﻿1
00:00:00,090 --> 00:00:07,440
‫Active scanning is done through sending multiple probe requests and recording the probe responses because

2
00:00:07,440 --> 00:00:13,890
‫passive scanners are limited to looking at existing traffic they suffer in terms of overall completeness

3
00:00:13,890 --> 00:00:14,730
‫and accuracy.

4
00:00:15,210 --> 00:00:21,960
‫For example, a passive scanner can't detect an application that no one ever uses, and it can be fooled

5
00:00:21,960 --> 00:00:26,910
‫easily by a system intentionally spewing out misinformation and disinformation.

6
00:00:28,320 --> 00:00:34,800
The tools seen on the slide are a few examples of active scanning tools. In this course we will examine

7
00:00:34,800 --> 00:00:38,130
the Nmap and Nessus tools in detail.

8
00:00:38,700 --> 00:00:40,800
hping is next: a command-line

9
00:00:40,800 --> 00:00:44,070
oriented TCP/IP packet assembler/analyzer.

10
00:00:45,500 --> 00:00:52,520
The interface is inspired by the ping(8) Unix command, but hping isn't only able to send ICMP

11
00:00:52,520 --> 00:00:53,480
echo requests.

12
00:00:54,440 --> 00:01:03,140
It supports TCP, UDP, ICMP and IP protocols, has a traceroute mode, the ability to send files between

13
00:01:03,140 --> 00:01:05,180
a covered channel and many other features.

14
00:01:06,340 --> 00:01:09,190
So, a subset of the stuff you can do using hping:

15
00:01:10,200 --> 00:01:16,980
Firewall testing, advanced port scanning, network testing using different protocols, TOS, fragmentation.

16
00:01:17,960 --> 00:01:24,470
Manual path MTU discovery, advanced traceroute under all the supported protocols, remote OS

17
00:01:24,470 --> 00:01:25,160
fingerprinting.

18
00:01:26,000 --> 00:01:27,320
Remote uptime guessing.

19
00:01:28,370 --> 00:01:31,130
And don't forget, TCP/IP stack auditing.

20
00:01:32,090 --> 00:01:38,210
hping can also be useful to students that are learning TCP/IP. Although it's a packet analyzer tool,

21
00:01:38,450 --> 00:01:45,590
it's widely used for DoS, denial of service, tests and attacks to create IP spoofed packets and send

22
00:01:45,590 --> 00:01:46,750
them to the target system.

23
00:01:48,060 --> 00:01:54,450
Let's see how we can use the hping command to scan the network. Simply go to Kali and open a terminal

24
00:01:54,450 --> 00:01:54,870
screen.

25
00:01:56,290 --> 00:02:00,890
hping3 is embedded into Kali and defined in the path, so you can use it anywhere

26
00:02:01,300 --> 00:02:04,060
just by typing the name of the command, hping3.

27
00:02:05,160 --> 00:02:11,550
Type hping3 -h or hping3 --help to see the detailed usage of the hping3 command.

28
00:02:13,680 --> 00:02:16,430
Let's look at a few parameters important for scanning mode.

29
00:02:18,020 --> 00:02:24,190
Under the Mode title, we have a scan mode, and the help shows a sample usage of the mode as well.

30
00:02:24,650 --> 00:02:29,900
We'll use the --scan or -8 parameter to use hping in scan mode.

31
00:02:30,900 --> 00:02:38,470
Under the TCP/UDP title, we have the parameters to set the flags of a TCP or UDP packet.

32
00:02:39,210 --> 00:02:42,730
Well, you'll see the flags and their meanings in this course in the following lectures.

33
00:02:42,750 --> 00:02:45,420
So just see the thing in action now.

34
00:02:47,220 --> 00:02:57,090
For example, the uppercase S or --syn parameter is used to set the SYN flag of a TCP or UDP packet.

35
00:02:58,170 --> 00:03:05,670
Let's prepare the command to make a network scan. The first parameter is --scan, to use scan mode.

36
00:03:06,740 --> 00:03:13,970
Here, we should say which ports we will scan. In this example, 0-500 means that the ports

37
00:03:13,970 --> 00:03:16,130
between 0 and 500 will be scanned.

38
00:03:16,970 --> 00:03:22,550
You can give a port range like this, with a dash between the lower bound and the upper bound, or you

39
00:03:22,550 --> 00:03:29,000
can give the ports one by one, separating them by a comma, or you can use a combination of these two.

40
00:03:30,300 --> 00:03:35,010
Now I want to set the SYN flag of the packet, because all TCP connections start with a SYN packet.

41
00:03:35,310 --> 00:03:40,440
Well, again, we'll show you how a TCP handshake is made later on in the following lectures.

42
00:03:41,700 --> 00:03:45,910
Here comes the IP address to scan. Hit enter to start the scan.

43
00:03:46,830 --> 00:03:55,350
Here we have the responding ports, and the flags column says what the reply is. We sent SYN packets

44
00:03:55,350 --> 00:03:57,410
and got SYN-ACK packets back.

45
00:03:57,830 --> 00:04:00,930
That means the ports are accessible and open to us.

46
00:04:01,920 --> 00:04:03,180
Now, let's make another scan.

