1 00:00:00,600 --> 00:00:01,589 Instructor: Let us check out
2 00:00:01,589 --> 00:00:04,350 how we can figure out what operating system
3 00:00:04,350 --> 00:00:08,580 our target is running just by scanning it with Nmap.
4 00:00:08,580 --> 00:00:11,710 In Nmap, this feature is quite popular,
5 00:00:11,710 --> 00:00:15,060 as they have a database of thousands of known
6 00:00:15,060 --> 00:00:18,150 operating system fingerprints that they compare with
7 00:00:18,150 --> 00:00:20,940 the host that you scan in order to find out
8 00:00:20,940 --> 00:00:23,013 what operating system it is running.
9 00:00:24,000 --> 00:00:25,380 But for this to work,
10 00:00:25,380 --> 00:00:28,650 a target machine must have at least one port open
11 00:00:28,650 --> 00:00:30,570 and one port closed,
12 00:00:30,570 --> 00:00:33,420 which we need not worry about, since our Metasploitable
13 00:00:33,420 --> 00:00:36,690 has both open and closed ports.
14 00:00:36,690 --> 00:00:40,380 However, it might not work for some other targets.
15 00:00:40,380 --> 00:00:42,270 What I'm going to do in this video is,
16 00:00:42,270 --> 00:00:44,430 I'm going to try to scan my Metasploitable,
17 00:00:44,430 --> 00:00:45,840 which is running Linux,
18 00:00:45,840 --> 00:00:48,330 and then I will try to scan my Windows 7
19 00:00:48,330 --> 00:00:52,110 virtual machine that I got right here,
20 00:00:52,110 --> 00:00:56,850 and I will try to scan my Windows 10 host machine,
21 00:00:56,850 --> 00:00:59,670 and let us see what results we can get.
22 00:00:59,670 --> 00:01:01,710 Let's see whether Nmap can figure out
23 00:01:01,710 --> 00:01:03,710 what operating systems they are running.
24 00:01:05,099 --> 00:01:07,080 If I go back to my Kali Linux,
25 00:01:07,080 --> 00:01:09,720 let's go with Metasploitable first.
26 00:01:09,720 --> 00:01:11,490 To run the operating system feature,
27 00:01:11,490 --> 00:01:15,870 we must use sudo and after nmap, we specify dash O,
28 00:01:15,870 --> 00:01:18,180 for discovery of the operating system.
29 00:01:18,180 --> 00:01:20,411 Then we specify the IP address.
30 00:01:20,411 --> 00:01:24,270 And if I specify the IP address of my Metasploitable first,
31 00:01:24,270 --> 00:01:27,723 press enter, type in my password.
32 00:01:29,400 --> 00:01:31,020 It will take just a few seconds.
33 00:01:31,020 --> 00:01:35,310 And down in the results, we can see the OS testing.
34 00:01:35,310 --> 00:01:39,846 It tells us right here that Metasploitable is running Linux.
35 00:01:39,846 --> 00:01:42,450 And down here, in the OS details,
36 00:01:42,450 --> 00:01:45,510 it tells us which version exactly it is running
37 00:01:45,510 --> 00:01:49,380 and how many hops away the target is from us.
38 00:01:49,380 --> 00:01:53,700 It says one, which means the host is inside of our network.
39 00:01:53,700 --> 00:01:55,200 And besides all of this,
40 00:01:55,200 --> 00:01:57,990 it also tells us that the machine that we are scanning
41 00:01:57,990 --> 00:02:01,590 is a virtual machine, as we can see right here.
42 00:02:01,590 --> 00:02:04,050 It managed to figure this out by the MAC address
43 00:02:04,050 --> 00:02:07,560 that Metasploitable has, since VirtualBox machines
44 00:02:07,560 --> 00:02:10,080 have MAC addresses that start the same.
45 00:02:10,080 --> 00:02:12,513 And those are these first three numbers.
46 00:02:13,950 --> 00:02:15,690 This is really interesting because
47 00:02:15,690 --> 00:02:18,750 it can sometimes help us to realize that our target
48 00:02:18,750 --> 00:02:22,140 is an actual virtual machine and not a physical machine,
49 00:02:22,140 --> 00:02:24,450 which could possibly indicate that we are
50 00:02:24,450 --> 00:02:25,800 scanning a honeypot,
51 00:02:25,800 --> 00:02:29,220 which is usually a purposely vulnerable virtual environment
52 00:02:29,220 --> 00:02:32,100 that is used to lure in hackers in order to
53 00:02:32,100 --> 00:02:35,100 find out whether they're being attacked.
54 00:02:35,100 --> 00:02:36,990 This is because usually an attacker
55 00:02:36,990 --> 00:02:39,150 will go for the most vulnerable machine first,
56 00:02:39,150 --> 00:02:40,950 and that's how they catch him.
57 00:02:40,950 --> 00:02:42,930 That vulnerable machine could possibly
58 00:02:42,930 --> 00:02:45,090 be put there on purpose.
59 00:02:45,090 --> 00:02:47,940 So for our Metasploitable, we got the correct result.
60 00:02:47,940 --> 00:02:50,820 It tells us that it is running Linux, which is correct.
61 00:02:50,820 --> 00:02:52,350 Down here it even tells us
62 00:02:52,350 --> 00:02:54,660 which version of Linux it is running.
