Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

The next step in planning an attack is to enumerate the various ports, IP addresses, OSes, services, and software versions running within a target's environment. This is performed in order to uncover potential vulnerabilities which can then be exploited. Tools used in this step include NMAP, Armitage, and ZenMap.

Video Transcription

00:04
The next part of the hacker methodology is scanning. Scanning and enumeration kind of go hand in hand.
00:09
After you scan a network, you will use the map that you've created to send queries for vulnerabilities.
00:14
Scanning can be done with a tool like nmap to identify key areas.
00:19
Areas such as ports, IP addresses, operating systems and services, and the service versions of those services
00:27
that are running on the system. All of these are going to give you an accurate look at the network and
00:34
where you might be able to punch holes at,
00:37
and also where you might need to increase your security.
00:41
So let's take a look at scanning real quick.
00:51
All right, here we're on our Kali 2 box.
00:56
Pause for one moment. I have to start up my VMware Workstation
01:02
target.
01:14
I have to set the IP address
01:17
and then test the connection
02:23
to that one address.
02:39
All right, we have communication there,
02:46
and we're able to browse. All right, now, back to
02:51
Kali. Here we are in our Kali environment. So what we're gonna do is open our terminal.
02:54
And first we're gonna start up Armitage. Armitage is
02:59
a piece of software that can scan for us, and we're gonna start that up first because it takes a second to start up. We're gonna type armitage
03:09
and an ampersand to let it run in the background.
03:13
Now the process is started, and it takes a second to pop up,
03:19
and it's gonna give us this menu here, and we want to click Connect.
03:24
It's gonna ask us if we want to start the Metasploit RPC server. You're going to say yes,
03:30
and it's going to attempt to start it up
03:39
now.
03:42
The services were not started prior to starting it up. So what you're gonna do here
03:46
is you're gonna type service postgresql start
04:00
and start up that service. We're also going to start up the Metasploit service,
04:20
and it failed to start the Metasploit service because I don't have that service installed on here. So let's attempt
04:28
restarting Armitage again.
04:30
You hit Control-C
04:36
to get out of that,
04:40
start Armitage again,
04:46
and it's gonna ask us about the Metasploit server once more. You're gonna click Yes.
05:01
There we go.
05:04
It started the Metasploit service itself.
05:08
It started the Metasploit service itself there,
05:12
where it failed here, it was able to start up properly,
05:19
and you see it's running some processes there. So now with Armitage,
05:25
we do a scan with Armitage.
05:30
There's a lot of different things you can do here.
05:36
You go in, and
05:40
there's import hosts, add hosts. We're gonna
05:43
do an nmap scan,
05:46
and start an intense scan.
05:50
We're gonna do it on 192.168.1.10.
05:57
You click OK.
06:00
And now it's going to run through,
06:05
and it's performing an nmap scan,
06:16
and it has found the target,
06:19
and you can right click on it.
06:21
View the different types of logins that it found.
06:26
You click Services here and identify the services that were running.
06:32
You go over here, and
06:45
if you think it's a different operating system, you go over here, you can change what you think the operating system actually is,
06:51
and it changes the icon on there, but we know it is Linux,
06:56
so we set it back to Linux there.
07:00
If you had more items that you were scanning, it would create a nice little map here for you.
07:05
I have all the other virtual machines turned off, so right now we're just getting that one item,
07:12
and we will come back to
07:15
Armitage later on, when we get to the enumeration portion.
07:25
If you come over here,
07:28
we're able to see some further information here.
07:31
Armitage doesn't make that
07:33
information so pretty.
07:35
So let's check out nmap in a terminal by itself.
07:45
So we can also scan using nmap, so we're gonna do
07:47
nmap
07:48
-A for everything.
07:51
I'm gonna do 192.168.0,
07:56
sorry, 192.168.1.10.
08:03
Here we get a better look at the information than you get from Armitage. Armitage is nice because
08:09
of the things that you could do further with it
08:11
in the enumeration portion and exploitation portion.
08:16
So we will go back to that later on,
08:20
but
08:20
from nmap here
08:22
we're able to see the host is up.
08:26
We will see the ports that are open.
08:28
We're able to see what's running on the ports. So this has SSH running, and it's running OpenSSH version 5.5.
08:37
Here it says there's an Apache
08:39
server running.
08:41
Now, it has OpenLDAP running as well.
08:45
We get a MAC address from the device,
08:48
and then we get some information about the operating system itself, and also a traceroute that's performed.
08:54
So nmap is a fantastic tool for you to use to get information
08:58
about hosts that you may want to enumerate information about.
09:09
Another tool you can use is called Zenmap.
09:13
Zenmap is like Armitage, and it's like nmap. In fact, it actually uses nmap. However, it puts all the information into a
09:22
nice little consolidated format for you.
09:26
So I've got
09:28
our target list up here. I've already typed in a couple of different
09:33
networks here. We're gonna
09:35
go to our 192.168.0.14/24. You can manually type it in there,
09:43
and then you're gonna click Scan, and it's gonna run an intense scan.
09:48
Now, you are gonna see
09:50
a bunch of things saying host is down.
09:54
If you don't have a lot of things on your network, you're going to get that a lot.
09:58
And you're gonna see that, actually, here in a second on this video.
10:03
As you see there, all those hosts down came up,
10:20
and now it's scanning the 192.168.1.10, which is the
10:26
web server.
10:33
Come over here. We can see that it found 192.168.1.10 and 1.30.
10:39
Come up here,
10:41
click Ports/Hosts.
10:45
It wasn't able to find anything on the 1.30, and that's because it was a Kali box, and the Kali box blocks a lot of nmap scans.
10:52
We'll come up here and we see the web server,
10:56
and we're able to see the ports and hosts that are open. Go here to Topology,
11:01
and we can see a little
11:03
topology here. You can zoom in and zoom out using your wheel.
11:07
And if we had more devices on the network, it would show those additional devices on here all interconnected.
11:16
There's a couple different ways that you can view it. You can change different kinds of controls so you can
11:22
adjust how you want this network map to be viewed.
11:26
You come over here to Host Details.
11:28
Here we see on this Kali box that all the ports were closed: 1000 ports were closed in a scan of 1000 ports,
11:41
and that's because Kali filters that out. Come over here to the 1.10 and see that
11:46
1000 were scanned and 997
11:52
were closed.
11:58
You come down here and you get
12:01
TCP sequences. Any kind of comments that you might want to put in, you could put in there.
12:07
So
12:09
that is nmap. It's a fantastic little tool for you to use.
12:13
And you can also see the previous scans that you've done by clicking Scans.
12:20
Let us move on to enumeration.

Instructed By

Raymond Evans
Instructor