47
00:04:04,300 --> 00:04:12,340
This time, I'll use uppercase X to make an Xmas scan. In this scan, the PUSH, URGENT and FIN flags

48
00:04:12,340 --> 00:04:16,030
are set in the packet, which is not seen in regular traffic.

49
00:04:18,340 --> 00:04:21,970
Since the packets they receive are not valid packets, they drop them

50
00:04:23,010 --> 00:04:24,840
and return no response.

51
00:04:26,400 --> 00:04:32,010
Although it's not the subject of our course, because it's a very common usage, I'd like to show you how

52
00:04:32,010 --> 00:04:37,920
to perform an IP spoofed DoS, or denial of service, attack using the hping tool.

53
00:04:39,120 --> 00:04:45,310
I'm going to attack my own server. First, I'll test if I can connect to the application.

54
00:04:46,240 --> 00:04:53,290
So open a terminal screen and ping the application that was a dot com.

55
00:04:54,230 --> 00:04:56,780
OK, I have a connection to the application.

56
00:04:57,790 --> 00:04:59,920
Open a browser and visit the website.

57
00:05:05,710 --> 00:05:09,250
Here I click a few links to show the response time of the server.

58
00:05:12,160 --> 00:05:16,570
Well, it's really fast; it responds as soon as I click on the links.

59
00:05:17,640 --> 00:05:21,390
Now, let's prepare the command to perform a DoS attack.

60
00:05:24,550 --> 00:05:27,220
The first parameter of the command is --flood.

61
00:05:30,040 --> 00:05:35,140
You know what, let's run hping3 --help in another terminal screen to see the meanings

62
00:05:35,140 --> 00:05:35,980
of the parameters.

63
00:05:40,690 --> 00:05:44,220
The --flood parameter is used to send packets as fast as possible.

64
00:05:45,370 --> 00:05:53,290
To make it a SYN flood attack, I set the SYN flag using that parameter. When I send the SYN packet,

65
00:05:53,290 --> 00:05:56,110
since it's a legitimate TCP handshake starter,

66
00:05:56,260 --> 00:06:01,150
the server will try to respond to all the packets at the start of the TCP communication.

67
00:06:01,870 --> 00:06:04,000
So the server will be very, very busy.

68
00:06:05,020 --> 00:06:10,540
-V opens verbose mode; that means we'd like to see the results of the sent packets.

69
00:06:12,970 --> 00:06:20,290
The next parameter is --rand-source. This parameter will randomize the source IP addresses as if they are

70
00:06:20,290 --> 00:06:22,300
requested by different systems.

71
00:06:22,990 --> 00:06:26,440
So the attack is a distributed denial of service now.

72
00:06:27,100 --> 00:06:31,900
And since the IP addresses are random, the victim doesn't know about you.

73
00:06:33,040 --> 00:06:35,170
And the target domain is the last parameter.

74
00:06:36,130 --> 00:06:39,360
Oh, by the way, the order of the parameters is not important.

75
00:06:40,710 --> 00:06:42,390
Hit enter to start the attack.

76
00:06:43,460 --> 00:06:50,360
Now, because we're in flood mode, there's no reply to show. Let's try to click a few links to see the response

77
00:06:50,360 --> 00:06:52,280
time of the server while it's under attack.

78
00:06:54,330 --> 00:06:54,960
Click a link.

79
00:06:56,000 --> 00:07:03,720
It's waiting, waiting, waiting. It's obviously slowed down; maybe our request will be timed out.

80
00:07:04,820 --> 00:07:08,270
So this is how a simple denial of service attack is performed.

81
00:07:09,560 --> 00:07:14,000
I'll stop the flood by stopping the run of the command using Ctrl+C.

82
00:07:15,250 --> 00:07:21,430
As you see, in less than a minute we sent more than a million SYN packets to the victim server. No

83
00:07:21,430 --> 00:07:25,650
packets were received, because we randomized the source IP addresses of the packets.

84
00:07:25,900 --> 00:07:28,750
That means the responses were sent to different IP addresses.

85
00:07:29,500 --> 00:07:34,210
This is why we didn't receive any packets. Since I stopped sending packets,

86
00:07:34,390 --> 00:07:37,600
the server is now responding in good time again.

87
00:07:38,490 --> 00:07:43,020
Now, let's repeat the attack while Wireshark is running to see what's happening under the hood.

88
00:07:44,060 --> 00:07:50,420
Start Wireshark. Since we're using the eth0 interface of Kali, I'll double click the eth0 on the

89
00:07:50,420 --> 00:07:54,530
home screen to start listening to the traffic passing through the eth0 interface.

90
00:07:55,880 --> 00:07:57,320
There are still some packets in the queue

91
00:07:57,320 --> 00:08:02,720
because of our previous attack. I restart capturing by pressing the green button at the upper left

92
00:08:02,720 --> 00:08:06,260
corner of Wireshark to clean the screen before the second attack.

93
00:08:07,360 --> 00:08:11,720
Continue without saving. OK, Wireshark is running and clean.

94
00:08:12,430 --> 00:08:13,870
We're ready to repeat the attack.

95
00:08:22,140 --> 00:08:28,110
You can see the number of packets at the bottom of Wireshark. As you see, we sent hundreds of thousands

96
00:08:28,110 --> 00:08:29,520
of packets in seconds.

