WEBVTT

00:07.310 --> 00:11.930
As an analyst, you may be expected to understand not only your network, but also the subnetworks that

00:11.930 --> 00:13.910
are attached to your organization as a whole.

00:13.910 --> 00:18.530
You can have a cloud environment, a hybrid environment, an on-prem environment, and then several

00:18.530 --> 00:23.090
different offsets of each environment depending on what your organization entails.

00:23.090 --> 00:27.890
This can range from a couple of machines all the way to several thousands of different machines.

00:27.890 --> 00:32.390
Within this chapter, we're going to discuss vulnerability scanning methodologies as well as the concepts

00:32.390 --> 00:33.590
associated with them.

00:33.620 --> 00:37.880
Specifically, within this episode, we're going to talk about network mapping and what it entails and

00:37.880 --> 00:42.890
how to identify the different subsets within each network, whether it's in an isolated environment

00:42.890 --> 00:44.540
or within the network as a whole.

00:44.540 --> 00:49.370
We're also going to dive into an individual item on your network and be able to fingerprint exactly

00:49.370 --> 00:51.830
what's going on with each individual system.

00:51.860 --> 00:57.530
Now, network mapping includes different aspects of scanning the network as a whole to identify the different

00:57.530 --> 01:00.450
machines or IP addresses associated with it.

01:00.450 --> 01:06.450
You have to remember that each physical device has a respective IP address associated with it to be

01:06.450 --> 01:07.170
on the network.

01:07.200 --> 01:11.610
Now, we talked about dynamic and static IP addresses, and that's not really what we're discussing

01:11.610 --> 01:12.120
here.

01:12.150 --> 01:17.880
What we're discussing is each item on your network is interconnected to another item on your network.

01:17.880 --> 01:24.180
And you, as an analyst, need to be able to formulate an exact map of each device and how it interacts

01:24.180 --> 01:26.520
physically with each other device.

01:26.550 --> 01:29.310
Now, that sounds a little bit more complicated than what it needs to be.

01:29.340 --> 01:35.340
We can usually pull this off via a different subset of networking tools in one way, such things as

01:35.340 --> 01:37.200
a ping sweep, or port scanning.

01:37.230 --> 01:42.450
Ping sweeps really provide us a different aspect of every IP address associated on the subnet that we're

01:42.480 --> 01:45.150
operating on for each physical device.

01:45.150 --> 01:50.310
Within that, we want to know what ports are operating on it, how is that device communicating with

01:50.310 --> 01:52.470
other items or objects on our network?

01:52.470 --> 01:54.960
We also want to be able to enumerate its services.

01:54.960 --> 01:57.930
What services are associated with that specific device?

01:57.930 --> 02:01.690
Does it have a web server operational on it?

02:01.720 --> 02:09.310
Maybe it's using something weird, like RDP or a specific port or protocol that we don't normally see.

02:09.340 --> 02:14.290
We need to be aware of those because we need a baseline in order for our network to function operationally

02:14.290 --> 02:15.850
within our own organization.

02:15.880 --> 02:20.680
How do we know if something's going wrong, if we don't have a baseline to identify exactly what's on

02:20.680 --> 02:21.790
our network now?

02:21.820 --> 02:27.310
Once we've identified the different services, ports and the different IP addresses on our network,

02:27.310 --> 02:33.460
we need to dive into an individual device in order to fingerprint every known service, operating system,

02:33.460 --> 02:36.940
and expansion pack that's operating on that specific device.

02:36.940 --> 02:42.640
We want to keep a list operational within our environment so that if something does occur or if our

02:42.640 --> 02:47.920
investigation takes us to a specific operating system, we can identify everything that was originally

02:47.950 --> 02:50.650
on that device from two days ago or a week ago.

02:50.680 --> 02:55.060
If something has changed, that's an indicator of compromise that we need to be able to identify.

02:55.090 --> 03:00.020
We're going to go through right now and discuss that in nmap and show you exactly what I'm talking

03:00.020 --> 03:01.820
about when it comes to network mapping.

03:01.850 --> 03:05.810
Once we're in our Kali environment, we're going to open up a terminal; that's that little black box

03:05.840 --> 03:07.430
at the very top left hand side.

03:08.000 --> 03:11.900
I'm going to blow this up so you can see it a little bit better as I'm typing out these different commands.

03:11.930 --> 03:15.770
Now on my virtual network I have both a Windows 10 machine running.

