1
00:00:00,390 --> 00:00:05,880
So remember that while performing a penetration test, we should always test the network devices, whether

2
00:00:05,880 --> 00:00:12,480
they're vulnerable to attacks, all the ones we've mentioned up till now, of course, we have to discover

3
00:00:12,480 --> 00:00:16,200
the network devices and the services running on them first.

4
00:00:16,650 --> 00:00:22,890
So let's see how we discover network devices and their services and what else we can do to attack these

5
00:00:22,890 --> 00:00:23,550
services.

6
00:00:23,820 --> 00:00:24,830
Come on, it'll be fun.

7
00:00:26,770 --> 00:00:32,920
So, as you already know, the first step of a penetration test is always reconnaissance, in other

8
00:00:32,920 --> 00:00:34,550
words, gathering the information.

9
00:00:35,440 --> 00:00:38,740
So how can we collect information about the network devices?

10
00:00:39,520 --> 00:00:44,200
The answer is the same with the reconnaissance of all the other parts of the penetration tests.

11
00:00:45,740 --> 00:00:52,070
We can scan the network and find the network devices according to the fingerprints or operating systems

12
00:00:52,070 --> 00:01:00,830
of the devices found, for example, if the operating system of a device is Cisco iOS, it's most probably

13
00:01:00,830 --> 00:01:03,710
a network device such as a switch or router.

14
00:01:05,000 --> 00:01:11,090
Sniffing is another way to collect data about the network devices, you should always especially focus

15
00:01:11,090 --> 00:01:13,580
on the clear text services such as Telnet.

16
00:01:15,590 --> 00:01:21,050
Now, one of the brilliant ways of reconnaissance is analyzing the documents collected throughout the

17
00:01:21,050 --> 00:01:27,530
penetration test in a typical penetration test, you probably find a lot of sensitive information by

18
00:01:27,530 --> 00:01:35,690
just looking at the file servers, shared files and e-mail backups or unprotected ASCII files of compromised

19
00:01:35,690 --> 00:01:37,190
admin personal computers.

20
00:01:39,330 --> 00:01:45,960
So as we were saying before, the most common services open in the network devices are S.H. Telnet,

21
00:01:46,560 --> 00:01:50,130
HTTP https and S&amp;P.

22
00:01:51,200 --> 00:01:54,540
And the default parts of these services are listed in the slide.

23
00:01:56,210 --> 00:02:01,850
I want to call your attention to these are the default ports, right?

24
00:02:01,880 --> 00:02:05,080
So they don't have to run on the specified port.

25
00:02:05,900 --> 00:02:13,340
You can run an escort service on port for three or an HTTPS service on the port.

26
00:02:13,430 --> 00:02:16,100
I don't know, for three, two, one, et cetera.

27
00:02:17,450 --> 00:02:22,670
You can discover more details about the network devices by analyzing these services deeply.

28
00:02:24,780 --> 00:02:31,410
Right, and now they have the correct result and discover even more, you should always scan network

29
00:02:31,410 --> 00:02:34,950
with OS Discovery and version detection options.

30
00:02:37,020 --> 00:02:43,680
So if you look at the example in the slide, again, you see and and map, command and map is a security

31
00:02:43,680 --> 00:02:50,700
scanner which is used to discover hosts and services on a computer network in the same sample command

32
00:02:50,700 --> 00:03:00,000
shown the parameter is used for OAC detection, while S of Score V is used for version detection.

33
00:03:03,820 --> 00:03:05,170
So just listen to the traffic.

34
00:03:06,460 --> 00:03:13,360
We can gather some information about the network devices here, the protocols which use clear text communication

35
00:03:13,360 --> 00:03:19,930
are especially important because you can see the payload data transferred between the end points.

36
00:03:21,360 --> 00:03:25,140
The most important clear text protocols are telnet.

37
00:03:26,520 --> 00:03:28,200
Cisco Discovery Protocol.

38
00:03:29,590 --> 00:03:31,210
Spanning tree protocol.

39
00:03:32,710 --> 00:03:33,880
Routing protocols.

40
00:03:35,430 --> 00:03:37,950
VLAD trunking protocol and.

41
00:03:39,000 --> 00:03:41,160
Simple network management protocol.

42
00:03:44,200 --> 00:03:48,240
So let's scan the router according to the criteria that we talked about up now.

43
00:03:49,780 --> 00:03:56,840
In Cali, I opened the terminal screen, so I'll use the end map to scan the router, but first.

44
00:03:57,790 --> 00:04:00,040
Let's go ahead and ping the router to check the network.

45
00:04:03,830 --> 00:04:06,290
So unmap is the command itself.

46
00:04:07,610 --> 00:04:16,280
As Hyperscore s to make it a sin scan, a simple scan is a kind of TCP scan where a three way handshake

47
00:04:16,280 --> 00:04:22,190
is not completed, but please refer to my network and vulnerability scan for hacking by and Map and

48
00:04:22,190 --> 00:04:27,170
Nessus Course for more details about the unmap and those scanned times.

49
00:04:28,500 --> 00:04:30,180
Target IP is our router.

50
00:04:31,570 --> 00:04:36,130
Asclepius Gorvy is for the version detection of the open ports.

51
00:04:37,580 --> 00:04:39,740
Oh, for the operating system detection.

52
00:04:40,920 --> 00:04:46,230
Reason is to force and map to tell the reason of its decisions.

53
00:04:47,500 --> 00:04:56,950
And P is for the ports, so let's scan S.H. Telnet https htp and as an MP, ports now hit enter.

54
00:05:01,280 --> 00:05:06,050
So that took 15 seconds, seems the only port open is the telnet.

55
00:05:09,010 --> 00:05:13,810
Here's the details, it is a Cisco device and one of these series.