1 1 00:00:00,782 --> 00:00:03,449 Welcome to the scanning and enumeration phase. 2 2 00:00:03,449 --> 00:00:05,019 In this phase, we're going to be poking around 3 3 00:00:05,019 --> 00:00:06,615 until we can find the hole for us 4 4 00:00:06,615 --> 00:00:07,801 to exploit in our next phase. 5 5 00:00:07,801 --> 00:00:09,538 So, going back to our attacker's methodology, 6 6 00:00:09,538 --> 00:00:10,803 we've already performed our reconnaissance, 7 7 00:00:10,803 --> 00:00:12,049 and so now we're actually going to be looking 8 8 00:00:12,049 --> 00:00:13,939 at doing our scanning and enumeration. 9 9 00:00:13,939 --> 00:00:15,913 After this, we're going to move into gaining our access, 10 10 00:00:15,913 --> 00:00:17,213 which is going to be where we actually 11 11 00:00:17,213 --> 00:00:18,442 are going to do our exploit. 12 12 00:00:18,442 --> 00:00:20,032 So, scanning and enumeration. 13 13 00:00:20,032 --> 00:00:22,764 Scanning is, again, that active connecting to the system. 14 14 00:00:22,764 --> 00:00:24,799 We're actually starting to poke at the system, 15 15 00:00:24,799 --> 00:00:26,579 try to figure out what ports are open, 16 16 00:00:26,579 --> 00:00:28,046 what services they're running, 17 17 00:00:28,046 --> 00:00:29,512 and what versions they're running. 18 18 00:00:29,512 --> 00:00:30,746 Now, enumeration's when we start doing 19 19 00:00:30,746 --> 00:00:31,952 the in-depth gathering. 20 20 00:00:31,952 --> 00:00:33,341 At this point with our enumeration, 21 21 00:00:33,341 --> 00:00:35,391 we actually have found the open ports, 22 22 00:00:35,391 --> 00:00:36,975 and now we're going to identify those services 23 23 00:00:36,975 --> 00:00:37,998 on those ports. 24 24 00:00:37,998 --> 00:00:40,611 So, for example, if I found that they're running port 21 25 25 00:00:40,611 --> 00:00:42,618 as open, that's an FTP port. 
26 26 00:00:42,618 --> 00:00:44,727 That's scanning, but once I go and do 27 27 00:00:44,727 --> 00:00:46,478 a little bit further research, and I figure out 28 28 00:00:46,478 --> 00:00:48,977 that they're actually using VSFTP, 29 29 00:00:48,977 --> 00:00:51,758 that actually is going to be enumeration. 30 30 00:00:51,758 --> 00:00:53,643 We're going to compile all this information 31 31 00:00:53,643 --> 00:00:55,376 so that we have a lot of information to work with 32 32 00:00:55,376 --> 00:00:56,917 as we begin doing our exploits. 33 33 00:00:56,917 --> 00:00:58,458 The last piece of this phase, 34 34 00:00:58,458 --> 00:01:00,123 after we have scanned and enumerated, 35 35 00:01:00,123 --> 00:01:02,874 is identifying what those vulnerabilities are 36 36 00:01:02,874 --> 00:01:04,730 and what exploits may be available, 37 37 00:01:04,730 --> 00:01:06,831 so that we can move into our gaining access 38 38 00:01:06,831 --> 00:01:08,413 in the next phase. 39 39 00:01:08,413 --> 00:01:11,185 So, the question always is, "What tool should I use?" 40 40 00:01:11,185 --> 00:01:13,763 And there's a lot of different tools out there for this. 41 41 00:01:13,763 --> 00:01:15,740 Now, there's no good single tool. 42 42 00:01:15,740 --> 00:01:17,234 There's no one single source, 43 43 00:01:17,234 --> 00:01:19,069 and the reason for that is every tool 44 44 00:01:19,069 --> 00:01:20,676 does something a little bit differently. 45 45 00:01:20,676 --> 00:01:21,840 Some tools you have to pay for. 46 46 00:01:21,840 --> 00:01:23,354 Some are free and open source. 47 47 00:01:23,354 --> 00:01:24,953 Some tools are easily detected, 48 48 00:01:24,953 --> 00:01:26,705 while some others are more covert. 49 49 00:01:26,705 --> 00:01:28,589 So it's really going to depend on what you want to do. 