63 00:02:54,660 --> 00:02:56,970 And we can also see right here, by the MAC address,
64 00:02:56,970 --> 00:02:58,800 that this is a virtual machine.
65 00:02:58,800 --> 00:03:02,280 So we got a lot of useful results for Metasploitable.
66 00:03:02,280 --> 00:03:05,550 Let's try with my Windows 10 physical machine.
67 00:03:05,550 --> 00:03:08,910 So if I type sudo nmap dash O.
68 00:03:08,910 --> 00:03:10,380 And to scan my physical machine,
69 00:03:10,380 --> 00:03:14,370 I must check the IP address inside of my command prompt.
70 00:03:14,370 --> 00:03:16,676 If I type ipconfig,
71 00:03:16,676 --> 00:03:21,270 it will tell me that my IP address is 192.168.1.7.
72 00:03:21,270 --> 00:03:25,327 Let us type it in, 192.168.1.7,
73 00:03:27,900 --> 00:03:29,130 and run this scan.
74 00:03:29,130 --> 00:03:31,500 It should also take just a few seconds.
75 00:03:31,500 --> 00:03:34,350 Once again, you can check what percentage it is at
76 00:03:34,350 --> 00:03:38,040 by pressing the up arrow key, and it's currently 81% done.
77 00:03:38,040 --> 00:03:41,760 So let's just wait for the remaining few seconds to finish.
78 00:03:41,760 --> 00:03:44,280 And it'll tell me right here that
79 00:03:44,280 --> 00:03:47,760 it didn't manage to discover OS details.
80 00:03:47,760 --> 00:03:49,230 Now why is that?
81 00:03:49,230 --> 00:03:51,240 Well, because we can see right here,
82 00:03:51,240 --> 00:03:56,073 all thousand scanned ports are either closed or filtered.
83 00:03:57,510 --> 00:04:00,960 And remember, to discover the operating system,
84 00:04:00,960 --> 00:04:05,070 we need at least one open port and one closed port.
85 00:04:05,070 --> 00:04:07,440 In this case, there is really nothing that we can do
86 00:04:07,440 --> 00:04:09,720 to discover the operating system with Nmap,
87 00:04:09,720 --> 00:04:12,900 since all ports seem to be filtered.
88 00:04:12,900 --> 00:04:15,840 Let's try the same on the Windows 7 virtual machine.
89 00:04:15,840 --> 00:04:18,540 I know for a fact that the Windows 7 virtual machine
90 00:04:18,540 --> 00:04:20,130 has one port open.
91 00:04:20,130 --> 00:04:22,260 So let's see whether it'll manage to figure out
92 00:04:22,260 --> 00:04:24,840 the operating system on that machine.
93 00:04:24,840 --> 00:04:27,330 If I type sudo nmap dash O,
94 00:04:27,330 --> 00:04:30,270 and I already typed ipconfig in my Windows 7,
95 00:04:30,270 --> 00:04:34,290 the IP address is 192.168.1.14.
96 00:04:34,290 --> 00:04:36,123 Let's specify it right here.
97 00:04:38,550 --> 00:04:40,050 Let's wait for this to finish.
98 00:04:41,610 --> 00:04:44,943 And it gives us a bunch of OS details.
99 00:04:45,780 --> 00:04:48,930 Up here, we have a warning that says
100 00:04:48,930 --> 00:04:52,590 results may be unreliable because we could not find
101 00:04:52,590 --> 00:04:56,580 at least one open port and one closed port.
102 00:04:56,580 --> 00:04:58,830 It did manage to, however, find one open port,
103 00:04:58,830 --> 00:05:01,710 which is this port 445,
104 00:05:01,710 --> 00:05:03,873 but all the other ports are filtered.
105 00:05:04,800 --> 00:05:07,590 However, based on this one open port,
106 00:05:07,590 --> 00:05:10,680 it tried to guess what operating system it has,
107 00:05:10,680 --> 00:05:12,570 and it was relatively close.
108 00:05:12,570 --> 00:05:16,143 It managed to guess that the operating system is Windows.
109 00:05:17,070 --> 00:05:19,533 And sometimes this could be enough for us.
110 00:05:20,400 --> 00:05:22,590 We can see right here it specified Windows 7,
111 00:05:22,590 --> 00:05:23,730 which is correct,
112 00:05:23,730 --> 00:05:28,470 but it also specified Windows Vista and Windows 2008,
113 00:05:28,470 --> 00:05:30,690 which are incorrect guesses.
114 00:05:30,690 --> 00:05:34,680 Hmm. So we can say that it managed to narrow it down for us,
115 00:05:34,680 --> 00:05:37,530 but it didn't really hit the correct one.
116 00:05:37,530 --> 00:05:40,530 So we checked how to figure out what operating system
117 00:05:40,530 --> 00:05:42,150 the target is running.
118 00:05:42,150 --> 00:05:44,400 We noticed that it doesn't always work,
119 00:05:44,400 --> 00:05:45,930 but this information,
120 00:05:45,930 --> 00:05:47,730 along with the information which we will get
121 00:05:47,730 --> 00:05:49,020 in the next video,
122 00:05:49,020 --> 00:05:51,060 will be more than enough for us to be able to
123 00:05:51,060 --> 00:05:53,530 conduct a vulnerability analysis.
124 00:05:53,530 --> 00:05:55,590 Let us see in the next video
125 00:05:55,590 --> 00:05:59,793 how to get the exact version of services running on open ports.