1 00:00:00,150 --> 00:00:03,050 Hello everybody and welcome to this section on nmap.
2 00:00:03,060 --> 00:00:09,360 I'm actually recording this in 2020, so the video you're going to see here shortly is from 2019.
3 00:00:09,360 --> 00:00:14,520 We've had a little bit of issues with the command that I show, which is netdiscover, on how to find your
4 00:00:14,520 --> 00:00:19,110 IP address of the Kioptrix machine to actually begin scanning this machine.
5 00:00:19,590 --> 00:00:23,580 So I'm going to show you a couple of alternatives and then I'm going to let the video play as it was
6 00:00:23,580 --> 00:00:24,180 before.
7 00:00:24,510 --> 00:00:30,130 And you'll have several options on how to find your Kioptrix machine and hopefully find the IP address.
8 00:00:30,150 --> 00:00:34,280 So at this Kioptrix login page we can cheat just a little bit.
9 00:00:34,290 --> 00:00:39,510 So what I'm going to do is I'm actually going to give you a login here, and just go ahead and type john
10 00:00:39,540 --> 00:00:43,260 as the login, and I'm going to show you the password before I delete it.
11 00:00:43,260 --> 00:00:52,880 The password is going to be TwoCows2, just like that, T-w-o-C-o-w-s-2, with the T and the C capitalized.
12 00:00:52,890 --> 00:01:02,220 So go ahead and type in john and then TwoCows2 and you can see we are now logged in as john@kioptrix.
13 00:01:02,220 --> 00:01:04,860 Now this machine is very, very old.
14 00:01:04,860 --> 00:01:09,500 So the typical ifconfig or ip a or any of those do not work on this machine.
15 00:01:09,990 --> 00:01:15,490 However we can do a quick ping, for example, to anything we want. We could say 8.8.8.8.
16 00:01:15,600 --> 00:01:17,090 It could be an internal IP address.
17 00:01:17,100 --> 00:01:22,110 It doesn't have to be an IP address that resolves. Well, we could say ping, and as we ping I'm going to
18 00:01:22,110 --> 00:01:29,460 hit Control-C here. You can see that we see ping from 192.168.4.53.
19 00:01:29,700 --> 00:01:31,080 That's my IP address.
20 00:01:31,080 --> 00:01:35,940 Now the IP address you're going to see here in the video shortly is going to change.
21 00:01:36,000 --> 00:01:41,330 However, as of right now the IP address I'm seeing for Kioptrix is 4.53.
22 00:01:41,340 --> 00:01:46,010 Now we also use netdiscover, but there's actually a cool tool we can utilize as well.
23 00:01:46,050 --> 00:01:53,490 Now if we come into the network you can see that I have an IP address of 192.168.4.51 for myself.
24 00:01:53,490 --> 00:01:58,920 Now there is a tool built into Kali Linux that is called arp-scan, and you could do a syntax of -l
25 00:01:58,950 --> 00:02:04,410 with that, hit enter, and it's going to pull off an ARP scan as well, which is what netdiscover is doing.
26 00:02:04,980 --> 00:02:06,350 What we need to be looking for.
27 00:02:06,360 --> 00:02:08,480 And you could see this is kind of my home network.
28 00:02:08,550 --> 00:02:14,970 What we need to be looking for is VMware. You can see VMware is sitting here at 192.168.4
29 00:02:14,980 --> 00:02:16,020 .50.
30 00:02:16,110 --> 00:02:20,100 The only one to be on the lookout for is possibly yourself, which we're at .51.
31 00:02:20,100 --> 00:02:25,620 I don't see in this list, it didn't pick us up, so I could see 192.168.4.53. VMware should be the
32 00:02:25,620 --> 00:02:29,150 only one that's running, or using VirtualBox or something like that.
33 00:02:29,220 --> 00:02:30,490 It should show up here.
34 00:02:30,570 --> 00:02:35,520 So kind of identify it either this way, or you can come in and identify it through the Kioptrix login
35 00:02:35,520 --> 00:02:36,410 itself.
36 00:02:36,720 --> 00:02:39,210 Of course you can use netdiscover as shown in the video.
37 00:02:39,570 --> 00:02:44,710 So without further ado, let's go ahead and go into the video on scanning with nmap.
38 00:02:44,810 --> 00:02:48,220 OK, so now we have Kioptrix up and running.