50 50 00:01:28,589 --> 00:01:30,367 There's other tools out there that when you run them, 51 51 00:01:30,367 --> 00:01:32,481 they're going to crash services on the victim machine, 52 52 00:01:32,481 --> 00:01:34,336 which then is going to create a denial of service, 53 53 00:01:34,336 --> 00:01:35,670 and you're going to get caught. 54 54 00:01:35,670 --> 00:01:38,133 So you have to be very careful with some of these tools. 55 55 00:01:38,133 --> 00:01:39,466 So what are we going to use in our class? 56 56 00:01:39,466 --> 00:01:41,093 Well, we're going to use Zenmap, 57 57 00:01:41,093 --> 00:01:43,056 and Zenmap is a graphical front end 58 58 00:01:43,056 --> 00:01:45,184 for the Nmap scanning program. 59 59 00:01:45,184 --> 00:01:47,677 Now, Nmap is by far the most popular scanning program 60 60 00:01:47,677 --> 00:01:49,995 in the world, and Zenmap lets us harness all that power 61 61 00:01:49,995 --> 00:01:52,155 in an easy-to-use graphical format. 62 62 00:01:52,155 --> 00:01:53,720 It's a free and open source product. 63 63 00:01:53,720 --> 00:01:56,610 It runs on Windows, it runs on Mac, and it runs on Linux, 64 64 00:01:56,610 --> 00:01:59,183 and is installed by default in Kali Linux, 65 65 00:01:59,183 --> 00:02:01,832 which is our penetration testing platform. 66 66 00:02:01,832 --> 00:02:03,508 With Zenmap, we're going to be able to do 67 67 00:02:03,508 --> 00:02:04,719 our scanning of our targets. 68 68 00:02:04,719 --> 00:02:06,215 We're going to do this in a couple of different ways. 69 69 00:02:06,215 --> 00:02:07,549 We can do an ARP scan. 70 70 00:02:07,549 --> 00:02:08,612 We can do a ping scan. 71 71 00:02:08,612 --> 00:02:09,879 We can do NetBIOS scans, 72 72 00:02:09,879 --> 00:02:11,706 or we can even do passive collection 73 73 00:02:11,706 --> 00:02:13,202 using something like Wireshark, 74 74 00:02:13,202 --> 00:02:16,868 and we'll talk about these as we go through as well. 
75 75 00:02:16,868 --> 00:02:19,100 So the first one we wanted to talk about is ARP scanning. 76 76 00:02:19,100 --> 00:02:21,357 Now, when you use this with Nmap, the command is 77 77 00:02:21,357 --> 00:02:24,352 nmap-PR, and then the IP address, 78 78 00:02:24,352 --> 00:02:26,832 and this will do the scanning using ARP. 79 79 00:02:26,832 --> 00:02:28,210 There's a lot of advantages to this. 80 80 00:02:28,210 --> 00:02:30,634 It's low-level, it looks like legitimate traffic, 81 81 00:02:30,634 --> 00:02:32,233 and it's never going to be blocked by a target 82 82 00:02:32,233 --> 00:02:33,608 because you physically have to have 83 83 00:02:33,608 --> 00:02:35,951 ARP enabled for your networks to run. 84 84 00:02:35,951 --> 00:02:37,216 Essentially what ARP does is 85 85 00:02:37,216 --> 00:02:38,715 it's address resolution protocol. 86 86 00:02:38,715 --> 00:02:40,499 It's what translates the Mac addresses 87 87 00:02:40,499 --> 00:02:42,905 into IPs and IPs into Mac addresses. 88 88 00:02:42,905 --> 00:02:45,623 Now, the disadvantages that we have with this is that 89 89 00:02:45,623 --> 00:02:47,493 you can't go across to a different subnet. 90 90 00:02:47,493 --> 00:02:49,035 So in our lab, for instance, 91 91 00:02:49,035 --> 00:02:53,151 we're going to be using the 192.168.56 dot something subnet, 92 92 00:02:53,151 --> 00:02:54,980 and so if we had somebody on the 93 93 00:02:54,980 --> 00:02:57,026 192.168.1 dot something subnet, 94 94 00:02:57,026 --> 00:02:59,139 we won't be able to use ARP to do that scanning. 95 95 00:02:59,139 --> 00:03:01,197 Now, for us, that would be fine because we're going to 96 96 00:03:01,197 --> 00:03:03,356 keep everything inside the same subnet, but by doing that, 97 97 00:03:03,356 --> 00:03:05,837 you have to have access to that network. 98 98 00:03:05,837 --> 00:03:07,767 That's a drawback of using ARP. 99 99 00:03:07,767 --> 00:03:09,099 So how do we get by that? 
