[00:00:00] OK, so we know what scanning is. We also created our virtual machine that is vulnerable, and now we are ready to see what information we can get by scanning that machine. But before we scan a single machine to discover open ports, we must first discover what machines we have on our network. So the first part of scanning a network is to figure out how many hosts you have active and what their IP addresses are. In this case, we are going to act as if we got a task to scan our home network and we want to discover vulnerable machines within our home network.

[00:00:40] So let's start by seeing how many hosts we have active first. There are many ways that we can go about doing this. I know that all the possible hosts for my network must be in the range from 192.168.1.1 to 192.168.1.255, since my IP address starts with these first three numbers. Let me just type the password, and here it is: 192.168.1. This is the part that does change. And to scan all 254 hosts inside of my network, I can just go and ping each and every one of them and see whether they respond to our pinging or not. If they respond, they are online; if not, they are offline. But what if I had to test more than one network?
[00:01:31] What if I had ten more networks besides this one that I needed to test? Am I about to try to ping every possible host from all those networks? Of course not. That's why we are going to use different tools to perform this much faster.

[00:01:48] Let us try with the first tool, called arp. Now, arp is a tool in Linux, but it is also a packet. ARP packets are used in discovering hosts on the network, but more about them later on, once we get to the man-in-the-middle section. For now, just remember that they are packets for discovering hosts. Before we use this arp, make sure your Metasploitable is started up. And in case you have some other devices that you can connect to the Internet, connect them, just so we can get varied output and try to figure out which IP address belongs to which host.

[00:02:22] Now, our arp works based on those ARP packets that I mentioned. So if I type `arp --help` and press enter, it will tell me "command not found". Now, this is because I must run the tool with sudo privileges. So `sudo arp --help`. And here is the tool. It doesn't have too many options. We have `-a`, which displays all hosts in alternative (BSD) style, and `-e`, which displays hosts in default (Linux) style. And these options down here are not something that we are interested in. All we want to do is use this `-a` option.
[00:03:00] So if I go down here, clear the screen and type `sudo arp -a`, it will tell me it only discovered my router. But why is that? I have my Metasploitable running. I also have my laptop running, so it should be discovering other hosts as well. Sometimes we must ping first before it appears right here, since this information is being read from our ARP tables. For example, let me try to ping my Metasploitable. It will get responses back. And if I run `arp -a` again now, we will see that we got an entry for Metasploitable inside of our ARP tables.

[00:03:41] So this tool doesn't seem to be that good for discovering hosts. Sometimes it will have all the hosts available, since you already communicated with them before, but sometimes it seems that we must ping the host first before it shows. That's why a much better option is a tool called netdiscover. To run netdiscover, we can simply type `sudo netdiscover` inside of your terminal, press enter, and this tool will find all of the available devices on your network on its own. You don't have to ping anything. You don't have to communicate with anything. You can just leave this tool to run and it will find all the devices on your network. So right here, it managed to find five of them.
[00:04:24] We can see up here that it is still scanning, and it is just scanning different subnets, so it already finished mine. And you can Ctrl+C this if you already see the result, since this will scan all the usual subnets that occur in our network. Right here, we see that we captured five ARP packets, and there are requests and replies, but once again, more about that later. This just means that we managed to discover five hosts using these packets, and these are those five hosts. Let me Ctrl+C this, since it hasn't really managed to find any more hosts.

[00:04:58] And right here, we got their IP addresses, their MAC addresses and their MAC vendor name or hostname. So right here, I know that this is Metasploitable, which is this one. This one, 192.168.1.7, is my host machine, or my physical machine that I'm running my Kali Linux on. These two down here are two laptops, I believe. And this right here is my router. And how do I know that this is my router? Well, usually routers start with the first number; either it will be something like .0 or .1. And just so you can be sure which IP address your router has, you can type the command `netstat -nr`. And under this Gateway column, we should see the IP address of the router, so you can see they do match.
[00:05:49] The next step would be to go about scanning each and every one of them. And for this, we're going to be scanning our Metasploitable. And you can also scan your own machines, just for even more practice. See you in the next video.