% here. It's almost done. And here this is the output. Here we have again the results from the different scripts here. And that's it. We have open ports and so on. So here we can also ignore the referral records. So the whois-ip script queries a list of whois providers in sequential order until the record or a referral to the record is found. So to ignore the referral records, you can use the nofollow script argument. In order to do that, we will just change nmap --script whois-ip --script-args here, and now what we're going to do is, instead of arin, ripe and so on, we will just write nofollow, and after that you enter the target. So sometimes cached responses will be preferred over querying the Whois service, and this might prevent the discovery of an IP address. So we can also disable the cache with nocache here. So actually, let it complete.

[15:42] So we will just use the option. We don't need the ports here for now, so it will get us the output faster. And here, as you can see here, this is the output, and we scanned while ignoring referral records. So now what we're going to do is we will disable the cache here. So in order to disable the cache, we will just delete nofollow and we will add nocache here. So here, as you can see here, the cached responses will be preferred over querying the Whois services, and this might prevent the discovery of an IP address assignment. And here we disabled the cache here. So as with every free service, we need to consider the number of queries that we need to make to avoid reaching the daily limit and getting banned, or even worse, ruining the free services for everyone else here. So this is our lecture. And in summary, this lecture covers the practical aspects of IP geolocation using Nmap NSE scripts, including the set of requirements for specific scripts, the execution commands and the interpretation of results. We also explored the retrieval of Whois records and learned about the additional configuration options for the whois-ip script.

[17:07] So by applying these techniques, security professionals can gather essential information to enhance their security assessments and make informed decisions.