1
00:00:00,210 --> 00:00:08,760
So a few lectures ago, we saw how we identify which ports are scanned. Now, in input management, we'll

2
00:00:08,760 --> 00:00:11,610
see how we identify which systems are scanned.

3
00:00:12,120 --> 00:00:14,730
OK, go to Kali and open a terminal window.

4
00:00:15,630 --> 00:00:17,610
First, I'll prepare an Nmap query.

5
00:00:17,940 --> 00:00:23,190
And because I'll play with the destination IPs, it will be the last parameter of my query.

6
00:00:24,310 --> 00:00:26,140
nmap is the command itself.

7
00:00:27,020 --> 00:00:34,140
-n to close name resolution, -Pn to close ping, -sS for a SYN scan.

8
00:00:34,580 --> 00:00:38,580
Now to keep it simple, let's scan just the top three ports.

9
00:00:38,990 --> 00:00:41,960
Now is the time to identify the destination systems.

10
00:00:42,980 --> 00:00:46,220
Up to now, we learned to scan a single IP.

11
00:00:47,060 --> 00:00:52,040
And we learned how to scan an entire C block, .0/24.

12
00:00:56,270 --> 00:00:59,900
OK, so what are the other ways of identifying target systems?

13
00:01:01,010 --> 00:01:06,740
You can select a range for any part of the IP address. In the slide, the third and the fourth parts of

14
00:01:06,740 --> 00:01:09,920
the IP address are given as ranges.

15
00:01:10,070 --> 00:01:17,090
That means Nmap will scan IPs from 192.168.1.0 to

16
00:01:17,090 --> 00:01:19,370
192.168.255.255.

17
00:01:20,330 --> 00:01:25,610
I'd like to keep the range small, so I'll only define a range for the fourth part of the destination address,

18
00:01:25,820 --> 00:01:27,950
from 100 to 150.

19
00:01:30,820 --> 00:01:37,120
There's only one machine between 172.16.99.100 and

20
00:01:37,360 --> 00:01:39,880
172.16.99.150.

21
00:01:41,890 --> 00:01:48,340
You can scan more than one IP block in a single query. For example, the slide scans two ranges. The

22
00:01:48,340 --> 00:01:55,210
first range is between 192.168.1.0 and

23
00:01:55,360 --> 00:01:56,470
192.168.1.255.

24
00:01:57,220 --> 00:02:03,030
And the second range is between 10.0.0.0 and

25
00:02:03,040 --> 00:02:04,900
10.0.255.

26
00:02:04,900 --> 00:02:06,040
255.

27
00:02:07,290 --> 00:02:11,520
Since I don't have a second network on my Kali, I continue with the third example.

28
00:02:12,520 --> 00:02:17,440
The third example is a combination of defining a range and a single number.

29
00:02:18,310 --> 00:02:26,140
For example, you can scan the IPs between 100 and 140, IP 206, and the IPs between

30
00:02:26,290 --> 00:02:29,200
220 and 230.

31
00:02:29,800 --> 00:02:30,940
So here are the results.

32
00:02:31,120 --> 00:02:34,840
Nmap found a machine from the range of 100 through 140.

33
00:02:36,260 --> 00:02:38,390
The machine with IP 206.

34
00:02:41,000 --> 00:02:45,360
And another machine from the range of 220 through 230.

35
00:02:45,590 --> 00:02:50,630
Another way to define the target systems is to give Nmap the IP addresses in a file.

36
00:02:51,490 --> 00:02:57,340
In a typical penetration test or ethical hacking, you will scan the network a lot of times.

37
00:02:57,880 --> 00:02:59,350
First you find the hosts.

38
00:02:59,410 --> 00:03:02,410
It doesn't make sense to scan the entire network again and again.

39
00:03:03,220 --> 00:03:04,480
You'll see huge networks.

40
00:03:04,720 --> 00:03:09,280
So if you scan the entire network each time, the pen test will take a lot longer than you think.

41
00:03:10,120 --> 00:03:16,900
Let's open a second terminal screen and find the hosts of our IP block using a ping scan, as we learned

42
00:03:16,900 --> 00:03:17,510
before.

43
00:03:17,950 --> 00:03:26,650
Now let's clarify the output to have only the IP addresses of live hosts: the grep command to get only the rows

44
00:03:26,650 --> 00:03:28,030
containing IP addresses.

45
00:03:33,270 --> 00:03:37,380
And the cut command to get only the IP addresses from a row.

46
00:03:41,730 --> 00:03:47,610
Now we can redirect the output into a text file to reuse the list in the following queries, but first

47
00:03:47,940 --> 00:03:49,400
let me close name resolution.

48
00:03:49,980 --> 00:03:54,840
Now put a greater-than character and give a file name to write the result:

49
00:03:55,260 --> 00:03:56,100
iplist

50
00:03:56,430 --> 00:03:57,330
.txt.

51
00:04:01,980 --> 00:04:06,810
We're not interested in the first two IP addresses, so let's edit the file and delete them.

52
00:04:07,140 --> 00:04:09,450
I use the nano text editor to edit the file.

53
00:04:10,980 --> 00:04:18,810
In nano, use Ctrl+K to delete a line, use Ctrl+X to exit nano, press Y to save changes,

54
00:04:19,140 --> 00:04:24,390
and hit Enter to save to the same file. Type cat iplist

55
00:04:24,750 --> 00:04:27,070
.txt to look at the file again.

56
00:04:27,450 --> 00:04:29,980
Now we have four IP addresses in the file.

57
00:04:30,660 --> 00:04:38,030
Let's create a new Nmap query, and this time let's give the destination systems in a file, iplist

58
00:04:38,040 --> 00:04:38,890
.txt.

59
00:04:40,320 --> 00:04:45,720
And here are the results of the four systems which are listed in the iplist.txt file.

60
00:04:46,930 --> 00:04:53,320
So let's talk about the output management in Nmap now. Up to now, we've run a lot of Nmap queries

61
00:04:53,320 --> 00:04:55,310
and got the results on the terminal screen.

62
00:04:55,600 --> 00:05:02,820
This is the default output behavior, called interactive output, and it is sent to standard output,

63
00:05:02,830 --> 00:05:09,460
stdout. In a penetration test, we should save the results of the queries to be able to analyze them later

64
00:05:09,460 --> 00:05:14,080
on. Hopefully, Nmap has its own output management skills.

65
00:05:14,980 --> 00:05:15,860
So let's have a look.

66
00:05:16,240 --> 00:05:19,450
There are three major output saving formats in Nmap.

67
00:05:20,340 --> 00:05:23,880
Normal output, which is similar to interactive output.

68
00:05:24,880 --> 00:05:30,290
That's what you have seen on the screen up to now, except that it displays less runtime information and

69
00:05:30,290 --> 00:05:36,130
warnings, since it is expected to be analyzed after the scan completes rather than interactively.

70
00:05:37,390 --> 00:05:44,560
Grepable output, which includes most information for a target host on a single line, so you can use it

71
00:05:44,560 --> 00:05:48,590
to collect the information you want using the excellent grep command.

72
00:05:48,610 --> 00:05:52,180
We've already seen a few examples of the grep command in this course.

73
00:05:53,470 --> 00:06:00,100
XML output is one of the most important output types, as it can be converted to HTML, easily parsed

74
00:06:00,100 --> 00:06:06,100
by programs such as Nmap graphical user interfaces, or imported into databases.

75
00:06:06,280 --> 00:06:13,840
There is one more magic parameter, which is -oA, to let you generate the outputs in all formats.

76
00:06:14,620 --> 00:06:17,290
Now let's see the Nmap output management in action.

77
00:06:18,980 --> 00:06:20,720
Go to Kali, open a terminal screen.

78
00:06:21,920 --> 00:06:24,440
Prepare an Nmap query. For this example,

79
00:06:24,590 --> 00:06:26,390
I want to prepare a SYN scan.

80
00:06:27,340 --> 00:06:29,560
Now we're ready for output management options.

81
00:06:30,400 --> 00:06:37,810
First, I want to generate the XML output using the -oX parameter. The -oX parameter needs

82
00:06:37,810 --> 00:06:38,950
the output filename.

83
00:06:39,580 --> 00:06:43,930
You can give the file name with a full path. If you don't specify a path,

84
00:06:43,930 --> 00:06:48,760
just as in this example, the file is created in the current folder.

85
00:06:50,110 --> 00:06:58,450
Be careful, the -oX and -oN parameters require the full file name, so if you want the file to have an

86
00:06:58,450 --> 00:07:04,600
extension such as .xml, you should specify it here. Hit Enter to run the command.

87
00:07:05,550 --> 00:07:07,170
Now let's see the generated file.

88
00:07:08,420 --> 00:07:16,250
Here it is, and use the less command to see the content of the file. So it's a typical XML file with

89
00:07:16,250 --> 00:07:16,790
tags.

90
00:07:17,700 --> 00:07:21,150
Here's a host tag; it starts and ends.

91
00:07:22,640 --> 00:07:29,060
All the results about a host are listed between the start tag and the end tag: IP address, scanned ports,

92
00:07:29,330 --> 00:07:31,730
and of course, the scan result.

93
00:07:32,700 --> 00:07:36,180
Here is another host tag, and the scan results of the second host as well.

94
00:07:37,500 --> 00:07:39,600
Press Q to quit the less command.

95
00:07:41,490 --> 00:07:46,240
Now, let's call back our Nmap query with the up arrow key of the keyboard.

96
00:07:47,130 --> 00:07:49,980
Now I want to generate all types of outputs.

97
00:07:51,860 --> 00:07:55,270
Type -oA and the base name of the files.

98
00:07:55,910 --> 00:08:02,450
Be careful, the -oA parameter requires the base file name of the files, not the full names of

99
00:08:02,450 --> 00:08:02,990
a file.

100
00:08:03,320 --> 00:08:05,540
And it will put the file extensions itself.

101
00:08:06,700 --> 00:08:12,340
Let's look at the content of the .nmap file using the less Linux command.

102
00:08:13,220 --> 00:08:15,870
This is almost the same as what you see on the screen.

103
00:08:16,220 --> 00:08:18,260
Now let's look at the grepable output.

104
00:08:19,830 --> 00:08:26,040
Here there are two lines for each host: one to show the status of the host and another one to show

105
00:08:26,040 --> 00:08:27,210
the port scan results.
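
Added example, not part of the lecture above: the filtering the lecture does by hand (grep and cut over a ping scan, then trimming the first entries) and a parser for the two-lines-per-host grepable output it describes, written as shell functions. The Nmap output, the 172.16.99.x addresses and the file name iplist.txt are constructed sample data so the functions run offline without nmap or a network; -sn, -n, -iL, -oA and --top-ports are real Nmap options, named only in comments.

```shell
#!/bin/sh
# Added example (not from the lecture). Constructed sample output stands in for
# running nmap, so everything here runs offline with grep, cut, tail and awk.

# Constructed normal output of a ping scan with name resolution off:
#   nmap -sn -n 172.16.99.0/24
PING_SCAN_OUTPUT='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for 172.16.99.1
Host is up (0.00021s latency).
Nmap scan report for 172.16.99.2
Host is up (0.00030s latency).
Nmap scan report for 172.16.99.100
Host is up (0.00045s latency).
Nmap scan report for 172.16.99.206
Host is up (0.00051s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.51 seconds'

# The lecture's pipeline: keep the "scan report" rows, then cut field 5.
# This only works because -n kept the address as the fifth word of the row.
live_ips() {
    printf '%s\n' "$PING_SCAN_OUTPUT" | grep 'Nmap scan report for' | cut -d ' ' -f 5
}

# Without -n a row reads "Nmap scan report for gw.lab (172.16.99.1)" and
# cut -f5 returns the hostname; matching the IPv4 shape instead avoids that.
live_ips_robust() {
    printf '%s\n' "$1" | grep 'Nmap scan report for' \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# drop_first N: discard the first N addresses (the lecture deletes two in nano).
drop_first() {
    tail -n +"$(( $1 + 1 ))"
}

# Constructed grepable (.gnmap) output, as written by:
#   nmap -sS -n --top-ports 3 -iL iplist.txt -oA scan
# Fields are tab separated; each host gets a Status line and a Ports line.
GNMAP=$( {
    printf '# Nmap 7.94 scan initiated as: nmap -sS -n --top-ports 3 -iL iplist.txt -oA scan\n'
    printf 'Host: 172.16.99.100 ()\tStatus: Up\n'
    printf 'Host: 172.16.99.100 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\n'
    printf 'Host: 172.16.99.206 ()\tStatus: Up\n'
    printf 'Host: 172.16.99.206 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 1.80 seconds\n'
} )
TAB=$(printf '\t')

# up_hosts GNMAP: addresses whose Status line says Up.
up_hosts() {
    printf '%s\n' "$1" | awk -F "$TAB" '$2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# open_ports GNMAP IP: "port/proto service" for each open port of IP, in Nmap's order.
# Each entry of the Ports field is port/state/proto/owner/service/rpcinfo/version/
open_ports() {
    printf '%s\n' "$1" | awk -F "$TAB" -v ip="$2" '
        $1 ~ ("^Host: " ip " ") && $2 ~ /^Ports: / {
            sub(/^Ports: /, "", $2)
            n = split($2, ports, /, /)
            for (i = 1; i <= n; i++) {
                split(ports[i], f, "/")
                if (f[2] == "open") print f[1] "/" f[3] " " f[5]
            }
        }'
}

# Usage mirroring the lecture's session (not executed here):
#   live_ips | drop_first 2 > iplist.txt
#   nmap -sS -n --top-ports 3 -iL iplist.txt -oA scan
#   open_ports "$(cat scan.gnmap)" 172.16.99.100
echo "Live hosts after dropping the first two:"
live_ips | drop_first 2
echo "Hosts up in the grepable output:"
up_hosts "$GNMAP"
echo "Open ports on 172.16.99.100:"
open_ports "$GNMAP" 172.16.99.100
```

The cut-based pipeline and the grep -oE variant are shown side by side because the lecture's cut -f5 depends on -n having been passed; once Nmap prints "hostname (address)", the field positions shift and the address has to be matched by shape instead.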