100 100 00:03:09,099 --> 00:03:11,715 Well, you migrate on to what we call ping. 101 101 00:03:11,715 --> 00:03:13,634 Now, when we do a ping scan, we're actually using 102 102 00:03:13,634 --> 00:03:16,460 ICMP traffic, internet control messaging protocol. 103 103 00:03:16,460 --> 00:03:18,735 And the way we do this is we can use a regular ping command 104 104 00:03:18,735 --> 00:03:20,800 in Windows or Unix, and we just do that 105 105 00:03:20,800 --> 00:03:22,370 by doing ping and the IP address. 106 106 00:03:22,370 --> 00:03:24,661 Or we can use Nmap to do it by doing 107 107 00:03:24,661 --> 00:03:27,665 Nmap-sn, and the IP address. 108 108 00:03:27,665 --> 00:03:29,238 The advantages of this is 109 109 00:03:29,238 --> 00:03:31,035 you can use this locally or remotely. 110 110 00:03:31,035 --> 00:03:32,723 It can go across subnets, which is great 111 111 00:03:32,723 --> 00:03:34,322 because we couldn't do that with ARP. 112 112 00:03:34,322 --> 00:03:35,757 The other thing that's nice about it 113 113 00:03:35,757 --> 00:03:37,316 is it uses the Layer 3 protocol, 114 114 00:03:37,316 --> 00:03:39,066 so we're going to get back a time to live. 115 115 00:03:39,066 --> 00:03:40,635 Now, the usefulness of having a time to live 116 116 00:03:40,635 --> 00:03:42,521 is we're going to be able to make a determination, 117 117 00:03:42,521 --> 00:03:44,828 at least a rough guess, on what operating system 118 118 00:03:44,828 --> 00:03:47,321 it's using, based on the time to live that we receive, 119 119 00:03:47,321 --> 00:03:48,987 and we'll talk about that in a minute as well. 120 120 00:03:48,987 --> 00:03:50,632 So, what are the disadvantages to ping? 121 121 00:03:50,632 --> 00:03:52,723 Well, it's blocked by many firewalls. 
122 122 00:03:52,723 --> 00:03:55,628 Some Network IDSs are going to log ping activity, 123 123 00:03:55,628 --> 00:03:57,261 and so you may get caught if you're doing 124 124 00:03:57,261 --> 00:03:58,574 a bunch of ping sweeps, and it's typically used 125 125 00:03:58,574 --> 00:04:00,624 by both system admins and hackers. 126 126 00:04:00,624 --> 00:04:02,732 The good news there is, system admins use it, 127 127 00:04:02,732 --> 00:04:04,410 so it can look like legitimate traffic. 128 128 00:04:04,410 --> 00:04:06,191 The bad news is, lots of hackers use it, 129 129 00:04:06,191 --> 00:04:08,331 so it also puts you in that negative category, 130 130 00:04:08,331 --> 00:04:11,731 which is why those Network IDSs are logging this activity. 131 131 00:04:11,731 --> 00:04:14,135 So, beyond ping, we can actually move into 132 132 00:04:14,135 --> 00:04:15,869 what's called traceroute, and we talked about this 133 133 00:04:15,869 --> 00:04:17,739 in the last lecture for reconnaissance as well, 134 134 00:04:17,739 --> 00:04:19,533 and we can do that using Nmap as well. 135 135 00:04:19,533 --> 00:04:22,199 We can do nmap-traceroute, and the IP address. 136 136 00:04:22,199 --> 00:04:23,589 The nice thing about doing it this way, 137 137 00:04:23,589 --> 00:04:25,251 as opposed to a ping, is we're also going to get 138 138 00:04:25,251 --> 00:04:27,212 all the IPs of the routers along the way. 139 139 00:04:27,212 --> 00:04:28,887 Now the bad thing of this is it is blocked 140 140 00:04:28,887 --> 00:04:30,472 by some firewalls, just like ping, 141 141 00:04:30,472 --> 00:04:33,270 because again, it's that ICMP traffic. 142 142 00:04:33,270 --> 00:04:35,376 The next one that we can use is NetBIOS, 143 143 00:04:35,376 --> 00:04:38,010 and NetBIOS is actually something that's used by Windows. 
144 144 00:04:38,010 --> 00:04:39,904 It blends into a Windows environment very well 145 145 00:04:39,904 --> 00:04:42,662 because Windows is sending NetBIOS requests all the time, 146 146 00:04:42,662 --> 00:04:45,565 and what NetBIOS does is it converts the IP addresses 147 147 00:04:45,565 --> 00:04:47,523 to that Windows work group name 148 148 00:04:47,523 --> 00:04:49,457 or that host name on the network. 149 149 00:04:49,457 --> 00:04:51,040 This will actually be able to give us 150 150 00:04:51,040 --> 00:04:52,088 a lot of details about the host. 151 151 00:04:52,088 --> 00:04:53,172 We can find out if it's a member 152 152 00:04:53,172 --> 00:04:54,010 of a work group or a domain. 153 153 00:04:54,010 --> 00:04:55,339 We can find out its host name. 154 154 00:04:55,339 --> 00:04:56,608 We can find out its Mac address, 155 155 00:04:56,608 --> 00:04:58,103 and we can find out if it's doing file 156 156 00:04:58,103 --> 00:05:00,502 and print sharing across Windows, and if it is, 157 157 00:05:00,502 --> 00:05:02,533 these are vulnerabilities we can later exploit. 158 158 00:05:02,533 --> 00:05:04,626 Now, the thing you have to be careful with NetBIOS is, 159 159 00:05:04,626 --> 00:05:07,963 if you try to do a NetBIOS lookup on a Unix machine, 160 160 00:05:07,963 --> 00:05:11,213 that's going to look really odd because Unix doesn't use it. 161 161 00:05:11,213 --> 00:05:12,547 This is really noticeable, 162 162 00:05:12,547 --> 00:05:14,254 and it can really flag the defenders. 163 163 00:05:14,254 --> 00:05:16,912 So we talked a minute ago about time to live. 164 164 00:05:16,912 --> 00:05:18,976 Now, when we do a ping, we do get back the time to live, 165 165 00:05:18,976 --> 00:05:20,740 and that is probably one of the simplest ways 166 166 00:05:20,740 --> 00:05:23,285 to fingerprint and figure out what OS they're running. 