03:15.770 --> 03:21.890
I also have a Kioptrix 2, which is a vulnerable machine that we've identified before within

03:21.890 --> 03:22.640
this lab environment.

03:22.640 --> 03:26.390
So I've actually got two machines running right now on the network, plus my Kali box.

03:26.390 --> 03:31.760
In order to scan, I actually need to know what my IP address is because all of my machines are operating

03:31.760 --> 03:32.930
in the same subnet.

03:32.930 --> 03:35.690
So the very first command I'm going to input is ifconfig.

03:35.690 --> 03:40.340
And this is just going to give me the same principles that an ipconfig would on a Windows machine.

03:40.370 --> 03:43.820
Here you can see my IP address is 10.0.2.9.

03:43.820 --> 03:47.450
And you can see my netmask as well as my broadcast address.

03:47.570 --> 03:50.870
Throughout this we're going to run a simple network ping scan.

03:50.870 --> 03:55.670
And I'm going to do that using the nmap command switch or tack -sn.

03:55.670 --> 03:57.480
And I'm going to do a 10.0.

03:57.510 --> 03:58.230
Oh, there we go.

03:58.260 --> 04:00.060
Let me do that num lock button in there.

04:00.300 --> 04:04.470
We're going to do a 10.0.2.0.

04:04.500 --> 04:07.110
But at the very end we're going to do a slash 24.

04:07.140 --> 04:13.110
This is the final octet or what we're really scanning here is zero through 255.

04:13.140 --> 04:15.600
On that last octet right there.

04:15.630 --> 04:17.370
If I hit enter it's going to go through.

04:17.370 --> 04:22.320
And it's just going to run that ping scan very, very quickly to identify everything that's on my network.

04:22.380 --> 04:24.000
You can see here the output.

04:24.030 --> 04:25.830
Now I am in a virtual environment.

04:25.830 --> 04:30.990
And because I'm in a virtual environment using VirtualBox, this IP address right here 2.1 it's not

04:30.990 --> 04:35.670
a real IP address, it's just something VirtualBox uses so that I can see what's going on within my

04:35.670 --> 04:36.450
system.

04:36.570 --> 04:42.270
If I scroll up, I know that my IP address for my Kali box is 2.9, which is right here.

04:42.300 --> 04:45.030
Now, I did notice something and I'm sure you did too.

04:45.060 --> 04:46.830
I've only got one box operational.

04:46.830 --> 04:52.410
I've only got that 2.5, which means my Windows machine is most likely not on this network.

04:52.440 --> 04:55.850
Now, I can't be sure of that because I've only got one IP address.

04:55.850 --> 05:00.170
We're going to dive into this a little bit later when we get into fingerprinting in the next little

05:00.170 --> 05:00.920
demo.

05:00.950 --> 05:06.080
The next thing I want to do is port scanning. To do port scanning, I'm just going to open up that nmap

05:06.080 --> 05:06.770
command again.

05:06.770 --> 05:10.640
But instead of doing -sn, we're just going to do a -p- switch.

05:10.700 --> 05:16.160
This is going to provide me a very detailed port scan of every device on my slash 24 network.

05:16.190 --> 05:19.400
Again, I'm not identifying a singular IP address.

05:19.400 --> 05:21.020
I'm going through the entire CIDR.

05:21.020 --> 05:23.900
And this is what network mapping is all about.

05:23.900 --> 05:26.750
We're not identifying a specific operating system.

05:26.750 --> 05:27.920
We're not doing fingerprinting.

05:27.920 --> 05:30.350
We're doing network enumeration and mapping.

05:31.520 --> 05:35.570
This is going to take a second as it goes through the command because this is a very detailed command.

05:35.570 --> 05:40.100
So you may have to wait a few seconds for this system to finish up.

05:40.700 --> 05:41.210
Okay.

05:41.210 --> 05:42.590
So our scan has finished.

05:42.590 --> 05:45.440
And you can see here that it provided us a 2.1.

05:45.440 --> 05:49.070
But there's no ports except for 53 open. Bonus points

05:49.070 --> 05:52.730
if you can remember what port 53 TCP stands for.

05:52.910 --> 05:55.070
Let's drop down to 2.5 now.

05:55.100 --> 06:02.180
2.5 is the IP address of the singular machine that's operational on my system or on my virtual network

06:02.180 --> 06:02.780
right now.

06:02.780 --> 06:07.430
And we know that because 2.5 pointed out some different aspects here.

