1
00:00:00,240 --> 00:00:09,150
So a few lectures ago, we saw how we identify which ports are scanned. Now, in input management, we'll see how

2
00:00:09,150 --> 00:00:11,890
we identify which systems are scanned.

3
00:00:12,180 --> 00:00:14,950
OK, go to Kali and open a terminal window.

4
00:00:15,640 --> 00:00:21,670
First I'll prepare an Nmap query, and because I'll play with the destination IPs, it will be the last

5
00:00:21,670 --> 00:00:23,160
parameter of my query.

6
00:00:24,410 --> 00:00:26,300
nmap is the command itself.

7
00:00:27,120 --> 00:00:34,580
-n to close name resolution, -Pn to close ping, -sS for SYN scan.

8
00:00:34,700 --> 00:00:39,050
Now, to keep it simple, let's scan just the top three ports.

9
00:00:39,060 --> 00:00:42,120
Now is the time to identify the destination systems.

10
00:00:43,080 --> 00:00:51,220
Up to now we learned to scan a single IP, and we learned how to scan an entire

11
00:00:51,260 --> 00:00:52,030
C block, .0/24.

12
00:00:56,400 --> 00:01:00,840
OK, so what are the other ways of identifying target systems?

13
00:01:01,080 --> 00:01:06,690
You can select a range for any part of the IP address. In the slide, the third and the fourth parts of

14
00:01:06,690 --> 00:01:10,030
the IP address are given as a range.

15
00:01:10,140 --> 00:01:20,360
That means Nmap will scan IPs from 192.168.1.0 to 192.168.255.255.

16
00:01:20,400 --> 00:01:22,100
I'd like to keep the range small.

17
00:01:22,280 --> 00:01:30,830
I only define a range for the fourth part of the destination address, from 100 to 150.

18
00:01:30,850 --> 00:01:41,890
There is only 1 machine between 172.16.99.100 and 172.16.99.150.

19
00:01:41,980 --> 00:01:48,240
You can scan more than one IP block in a single query. The example in the slide scans two ranges.
20
00:01:48,240 --> 00:01:57,100
The first range is between 192.168.1.0 and 192.168.1.255,

21
00:01:57,280 --> 00:02:07,220
and the second range is between 10.0.0.0 and 10.0.255.255.

22
00:02:07,360 --> 00:02:12,430
Since I don't have a second network on my Kali, I continue with the third example.

23
00:02:12,580 --> 00:02:17,690
The third example is the combination of defining a range and a single number.

24
00:02:18,350 --> 00:02:28,730
For example, you can scan the IPs between 172.16.99.100 and 140, IP 206,

25
00:02:28,730 --> 00:02:29,530
and the IPs between 172.16.99.220 and 230.

26
00:02:29,840 --> 00:02:34,940
So here are the results: Nmap found a machine from the range of 100 through 140,

27
00:02:36,210 --> 00:02:38,340
the machine with IP 206,

28
00:02:41,100 --> 00:02:45,520
and another machine from the range of 220 through 230.

29
00:02:45,660 --> 00:02:52,160
Another way to define the target systems is to give Nmap the IP addresses in a file. In a typical

30
00:02:52,160 --> 00:02:57,800
penetration test or ethical hacking engagement, you will scan the network a lot of times.

31
00:02:57,920 --> 00:03:03,890
First you find the hosts; after that, it doesn't make sense to scan the entire network again and again. You'll see huge

32
00:03:03,890 --> 00:03:04,600
networks.

33
00:03:04,760 --> 00:03:09,350
So if you scan the entire network each time, the pen test will take a lot longer than you think.

34
00:03:10,190 --> 00:03:18,020
Let's open a second terminal screen and find the hosts of our IP block using a ping scan, as we learnt before.

35
00:03:18,020 --> 00:03:27,170
Now let's clarify the output to have only the IP addresses of live hosts: the grep command to get only the rows containing

36
00:03:27,170 --> 00:03:27,990
IP addresses,

37
00:03:33,320 --> 00:03:34,910
and the cut command

38
00:03:35,190 --> 00:03:41,790
to get only the IP addresses from a row.

39
00:03:41,800 --> 00:03:47,010
Now we can redirect the output into a text file to reuse the list in the following queries.
40
00:03:47,110 --> 00:03:53,980
But first let me close the name resolution. Now put a ">" character and give a file name

41
00:03:53,980 --> 00:03:57,260
to write the result: ipList.txt.

42
00:04:02,040 --> 00:04:07,200
We're not interested in the first two IP addresses, so let's edit the file and delete them.

43
00:04:07,200 --> 00:04:14,900
I use the nano text editor to edit the file. In nano, use “Ctrl + K” to delete a line.

44
00:04:15,200 --> 00:04:20,040
Use “Ctrl + X” to exit nano, press “y” to save changes, and hit Enter to save to the same file.

45
00:04:20,040 --> 00:04:27,520
Type “cat ipList.txt” to look at the file again.

