1
00:00:00,940 --> 00:00:01,570
Welcome back.

2
00:00:01,840 --> 00:00:07,420
Let us finally check out how we can figure out the version of software running on an open port.

3
00:00:08,230 --> 00:00:10,910
For now, we managed to discover open ports.

4
00:00:11,380 --> 00:00:15,450
We also learned what the different scans can do and which ones are better to use.

5
00:00:15,910 --> 00:00:21,390
And we learned how we can identify an operating system on some of the targets that we scan.

6
00:00:22,330 --> 00:00:27,960
Now, let's see one of the most important parts that will also help us in identifying vulnerabilities.

7
00:00:28,480 --> 00:00:32,230
So why do we care about versions of software so much?

8
00:00:33,300 --> 00:00:40,170
For example, I might somehow find out that Metasploitable is running Apache web server on port 80,

9
00:00:40,950 --> 00:00:44,750
but that doesn't narrow down all the possible attacks too much.

10
00:00:45,600 --> 00:00:52,020
Of course, it narrows it down to only searching for Apache vulnerabilities, but Nmap can even go as

11
00:00:52,020 --> 00:00:56,040
far as discovering what exact version of Apache it is running.

12
00:00:56,820 --> 00:01:02,490
Then, after knowing the version, we can search for that version on the Internet and try to see whether there

13
00:01:02,490 --> 00:01:05,460
are any known vulnerabilities for that specific version.

14
00:01:05,910 --> 00:01:10,230
So version discovery helps us a lot, and let's see how we can perform it.

15
00:01:10,980 --> 00:01:20,160
To perform version discovery, we use the option -sV, so we run the command nmap -sV, and as

16
00:01:20,160 --> 00:01:22,690
usual, we are going to be scanning our Metasploitable.

17
00:01:23,490 --> 00:01:29,190
Now this command also requires root privileges, so make sure to type sudo at the beginning of the command.

18
00:01:30,750 --> 00:01:34,160
sudo nmap -sV and then the address.

19
00:01:35,180 --> 00:01:37,850
Press enter, enter the password.
20
00:01:39,680 --> 00:01:46,190
This particular scan could take longer than other scans because right now we are deeply scanning the

21
00:01:46,190 --> 00:01:46,730
target.

22
00:01:47,240 --> 00:01:51,310
Let us check out at what percentage it is at, so 91 percent.

23
00:01:51,350 --> 00:01:53,210
It should finish in just a few seconds.

24
00:01:53,390 --> 00:01:54,200
Let's wait for it.

25
00:01:55,400 --> 00:02:00,650
And here it is, we can see we got a bunch of results right here.

26
00:02:01,730 --> 00:02:09,560
The new thing that we got compared to all the previous scans is this fourth column. Remember, once we scanned

27
00:02:09,560 --> 00:02:15,260
previously, we only got these first three columns, which are the port number, the state of the port

28
00:02:15,260 --> 00:02:18,090
and the service that it is running. Right now,

29
00:02:18,140 --> 00:02:20,600
we also get the version of the service.

30
00:02:21,620 --> 00:02:28,400
So let's go quickly through this. We got port 21, which is FTP, and right here we got the

31
00:02:28,400 --> 00:02:33,740
exact version of what type of software it has. For SSH

32
00:02:33,740 --> 00:02:34,920
we get the same thing.

33
00:02:35,000 --> 00:02:39,890
So the version of SSH is OpenSSH 4.7 Debian Ubuntu.

34
00:02:40,610 --> 00:02:44,150
We got the Telnet, the SMTP, the HTTP.

35
00:02:44,150 --> 00:02:51,590
We got that it is running Apache httpd 2.2.8. For the SMB protocol, which is port

36
00:02:51,590 --> 00:02:53,450
445 and 139,

37
00:02:53,450 --> 00:02:53,990
we got that

38
00:02:53,990 --> 00:02:54,650
it is running

39
00:02:54,650 --> 00:03:01,370
Samba from 3.X to 4.X, so somewhere in this range will be the version that

40
00:03:01,370 --> 00:03:02,000
it is running.
41
00:03:02,870 --> 00:03:07,670
What we would do with this information, as I already mentioned, is we would just try to search for

42
00:03:07,700 --> 00:03:10,790
some known vulnerabilities for the specified versions.

43
00:03:11,210 --> 00:03:16,310
For example, if this Apache version right here has a known vulnerability, we would discover it by

44
00:03:16,310 --> 00:03:19,040
pasting this in Google and typing "vulnerabilities".

45
00:03:19,370 --> 00:03:25,520
And whatever comes up, we will test this on this target and see whether it works or not, since some

46
00:03:25,520 --> 00:03:27,940
vulnerabilities could be patched, we never know.

47
00:03:27,950 --> 00:03:29,150
So we want to try it out.

48
00:03:30,180 --> 00:03:36,030
Down here, we also got the versions for the other ports, so we get a bunch of results right here.

49
00:03:37,030 --> 00:03:40,140
What you would do with this, you can see, is really useful.

