00:00:00,810 Speaker: Welcome back. Let us finally check out how we can figure out the version of software running on an open port. For now, we managed to discover open ports. We also learned what different scans do and which ones are better to use. And we learned how we can identify an operating system on some of the targets that we scan. Now, let's see one of the most important parts that will also help us in identifying vulnerabilities. So why do we care about versions of software so much?

00:00:33,330 For example, I might somehow find out that Metasploitable is running the Apache web server on port 80. But that doesn't narrow down all the possible attacks too much. Of course, it narrows it down to only searching for Apache vulnerabilities, but Nmap can even go as far as discovering what exact version of Apache it is running. Then, after knowing the version, we can search for that version on the internet and try to see whether there are any known vulnerabilities for that specific version. So version discovery helps us a lot. And let's see how we can perform it. To perform version discovery, we use the option -sV.
00:01:15,870 So I'll run the command nmap -sV, and as usual, we're going to be scanning our Metasploitable. Now, this command also requires sudo privileges, so make sure to type it at the beginning of the command: sudo nmap -sV and then the IP address. Press enter, enter the password.

00:01:39,570 This particular scan could take longer than other scans because right now we are deeply scanning the target. Let us check out what percentage it is at. So, 91%; it should finish in just a few seconds. Let's wait for it. And here it is. We can see we got a bunch of results right here.

00:02:01,710 The new thing that we got from all the previous scans is this fourth column. Remember, when we scanned previously we only got these first three columns, which are the port number, the state of the port, and the service that it is running. Right now, we also get the version of the service. So let's go quickly through this. We got port 21, which is FTP, and right here we got the exact version of what type of FTP software it has. For the SSH, we get the same thing.
00:02:35,010 So the version of SSH is OpenSSH 4.7 Debian 8ubuntu1. We got the telnet, the SMTP, the HTTP; we got that it is running Apache httpd 2.2.8. For the smbd protocol, which is port 445 and 139, we got that it is running Samba, from three point something to four point something. In this range will be the version that it is running.

00:03:02,880 What we would do with this information, as I already mentioned, is we would just try to search for some known vulnerabilities for the specified versions. For example, if this Apache version right here has a known vulnerability, we would discover it by pasting this in Google and typing "vulnerabilities". And whatever comes up, we will test this on this target and see whether it works or not, since some vulnerabilities could be patched. We never know, so we want to try it out.

00:03:30,180 Down here, we also got the versions for the other ports, so we get a bunch of results right here. What you would do with this scan, since this is really useful, is we would type this in our report and we would use it for future reference.
00:03:44,520 For now, let me show you another option that you can use with the version scan, and that option is the intensity of scanning versions. We can type it like this. So if I use the same command, let me just clear the screen so we can see it better. If I use the same command and after -sV I type --version-intensity. And after the version intensity, we need to specify how high we want the intensity to be. And it can be set between zero and nine. The default one, which we used in the last scan, is seven. So every time you don't specify this option, it'll be seven by default. If we set it all the way up to nine, then we will have a higher possibility of identifying the correct service version.

00:04:35,550 However, in 99% of nmap scans, this option is not needed. You can just leave it on the default, which is seven. If you set it at nine, it'll take a longer time. And since we're scanning a target that is on our own network, it'll still do it in just a few seconds or minutes. But if you were to scan a real target, nmap scans could take a lot more time to accomplish.
00:04:57,930 So you always want to consider not only performing the most accurate scan possible, but also performing a scan that will be equally fast and accurate. So sometimes we have to lose one thing in order to gain the other. That would be pretty much all for the version scanning. Now, we're not going to be running this command, since I can tell you right now that it'll give us the same output as the previous one. So in this case, increasing the version intensity won't help us too much. And as far as these options go, there are more options for the version discovery that you can check out inside of the nmap manual.

00:05:35,160 But before I end this video, I want to show you another thing that I also use a lot, and that is the -A option. So let me show you right here. If instead of all of this I specify -A; and -A is the so-called aggressive option. It enables some advanced features of nmap. Those advanced features are, well, first, it enables OS detection without specifying the -O that we already covered.
00:06:03,870 It also enables the version detection without specifying the -sV, and it enables something called nmap script scanning. What nmap scripts are is something that we will cover shortly. For now, just remember that -A enables all of those things that we covered in the previous videos, including nmap scripts.

00:06:25,710 And since -A is one of the more aggressive nmap options, please do not try this on targets that you do not have permission to scan. However, let us test it out on our Metasploitable target, and if you want, you can also try to scan your home network with it. Just keep in mind that since it is using all of these options, it'll take some time even if it is scanning our home network.

00:06:50,760 So if I run this command, this will take some time. If I press the up arrow, it is 78% done, and the output of this option we're going to see in the next video, as well as some other useful things that we can do with nmap. As soon as we check that, we are going to get into firewall evasion using nmap. See you there.