167 167 00:05:23,285 --> 00:05:26,544 You'll be able to tell if it's Unix, Linux, Cisco IOS, 168 168 00:05:26,544 --> 00:05:30,016 like a router, or a Mac system, based on that time to live. 169 169 00:05:30,016 --> 00:05:32,660 It's not accurate, though, because those defaults 170 170 00:05:32,660 --> 00:05:34,428 can be changed by the system administrator. 171 171 00:05:34,428 --> 00:05:36,039 Most people don't change their defaults, 172 172 00:05:36,039 --> 00:05:38,746 so it will be fairly accurate as far as that goes, 173 173 00:05:38,746 --> 00:05:40,928 but just realize that somebody could change 174 174 00:05:40,928 --> 00:05:43,059 their time to live and make it look like a Windows machine, 175 175 00:05:43,059 --> 00:05:44,446 even if they're running Linux. 176 176 00:05:44,446 --> 00:05:46,644 So if you're running Linux or Mac OSX, 177 177 00:05:46,644 --> 00:05:49,636 you're going to have 64 as your time to live by default. 178 178 00:05:49,636 --> 00:05:51,533 If you're running Windows, it's 128. 179 179 00:05:51,533 --> 00:05:55,171 If you're running something like Solaris or Cisco, it's 255. 180 180 00:05:55,171 --> 00:05:56,884 Now these are just some basic numbers to use, 181 181 00:05:56,884 --> 00:05:58,101 and again, they're defaults. 182 182 00:05:58,101 --> 00:05:59,901 They're not the hard and fast rule, 183 183 00:05:59,901 --> 00:06:01,575 but they do give you a good starting point, 184 184 00:06:01,575 --> 00:06:03,817 as you're trying to fingerprint that OS. 185 185 00:06:03,817 --> 00:06:05,629 So the next stage after we do our scanning 186 186 00:06:05,629 --> 00:06:06,781 is our enumeration. 187 187 00:06:06,781 --> 00:06:08,127 And we talked about this before, 188 188 00:06:08,127 --> 00:06:10,011 that enumeration is finding out those nitty, gritty details. 
189 189 00:06:10,011 --> 00:06:12,079 We're going to determine the OS and the service pack 190 190 00:06:12,079 --> 00:06:14,875 that we're running, and we can identify the machine's role. 191 191 00:06:14,875 --> 00:06:17,343 Is it a workstation, a server, a router, 192 192 00:06:17,343 --> 00:06:18,960 some other infrastructure device? 193 193 00:06:18,960 --> 00:06:20,817 These are all important things to understand. 194 194 00:06:20,817 --> 00:06:22,374 And we're going to use this information to find 195 195 00:06:22,374 --> 00:06:24,733 the vulnerabilities for the identified services. 196 196 00:06:24,733 --> 00:06:26,650 Now, by doing this, and getting more information, 197 197 00:06:26,650 --> 00:06:28,282 we can be quieter in our attacks. 198 198 00:06:28,282 --> 00:06:29,493 The more we know about the victim, 199 199 00:06:29,493 --> 00:06:32,083 the more quieter and well-refined our attack can be, 200 200 00:06:32,083 --> 00:06:33,984 the less likely we're going to get caught. 201 201 00:06:33,984 --> 00:06:35,943 So, as I'm doing my scanning and enumeration, 202 202 00:06:35,943 --> 00:06:38,170 what are the kind of things I should be looking for? 203 203 00:06:38,170 --> 00:06:40,009 I need to look for ports, and the reason 204 204 00:06:40,009 --> 00:06:41,793 I want to look for ports is that there's 205 205 00:06:41,793 --> 00:06:42,964 a port associated with a service. 206 206 00:06:42,964 --> 00:06:45,050 So, for example, if I have a web server running, 207 207 00:06:45,050 --> 00:06:47,698 it's going to have port 80 or port 443 208 208 00:06:47,698 --> 00:06:49,596 if it's unsecure or secure. 209 209 00:06:49,596 --> 00:06:52,708 If I'm running FTP, I'll have port 20 and 21 open. 210 210 00:06:52,708 --> 00:06:55,177 If I'm running something like SSH, it's 22. 211 211 00:06:55,177 --> 00:06:57,572 If I'm running SMTP, it's 25. 