39 00:02:48,360 --> 00:02:53,180 We need to determine where it actually is and then we can do a little bit of scanning.
40 00:02:53,220 --> 00:02:58,060 So what we're gonna do is we're gonna go up into our applications and open our terminal.
41 00:02:58,400 --> 00:03:04,770 I'm just gonna make this a little bit bigger and we're going to run a tool called netdiscover.
42 00:03:04,770 --> 00:03:11,860 So before we can do that we need to type in ifconfig and identify your IP address, and we're going
43 00:03:11,850 --> 00:03:18,430 to go ahead and copy these first three octets here and we're going to run netdiscover. So netdiscover
44 00:03:18,430 --> 00:03:24,790 is going to look like this: we're gonna say netdiscover, we're gonna do a -r for range, we're going
45 00:03:24,790 --> 00:03:29,930 to paste in this and do a .0/24.
46 00:03:30,170 --> 00:03:31,540 So what are we doing?
47 00:03:31,610 --> 00:03:36,800 We are going to be using ARP to detect all the machines on the network.
48 00:03:36,800 --> 00:03:42,340 So you should be familiar with ARP from the Linux lessons and from the networking lessons.
49 00:03:42,410 --> 00:03:48,530 So we're going to attempt to use ARP to address anything on the network, and we're sweeping the entire
50 00:03:48,530 --> 00:03:55,010 subnet of slash 24. So go ahead and hit enter, and in a second here
51 00:03:55,010 --> 00:03:58,370 our machines should start popping up, and it does.
52 00:03:58,370 --> 00:04:01,210 So remember our host was at .139.
53 00:04:01,550 --> 00:04:04,880 This host here at .134 is likely our culprit.
54 00:04:04,910 --> 00:04:08,410 So you should only have two machines in the network because we're only running two.
55 00:04:08,540 --> 00:04:12,520 You can ignore .1, .2 and .254.
56 00:04:12,560 --> 00:04:20,760 We are only focusing on the one that looks similar to ours, which is 192.168.57.134.
57 00:04:20,900 --> 00:04:22,730 So now we know our machine address.
58 00:04:22,730 --> 00:04:24,610 We can start attacking it.
59 00:04:24,630 --> 00:04:29,540 So go ahead and hit Control-C, which is going to kill this session here, and then hit Control-L to clear
60 00:04:29,540 --> 00:04:31,820 my screen.
61 00:04:31,920 --> 00:04:32,410 All right.
62 00:04:32,430 --> 00:04:37,320 So I'm going to open up a notepad and we'll just store this away for a rainy day.
63 00:04:37,350 --> 00:04:41,040 We need to first talk about what we're going to be doing here.
64 00:04:41,040 --> 00:04:52,620 So remember before, when we ran our TCP three-way handshake, we had something like SYN, SYN-ACK and ACK,
65 00:04:53,110 --> 00:04:53,530 right?
66 00:04:53,820 --> 00:04:56,370 And we had to say SYN-ACK like this to combine.
67 00:04:56,400 --> 00:04:57,790 So we've got three parts.
68 00:04:57,890 --> 00:05:01,740 We've got the part where we reach out to a port and we say hey port, are you open?
69 00:05:01,890 --> 00:05:04,110 And the port says yeah, I'm open.
70 00:05:04,140 --> 00:05:06,110 Let's go ahead and make that connection.
71 00:05:06,390 --> 00:05:08,430 And then we go ahead and connect to it.
72 00:05:09,030 --> 00:05:15,570 So what we're going to be doing is we're going to be using a tool called nmap. nmap stands for network
73 00:05:15,600 --> 00:05:16,470 mapper.
74 00:05:16,470 --> 00:05:23,250 Now what network mapper is going to go out and do is it's going to scan for open ports and services.
75 00:05:23,250 --> 00:05:28,920 Now this scanning is going to take place and it's going to identify these open ports with something
76 00:05:28,920 --> 00:05:31,530 similar to this three-way handshake.
77 00:05:31,530 --> 00:05:33,810 So we're just going to modify it a little bit.
78 00:05:33,900 --> 00:05:38,460 Now the process that we're doing is called stealth scanning, and it used to be written out like
79 00:05:38,460 --> 00:05:39,280 this.
80 00:05:39,330 --> 00:05:42,810 Now it's just done by default, and we'll get to the switches here in a second.
81 00:05:42,810 --> 00:05:48,210 Don't worry about that. Just, we're going to be running stealth scanning, and now this stealth scanning
82 00:05:48,600 --> 00:05:50,100 used to be stealthy, right?
