[00:00:00] In those Nmap lectures, we have seen: no port scan, also known as ping scan, and different ways of scanning ports: SYN scan, also known as half-open scanning; TCP scan, also known as TCP connect scan; and UDP scan.

[00:00:19] Now let's see some more details to be able to use Nmap more effectively. We have found the hosts and their open ports. Now it is time to find out the services which are listening on those ports and the versions of those services. In addition, let's detect the operating systems running on those systems.

[00:00:40] Suppose that you ran an Nmap query and it told you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its nmap-services database of about 2,200 well-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively.

[00:01:08] This lookup is usually accurate. The vast majority of daemons listening on TCP port 25 are, in fact, mail servers. However, you should not bet your security on this. People can and do run services on strange ports. Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information when doing vulnerability assessments or even simple network inventories of your companies or clients.
[00:01:44] You really want to know which mail and DNS servers and versions are running. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to. Version detection helps you obtain this information.

[00:01:59] After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (FTP, SSH, Telnet, HTTP), the application name (ISC BIND, Apache httpd, Solaris telnetd), the version number, the hostname, the device type (something like a printer or a router) and the OS family (you know what that is: Windows, Linux, etc.).

[00:02:47] Let's see how to use service and version detection in Nmap and why it is important. OK, go to Kali and open a new terminal window. Let's create the Nmap scan command: nmap is the command itself, -n is to avoid DNS resolution, -Pn is to avoid host discovery. I'm using the SYN scan this time. All right, the destination IP, which is the IP address of my Metasploitable VM, and the destination ports: the top 10 ports.
[00:03:19] Let's run this command first to see the results of a command without version detection. Now I open a new terminal window to create a new Nmap command. I prepare the command with the same configuration: SYN scan, Metasploitable, and top 10 ports. I add the -sV parameter for version detection and hit enter. As you see, the query takes longer this time.

[00:03:54] The SYN scan without version detection took less than a second, and the SYN scan with version detection took about 12 seconds. In the first query, service names are estimated by Nmap according to the default services running on those ports. In the second query, on the other hand, Nmap probed the ports to determine more about what is actually running.

[00:04:19] Now I want to show you the most important reason for using version detection in Nmap queries. In Kali, I'm going to run SSH on port 443 and then scan the port with Nmap. Let's perform the demo together. First, look at the listening services to see whether SSH is running: netstat -tnlp. SSH is running on port 22 at the moment. Type "service ssh stop" to stop the SSH service and hit enter.

[00:04:53] Now, to change the port of SSH, we're going to change the configuration. Open the sshd_config file with a text editor. I use the "nano" text editor for this purpose. Type "nano /etc/ssh/sshd_config" and hit enter.
[00:05:16] Find the Port line and delete the hash sign (#) to make it a valid configuration line; the hash was used to make it a comment line. Change the port number to 443. Ctrl+X to exit nano, "y" to save the changes, and hit enter to save over the existing file.

[00:05:34] Start SSH again, using the "service ssh start" command. Look at the listening ports to double-check: "netstat -tnlp". The SSH service is running on port 443 now. Let's scan port 443 of Kali with Nmap. Prepare the Nmap SYN scan command, with no version detection for this query.

[00:06:03] Nmap detects that the port is open. Look at the service: Nmap says the service is HTTPS! Using its nmap-services database, Nmap reported that this port probably corresponds to a web server for HTTPS. Yes, and we know that's not true.

[00:06:22] Let's prepare the Nmap SYN scan again, but this time use the -sV parameter to run the version detection mechanism. Now, as you see, port 443 is open and the service is SSH, not HTTPS. Version detection interrogated the port to determine more about what is actually running. Nmap queried the port using the probes of the nmap-service-probes database and matched expressions to recognize and parse responses. And the version of SSH is OpenSSH version 7.6p1.

[00:07:00] So if you are not 100 percent sure about the type of the running service on a port, run version detection. Got it?
[00:07:08] Good.
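The lecture contrasts two things Nmap does: a port-number lookup in nmap-services (what a plain SYN scan reports) and banner matching against nmap-service-probes (what -sV reports). The script below is an added illustration written for these notes, not Nmap's code or the lecturer's; it re-implements both lookups in miniature. The service table, the match lines and the banners are constructed samples written in the syntax of Nmap's data files (the real databases are far larger), and the "SSH on 443" banner reproduces the lecture's demo so you can see why the port-table guess says https while the probe match says OpenSSH.

```python
"""Port-table guess vs. probe/match version detection, in miniature.

Added example for the lecture notes; not Nmap's own code. All data below is
constructed for illustration in the format of nmap-services and
nmap-service-probes.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in nmap-services format: "<name> <port>/<proto> <frequency>"
NMAP_SERVICES = """\
ssh 22/tcp 0.182286
smtp 25/tcp 0.131314
domain 53/udp 0.213496
http 80/tcp 0.484143
https 443/tcp 0.208669
"""

# Constructed match lines in nmap-service-probes syntax:
#   match <service> m<delim><regex><delim>[flags] p/product/ v/version/ i/info/ h/host/
# $1, $2 ... in the version fields refer to regex capture groups.
NMAP_SERVICE_PROBES = r"""
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w._-]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\w.]+)| p/Apache httpd/ v/$1/
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
"""


def load_services(text: str) -> dict:
    """Parse nmap-services style lines into {(port, proto): name}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portspec = line.split()[:2]
        port, proto = portspec.split("/")
        table[(int(port), proto)] = name
    return table


SERVICES = load_services(NMAP_SERVICES)


def guess_by_port(port: int, proto: str = "tcp") -> Optional[str]:
    """What a scan without -sV reports: a table lookup, no packets to the service."""
    return SERVICES.get((port, proto))


@dataclass
class MatchRule:
    service: str
    regex: "re.Pattern"
    fields: dict          # e.g. {"p": "OpenSSH", "v": "$2"}


@dataclass
class Detection:
    service: str
    product: Optional[str] = None
    version: Optional[str] = None
    extra: dict = field(default_factory=dict)


_MATCH_LINE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
_FIELD = re.compile(r"(?:^|\s)([pvihod])/([^/]*)/")


def parse_probes(text: str) -> list:
    """Parse 'match' lines into compiled rules (probe sections are ignored here)."""
    rules = []
    for line in text.splitlines():
        m = _MATCH_LINE.match(line.strip())
        if not m:
            continue
        service, _delim, pattern, flags, rest = m.groups()
        re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
        rules.append(MatchRule(service, re.compile(pattern, re_flags), dict(_FIELD.findall(rest))))
    return rules


RULES = parse_probes(NMAP_SERVICE_PROBES)


def _expand(template: str, m: "re.Match") -> str:
    """Replace $N in a version field with the N-th capture group of the match."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", template)


def match_banner(banner: str, rules: Optional[list] = None) -> Optional[Detection]:
    """What -sV does: run the response through the match expressions, first hit wins."""
    for rule in (RULES if rules is None else rules):
        m = rule.regex.search(banner)
        if m:
            fields = {k: _expand(v, m) for k, v in rule.fields.items()}
            return Detection(rule.service, fields.pop("p", None), fields.pop("v", None), fields)
    return None


def identify(port: int, proto: str, banner: str) -> dict:
    """Probe result wins; only fall back to the port-table guess when nothing matched."""
    det = match_banner(banner)
    if det:
        return {"method": "probe", "service": det.service,
                "product": det.product, "version": det.version, **det.extra}
    return {"method": "port-table", "service": guess_by_port(port, proto),
            "product": None, "version": None}


if __name__ == "__main__":
    # Constructed banner reproducing the lecture's demo: sshd moved to 443.
    print(guess_by_port(443))                              # https (wrong)
    print(identify(443, "tcp", "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n"))
    print(identify(8080, "tcp", "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"))
    print(identify(25, "tcp", ""))                         # no banner: falls back to smtp guess
```

The fallback path is the part to keep in mind: when no match line fires, the tool has nothing better than the port table, which is exactly the "probably HTTPS" answer from the first scan in the demo, so a service name without a product and version in the output should be read as a guess, not a finding.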