212 212 00:06:57,572 --> 00:06:59,776 If I'm running a POP server, it's 110, 213 213 00:06:59,776 --> 00:07:02,962 IMAP, 143, Remote Desktop, 3389. 214 214 00:07:02,962 --> 00:07:04,542 All those ports that become important 215 215 00:07:04,542 --> 00:07:06,472 in your certification exams are now coming back, 216 216 00:07:06,472 --> 00:07:07,851 and we can identify those. 217 217 00:07:07,851 --> 00:07:09,080 Now, what are some of the ones 218 218 00:07:09,080 --> 00:07:10,332 that I would really want to look for? 219 219 00:07:10,332 --> 00:07:13,224 Myself, I like to identify if it's Windows or Linux. 220 220 00:07:13,224 --> 00:07:14,913 If it's Windows, I'm going to see things 221 221 00:07:14,913 --> 00:07:17,500 like 135, 139, and 445. 222 222 00:07:17,500 --> 00:07:20,103 Those are NetBIOS file sharing in Windows. 223 223 00:07:20,103 --> 00:07:21,867 They're very common in Windows environment, 224 224 00:07:21,867 --> 00:07:24,757 not very common in a Unix environment. 225 225 00:07:24,757 --> 00:07:27,528 Port 445 may be open in a Unix environment as well, 226 226 00:07:27,528 --> 00:07:29,385 and the reason for that is they will run something called 227 227 00:07:29,385 --> 00:07:32,385 Samba, but you're never going to see that port 135 open. 228 228 00:07:32,385 --> 00:07:35,049 That's pretty much a dead giveaway on the Windows side. 229 229 00:07:35,049 --> 00:07:37,117 The next thing I look for is if it's Linux. 230 230 00:07:37,117 --> 00:07:40,269 If it's port 111, 631, or 2049, 231 231 00:07:40,269 --> 00:07:42,006 those are common Linux ports, 232 232 00:07:42,006 --> 00:07:44,031 111 being remote procedure call mapping, 233 233 00:07:44,031 --> 00:07:46,663 631 being Cups, which is printer services, 234 234 00:07:46,663 --> 00:07:49,900 and 2049 being NFS, which is file sharing. 235 235 00:07:49,900 --> 00:07:51,979 So these are some common ports you can identify 236 236 00:07:51,979 --> 00:07:53,794 whether it's a Windows or a Linux machine. 
237 237 00:07:53,794 --> 00:07:55,765 Now just because I've identified if it's Windows or Linux, 238 238 00:07:55,765 --> 00:07:58,187 I still haven't identified whether it's Windows XP, 239 239 00:07:58,187 --> 00:08:00,957 Windows 2003, Windows 7, Windows 8, Windows 10, 240 240 00:08:00,957 --> 00:08:03,139 I just know that it's Windows in general. 241 241 00:08:03,139 --> 00:08:05,314 So we'll talk about how to get that specific version 242 242 00:08:05,314 --> 00:08:07,358 identification a little bit later on. 243 243 00:08:07,358 --> 00:08:09,063 So what are some enumeration methods? 244 244 00:08:09,063 --> 00:08:10,753 Well, we can do manual enumeration 245 245 00:08:10,753 --> 00:08:13,102 through something called banner grabbing, and what that is, 246 246 00:08:13,102 --> 00:08:15,094 is we're going to connect to the target using Telnet. 247 247 00:08:15,094 --> 00:08:18,370 So if I had, for instance, I found port 21 was open, 248 248 00:08:18,370 --> 00:08:21,693 which is an FTP server, I can Telnet against that port 21, 249 249 00:08:21,693 --> 00:08:24,697 and I'll get a response saying, "Welcome to the FTP server," 250 250 00:08:24,697 --> 00:08:26,764 and part of that will tell me the version number. 251 251 00:08:26,764 --> 00:08:27,871 That's called the banner, 252 252 00:08:27,871 --> 00:08:29,820 and so I can get the operating system this way. 253 253 00:08:29,820 --> 00:08:31,325 I can get the version of the software 254 254 00:08:31,325 --> 00:08:32,641 they're running this way, 255 255 00:08:32,641 --> 00:08:34,662 and that's going to give me more details to do more attacks. 256 256 00:08:34,662 --> 00:08:38,420 Very common things with banners: FTP, SSH, Telnet, 257 257 00:08:38,420 --> 00:08:40,679 and web browsing, so if you find those ports open, 258 258 00:08:40,679 --> 00:08:43,534 do a banner grab and find out what they've got. 