06:07.430 --> 06:11.960
You can see with our port scan that we identified several different ports that are open, starting with

06:11.960 --> 06:14.120
port 22 on SSH.

06:14.120 --> 06:20.480
We can also see port 8111, 443, 631, 825 and 3306.

06:20.480 --> 06:26.090
All of these provide us a service, but it's not a lot of information when it comes to that specific

06:26.090 --> 06:26.510
service.

06:26.540 --> 06:31.640
It's not telling us the version, it's not telling us the specific software that it might be utilizing.

06:31.640 --> 06:36.590
It's just giving us a broader categorization of the service that it's utilizing in conjunction with

06:36.590 --> 06:37.790
the port that's open.

06:37.790 --> 06:43.250
Again, it's telling me that SSH is open, but it's not telling me which version of SSH is open.

06:43.250 --> 06:45.890
This is where network enumeration kind of stops.

06:45.890 --> 06:50.480
We've identified the IP addresses associated with our network, and we've identified the ports that

06:50.480 --> 06:51.080
are open.

06:51.080 --> 06:53.210
Now let's talk about Services.

06:53.240 --> 07:02.690
If I want to run an nmap services scan, I'm going to do nmap tack or switch lowercase s, uppercase

07:02.720 --> 07:07.340
V, and again 10.0.2.0 with a forward slash 24.

07:07.370 --> 07:13.340
Again, that makes sure that I'm doing that last octet of 0 to 255 on the /24 CIDR.

07:13.370 --> 07:18.140
I'm going to hit enter, and it's going to go through and start scanning all of these IP addresses.

07:18.140 --> 07:23.930
In my case, just the one for different services that are operational on this specific machine.

07:25.190 --> 07:31.040
Again, you can recognize from the output that it's providing us that report for 2.1, which again is

07:31.040 --> 07:32.390
just VirtualBox.

07:32.390 --> 07:38.510
And it's saying, hey, port 53, and it has one service that is unrecognizable because it is in fact VirtualBox.

07:39.170 --> 07:39.380
Okay.

07:41.150 --> 07:46.520
If we scroll down, we can see 2.5 is pointing out and it's providing me a little bit more information

07:46.520 --> 07:47.930
to the specific machine.

07:47.930 --> 07:54.900
It's telling me that port 22 is open on TCP with an open state running SSH, and the version it's running

07:54.900 --> 07:56.130
in is OpenSSH

07:56.160 --> 08:01.710
version 3.9p1 with protocol version 1.99.

08:01.740 --> 08:05.850
This provides me a lot of information specific to this specific box.

08:05.880 --> 08:12.030
Now, because I ran it for the entire octet, you can see that it's providing different aspects.

08:12.030 --> 08:17.790
And if I had other machines, it would provide that output for each and every machine on my subnet.

08:17.820 --> 08:22.950
This is where network mapping really comes into play, and where you, as a cybersecurity analyst,

08:22.980 --> 08:26.520
should be able to read this output within your CySA exam.

08:26.520 --> 08:32.550
You may see scenario based questions with an output like I'm showing you here, going, hey, what output

08:32.550 --> 08:35.910
or what version of software is running?

08:35.910 --> 08:41.430
We'll start again from the top on this one, not from the top, from the CySA exam.

08:43.770 --> 08:51.220
You may see a question on your CySA exam asking on port 80 what service is currently running, and it

08:51.220 --> 08:53.890
will provide you this blank out right here.

08:53.890 --> 08:57.460
Which port 80 is running TCP, open.

08:57.460 --> 09:05.350
And the correct answer would be running Apache httpd, and it may be version 2.0.52, and maybe even asking

09:05.350 --> 09:06.670
you what operating system.

09:06.670 --> 09:09.700
And in this case it provides us using CentOS.

09:09.700 --> 09:13.570
This is important information that you need to be aware of for your CySA exam, because you

09:13.570 --> 09:15.070
may see outputs like this.

09:15.100 --> 09:20.230
It may also try to trick you where it's not providing that service column right there.

09:20.230 --> 09:25.990
And it'll say something like what service is running on HTTPS.

09:25.990 --> 09:32.350
And you may be able to identify that HTTPS is actually running on port 443, which it didn't

09:32.380 --> 09:34.510
tell you before because it's not associating with it.

09:34.510 --> 09:42.340
And then you may have to put out the version service as Apache httpd version 2.0.52 CentOS.