83 00:05:50,220 --> 00:05:56,640 That's why they called it stealth scanning, because it used to be undetectable. Nowadays, very detectable.
84 00:05:56,670 --> 00:06:02,610 If you run nmap in a network that has good security you're going to get picked up, although being
85 00:06:02,610 --> 00:06:07,620 a pen tester I would say that nmap probably doesn't get picked up in 80 percent of the assessments that
86 00:06:07,620 --> 00:06:07,980 I run.
87 00:06:07,980 --> 00:06:14,760 So don't expect clients to be running good security, but just know that even though it says stealth it's
88 00:06:14,760 --> 00:06:16,560 not stealthy at all.
89 00:06:16,560 --> 00:06:20,420 So this stealth scanning, why was it stealthy, why was it called this?
90 00:06:20,430 --> 00:06:27,360 Well if we go back to the three-way handshake, what the stealth scan does is it does the SYN. It says
91 00:06:27,360 --> 00:06:33,510 hey, I want to connect to you on the open port. If it's open it'll say yeah, I want to make that connection
92 00:06:33,510 --> 00:06:34,790 back with you, friend.
93 00:06:35,040 --> 00:06:38,040 And what's going to happen is we're just going to say, you know what?
94 00:06:38,040 --> 00:06:41,220 I'm just kidding, I'm going to send over this reset flag.
95 00:06:41,220 --> 00:06:43,770 So this, ask me why.
96 00:06:43,770 --> 00:06:46,050 Well, that means we don't actually establish a connection.
97 00:06:46,050 --> 00:06:51,150 So like when you go out to a website and you go to Google and Google loads, well guess what, you establish
98 00:06:51,150 --> 00:06:54,080 that connection, you establish that three-way handshake.
99 00:06:54,150 --> 00:06:58,080 What we're doing is we're going out and we're saying hey, I want to establish a connection.
100 00:06:58,080 --> 00:07:04,340 The port reveals to us that yes, I am open for connection, and then we're gonna say just kidding.
101 00:07:04,350 --> 00:07:08,550 Let's not make that connection. Because we never established that connection,
102 00:07:08,550 --> 00:07:10,350 then it was technically stealthy.
103 00:07:10,530 --> 00:07:13,400 So that's why we're going out, we're doing, we're never making connections to these ports.
104 00:07:13,410 --> 00:07:16,140 But this is how we're identifying them as open.
105 00:07:16,140 --> 00:07:19,230 So we're going to use a tool, and we're going to use a tool like this.
106 00:07:19,230 --> 00:07:28,050 We're going to say nmap and we're going to say something along the lines of -T4 -p-
107 00:07:28,050 --> 00:07:30,320 -A.
108 00:07:30,420 --> 00:07:33,850 Now you have no idea what this means, and I don't expect you to.
109 00:07:33,880 --> 00:07:40,890 I'm going to walk you through these, and what we're doing here is we're saying hey nmap, I have a choice
110 00:07:40,890 --> 00:07:46,770 in speed, and that choice in speed can be between a one and a five. One's really slow and five's really
111 00:07:46,770 --> 00:07:47,880 fast.
112 00:07:47,880 --> 00:07:53,460 Now the default for me has always been four, and I'm teaching you my preference.
113 00:07:53,460 --> 00:07:54,930 It's always been four.
114 00:07:54,990 --> 00:07:55,880 OK.
115 00:07:55,920 --> 00:07:59,130 And we utilize this in, I think, five, five.
116 00:07:59,170 --> 00:08:03,820 OK, but five is kind of fast, maybe you're going to miss something, maybe it gets caught.
117 00:08:03,840 --> 00:08:06,260 The slower the better in terms of detection.
118 00:08:06,270 --> 00:08:11,610 But in the instance that we're gonna be running it through this course we're going to use four. Any time
119 00:08:11,610 --> 00:08:16,680 you do like a VulnHub or something like a Hack The Box, which you're going to see here in a few videos,
120 00:08:17,610 --> 00:08:19,560 you're going to run T4.
121 00:08:19,590 --> 00:08:22,830 Just because you're not worried about this detection, not worried about anything.
122 00:08:22,830 --> 00:08:25,000 So T4 is a speed purpose.
123 00:08:25,140 --> 00:08:27,650 Now -p-.