50
00:03:40,480 --> 00:03:43,850
We would have this report and we would use it for future reference.

51
00:03:44,520 --> 00:03:45,060
For now,

52
00:03:45,090 --> 00:03:48,540
let me show you another option that you can use with the version scan.

53
00:03:49,170 --> 00:03:52,950
And that option is the intensity of scanning versions.

54
00:03:53,430 --> 00:03:54,570
We can type it like this.

55
00:03:55,110 --> 00:04:00,300
See, if I use the same command, let me just clear the screen so we can see it better. If I use the

56
00:04:00,300 --> 00:04:11,160
same command and after -sV I type --version-intensity, and after the version intensity,

57
00:04:11,160 --> 00:04:14,060
we need to specify how high we want the intensity to be.

58
00:04:14,580 --> 00:04:17,640
And it can be set between zero and nine.

59
00:04:18,330 --> 00:04:21,710
The default one, which we used in the last scan, is seven.

60
00:04:22,200 --> 00:04:26,580
So every time you don't specify this option, it will be seven by default.
61
00:04:27,210 --> 00:04:34,170
If we set it all the way up to nine, then we will have a higher possibility of identifying the correct

62
00:04:34,170 --> 00:04:34,840
service version.

63
00:04:35,520 --> 00:04:40,020
However, in ninety-nine percent of cases, this option is not needed.

64
00:04:40,380 --> 00:04:42,330
You can just leave it on the default, which is seven.

65
00:04:43,050 --> 00:04:45,450
If you set it to nine, it will take a longer time.

66
00:04:45,450 --> 00:04:51,060
And since we are scanning a target that is on our own network, it will still do it in just a few seconds

67
00:04:51,060 --> 00:04:51,570
or minutes.

68
00:04:52,020 --> 00:04:58,260
But if you were to scan a real target, the scans could take a lot more time to accomplish, so

69
00:04:58,290 --> 00:05:03,990
you always want to consider not only performing the most accurate scan possible, but also performing a

70
00:05:03,990 --> 00:05:06,950
scan that can be equally fast and accurate.

71
00:05:07,770 --> 00:05:11,940
So sometimes we have to lose one thing in order to gain the other.

72
00:05:12,810 --> 00:05:15,470
That would be pretty much all for the scanning.

73
00:05:15,840 --> 00:05:20,190
Now, we're not going to be running this command since I can tell you right now that it will give us the

74
00:05:20,190 --> 00:05:22,260
same output as the previous one.

75
00:05:22,620 --> 00:05:26,670
So in this case, increasing the version intensity won't help us too much.

76
00:05:27,660 --> 00:05:33,000
And as far as these options go, there are more options for the version discovery that you can check

77
00:05:33,000 --> 00:05:34,620
out inside of the manual.

78
00:05:35,100 --> 00:05:40,950
But before I end this video, I want to show you another thing that I also use a lot, and that is

79
00:05:40,950 --> 00:05:42,440
the -A option.

80
00:05:43,080 --> 00:05:47,820
So let me show you right here, if instead of all of this, I specify -A.
81
00:05:48,860 --> 00:05:52,400
And this is the so-called aggressive option.

82
00:05:53,430 --> 00:05:58,720
It enables some advanced features of Nmap. Those advanced features are, well, first,

83
00:05:58,740 --> 00:06:01,830
it enables OS detection without specifying the

84
00:06:01,830 --> 00:06:03,110
-O that we already covered.

85
00:06:03,840 --> 00:06:10,860
It also enables the version detection without specifying the -sV, and it enables something called

86
00:06:10,860 --> 00:06:16,760
Nmap script scanning. What Nmap scripts are is something that we will cover shortly.

87
00:06:16,920 --> 00:06:22,290
For now, just remember that -A enables all of those things that we covered in the previous

88
00:06:22,290 --> 00:06:24,540
videos, including Nmap scripts.

89
00:06:25,660 --> 00:06:31,750
And since this is one of the more aggressive Nmap options, please do not try this on targets that

90
00:06:31,750 --> 00:06:33,220
you do not have permission to scan.

91
00:06:33,950 --> 00:06:36,990
However, let us test it out on our Metasploitable target.

92
00:06:37,000 --> 00:06:41,290
And if you want, you can also try to scan your whole network with it.

93
00:06:42,200 --> 00:06:48,010
Just keep in mind that since it is using all of these options, it will take some time, even if it

94
00:06:48,010 --> 00:06:49,540
is scanning our whole network.

95
00:06:50,750 --> 00:06:57,080
So if I run this command, this will take some time. If I press the up arrow, it is seventy-eight percent

96
00:06:57,080 --> 00:07:03,260
done, and the output of this option we're going to see in the next video, as well as some other useful

97
00:07:03,260 --> 00:07:10,250
things that we can do with Nmap. As soon as we check that, we are going to get into firewall evasion using

98
00:07:10,250 --> 00:07:10,640
Nmap.

99
00:07:11,450 --> 00:07:12,050
See you there.