09:42.340 --> 09:47.830
So again, just like Security+, you need to know what ports and protocols are matched, and they may not

09:47.830 --> 09:52.190
provide you everything when it comes to that specific attribute. I expect to see

09:52.220 --> 09:55.460
different questions associated with that on your CySA exam.

09:56.240 --> 10:01.190
We talked about network mapping and how it includes mapping your entire network and how those physical

10:01.190 --> 10:02.630
connections take place.

10:02.660 --> 10:07.040
When we talk about fingerprinting, we're specifically talking about a single device on your network.

10:07.070 --> 10:08.810
This could be a server, a client.

10:08.810 --> 10:11.690
It could even be an IDS or IPS or a firewall.

10:11.690 --> 10:12.560
It doesn't really matter.

10:12.560 --> 10:14.960
It's just dependent upon what you're actually scanning.

10:14.990 --> 10:20.390
We're going to provide you an example today on nmap again of actually fingerprinting a specific device.

10:20.390 --> 10:21.740
From our previous scan.

10:21.740 --> 10:28.520
We know that 2.5 or 10.0.2.5 is actually running our sole machine on our network, associated with

10:28.520 --> 10:29.330
what we're doing here.

10:29.360 --> 10:33.410
Now I know what that machine is, but let's pretend for a minute that I didn't.

10:33.440 --> 10:38.420
If I've already done the ping sweep scan, which I have, and next thing I may want to identify is the

10:38.420 --> 10:40.010
operating system as a whole.

10:40.010 --> 10:45.110
Now, in our previous scan, we identified that as possibly being a CentOS operating system.

10:45.110 --> 10:51.570
But if I want to know for sure, I can do a tack or switch capital O and then provide the exact IP address.

10:51.570 --> 10:55.590
You'll notice in fingerprinting I'm not doing a scan or a CIDR.

10:55.590 --> 11:00.870
I'm doing an individual IP address, specifically 10.0.2.5.

11:01.740 --> 11:05.040
You can see here that within my system it's telling me I need root privileges.

11:05.040 --> 11:11.100
And like anything in Linux, I'm just going to provide that sudo command in there.

11:11.100 --> 11:16.440
And again I'm going to run nmap switch -O, capital O, 10.0.2.5.

11:16.440 --> 11:19.050
And it should run okay for me now.

11:22.020 --> 11:27.390
If we see here you can see at the very bottom it's providing me what the operating system is.

11:27.390 --> 11:30.150
I am running a Linux 2.6.x.

11:30.150 --> 11:35.280
It's not sure exactly what the last version is for that, but we are fairly confident that it is running

11:35.280 --> 11:38.160
on a Linux platform of 2.6.

11:38.160 --> 11:41.970
If I drop down one line, we can see the operating system CPE.

11:42.180 --> 11:46.950
This tells us that it's running Linux, Linux kernel version 2.6.

11:46.980 --> 11:47.800
Right here.

11:47.800 --> 11:51.520
And if I look at the operating system details, it's making a best guess here.

11:51.520 --> 12:00.040
And it's saying it's running Linux 2.6.9 through 2.6.30, which means it's fairly confident that our

12:00.070 --> 12:02.110
operating system is one of these versions.

12:02.110 --> 12:08.080
Between that, we can also see, unlike before, there is only one hop between my machine, in which

12:08.080 --> 12:09.460
case I'm running the scan.

12:09.460 --> 12:14.230
And the virtual machine that's associated with that means there's nothing in between, because one hop

12:14.230 --> 12:15.610
is actually the machine.

12:15.610 --> 12:19.420
There's no route switching or anything else in between our two devices.

12:19.420 --> 12:23.890
This is important to note when we're doing a fingerprinting, because it really tells us how many machines

12:23.890 --> 12:29.770
or how many systems are between me and the operating system or the fingerprinting system that I'm actually

12:29.770 --> 12:31.990
trying to communicate with.

12:32.110 --> 12:34.990
You may see exam questions here specific to this.

12:34.990 --> 12:40.480
And again, you just need to know how to read something like nmap that provides us this detailed information.

12:41.350 --> 12:45.700
The next thing that we want to run is the software. For software,

12:45.730 --> 12:50.600
a lot of times we're going to run a basic nmap scan with the -sV command, which we showed you specifically

12:50.600 --> 12:54.230
with the network mapping, except we're doing it on the client base as well.

12:54.230 --> 12:59.600
If you don't remember it's just nmap with a switch or tac lowercase s uppercase V.