124 00:08:27,720 --> 00:08:33,210 Well, this stands for I want to scan all ports, OK.
125 00:08:33,210 --> 00:08:40,520 We could say something like -p, or we could just have -p left off completely.
126 00:08:40,530 --> 00:08:47,130 Now if we leave off -p completely it's going to scan what are known as the top 1000 ports. The top
127 00:08:47,130 --> 00:08:49,470 1000 ports are your most common ports.
128 00:08:49,470 --> 00:08:57,450 So think of like port 80, port 443, 139, 445, all the ports that we covered in the networking
129 00:08:57,450 --> 00:08:58,190 section.
130 00:08:58,320 --> 00:08:59,980 Going to show up again here.
131 00:09:00,180 --> 00:09:05,710 But there are sixty five thousand five hundred and thirty five ports out there.
132 00:09:05,850 --> 00:09:12,600 We want to scan every single one of those, because what if, for example, there is a service running on
133 00:09:12,840 --> 00:09:19,260 port forty seven thousand seven hundred? Well, that's not a common top 1000 port. If we don't scan all
134 00:09:19,260 --> 00:09:21,510 ports then we're going to miss that port.
135 00:09:21,630 --> 00:09:23,750 And that could be something incredibly valuable to us.
136 00:09:23,760 --> 00:09:24,480 Right?
137 00:09:24,510 --> 00:09:28,840 So I always scan like this: -p-.
138 00:09:29,100 --> 00:09:35,990 You can also do things like scan specific ports. You could say like 443, or say you want to scan just
139 00:09:35,990 --> 00:09:39,680 for web servers, you could do 80, 443, something like that.
140 00:09:39,680 --> 00:09:45,830 Or you can mix in, so you want to scan for DNS as well, you can add in 53, etc. You can scan for
141 00:09:45,830 --> 00:09:51,340 specifics. We're going to get into that in a little bit later video on why we might do it this way.
142 00:09:51,650 --> 00:09:58,070 But for now, for the beginner lesson, -p-, we're gonna scan everything.
143 00:09:58,070 --> 00:10:05,950 And lastly we've got this -A in here. So -A stands for everything, I want to scan all of it.
144 00:10:06,080 --> 00:10:12,830 I want you to tell me, I want you to tell me the version information, the operating system information,
145 00:10:13,160 --> 00:10:16,000 anything you can tell me, fingerprinting, etc.
146 00:10:16,040 --> 00:10:17,620 Now this may all be confusing.
147 00:10:17,630 --> 00:10:20,220 It's gonna make a lot more sense when you see a scan.
148 00:10:20,330 --> 00:10:24,170 I'm going to go ahead and open up a new tab, and what I want you to do...
149 00:10:24,200 --> 00:10:26,570 Let's go ahead and I'm going to blow this up for us.
150 00:10:26,570 --> 00:10:31,610 And what I want you to do is I want you to go ahead and start running the scan while we wait. Go ahead
151 00:10:31,610 --> 00:10:33,830 and copy this here.
152 00:10:33,830 --> 00:10:37,550 And the last thing we're gonna do is we're gonna put in our IP address, and that's how it knows where
153 00:10:37,550 --> 00:10:38,570 to scan.
154 00:10:38,570 --> 00:10:46,570 We're just gonna hit enter on that and now we're scanning. So from here what we're gonna do is we're
155 00:10:46,570 --> 00:10:47,960 going to take this.
156 00:10:48,160 --> 00:10:54,450 And I want to run nmap again with a --help, and I want to talk through some of these settings
157 00:10:54,450 --> 00:11:00,450 in here so that you understand fully what we're doing. Now --help is always great.
158 00:11:00,450 --> 00:11:03,840 As I said before, man pages are good as well.
159 00:11:03,840 --> 00:11:05,700 But let's talk about some things here.
160 00:11:05,700 --> 00:11:12,180 So we've got this host discovery section, which we're really not going to use in this course, but this
161 00:11:12,180 --> 00:11:13,720 is good for, say, a -sn,
162 00:11:13,750 --> 00:11:16,400 and so you want to do a ping sweep of the network.
163 00:11:16,410 --> 00:11:23,580 Well, you can do a ping scan, right, where you just sweep an entire subnet, a /24 for example, and see
164 00:11:23,610 --> 00:11:24,690 what's up.
165 00:11:24,690 --> 00:11:32,070 Very quick. A -Pn, maybe the host isn't acting like it's online but you know it's there for sure.
