1
00:00:00,550 --> 00:00:07,150
Let's check out how we can figure out what operating system our target is running just by scanning it

2
00:00:07,150 --> 00:00:09,430
with Nmap.

3
00:00:09,430 --> 00:00:16,720
This feature is quite popular as they have a database of thousands of known operating system fingerprints

4
00:00:16,870 --> 00:00:22,410
that they compare with the host that you scan in order to find out what operating system

5
00:00:22,420 --> 00:00:22,930
it's running.

6
00:00:23,990 --> 00:00:30,860
But for this to work, a target machine must have at least one port open and one port closed, which

7
00:00:30,860 --> 00:00:37,760
we need not worry about, since our Metasploitable has both open and closed ports. However, it could

8
00:00:37,760 --> 00:00:39,630
not work for some other targets.

9
00:00:40,310 --> 00:00:45,560
What I'm going to do in this video is I'm going to try to scan my Metasploitable, which is running Linux,

10
00:00:45,800 --> 00:00:53,840
and then I will try to scan my Windows 7 virtual machine that I got right here and I will try to scan

11
00:00:54,080 --> 00:00:59,420
my Windows 10 host machine and let us see what results we can get.

12
00:00:59,690 --> 00:01:03,620
Let's see whether Nmap can figure out what operating systems they are running.

13
00:01:05,030 --> 00:01:11,450
If I go back to my Kali Linux and let's go with Metasploitable first. To run the operating system feature,

14
00:01:11,450 --> 00:01:17,710
we must use sudo, and after nmap we specify -O for discovery of operating system.

15
00:01:18,140 --> 00:01:20,180
Then we specify the IP address.

16
00:01:20,720 --> 00:01:25,010
And if we specify the IP address of Metasploitable first, press Enter.

17
00:01:26,260 --> 00:01:27,670
Type in my password.

18
00:01:29,400 --> 00:01:36,120
It will take just a few seconds, and down in the results we can see the testing, it tells us right

19
00:01:36,120 --> 00:01:39,060
here that Metasploitable is running Linux.

20
00:01:40,300 --> 00:01:46,840
And down here in the OS details, it tells us which version exactly it is running and how many hops

21
00:01:47,140 --> 00:01:48,540
the target is distant from us.

22
00:01:49,360 --> 00:01:53,200
It says one, which means the host is inside of our network.

23
00:01:53,620 --> 00:01:59,500
And besides all of this, it also tells us that the machine that we are scanning is a virtual machine,

24
00:01:59,500 --> 00:02:00,970
as we can see right here.

25
00:02:01,570 --> 00:02:07,780
It managed to figure this out by the MAC address that Metasploitable has, since VirtualBox machines have

26
00:02:07,780 --> 00:02:09,680
MAC addresses that start the same.

27
00:02:10,030 --> 00:02:12,370
And these are these three first numbers.

28
00:02:13,940 --> 00:02:19,430
This is really interesting because it can sometimes help us to realize that our target is an actual

29
00:02:19,430 --> 00:02:25,670
virtual machine and not a physical machine, which could possibly indicate that we're scanning a honeypot,

30
00:02:25,790 --> 00:02:31,970
which is usually a purposely vulnerable virtual environment that is used for luring hackers in order

31
00:02:31,970 --> 00:02:34,490
to find out whether they're being attacked.

32
00:02:35,090 --> 00:02:39,980
This is because usually an attacker will go for the most vulnerable machine first, and that's how they

33
00:02:39,980 --> 00:02:40,480
catch them.

34
00:02:40,940 --> 00:02:44,460
That machine could possibly be put there on purpose.

35
00:02:45,050 --> 00:02:47,980
So for Metasploitable, we got the correct result.

36
00:02:47,990 --> 00:02:51,350
It tells us that it is running Linux, which is correct. Down here,

37
00:02:51,350 --> 00:02:54,050
it even tells us which version of Linux is running.

38
00:02:54,560 --> 00:02:58,360
And we can also see right here by the MAC address that this is a virtual machine.

