1
00:00:00,330 --> 00:00:07,770
In those Nmap lectures, we have seen no port scan, also known as ping scan, and different ways of scanning

2
00:00:07,770 --> 00:00:08,220
ports.

3
00:00:09,290 --> 00:00:18,500
SYN scan, also known as half-open scanning, TCP scan, also known as TCP connect scan, and UDP scan.

4
00:00:19,610 --> 00:00:23,750
Now, let's see some more details to be able to use Nmap more effectively.

5
00:00:24,970 --> 00:00:30,910
We have found the hosts and their open ports. Now it is time to find out the services which are listening

6
00:00:30,910 --> 00:00:33,880
on those ports and the versions of those services.

7
00:00:34,630 --> 00:00:38,770
In addition, let's detect the operating systems running on those systems.

8
00:00:39,720 --> 00:00:49,440
Suppose that you ran an Nmap query and it told you that ports 25/TCP, 80/TCP and 53/UDP are

9
00:00:49,470 --> 00:00:49,890
open.

10
00:00:50,850 --> 00:00:57,750
Using its nmap-services database of about 2,200 well-known services,

11
00:00:57,750 --> 00:01:04,890
Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP) and

12
00:01:04,890 --> 00:01:07,470
name server (DNS), respectively.

13
00:01:08,190 --> 00:01:09,940
This lookup is usually accurate.

14
00:01:10,500 --> 00:01:15,700
The vast majority of daemons listening on TCP port 25 are in fact mail servers.

15
00:01:16,440 --> 00:01:19,410
However, you should not bet your security on this.

16
00:01:20,480 --> 00:01:23,630
People can and do run services on strange ports.

17
00:01:25,100 --> 00:01:33,500
Even if Nmap is right and the hypothetical server above is running SMTP and DNS servers,

18
00:01:34,600 --> 00:01:36,670
that is not a lot of information.

19
00:01:37,710 --> 00:01:43,350
When doing vulnerability assessments, or even simple network inventories, of your companies or clients,

20
00:01:43,950 --> 00:01:48,180
you really want to know which mail and DNS servers and versions are running.

21
00:01:49,100 --> 00:01:54,560
Having an accurate version number helps dramatically in determining which exploits the server is vulnerable

22
00:01:54,560 --> 00:02:03,500
to. Version detection helps you obtain this information. After TCP and/or UDP ports are discovered using

23
00:02:03,500 --> 00:02:09,410
one of the other scan methods, version detection interrogates those ports to determine more about what

24
00:02:09,410 --> 00:02:10,550
is actually running.

25
00:02:10,730 --> 00:02:17,810
The nmap-service-probes database contains probes for querying various services and match expressions

26
00:02:17,810 --> 00:02:20,030
to recognize and parse responses.

27
00:02:20,570 --> 00:02:23,810
Nmap tries to determine the service protocol,

28
00:02:24,140 --> 00:02:28,370
for example FTP, SSH, telnet, HTTP,

29
00:02:29,390 --> 00:02:35,960
the application name, which could be ISC BIND, Apache httpd, Solaris telnetd,

30
00:02:36,970 --> 00:02:44,560
the version number, hostname, device type, something like a printer or a router, and the OS family, you

31
00:02:44,560 --> 00:02:46,530
know, that is Windows, Linux, et cetera.

32
00:02:47,710 --> 00:02:52,390
So let's see how to use service and version detection in Nmap and why it's important.

33
00:02:53,820 --> 00:02:56,340
OK, go to Kali and open a new terminal window.

34
00:02:56,880 --> 00:03:00,620
Let's create the Nmap scan command. nmap is the command itself.

35
00:03:02,170 --> 00:03:04,330
-n is to avoid the DNS resolution.

36
00:03:05,330 --> 00:03:09,770
-Pn is to avoid the host discovery. I'm using the SYN scan this time.

37
00:03:10,660 --> 00:03:16,870
All right, the destination IP, which is the IP address of my Metasploitable VM, and the destination

38
00:03:16,870 --> 00:03:19,150
ports, the top 10 ports.

39
00:03:19,720 --> 00:03:23,780
Let's run this command first to see the results of a command without version detection.

40
00:03:24,220 --> 00:03:27,730
Now I open a new terminal window to create a new Nmap command.