166 00:11:32,070 --> 00:11:37,200 You can say -Pn and you say hey, I want to leave all the hosts, or treat all the hosts as if they're
167 00:11:37,200 --> 00:11:40,680 all online, even if they're not responding to my ping requests or anything.
168 00:11:41,520 --> 00:11:45,120 So make yourself familiar with this kind of stuff.
169 00:11:45,120 --> 00:11:48,580 This is interesting, and we'll cover a lot of this as we go in the course.
170 00:11:48,690 --> 00:11:53,180 But just for the first walkthrough while we're scanning I think this is super important.
171 00:11:53,280 --> 00:11:54,960 Now, scan techniques.
172 00:11:55,050 --> 00:11:57,720 This -sS comes back into play.
173 00:11:57,730 --> 00:12:01,570 TCP SYN is what it's called, but it's also known as the stealth scan.
174 00:12:02,190 --> 00:12:04,500 There's all these other types of scans.
175 00:12:04,830 --> 00:12:06,320 You're not going to need them.
176 00:12:06,450 --> 00:12:11,730 There's only maybe one scan out of all these that may be useful, but you're not going to need them through
177 00:12:11,730 --> 00:12:15,810 this course, and you're probably never going to use anything but the -sS and the -sU.
178 00:12:15,810 --> 00:12:17,730 Ninety nine percent of the time.
179 00:12:17,820 --> 00:12:21,970 So for the scope of this course, that's what we're going to focus on now.
180 00:12:21,990 --> 00:12:26,730 The -sS. We've talked about connection-oriented protocols, we talked about TCP.
181 00:12:26,730 --> 00:12:27,620 Well, guess what?
182 00:12:28,080 --> 00:12:33,780 There's also UDP, and there's sixty five thousand five hundred thirty five ports over there as well that
183 00:12:33,780 --> 00:12:39,800 we have to scan. Now UDP is a connectionless protocol.
184 00:12:39,840 --> 00:12:41,730 So what we're going to do when we scan it...
185 00:12:41,790 --> 00:12:43,310 Let's go back to this scan.
186 00:12:43,350 --> 00:12:48,390 What we're gonna do when we scan it is we're going to actually do that -sU in here, and I'll copy this
187 00:12:48,390 --> 00:12:51,940 syntax and just move it over so it looks a little cleaner.
188 00:12:52,050 --> 00:12:53,340 We're gonna say something like
189 00:12:56,740 --> 00:12:58,170 we can put it anywhere we want.
190 00:12:58,180 --> 00:13:04,180 The order doesn't matter, but we can say something like -sU to scan for UDP, and the one little
191 00:13:04,180 --> 00:13:08,910 change that I make here is actually I take off the -A.
192 00:13:09,340 --> 00:13:10,830 And I do a -p-.
193 00:13:11,290 --> 00:13:14,100 Why do I do a -p-? I should say, why do I do this?
194 00:13:14,110 --> 00:13:22,150 I do this because UDP takes forever to scan, absolutely forever to scan, because it is a connectionless protocol.
195 00:13:22,150 --> 00:13:24,900 It does not have that instant response time.
196 00:13:24,910 --> 00:13:29,200 So when we scan UDP, typically we scan the top 1000.
197 00:13:29,230 --> 00:13:30,940 That is my recommendation to you.
198 00:13:30,940 --> 00:13:35,950 Or else you will be sitting here waiting for hours upon hours for a scan to finish.
199 00:13:35,950 --> 00:13:38,050 See, now our scan over here is already finished.
200 00:13:38,050 --> 00:13:43,180 If I were to run this UDP with the same thing it will take forever. Going back into this, before we get
201 00:13:43,180 --> 00:13:48,240 into the scan, you can see here that we can specify -p with a port.
202 00:13:48,390 --> 00:13:50,060 That's going to be very common for us.
203 00:13:50,220 --> 00:13:58,380 But here's where I really want to get into: we're doing a -sV, a -sC, a -O here, all with the
204 00:13:58,380 --> 00:13:59,180 -A.
205 00:13:59,190 --> 00:13:59,630 OK.
206 00:13:59,640 --> 00:14:03,330 So we're probing open ports for service information.
207 00:14:03,330 --> 00:14:10,020 We could say -sV and we can say -sC. You could pick these, you know, one or the other, a mixture
208 00:14:10,020 --> 00:14:14,040 of some of these, but we could also do script scanning, which we'll get into script scanning here in
209 00:14:14,040 --> 00:14:15,460 a little bit as well.
