1
00:00:01,290 --> 00:00:04,110
Ports and services on the web server.

2
00:00:05,370 --> 00:00:10,920
Web applications are generally served on ports 80 and 443.

3
00:00:12,110 --> 00:00:20,360
But they're not limited to just these port numbers. Port numbers are configurable, so it's not uncommon

4
00:00:20,360 --> 00:00:24,380
to see web applications served on a non-standard port such as 8080.

5
00:00:25,720 --> 00:00:34,090
OK, so basically a URL or an IP address will be provided to you if you start a penetration test,

6
00:00:35,200 --> 00:00:43,090
but sometimes, due to your contract, you may need to run a black-box testing approach with nothing.

7
00:00:44,280 --> 00:00:48,420
You wouldn't even have an IP or a URL to test.

8
00:00:49,960 --> 00:00:56,550
In both of these scenarios, you would need to identify and then map the target network at some level,

9
00:00:56,920 --> 00:01:01,450
so the first thing to do is to identify the target network with WHOIS.

10
00:01:02,840 --> 00:01:04,130
So we've already done that.

11
00:01:05,250 --> 00:01:07,860
The second thing to do is to map the network.

12
00:01:09,050 --> 00:01:10,810
And that's what we're going to do now.

13
00:01:11,700 --> 00:01:19,560
And we will use Kali; it's got a great tool in there to help us out: Nmap.

14
00:01:20,890 --> 00:01:24,310
So Nmap is short for Network Mapper.

15
00:01:25,550 --> 00:01:33,230
It's a powerful open-source network scanning tool, perfect for conducting reconnaissance and enumeration.

16
00:01:35,860 --> 00:01:42,520
So here we are going to benefit from Nmap. So now open up your terminal in Kali and type

17
00:01:42,520 --> 00:01:42,910
nmap.

18
00:01:44,550 --> 00:01:46,110
You can see there are a few options.

19
00:01:47,180 --> 00:01:49,310
And Nmap can perform many tasks.

20
00:01:50,180 --> 00:01:58,730
It can identify live hosts, scan TCP and UDP open ports, detect firewalls, get service versions

21
00:01:58,970 --> 00:02:04,770
running on remote hosts and even, with the use of scripts, find and exploit vulnerabilities.

22
00:02:05,750 --> 00:02:08,560
So why don't we just start with a basic scan?

23
00:02:09,260 --> 00:02:14,990
So at this point, let's assume I was given or I have found the target IP or URL.

24
00:02:15,950 --> 00:02:20,030
So I'm going to use bee-box's IP address in the examples.

25
00:02:21,160 --> 00:02:28,270
Simply type nmap 192.168.204.130 and hit Enter.

26
00:02:29,520 --> 00:02:31,260
And here is a basic scan.

27
00:02:32,290 --> 00:02:36,360
So Nmap will scan the target IP with its default options.

28
00:02:37,300 --> 00:02:42,850
And the result shows the open ports and the corresponding service names running on these ports.

29
00:02:45,640 --> 00:02:51,430
So now let's touch on some of these other parameters to perform a detailed scan.

30
00:02:53,200 --> 00:02:56,650
Now, Nmap has several approaches for scanning open ports.

31
00:02:57,640 --> 00:03:05,800
It sends raw network packets to several TCP or UDP ports of the target and checks to see if there's

32
00:03:05,800 --> 00:03:06,610
a response.

33
00:03:07,540 --> 00:03:12,550
And if there is, depending on the type of response, it will define the port

34
00:03:13,660 --> 00:03:20,800
as to whether it's open or not. And remember that HTTP uses TCP for transmitting packets.

35
00:03:21,770 --> 00:03:24,770
And Nmap will play with these packets.

36
00:03:25,780 --> 00:03:28,030
And then different scan types come up.

37
00:03:29,130 --> 00:03:33,000
So a regular TCP connection between

38
00:03:34,050 --> 00:03:37,350
two parties is called a three-way handshake.

39
00:03:38,130 --> 00:03:39,000
So first.

40
00:03:39,920 --> 00:03:49,210
A SYN flag reaches the destination, and then it sends the SYN-ACK flags back to the source, then the source

41
00:03:49,210 --> 00:03:53,710
sends back the ACK flag to start the data transmission.

42
00:03:54,930 --> 00:04:03,090
So this is the basic and fully qualified TCP connection, right? So type nmap

43
00:04:03,150 --> 00:04:07,050
192.168.204.130

44
00:04:07,170 --> 00:04:07,740
-sS.

45
00:04:09,090 --> 00:04:13,470
And the -sS parameter will do the SYN scan on the target.

46
00:04:15,150 --> 00:04:18,990
So that means Nmap will not complete the three-way handshake.

47
00:04:19,970 --> 00:04:24,950
It's not going to replace the last SYN packet with a reset packet.