41
00:03:31,530 --> 00:03:33,750
I prepared the command with the same configuration.

42
00:03:35,860 --> 00:03:36,670
SYN scan.

43
00:03:37,650 --> 00:03:38,490
Metasploitable.

44
00:03:39,380 --> 00:03:40,700
And top 10 ports.

45
00:03:43,340 --> 00:03:49,010
I add the -sV parameter for version detection and hit enter.

46
00:03:49,960 --> 00:03:52,780
As you see, the query takes longer this time.

47
00:03:54,470 --> 00:04:00,560
The SYN scan without the version detection took less than a second and the SYN scan with version detection

48
00:04:00,560 --> 00:04:02,240
took about 12 seconds.

49
00:04:03,740 --> 00:04:09,110
In the first query, service names are estimated by Nmap according to the default service that is

50
00:04:09,110 --> 00:04:15,410
running on those ports. In the second query, on the other hand, Nmap probed the ports to determine

51
00:04:15,410 --> 00:04:18,140
more about what is actually running.

52
00:04:19,430 --> 00:04:25,680
Now, I want to show you the most important reason for using version detection in Nmap queries, and

53
00:04:26,000 --> 00:04:31,640
I'm going to run SSH on port 443 and then scan the port with Nmap.

54
00:04:32,460 --> 00:04:34,040
Let's perform the demo together.

55
00:04:35,020 --> 00:04:41,470
First, look at the listening services to see if SSH is running: netstat -tulp.

56
00:04:42,660 --> 00:04:45,630
As I see, SSH is running on port 22 at the moment.

57
00:04:46,790 --> 00:04:51,680
Type service ssh stop to stop the SSH service and hit enter.

58
00:04:53,420 --> 00:04:58,010
Now, to change the port of SSH, we're going to change the configuration.

59
00:04:58,970 --> 00:05:03,770
Open the sshd_config file with a text editor and change it.

60
00:05:05,070 --> 00:05:14,580
I use the nano text editor for this purpose. Type nano /etc/ssh/sshd_config

61
00:05:14,940 --> 00:05:20,520
and hit enter, find the Port line, and delete the sharp to make it a valid configuration line.

62
00:05:21,180 --> 00:05:23,280
The sharp was used to make it a comment line.

63
00:05:23,520 --> 00:05:31,290
Change the port number to 443, Ctrl+X to exit nano, Y to save changes, and hit enter to save

64
00:05:31,290 --> 00:05:32,550
over the existing file.

65
00:05:33,960 --> 00:05:38,340
Start SSH again using the service ssh start command.

66
00:05:40,540 --> 00:05:44,140
Look at the listening ports to double-check: netstat -tulp.

67
00:05:46,090 --> 00:05:54,190
SSH service is running on port 443 now. Let's scan port 443 of Kali with Nmap. Prepare the

68
00:05:54,190 --> 00:05:57,760
Nmap SYN scan command, no version detection for this query.

69
00:06:02,910 --> 00:06:11,550
Nmap detects that the port is open. Look at the service: Nmap says the service is https. Using its

70
00:06:11,550 --> 00:06:18,870
nmap-services database, Nmap reported that this port probably corresponds to a web server for https.

71
00:06:19,050 --> 00:06:20,760
And we know that's not true.

72
00:06:22,070 --> 00:06:29,720
So let's prepare the Nmap SYN scan again, but this time use the -sV parameter to run the version

73
00:06:29,720 --> 00:06:30,830
detection mechanism.

74
00:06:31,250 --> 00:06:39,800
Now, as you see, 443 is running and the service is SSH, not https. Version detection

75
00:06:40,220 --> 00:06:47,000
interrogated the port to determine more about what is actually running. Nmap queried the port using

76
00:06:47,000 --> 00:06:53,810
the probes of the nmap-service-probes database and matched expressions to recognize and parse responses.

77
00:06:54,650 --> 00:06:56,990
And the version of SSH is

78
00:06:56,990 --> 00:07:00,320
OpenSSH version 7.6p1.

79
00:07:00,470 --> 00:07:07,760
So if you are not 100 percent sure about the type of the running service on a port, run version detection.

80
00:07:08,090 --> 00:07:08,570
Got it.

81
00:07:08,840 --> 00:07:09,200
Good.