12:59.600 --> 13:05.570
And then the specific IP address in this case 10.0.2.5 and pressing enter to let it go through.

13:05.690 --> 13:10.730
This isn't the only software that you should be associated with or understand on your network.

13:10.730 --> 13:15.980
nmap doesn't have a specific command to identify every piece of software on an individual client

13:15.980 --> 13:22.130
or a server, but it does provide us basically a high-level overview of what's going on.

13:22.130 --> 13:28.910
If you're in the CySA or if you're an analyst, you should have a list of software or assets associated

13:28.910 --> 13:30.980
with every client on your network.

13:30.980 --> 13:37.790
Meaning if you're running a Windows system and it uses Microsoft Office Excel, maybe it uses Outlook

13:37.790 --> 13:42.950
for its email or other proprietary software or even common software like Java.

13:42.980 --> 13:47.550
You should have a list of every software that's associated with that specific device.

13:47.580 --> 13:52.260
A lot of times that software is held at the IT team, because that's more of their primary responsibility

13:52.260 --> 13:54.450
than ours as cybersecurity specialists.

13:54.450 --> 13:59.640
But we want access to those services and software that are associated specifically with that machine.

13:59.640 --> 14:03.600
Because if we're doing patching, if we have a piece of malware or we have something that's going on,

14:03.600 --> 14:07.980
we obviously need to know what was associated with that specific machine, because it could lead us

14:07.980 --> 14:11.430
down some interesting pathways as we're doing our investigation.

14:11.460 --> 14:15.570
However, for nmap, we're just going to run a basic services scan like we saw before.

14:15.570 --> 14:19.740
In this case, really nothing has changed, because we only did it for a specific machine.

14:19.740 --> 14:21.900
And you should know how to read this again.

14:21.900 --> 14:29.610
You may see questions specific to HTTPS or even EIP where it's not really providing you the port number,

14:29.610 --> 14:33.630
but expecting you to understand the correlated port address for it.

14:33.660 --> 14:36.810
Again, with open ports, we're going to run the same command as before.

14:36.810 --> 14:39.210
We can do that -p- switch just like before.

14:39.210 --> 14:42.720
I'm not going to show that again because I feel like we've already covered that in the network scan.

14:42.720 --> 14:48.070
And it's really no different except we're going to provide that same scan to an individual IP address

14:48.070 --> 14:50.470
rather than a network as a whole.

14:50.500 --> 14:54.520
Now, you may be asking yourselves for network scanning and then again for fingerprinting.

14:54.520 --> 14:59.620
Why would I run the same command twice on an individual machine if I already have it on a network scan?

14:59.650 --> 15:04.420
A lot of times it's because of the reporting feature or the output feature of the actual software.

15:04.420 --> 15:05.260
In nmap,

15:05.260 --> 15:10.570
you could actually do an output for a report based on the entire IP address range that you're utilizing.

15:10.570 --> 15:15.700
For instance, if I'm doing network mapping, maybe I want to fill out a report for every IP address

15:15.700 --> 15:21.670
that provides me all the port numbers and associated services for the entire gamut of the CIDR address.

15:21.670 --> 15:27.820
But maybe I have an individual report on a shared drive that tells me, hey, I have a Windows IP address

15:27.850 --> 15:33.400
associated with Windows 10 running this service and this software.

15:33.400 --> 15:37.120
And here's the open ports associated directly with that specific device.

15:37.120 --> 15:39.820
So I have an individual report for that specific machine.

15:39.820 --> 15:41.830
But I also have one for the network as a whole.

15:41.830 --> 15:43.130
And they should match up.

15:43.160 --> 15:46.340
If they don't, then that could pose some possible issues.

15:46.760 --> 15:50.600
Again, I can run services on the system using -sV.

15:50.900 --> 15:54.800
I can also identify the specific MAC address associated with it.

15:54.830 --> 16:02.030
To do that, I would run an nmap command to the specific IP address, in this case 10.0.5.

16:02.030 --> 16:06.200
And I could run through and grab that specific IP address.

16:06.230 --> 16:13.580
Now if I wanted to find out the specific MAC address, to identify a specific MAC address on our specific

16:13.580 --> 16:15.320
machine, we're going to again run nmap.

16:15.320 --> 16:19.970
I'm just going to throw sudo in front of it, and then we'll do nmap.

16:20.330 --> 16:22.010
I can't type today nmap.