48
00:04:26,510 --> 00:04:34,910
But the result is not going to be different than the first one, because the SYN scan is the default

49
00:04:35,120 --> 00:04:36,770
option for Nmap.

50
00:04:38,310 --> 00:04:45,570
Now, type nmap 192.168.204.130 -sT.

51
00:04:46,810 --> 00:04:51,250
And this is a TCP scan, if the -sT

52
00:04:51,250 --> 00:04:52,870
parameter is used.

53
00:04:53,820 --> 00:04:57,990
So that means Nmap completes the three-way handshake.

54
00:04:59,340 --> 00:05:04,260
And that way Nmap can actually connect to the target port.

55
00:05:05,590 --> 00:05:10,810
And then the connection is logged by the server, and the result is the same as the previous one.

56
00:05:11,830 --> 00:05:15,550
But it provides a more accurate state of the port.

57
00:05:17,220 --> 00:05:23,850
OK, so you can see Nmap is a really clever tool. At first it identifies the live hosts on the target

58
00:05:23,850 --> 00:05:27,420
network and then scans the hosts for open ports.

59
00:05:29,550 --> 00:05:37,260
So now let's type nmap 192.168.204.130 -sn.

60
00:05:39,000 --> 00:05:46,320
And with the flag -sn, you can force Nmap to check to see if the host is alive or not.

61
00:05:47,780 --> 00:05:50,540
And then, of course, the opposite is also possible.

62
00:05:51,820 --> 00:05:53,740
Change -sn to -Pn.

63
00:05:55,870 --> 00:06:00,190
And then this time Nmap will not check to see if the host is alive or not.

64
00:06:01,620 --> 00:06:04,380
It will only perform a port scan.

65
00:06:06,840 --> 00:06:13,650
OK, so now let's be a little bit more specific about these ports. So you can use the -p flag to

66
00:06:13,650 --> 00:06:17,850
define a port, a port list or a port range for Nmap to scan.

67
00:06:18,900 --> 00:06:23,610
So here, I'm going to give it ports 80 and 443.

68
00:06:25,230 --> 00:06:29,310
And of course, you can provide service names like http or https.

69
00:06:31,550 --> 00:06:35,030
This time, it will find the ports running these services.

70
00:06:36,140 --> 00:06:40,310
So if you want to scan all the ports, just put a dash after the -p.

71
00:06:41,670 --> 00:06:42,920
It's going to take a lot longer.

72
00:06:45,020 --> 00:06:50,690
But if you're not looking for a specific port, you can limit the number of ports by using --top-ports

73
00:06:50,870 --> 00:06:51,740
as a parameter.

74
00:06:54,060 --> 00:06:57,240
It will look for Nmap's top 100 ports.

75
00:07:00,070 --> 00:07:04,720
Now, if you only want the open ports, just add the --open parameter.

76
00:07:06,290 --> 00:07:07,670
Now, the closed port is gone.

77
00:07:10,330 --> 00:07:16,540
Also, you can add the --reason parameter to display the reason a port is in its particular state.

78
00:07:18,350 --> 00:07:25,790
So until now, we've got open ports and the names of the services, right? So thankfully Nmap can

79
00:07:25,790 --> 00:07:28,700
show the software versions running on the open ports.

80
00:07:30,110 --> 00:07:33,590
And just add the parameter -sV to detect versions.

81
00:07:35,700 --> 00:07:38,460
And it might take a little while to run this kind of scan.

82
00:07:40,450 --> 00:07:43,730
And here are the results with their version banners.

83
00:07:44,470 --> 00:07:49,720
So now you can look up these version numbers to see if they have vulnerabilities or not.

84
00:07:50,380 --> 00:07:57,220
And then the last thing that we'll do here is to determine the operating system running on the target

85
00:07:57,220 --> 00:07:57,610
host.

86
00:07:59,080 --> 00:08:03,070
So just add the parameter -O to the previous command.

87
00:08:04,360 --> 00:08:06,550
And this could also take a little more time.

88
00:08:09,060 --> 00:08:16,440
Nmap will analyze the information collected from the open ports and versions and guess the probable

89
00:08:16,440 --> 00:08:16,860
OS.

90
00:08:18,110 --> 00:08:25,640
You can also use Nmap scripts, and also you can compose your own script by using the Nmap Scripting

91
00:08:25,640 --> 00:08:26,160
Engine.

92
00:08:26,450 --> 00:08:32,160
So here are some script names that you can use to help you when you're doing penetration tests.

93
00:08:32,390 --> 00:08:37,250
I want to show you how to use them, but simply because I'm going to be using some other tools and techniques

94
00:08:37,250 --> 00:08:41,870
for the same purpose, using scripts is certainly not complicated, and

95
00:08:41,920 --> 00:08:43,760
I do advise you to use them.

