1 00:00:01,260 --> 00:00:04,080 Ports and services on the web server. 2 00:00:05,340 --> 00:00:10,890 Web applications are generally served on ports 80 and 443. 3 00:00:12,090 --> 00:00:20,340 But they're not limited to those port numbers; port numbers are configurable, so it's not uncommon 4 00:00:20,340 --> 00:00:24,360 to see web applications served on a non-standard port such as 8080. 5 00:00:25,720 --> 00:00:34,090 OK, so basically a URL or an IP address will be provided to you when you start a penetration test. 6 00:00:35,180 --> 00:00:43,070 But sometimes, due to your contract, you may need to run a black-box testing approach with nothing. 7 00:00:44,260 --> 00:00:48,400 You wouldn't even have an IP or a URL to test. 8 00:00:49,930 --> 00:00:56,520 In both of these scenarios, you would need to identify and then map the target network to some extent, 9 00:00:56,890 --> 00:01:01,420 so the first thing to do is to identify the target network with WHOIS. 10 00:01:02,790 --> 00:01:04,110 So we've already done that. 11 00:01:05,230 --> 00:01:07,810 The second thing to do is to map the network. 12 00:01:09,020 --> 00:01:10,780 And that's what we're going to do now. 13 00:01:11,680 --> 00:01:19,510 And we will use Kali Linux; it's got a great tool in there to help us out: Nmap. 14 00:01:20,870 --> 00:01:24,290 So Nmap is short for Network Mapper. 15 00:01:25,520 --> 00:01:33,200 It's a powerful open-source network scanning tool, perfect for conducting reconnaissance and enumeration. 16 00:01:35,840 --> 00:01:42,890 So here we are going to benefit from Nmap, so now open up your terminal in Kali and type nmap. 17 00:01:44,530 --> 00:01:46,090 You can see there are a few options. 18 00:01:47,150 --> 00:01:49,280 Nmap can perform many tasks.
19 00:01:50,160 --> 00:01:58,710 It can identify live hosts, scan TCP and UDP ports for open ones, detect firewalls, get the service versions 20 00:01:58,950 --> 00:02:04,750 running on remote hosts and even, with the use of scripts, find and exploit vulnerabilities. 21 00:02:05,730 --> 00:02:08,530 So why don't we just start with a basic scan? 22 00:02:09,240 --> 00:02:17,520 So at this point, let's assume I was given or I have found the target IP or URL, so I'm going to use 23 00:02:17,520 --> 00:02:20,010 the bee-box IP address in the examples. 24 00:02:21,140 --> 00:02:28,250 Simply type nmap 192.168.204.130 and hit enter. 25 00:02:29,500 --> 00:02:31,240 And here is a basic scan. 26 00:02:32,240 --> 00:02:36,350 So Nmap will scan the target IP with its default options. 27 00:02:37,280 --> 00:02:42,830 And the result shows the open ports and the corresponding service names running on those ports. 28 00:02:45,630 --> 00:02:51,390 So now let's touch on some of the other parameters to perform a more detailed scan. 29 00:02:53,180 --> 00:02:56,630 Now, Nmap has several approaches for scanning open ports. 30 00:02:57,610 --> 00:03:05,770 It sends raw network packets to several TCP or UDP ports of the target and checks to see if there's 31 00:03:05,770 --> 00:03:06,610 a response. 32 00:03:07,520 --> 00:03:12,530 And if there is, depending on the type of response, it will classify the port state 33 00:03:13,640 --> 00:03:20,780 as open, closed or filtered. Remember that HTTP uses TCP for transmitting packets. 34 00:03:21,750 --> 00:03:24,750 Nmap will play with these TCP packets, 35 00:03:25,760 --> 00:03:28,010 and that's where the different scan types come from. 36 00:03:29,110 --> 00:03:32,980 So a regular TCP connection between 37 00:03:34,030 --> 00:03:37,310 two hosts is set up with what is called a three-way handshake. 38 00:03:38,110 --> 00:03:38,950 So first,
39 00:03:39,930 --> 00:03:49,200 a packet with the SYN flag reaches the destination, which then sends a SYN/ACK back to the source; then the source 40 00:03:49,200 --> 00:03:53,670 sends back an ACK and the data transmission can start. 41 00:03:54,900 --> 00:04:03,090 So this is the basic, fully completed TCP connection, right? So type nmap 192.168.204.130 42 00:04:03,120 --> 00:04:07,140 with the -sS 43 00:04:07,140 --> 00:04:07,740 parameter. 44 00:04:09,040 --> 00:04:13,450 The -sS parameter runs a SYN scan against the target. 45 00:04:15,130 --> 00:04:18,970 That means Nmap will not complete the three-way handshake: 46 00:04:19,950 --> 00:04:24,930 instead of the final ACK, it sends a RST (reset) packet to tear the half-open connection down. 47 00:04:26,470 --> 00:04:29,970 But the result is not going to be any different 48 00:04:30,780 --> 00:04:31,590 from the first scan, 49 00:04:32,410 --> 00:04:36,600 because the SYN scan is Nmap's default when it runs with raw-socket privileges (as root or via sudo); without them it falls back to the connect scan. 50 00:04:38,290 --> 00:04:45,550 Now, type nmap 192.168.204.130 -sT. 51 00:04:46,780 --> 00:04:51,220 This is a TCP connect scan, selected with the -s 52 00:04:51,220 --> 00:04:52,840 T parameter. 53 00:04:53,800 --> 00:04:57,970 That means Nmap completes the three-way handshake, 54 00:04:59,320 --> 00:05:04,240 so Nmap actually connects to the target port. 55 00:05:05,570 --> 00:05:10,790 The connection is therefore visible to, and can be logged by, the server application, and the result is the same as the previous one. 56 00:05:11,830 --> 00:05:15,520 But because the handshake completes, an "open" result is confirmed by the application actually accepting the connection. 57 00:05:17,210 --> 00:05:23,840 OK, so you can see Nmap is a really clever tool: it first identifies the live hosts on the target 58 00:05:23,840 --> 00:05:27,380 network and then scans those hosts for open ports. 59 00:05:29,510 --> 00:05:37,250 So now let's type nmap 192.168.204.130 -sn.
60 00:05:38,980 --> 00:05:46,300 With the -sn flag, you tell Nmap to only check whether the host is alive (host discovery, a so-called ping scan, with no port scan). 61 00:05:47,760 --> 00:05:50,490 And then, of course, the opposite is also possible. 62 00:05:51,770 --> 00:05:53,720 Change -sn to -Pn. 63 00:05:55,850 --> 00:06:00,160 This time Nmap will not check whether the host is alive at all; 64 00:06:01,600 --> 00:06:04,360 it will treat the host as up and only perform a port scan. 65 00:06:06,820 --> 00:06:13,630 OK, so now let's be a little bit more specific about these ports. You can use the -p flag to 66 00:06:13,630 --> 00:06:17,830 define a single port, a port list or a port range for Nmap to scan. 67 00:06:18,880 --> 00:06:23,590 So here, I'm going to give it -p 80,443. 68 00:06:25,200 --> 00:06:29,310 And of course, you can provide service names instead, like -p http,https. 69 00:06:31,520 --> 00:06:35,000 This time, it will scan the ports associated with those service names. 70 00:06:36,100 --> 00:06:40,290 If you want to scan all 65535 ports, just put a dash after the -p, as in -p-. 71 00:06:41,660 --> 00:06:42,880 It's going to take a lot longer. 72 00:06:45,000 --> 00:06:50,670 But if you're not looking for a specific port, you can limit the number of ports by using --top-ports 73 00:06:50,850 --> 00:06:51,720 as a parameter. 74 00:06:54,030 --> 00:06:57,210 --top-ports 100 will scan the 100 ports Nmap ranks as most common. 75 00:07:00,050 --> 00:07:04,700 Now, if you only want the open ports, just add the --open parameter. 76 00:07:06,270 --> 00:07:07,620 Now the closed ports are gone from the output. 77 00:07:10,310 --> 00:07:16,490 You can also add the --reason parameter to display why a port is in its particular state (for example syn-ack for open, reset for closed, no-response for filtered). 78 00:07:18,330 --> 00:07:25,740 So until now, we've got the open ports and the names of the services, right? Thankfully, Nmap can 79 00:07:25,740 --> 00:07:28,670 also show the software versions running on the open ports. 80 00:07:30,090 --> 00:07:33,570 Just add the -sV parameter to detect versions.
81 00:07:35,710 --> 00:07:38,440 It might take a little while to run this kind of scan. 82 00:07:40,430 --> 00:07:43,700 And here are the results with their version banners. 83 00:07:44,450 --> 00:07:49,680 So now you can look up these version numbers to see whether they have known vulnerabilities or not. 84 00:07:50,360 --> 00:07:57,200 And then the last thing that we'll do here is determine the operating system running on the target 85 00:07:57,200 --> 00:07:57,560 host. 86 00:07:59,060 --> 00:08:03,050 So just add the -O parameter to the previous command (like -sS, it needs raw-socket privileges, so run it as root or via sudo). 87 00:08:04,310 --> 00:08:06,530 This could also take a little more time. 88 00:08:09,040 --> 00:08:16,420 Nmap sends probes to an open and a closed port, fingerprints the quirks of the target's TCP/IP stack and guesses the probable 89 00:08:16,420 --> 00:08:16,840 OS. 90 00:08:18,090 --> 00:08:25,620 You can also use Nmap's built-in scripts, and you can compose your own by using the Nmap Scripting 91 00:08:25,620 --> 00:08:26,140 Engine (NSE). 92 00:08:26,430 --> 00:08:32,160 So here are some script names that you can use to help you when you're doing penetration tests. 93 00:08:32,370 --> 00:08:37,230 I won't show you how to use them here, simply because I'm going to be using some other tools and techniques 94 00:08:37,230 --> 00:08:41,850 for the same purpose, but using scripts is certainly not complicated, and I 95 00:08:41,870 --> 00:08:43,740 do advise you to use them.
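The following is an added example, not part of the original video and not Nmap's own code. It is a small TCP connect() scanner that reproduces the behaviour of the options walked through above (-sT, the -p port specification, --open and --reason) so you can see how the port states and reasons are derived from the three-way handshake. A SYN scan (-sS) needs raw sockets and root, so it is deliberately not implemented here. All targets are constructed: the demo opens one listening socket on 127.0.0.1 (reported open, reason syn-ack) and one socket that is bound but never listen()ed on, which the kernel answers with RST (reported closed, reason conn-refused). The function and variable names are the example's own, not Nmap's.

```python
"""TCP connect() port scanner mirroring a few nmap options: -sT, -p, --open, --reason.

Added example (not nmap's code). Targets are sockets it creates itself on 127.0.0.1,
so it runs offline. Port states follow nmap's vocabulary:
  open      connect() completed the SYN / SYN-ACK / ACK handshake   (reason: syn-ack)
  closed    the host answered the SYN with RST                       (reason: conn-refused)
  filtered  no answer before the timeout, e.g. a firewall drop        (reason: no-response)
"""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_port_spec(spec, max_port=65535):
    """Parse an nmap-style -p argument: '80,443', '1-1024', '22,80-90' or '-' (all ports)."""
    if spec.strip() == "-":
        return list(range(1, max_port + 1))
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:                      # range; open ends allowed ('-100', '60000-')
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo) if lo else 1, (int(hi) if hi else max_port) + 1))
        else:
            ports.add(int(part))
    bad = sorted(p for p in ports if not 1 <= p <= max_port)
    if bad:
        raise ValueError(f"ports out of range: {bad}")
    return sorted(ports)


def scan_port(host, port, timeout=1.0):
    """Full TCP connect, like nmap -sT. Returns (port, state, reason)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # kernel completes the three-way handshake
            return port, "open", "syn-ack"
        except socket.timeout:               # nothing came back: dropped by a firewall
            return port, "filtered", "no-response"
        except ConnectionRefusedError:       # RST came back: nothing is listening
            return port, "closed", "conn-refused"
        except OSError as e:                 # e.g. EHOSTUNREACH from an ICMP unreachable
            return port, "filtered", errno.errorcode.get(e.errno, "error")


def connect_scan(host, port_spec, only_open=False, timeout=1.0, workers=50):
    """Scan every port in port_spec concurrently; only_open mimics nmap --open."""
    ports = parse_port_spec(port_spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: scan_port(host, p, timeout), ports))
    return [r for r in results if r[1] == "open"] if only_open else results


def format_report(results):
    """Render results in nmap's 'PORT STATE SERVICE REASON' layout (--reason)."""
    lines = ["PORT       STATE    SERVICE   REASON"]
    for port, state, reason in results:
        try:
            service = socket.getservbyport(port, "tcp")   # /etc/services lookup
        except OSError:
            service = "unknown"
        lines.append(f"{port}/tcp".ljust(11) + state.ljust(9) + service.ljust(10) + reason)
    return "\n".join(lines)


def demo():
    """Constructed targets on loopback: one listening port (open) and one port that is
    bound but never listen()ed on, which the kernel answers with RST (closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    reserved = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    reserved.bind(("127.0.0.1", 0))          # reserves the port without listening
    open_port, closed_port = listener.getsockname()[1], reserved.getsockname()[1]
    try:
        spec = f"{open_port},{closed_port}"
        full = connect_scan("127.0.0.1", spec)
        open_only = connect_scan("127.0.0.1", spec, only_open=True)
    finally:
        listener.close()
        reserved.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "full": full, "open_only": open_only}


if __name__ == "__main__":
    print(format_report(demo()["full"]))
```

Running the file prints a two-row table: the listening port as open/syn-ack and the reserved port as closed/conn-refused. Against a host behind a dropping firewall the same code would report filtered/no-response after the timeout, which is exactly the distinction --reason exposes in Nmap's output; note also that because connect() completes the handshake, every open port found this way has been accepted by the target application and may appear in its logs, which is why the SYN scan is the quieter default when you have root.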