210 00:14:15,930 --> 00:14:20,850 But we can do OS detection, where it goes out and tries to define an operating system, and you're going
211 00:14:20,850 --> 00:14:22,640 to see all this with our scan.
212 00:14:22,920 --> 00:14:25,860 But when we use -A it does it all for us.
213 00:14:25,890 --> 00:14:28,120 So why, why not use -A?
214 00:14:28,950 --> 00:14:34,020 So you can see it does OS detection, version detection, script scanning and traceroute.
215 00:14:34,530 --> 00:14:39,780 Now there's one caveat to -A. We're going to talk about this in another video, and a thought process:
216 00:14:40,900 --> 00:14:47,730 it is much faster to remove the -A and scan a -p-. Typically that'll come back much, much,
217 00:14:47,730 --> 00:14:52,620 much faster, and then what you can do is you can define the open port.
218 00:14:52,620 --> 00:14:55,330 So say there's port 22, port 80.
219 00:14:55,470 --> 00:14:55,820 OK.
220 00:14:55,820 --> 00:14:57,060 Just go through this.
221 00:14:57,150 --> 00:14:59,920 You can specify those ports specifically.
222 00:15:00,180 --> 00:15:06,660 You could say -p, like we did in an example earlier with 80 and 443, and then do a -A on those.
223 00:15:06,660 --> 00:15:13,140 Now that will then scan only these specific ports with all, instead of going out to every single port
224 00:15:13,230 --> 00:15:15,820 and attempting to do all on every single port.
225 00:15:15,930 --> 00:15:17,560 It's just a little bit faster.
226 00:15:17,640 --> 00:15:22,670 Now if your wheels are spinning and you're thinking about it, maybe even you can script this, right?
227 00:15:22,680 --> 00:15:30,630 You can script something to say hey nmap, I want to take, I want to take these ports from a basic scan,
228 00:15:30,960 --> 00:15:36,960 anything that you pull back, and I'm going to go ahead and I'm going to run a new scan on it with a
229 00:15:36,990 --> 00:15:43,200 -A, only specifying the ports that we found back. If your wheels are spinning, this is where scripting becomes
230 00:15:43,200 --> 00:15:43,950 important.
231 00:15:44,010 --> 00:15:46,220 If you want an improvement on speed.
232 00:15:46,320 --> 00:15:50,270 For me personally, I've never ever done that.
233 00:15:50,310 --> 00:15:53,540 I don't think, for me personally, that it's made much of a difference.
234 00:15:53,550 --> 00:15:58,220 I just let my scans run as they run, and I work on other things while scans are running.
235 00:15:58,230 --> 00:16:01,880 There's plenty of time to do other things while you're doing your scanning.
236 00:16:02,120 --> 00:16:08,950 So typically, another thing to note is, typically we're doing scanning when we're doing our OSINT as
237 00:16:08,950 --> 00:16:09,250 well.
238 00:16:09,250 --> 00:16:13,780 So if we start up a client assessment, one of the first things I'm going to do is probably kick off a
239 00:16:13,780 --> 00:16:15,500 Nessus scan or an nmap scan.
240 00:16:15,520 --> 00:16:20,680 And while I'm doing that I'm going to go look for those breached credentials, or I'm going to look for
241 00:16:20,680 --> 00:16:28,010 that juicy information on Google or social media where I can find it, and utilize that time
242 00:16:28,150 --> 00:16:32,060 while this is scanning, or else I'll just be sitting on my hands doing nothing while these wait.
243 00:16:32,650 --> 00:16:37,640 So we're going to take this information now and we're going to start reviewing it.
244 00:16:37,750 --> 00:16:42,100 So we have here our scan results, and you can see the scan results come back.
245 00:16:42,280 --> 00:16:45,930 And the first thing we notice are open ports.
246 00:16:46,000 --> 00:16:47,380 That's what we want to look at.
247 00:16:47,410 --> 00:16:52,710 We want to look at these open ports, and we want to look at what's running on these open ports.
248 00:16:52,780 --> 00:16:57,810 So we see here that what's running on port 22 is SSH.
249 00:16:58,270 --> 00:16:59,050 OK.
250 00:16:59,170 --> 00:17:01,680 On top of that, it's got a version here for us.