259 259 00:08:43,534 --> 00:08:45,089 There's also other tools that will do 260 260 00:08:45,089 --> 00:08:46,691 automatic enumeration for you. 261 261 00:08:46,691 --> 00:08:48,308 So, what's the tool we're going to use? 262 262 00:08:48,308 --> 00:08:49,746 Again, we're going to use Nmap. 263 263 00:08:49,746 --> 00:08:50,819 I know I said earlier, 264 264 00:08:50,819 --> 00:08:52,162 "There is no single tool for everything," 265 265 00:08:52,162 --> 00:08:54,400 but Nmap is a really great tool for a lot of things, 266 266 00:08:54,400 --> 00:08:55,882 and so we're going to use it. 267 267 00:08:55,882 --> 00:08:57,543 Nmap is a great tool because it allows us 268 268 00:08:57,543 --> 00:08:59,713 to scan different layers of the TCP IP stack. 269 269 00:08:59,713 --> 00:09:02,348 We're going to be able to do pings and traceroutes, 270 270 00:09:02,348 --> 00:09:05,789 NetBIOS, TCP, UDP, and more using Nmap or Zenmap, 271 271 00:09:05,789 --> 00:09:08,471 and that's why we're going to use it for our labs. 272 272 00:09:08,471 --> 00:09:09,871 So what's the great thing about Nmap? 273 273 00:09:09,871 --> 00:09:11,159 It's going to do the scanning for us, 274 274 00:09:11,159 --> 00:09:12,716 and it's going to do the enumeration for us. 275 275 00:09:12,716 --> 00:09:14,017 So, when you run Nmap, 276 276 00:09:14,017 --> 00:09:17,006 you can run it very quietly and be very precise, 277 277 00:09:17,006 --> 00:09:18,981 or you can be more broad and more intense. 278 278 00:09:18,981 --> 00:09:20,988 We'll talk about those different profiles in a bit, 279 279 00:09:20,988 --> 00:09:23,681 but if we go more intense, we have the ability to do 280 280 00:09:23,681 --> 00:09:25,748 some of the enumeration inversion controls for us, 281 281 00:09:25,748 --> 00:09:27,244 and we're going to do that. 
282 282 00:09:27,244 --> 00:09:29,291 Now, one of the ways that Nmap works 283 283 00:09:29,291 --> 00:09:31,192 is it uses different TCP flags, 284 284 00:09:31,192 --> 00:09:34,229 and the way it does that is it's going to actually use 285 285 00:09:34,229 --> 00:09:36,460 the URG, the ACK, the push, the reset, the SYN, 286 286 00:09:36,460 --> 00:09:38,420 and the FIN and tell us, 287 287 00:09:38,420 --> 00:09:40,814 based on the way that it sets or doesn't set those flags 288 288 00:09:40,814 --> 00:09:43,118 and the responses it gets what ports are open, 289 289 00:09:43,118 --> 00:09:45,737 what things are answering up, what services they are, 290 290 00:09:45,737 --> 00:09:47,650 what operating system, and what versioning. 291 291 00:09:47,650 --> 00:09:48,715 That's how it does it. 292 292 00:09:48,715 --> 00:09:50,395 It's all about TCP flag manipulation. 293 293 00:09:50,395 --> 00:09:52,396 For example, the URG, which is urgent, 294 294 00:09:52,396 --> 00:09:55,003 even if it's out of order, it's going to transmit first 295 295 00:09:55,003 --> 00:09:56,686 because it wants to get those packets out 296 296 00:09:56,686 --> 00:09:57,644 as quickly as possible. 297 297 00:09:57,644 --> 00:09:59,273 This goes back to our TCP fundamentals 298 298 00:09:59,273 --> 00:10:02,039 that you may have learned in earlier networking classes. 299 299 00:10:02,039 --> 00:10:04,392 ACK is the acknowledgement of the sender's request. 300 300 00:10:04,392 --> 00:10:07,448 Push is push the buffer data to the receiving application 301 301 00:10:07,448 --> 00:10:08,879 as quickly as possible. 302 302 00:10:08,879 --> 00:10:11,122 Reset is when you want to tear down the connection. 303 303 00:10:11,122 --> 00:10:14,191 SYN is used to agree on the number of sequences 304 304 00:10:14,191 --> 00:10:16,645 and start beginning that sequence of exchanges, 305 305 00:10:16,645 --> 00:10:19,186 and then FIN is when we do the graceful shutdown. 