16:22.010 --> 16:26.870
And then we're going to do a switch or tack lowercase s uppercase P.

16:27.290 --> 16:30.950
And then we're going to do a switch in lowercase space.

16:30.950 --> 16:35.990
And then the specific IP address we want to run in this case 10.0.2.5.

16:35.990 --> 16:37.130
And it should run through.

16:37.130 --> 16:37.850
And here you go.

16:37.850 --> 16:40.010
We can see our MAC address right here.

16:40.340 --> 16:43.050
The MAC address in this case right here.

16:43.080 --> 16:48.720
0800 2742887 for our MAC address. Again,

16:48.750 --> 16:54.630
CySA isn't going to specifically identify nmap commands that you may have to remember.

16:54.630 --> 17:01.050
If I'm showing you the nmap command here on today's lesson and on our previous lab, I would memorize

17:01.050 --> 17:01.350
those.

17:01.350 --> 17:06.480
I really would because there are labs specific in your hands on material there.

17:06.480 --> 17:09.300
You may have to identify specific commands for nmap.

17:09.300 --> 17:11.670
They are few and far between, but they are there.

17:11.670 --> 17:15.780
It's not uncommon for your CySA exam to ask for a specific command.

17:15.810 --> 17:19.680
Usually this is -sn, or in order to run a port scan.

17:19.680 --> 17:26.910
And normally it's asking, hey, this nmap command, nmap switch lowercase s uppercase V, runs what type of

17:26.910 --> 17:29.400
command? Expect to see those types of questions.

17:29.400 --> 17:31.800
Don't expect to see questions like,

17:32.130 --> 17:36.420
input the command for nmap to run this type of scan.

17:36.540 --> 17:42.480
Their testing material or testing database doesn't really form around that type of test question,

17:42.480 --> 17:47.220
but it does form around giving you the command and expecting you to understand what the output of that

17:47.220 --> 17:48.390
command may offer.

17:48.420 --> 17:52.020
That's the type of questions you can expect to see for IP addresses.

17:52.020 --> 17:56.910
We've kind of already covered that with the basic command of switch -sn, which does a port scan or,

17:56.940 --> 18:00.690
excuse me, an IP scan which identifies the IP address associated with it.

18:00.690 --> 18:04.650
And then again configuration settings for configuration settings.

18:04.650 --> 18:09.990
They're really more talking about specific IP addresses that aren't associated with operating systems.

18:09.990 --> 18:16.470
You're talking about firmware versions or that type of thing where we're looking more at IPS, routers,

18:16.470 --> 18:20.280
firewalls, items on your network that actually take configuration.

18:20.310 --> 18:25.260
A lot of times in my own past, what we used to do is we would share those configuration settings onto

18:25.290 --> 18:31.020
a USB drive, as well as a shared folder that was secured in our own databases, so that if I had a

18:31.020 --> 18:35.670
device like a firewall crash on me, all of a sudden I could take that USB drive which had the past

18:35.670 --> 18:40.090
configuration settings already on it, and it would make setting up that new firewall that much easier

18:40.090 --> 18:44.020
because it's literally loading the configuration settings onto the new device.

18:44.050 --> 18:48.250
It's also nice if I'm troubleshooting a firewall and it has some specific issues with it.

18:48.250 --> 18:51.760
Maybe it took a hiccup in power and it's just not operating properly.

18:51.760 --> 18:56.710
I can already have those configuration settings set aside where I can plug it in and just streamline

18:56.710 --> 18:58.900
the process all the way from the start to the finish.

18:58.930 --> 19:03.820
Not all network devices have that capability, but it is nice to have that already set aside if you

19:03.820 --> 19:04.720
have an issue.

19:04.870 --> 19:09.460
Remember, configuration settings are something that you should save and provide if nothing else, just

19:09.460 --> 19:13.300
screenshots that you can follow along if something happens within those devices.

19:13.330 --> 19:18.130
As a cybersecurity professional, you should have access to those settings on a case by case basis.

19:18.160 --> 19:20.890
In most cases, we want those settings all the time.

19:20.950 --> 19:24.790
And it just again provides us a little bit of error correction if something goes on with that network.

19:24.970 --> 19:26.860
And then finally unique identifiers.

19:26.860 --> 19:30.790
Unique identifiers can be anything from a one off from a normal configuration.

19:30.790 --> 19:36.010
In my own line of work, we used to have 5 or 6 different routers, and other than the actual IP address,

19:36.010 --> 19:37.540
they were exactly the same.