39
00:02:58,790 --> 00:03:01,620
So we got a lot of useful results from Metasploitable.

40
00:03:02,240 --> 00:03:04,690
Let's try with my Windows 10 physical machine.

41
00:03:05,540 --> 00:03:12,630
So if I type nmap -O, and to scan my physical machine, I must check the IP address inside of my

42
00:03:12,650 --> 00:03:13,430
command prompt.

43
00:03:14,330 --> 00:03:22,240
If I type ipconfig, it will tell me that my IP address is 192.168.1.7. Let's type it in:

44
00:03:22,520 --> 00:03:29,110
192.168.1.7 and run the scan.

45
00:03:29,120 --> 00:03:30,930
It should also take just a few seconds.

46
00:03:31,460 --> 00:03:36,980
Once again, you could check at what percentage it is at by pressing the upper arrow, and it's currently

47
00:03:36,980 --> 00:03:37,820
eighty-one percent.

48
00:03:37,820 --> 00:03:40,640
Let's just wait for the remaining few seconds to finish.

49
00:03:41,710 --> 00:03:46,960
And it will tell me right here that it didn't manage to discover OS details.

50
00:03:47,710 --> 00:03:48,640
Now, why is that?

51
00:03:49,210 --> 00:03:56,050
Well, because we can see right here all thousand scanned ports are either closed or filtered.

52
00:03:57,460 --> 00:04:05,290
And remember, to discover an operating system, we need at least one open port and one closed port. In

53
00:04:05,290 --> 00:04:10,120
this case, there is really nothing that we can do to discover the operating system with Nmap, since

54
00:04:10,120 --> 00:04:12,280
all ports seem to be filtered.

55
00:04:12,910 --> 00:04:15,160
Let's try the same on the Windows 7 machine.

56
00:04:15,770 --> 00:04:21,070
I know for a fact that the Windows 7 virtual machine has one port open, so let's see whether it will

57
00:04:21,070 --> 00:04:26,870
manage to figure out the operating system on that machine. If I type sudo nmap -O.

58
00:04:27,250 --> 00:04:29,950
And I already typed ipconfig in my Windows 7.

59
00:04:30,250 --> 00:04:33,550
The IP address is 192.168.1.14.

60
00:04:34,270 --> 00:04:35,980
Let's specify it right here.

61
00:04:38,510 --> 00:04:39,770
Let's wait for this to finish.

62
00:04:41,550 --> 00:04:46,320
And it gives us a bunch of OS details. Up here,

63
00:04:46,350 --> 00:04:54,090
we have a warning that says results may be unreliable because we could not find at least one open port

64
00:04:54,240 --> 00:04:55,740
and one closed port.

65
00:04:56,580 --> 00:05:00,810
It did manage to find one open port, which is this port 445.

66
00:05:01,680 --> 00:05:03,750
But all the other ports are filtered.

67
00:05:04,800 --> 00:05:11,790
However, based on this one open port, it tried to guess what operating system it has and it was relatively

68
00:05:11,790 --> 00:05:18,870
close. It managed to guess that the operating system is Windows, and sometimes this could be enough

69
00:05:18,870 --> 00:05:19,360
for us.

70
00:05:20,370 --> 00:05:25,410
We can see right here it specified Windows 7, which is correct, but it also specified Windows

71
00:05:25,410 --> 00:05:29,780
Vista and Windows 2008, which are incorrect guesses.

72
00:05:30,670 --> 00:05:30,920
Hmm.

73
00:05:31,320 --> 00:05:36,670
So we can say that it managed to narrow it down for us, but it didn't really hit the correct one.

74
00:05:37,530 --> 00:05:41,550
So we checked how to figure out what operating system the target is running.

75
00:05:42,150 --> 00:05:47,970
We noticed that it doesn't always work, but this information with the information that we will get in

76
00:05:47,970 --> 00:05:53,290
the next video will be more than enough for us to be able to conduct a vulnerability analysis.

77
00:05:54,060 --> 00:05:59,640
Let us see in the next video how to get the exact version of services running on open ports.