306 306 00:10:19,186 --> 00:10:20,610 We finish the connection, we say, 307 307 00:10:20,610 --> 00:10:22,946 "Hey, I'm done sending you stuff, you may now reset." 308 308 00:10:22,946 --> 00:10:24,648 So, normally when we do a handshake, 309 309 00:10:24,648 --> 00:10:26,578 we do a SYN that says, 310 310 00:10:26,578 --> 00:10:28,179 "Hey, I want to make a connection with you." 311 311 00:10:28,179 --> 00:10:30,379 A SYN-ACK is received back from that server, saying, 312 312 00:10:30,379 --> 00:10:32,385 "I acknowledge that you want to talk with me," 313 313 00:10:32,385 --> 00:10:35,359 and then we send back the ACK, which acknowledges it, 314 314 00:10:35,359 --> 00:10:36,993 and then we can start communicating. 315 315 00:10:36,993 --> 00:10:38,623 Well, Nmap is going to do some of that, 316 316 00:10:38,623 --> 00:10:40,280 whether it's a full three-way handshake 317 317 00:10:40,280 --> 00:10:41,973 or parts of that handshake, 318 318 00:10:41,973 --> 00:10:43,170 and that's how it's going to do the manipulation 319 319 00:10:43,170 --> 00:10:45,701 to figure out what is being used on the distant side. 320 320 00:10:45,701 --> 00:10:47,813 Nmap also has the ability to do OS detection. 321 321 00:10:47,813 --> 00:10:49,784 It can determine what the operating system is. 322 322 00:10:49,784 --> 00:10:51,538 Now, when we do an OS detection, 323 323 00:10:51,538 --> 00:10:53,311 this is a noisy process in Nmap. 324 324 00:10:53,311 --> 00:10:55,971 So it's actually going to scan 1,000 ports 325 325 00:10:55,971 --> 00:10:58,087 on the remote host, and it's going to do it twice. 326 326 00:10:58,087 --> 00:10:59,850 So it's going to do it once, and it's going to do it again. 327 327 00:10:59,850 --> 00:11:01,848 Now, when it does it, it sends out 328 328 00:11:01,848 --> 00:11:04,016 six TCP packets with the SYN flag set. 
329 329 00:11:04,016 --> 00:11:06,600 It gets back with the sequence numbers and the window size, 330 330 00:11:06,600 --> 00:11:08,485 and based on those sequence number and window size, 331 331 00:11:08,485 --> 00:11:10,198 it can determine if it's Windows or Linux. 332 332 00:11:10,198 --> 00:11:13,435 Now, it's also going to send out two ICMP echo packets, 333 333 00:11:13,435 --> 00:11:15,278 and when it does that, it's checking the reply 334 334 00:11:15,278 --> 00:11:17,163 and the sequence numbers that it gets, and by doing that, 335 335 00:11:17,163 --> 00:11:19,497 it's able to get a more refined understanding 336 336 00:11:19,497 --> 00:11:21,291 of what version of Windows 337 337 00:11:21,291 --> 00:11:23,178 or what version of Linux you're using. 338 338 00:11:23,178 --> 00:11:25,794 It also has one UDP packet that's sent out to a closed port 339 339 00:11:25,794 --> 00:11:28,130 because closed ports are just as important as open ports. 340 340 00:11:28,130 --> 00:11:30,166 When I send something to a closed port, 341 341 00:11:30,166 --> 00:11:31,242 and I see that response, 342 342 00:11:31,242 --> 00:11:33,338 it tells me a lot about that operating system. 343 343 00:11:33,338 --> 00:11:35,907 And then, I'm also going to send out six TCP packets 344 344 00:11:35,907 --> 00:11:37,850 to open ports with various flag sets, 345 345 00:11:37,850 --> 00:11:40,444 going back with that acknowledge, the SYN, the reset, 346 346 00:11:40,444 --> 00:11:41,851 and see how those respond. 347 347 00:11:41,851 --> 00:11:44,752 Based on all those sending and receiving of responses, 348 348 00:11:44,752 --> 00:11:46,740 I'm going to be able to get a really good idea 349 349 00:11:46,740 --> 00:11:48,941 and get pretty accurate in knowing if it's Windows, 350 350 00:11:48,941 --> 00:11:51,316 Linux, and what version of Windows or Linux it is, 351 351 00:11:51,316 --> 00:11:53,353 and we're going to go through that in the lab as well. 
352 352 00:11:53,353 --> 00:11:55,076 The next thing that Nmap can do for us 353 353 00:11:55,076 --> 00:11:56,631 is it can do version scanning. 354 354 00:11:56,631 --> 00:11:59,312 So, because we've identified that port 21 is FTP, 355 355 00:11:59,312 --> 00:12:01,613 we can actually do a version scan and determine, 356 356 00:12:01,613 --> 00:12:04,906 not only is it FTP, but it's VSFTP, version 2.3. 357 357 00:12:04,906 --> 00:12:07,151 It's going to be based on when we send packets of data 358 358 00:12:07,151 --> 00:12:09,138 to that port and the responses we get back. 359 359 00:12:09,138 --> 00:12:10,900 Again, the scans take a long time, 360 360 00:12:10,900 --> 00:12:12,406 so it's best to use less ports. 361 361 00:12:12,406 --> 00:12:13,683 It's also very noisy. 362 362 00:12:13,683 --> 00:12:16,797 So if I have 1,000 ports, I don't want to scan all 1,000. 363 363 00:12:16,797 --> 00:12:19,731 I might choose FTP, and I might choose web browsing 364 364 00:12:19,731 --> 00:12:21,436 and go after those two first. 365 365 00:12:21,436 --> 00:12:22,677 It's going to send a SYN. 366 366 00:12:22,677 --> 00:12:24,953 It's going to get back a SYN/ACK, and once it receives that, 367 367 00:12:24,953 --> 00:12:26,230 it's going to send a reset 368 368 00:12:26,230 --> 00:12:27,507 which is going to tear down that link. 369 369 00:12:27,507 --> 00:12:29,144 The nice thing about this is it doesn't make 370 370 00:12:29,144 --> 00:12:31,971 a full connection, so it doesn't get logged into those IDSs, 371 371 00:12:31,971 --> 00:12:33,507 but as soon as it's done with that, 372 372 00:12:33,507 --> 00:12:35,872 it actually will go ahead and do a full three-way handshake, 373 373 00:12:35,872 --> 00:12:37,473 which is, again, going to be logged, 374 374 00:12:37,473 --> 00:12:39,198 and that's where it's going to review that response 375 375 00:12:39,198 --> 00:12:41,887 to be able to determine exactly the version you have. 