46
00:04:27,520 --> 00:04:30,380
Now we have 4 IP addresses in the file.

47
00:04:30,730 --> 00:04:34,260
Let's create a new Nmap query, and this time

48
00:04:34,360 --> 00:04:41,770
let's give the destination systems in a file, "ipList.txt". And here are the results of the four

49
00:04:41,770 --> 00:04:49,670
systems which are listed in the "ipList.txt" file. So let's talk about the output management in Nmap now.

50
00:04:49,680 --> 00:04:55,650
Up to now we've run a lot of Nmap queries and got the results on the terminal screen.

51
00:04:55,650 --> 00:05:02,490
This is the default output behaviour, called interactive output, and it is sent to standard output (stdout).

52
00:05:02,490 --> 00:05:05,820
In a penetration test,

53
00:05:05,820 --> 00:05:12,210
we should save the results of the queries to be able to analyze them later on. Hopefully Nmap has its

54
00:05:12,210 --> 00:05:15,010
own output management skills.

55
00:05:15,050 --> 00:05:16,140
So let's have a look.

56
00:05:16,310 --> 00:05:23,440
There are three major output saving formats in Nmap: normal output, which is similar to interactive

57
00:05:23,440 --> 00:05:24,840
output.

58
00:05:24,920 --> 00:05:30,810
That's what you've seen on the screen up to now, except that it displays less runtime information and warnings,
59
00:05:30,830 --> 00:05:38,520
since it is expected to be analyzed after the scan completes rather than interactively. Grepable output,

60
00:05:39,120 --> 00:05:43,800
which includes most information for each target host on a single line,

61
00:05:43,800 --> 00:05:48,610
so we can use it to collect the information you want using the excellent "grep" command.

62
00:05:48,630 --> 00:05:56,410
We've already seen a few examples of the grep command in this course. XML output is one of the most important

63
00:05:56,530 --> 00:06:02,080
output types, as it can be converted to HTML, easily parsed by programs such as Nmap graphical

64
00:06:02,080 --> 00:06:06,320
user interfaces, or imported into databases.

65
00:06:06,340 --> 00:06:14,680
There is one more magic parameter, which is -oA, to let you generate the outputs in all formats.

66
00:06:14,680 --> 00:06:17,370
Now let's see the Nmap output management in action.

67
00:06:18,980 --> 00:06:23,550
Go to Kali and open a terminal screen. Prepare an Nmap query.

68
00:06:23,710 --> 00:06:27,200
For this example I want to prepare a SYN scan.

69
00:06:27,410 --> 00:06:30,310
Now we are ready for the output management options.

70
00:06:30,410 --> 00:06:37,100
First I want to generate XML output using the -oX parameter.

71
00:06:37,430 --> 00:06:39,390
The -oX parameter needs the output file name.

72
00:06:39,650 --> 00:06:42,210
You can give the file name with the full path.

73
00:06:42,410 --> 00:06:48,920
If you don't specify a path, just as in this example, the file is created in the current folder.

74
00:06:50,150 --> 00:06:51,170
Be careful.

75
00:06:51,420 --> 00:06:57,020
The -oX, -oG and -oN parameters require the full filename.

76
00:06:57,050 --> 00:07:03,780
So if you want the file to have an extension such as ".xml", you should specify it here.

77
00:07:03,800 --> 00:07:04,850
Hit Enter to run the command,

78
00:07:05,600 --> 00:07:14,020
then "ls" to see the generated file. Here it is. And use the "less" command to see the content of the file.
79
00:07:14,370 --> 00:07:17,620
So it's a typical XML file with tags.

80
00:07:17,740 --> 00:07:26,350
Here a "host" tag starts and ends. All the results about a host are listed between the start tag and the

81
00:07:26,350 --> 00:07:32,760
end tag: IP address, scanned ports and, of course, the scan result.

82
00:07:32,770 --> 00:07:36,350
Here's another host tag and the scan results of the second host as well.

83
00:07:37,570 --> 00:07:41,470
Press "q" to quit the "less" command.

84
00:07:41,560 --> 00:07:46,350
Now let's call back our Nmap query with the up/down arrow keys of the keyboard.

85
00:07:47,190 --> 00:07:55,870
Now I want to generate all types of output: type -oA and the base name of the files.

86
00:07:55,950 --> 00:07:57,630
Be careful: the -oA

87
00:07:57,660 --> 00:08:04,380
parameter requires a base file name for the files, not the full name of a file, and it'll add the file

88
00:08:04,380 --> 00:08:06,750
extensions itself.

89
00:08:06,770 --> 00:08:12,510
Let's look at the content of the .nmap file using the less Linux command.

90
00:08:13,260 --> 00:08:16,090
This is almost the same as what you see on the screen.

91
00:08:16,290 --> 00:08:22,220
Now let's look at the grepable output. Here there are two lines for each host:

92
00:08:22,720 --> 00:08:27,670
one to show the status of the host and another one to show the port scan results.