251 00:17:01,690 --> 00:17:08,610 So OpenSSH 2.9p2, and then we see Apache is running on port 80.
252 00:17:08,610 --> 00:17:15,560 We've also got Apache running on port 443, and we've got this rpcbind and 139.
253 00:17:15,560 --> 00:17:18,970 Now remember from the networking lesson, these kind of always play together.
254 00:17:19,230 --> 00:17:21,930 So we've got SMB open, basically Samba shares.
255 00:17:22,860 --> 00:17:30,480 And what we can do is, first step is usually enumeration. Once we see this, we take the scan and we scroll
256 00:17:30,480 --> 00:17:34,120 down a little bit as well, and we can look at some things and see, OK.
257 00:17:34,130 --> 00:17:35,720 There's no OS information.
258 00:17:35,730 --> 00:17:39,030 It found Linux here, 2.4.x.
259 00:17:39,060 --> 00:17:45,450 And it's most likely pulling that down from, from the, the Apache.
260 00:17:45,450 --> 00:17:50,580 It's probably a best guess, because it's running Red Hat, that it's running Linux, and taking a stab at
261 00:17:50,580 --> 00:17:50,960 it here.
262 00:17:50,970 --> 00:17:55,780 Or it may have actually determined that from some sort of header or some other location.
263 00:17:55,920 --> 00:18:00,090 A lot of times this isn't so sure as it's saying it is here.
264 00:18:00,150 --> 00:18:05,510 A lot of times it'll give you a percentage, so the OS is not always definitive as it is here.
265 00:18:05,520 --> 00:18:10,470 So we've got the OS, which could be useful for us later when we do enumeration, and you'll see how that
266 00:18:10,470 --> 00:18:12,060 comes into play.
267 00:18:12,060 --> 00:18:19,350 What I want you to take in right now is that so far we've got a scan result back, and that scan has gone
268 00:18:19,380 --> 00:18:24,720 out and it has looked for open ports doing that modified stealth handshake.
269 00:18:24,750 --> 00:18:27,130 So it says SYN, SYN-ACK, reset.
270 00:18:27,180 --> 00:18:29,330 RST. Doing that,
271 00:18:29,370 --> 00:18:36,750 it's found a few open ports. Now it is our job to look up the information that we are seeing on these
272 00:18:36,750 --> 00:18:39,360 open ports and try to find exploits on them.
273 00:18:39,780 --> 00:18:41,190 So that's what we're going to do.
274 00:18:41,340 --> 00:18:46,380 And I'm going to cover, in the next video, we're going to go kind of step by step, and I'll talk through
275 00:18:46,380 --> 00:18:53,430 the methodology and why I attack certain ports first, what ports those are, how we can enumerate those
276 00:18:53,430 --> 00:18:56,390 ports, and then we'll enumerate everything.
277 00:18:56,390 --> 00:18:58,180 Get all the details down.
278 00:18:58,380 --> 00:19:01,650 Once we have all the details down we're going to move into the section of exploitation.
279 00:19:01,650 --> 00:19:06,740 It's gonna get really fun, and we'll exploit this machine in multiple ways.
280 00:19:06,750 --> 00:19:13,350 So from here just take apart, or take that away from the lesson, that you've officially, successfully scanned
281 00:19:13,350 --> 00:19:14,220 this machine.
282 00:19:14,250 --> 00:19:19,610 I encourage you to maybe go back and take notes, or to go back and scan it again.
283 00:19:19,650 --> 00:19:21,350 Get the syntax down in your head.
284 00:19:21,360 --> 00:19:22,620 Keep typing this out.
285 00:19:22,620 --> 00:19:23,210 Remember it.
286 00:19:23,220 --> 00:19:26,580 This is the one thing you're probably gonna type up more than anything else.
287 00:19:26,670 --> 00:19:32,370 And then also go through and look at the different types of options you have there.
288 00:19:32,370 --> 00:19:35,010 If there's one that interests you, just run it against the machine.
289 00:19:35,010 --> 00:19:35,850 Play around with it.
290 00:19:35,850 --> 00:19:37,530 This is your lab time.
291 00:19:37,530 --> 00:19:38,850 Make the most of it.
292 00:19:38,850 --> 00:19:40,890 So for now, that's it.
293 00:19:40,890 --> 00:19:43,480 In the next video we're going to start enumerating these ports.
294 00:19:43,560 --> 00:19:45,480 So I will catch you over in the next video.