376 376 00:12:41,887 --> 00:12:44,310 So that first SYN, SYN/ACK and reset 377 377 00:12:44,310 --> 00:12:46,090 is just to find if the port's open. 378 378 00:12:46,090 --> 00:12:47,899 The second one is really to understand the response, 379 379 00:12:47,899 --> 00:12:49,859 and then do that version scanning. 380 380 00:12:49,859 --> 00:12:51,868 So earlier, I talked about the fact that we're going 381 381 00:12:51,868 --> 00:12:53,840 to use Zenmap, which is a graphical environment, 382 382 00:12:53,840 --> 00:12:56,099 and Zenmap has five default profiles, 383 383 00:12:56,099 --> 00:12:57,718 five basic default profiles. 384 384 00:12:57,718 --> 00:12:59,883 They are ping, quick, regular, 385 385 00:12:59,883 --> 00:13:01,754 intense, and slow comprehensive. 386 386 00:13:01,754 --> 00:13:03,641 Now, what a ping does is just that. 387 387 00:13:03,641 --> 00:13:04,852 It just sends out pings. 388 388 00:13:04,852 --> 00:13:06,755 It tells you is the host up or down? 389 389 00:13:06,755 --> 00:13:08,746 When we do our lab later, we're going to start out with ping 390 390 00:13:08,746 --> 00:13:11,033 and determine what hosts are available on the network. 391 391 00:13:11,033 --> 00:13:13,306 So we're going to start with a slash 24 392 392 00:13:13,306 --> 00:13:15,747 which has 254 possible hosts on it, 393 393 00:13:15,747 --> 00:13:17,523 and we're going to do a ping to find out 394 394 00:13:17,523 --> 00:13:19,264 that there's only two that are actually up. 395 395 00:13:19,264 --> 00:13:21,013 Then, based on knowing those two are up, 396 396 00:13:21,013 --> 00:13:22,615 we're going to do a quick scan of those two. 397 397 00:13:22,615 --> 00:13:24,095 And what a quick scan does, 398 398 00:13:24,095 --> 00:13:26,610 is it does the first 100 common ports 399 399 00:13:26,610 --> 00:13:29,122 and comes back with the information on those. 
After that, we can go to a regular, which does the 1,000 most common ports, and then we can even go into an intense or a slow comprehensive, which, again, gets us more detail. When I do something like an intense scan, I actually run about 150 different scripts on it, so that I can get NetBIOS information, version information, operating system information. All of that enumeration is done for me inside that intense scan. So again, it's a little bit noisier, but I'm going to get a lot of great details back. And then slow comprehensive is going to do even more of that. It's going to scan every port. It's going to scan every host on the network, and it's going to really run a ton of scripts just to find out as much information as it can. This is really, really noisy. If you're not the system administrator, you don't want to be running slow comprehensive. I would not run slow comprehensive if I were a hacker. I would get caught too easily.
And finally, that brings us down to: now that we have done our scanning and our enumeration, what are we going to do with that information? Well, let's assume that I went and scanned a Windows machine, and on that Windows machine I found that ports 135, 139, and 445 were open. That's Windows file share. Now, I can go to cve.mitre.org, which is the Common Vulnerabilities and Exposures database. In there, I can search for the operating system version I found, Microsoft XP, for instance. I can search for the fact that they're using file sharing, because I found those ports open, and find out what vulnerabilities exist. Now, as I go through there, I'm going to find a vulnerability that exists, for instance the one we're going to use, Microsoft 08-067. That particular code is the Microsoft knowledge base article for a bug that they found in 2008 in the Windows XP operating system.
Now, what we're going to do is match that vulnerability to that code, and that code we're then going to use inside our exploitation in our next phase, where we're going to use a program called Metasploit. And in there, we're going to be able to set that exploit. So now we have a vulnerability and an exploit, and when we match those up, we then have an exploitation, and that's how we're going to gain our access. So, at this point, we're going to move on and go into our lab environment. Here we're going to actually practice some of these scanning techniques that we just talked about.