19:37.540 --> 19:43.370
In those instances, we may have an offset where one switch is operating against the norm.

19:43.370 --> 19:47.240
We would try to identify those unique identifiers specific to that switch.

19:47.270 --> 19:51.410
Normally we'd save those in configuration files, or maybe we would color code it.

19:51.410 --> 19:54.590
I remember on one rack we had five different switches.

19:54.590 --> 20:00.020
And so for that specific switch we would color it green with a nice juicy tag and some spray paint.

20:00.020 --> 20:04.670
I know we were high tech, but we would identify that switch as being unique, and that was a unique

20:04.670 --> 20:06.080
identifier we'd utilize with it.

20:06.080 --> 20:08.360
And it would tell everybody that was working on that switch.

20:08.360 --> 20:11.540
There's a different configuration file for this switch than the rest of them.

20:11.540 --> 20:15.830
We only did that because we constantly had people going in, and then readdressing that same switch

20:15.830 --> 20:17.570
to the normal switch

20:17.570 --> 20:19.430
configuration files that we always use.

20:19.460 --> 20:24.320
Unique identifiers can be anything from a color code to a specific IP address associated with it, or

20:24.320 --> 20:26.750
technology that isn't used on our normal switches.

20:26.780 --> 20:31.400
Throughout this episode, we talked about both network mapping and fingerprinting, and how to utilize

20:31.400 --> 20:34.610
those and the differences in between with the network mapping.

20:34.610 --> 20:39.420
We're really talking about the network as a whole and getting that logical or logical point of view

20:39.420 --> 20:41.940
of how our network map actually functions.

20:41.940 --> 20:46.500
This is more utilized for IT to identify, hey, the router connects to this switch and this switch

20:46.500 --> 20:48.150
goes to here, and this goes to here.

20:48.150 --> 20:52.500
So that visually you could see all the different physical outputs or ports being utilized.

20:52.500 --> 20:55.560
And the cable throughputs between one device and another.

20:55.560 --> 21:00.870
While IT usually supports this mechanism, we as cybersecurity professionals need to know it as well.

21:00.870 --> 21:03.330
And we should have a copy of the network mapping.

21:03.330 --> 21:08.790
We also want the logical perspective where we're identifying each IP address through nmap or some other

21:08.790 --> 21:12.540
form where we can quickly identify what's interconnected between it.

21:12.540 --> 21:17.760
So we want that physical mapping perspective, which we may see from a topological point of view.

21:17.760 --> 21:21.960
But you also want the software version where we can actually see the different IP addresses and how

21:21.960 --> 21:23.490
they're associated with one another.

21:24.240 --> 21:29.580
With fingerprinting, we're actually talking about the specific device and how it operates on an individual

21:29.580 --> 21:34.920
level, what ports are open, what services are operating, the different software that's on it as well.

21:34.920 --> 21:38.320
Within CySA, expect to see a lot of outputs within there.

21:38.320 --> 21:43.450
And when I say a lot, I really mean 1 or 2 questions that are associated with specific nmap outputs

21:43.450 --> 21:48.310
or other software that you've been accustomed with, maybe Angry IP or something similar to it.

21:48.310 --> 21:52.630
You should be able to read those different outputs and identify what's going on with the device based

21:52.630 --> 21:54.100
on the information they provide.

21:54.100 --> 21:59.170
This seems pretty common sense and should be somewhat easy for you to read as a cyber professional,

21:59.170 --> 22:02.680
but I would brush up on it, especially if I haven't seen those outputs in a while.

22:02.680 --> 22:07.570
A lot of times as analysts, we get pigeonholed into one career field or one aspect of our job.

22:07.570 --> 22:13.060
Remember that CySA is a broad scope of different jobs, all formulated at a high level, and so you

22:13.060 --> 22:15.490
need to be aware of how those different outputs are read.

22:15.520 --> 22:18.130
I would just go over it once or twice before you take the exam.

22:18.130 --> 22:19.330
You should be okay.

22:19.330 --> 22:24.280
Remember, it isn't uncommon to see an nmap command associated with the exam.

22:24.280 --> 22:29.290
I myself have seen at least one nmap command as a quiz question, so be prepared for those high level

22:29.290 --> 22:34.270
quiz questions associated with those basic commands that you expect to see as part of nmap, and you

22:34.270 --> 22:35.230
should be okay.
