We've already covered the concept of a vulnerability assessment earlier in this course. Now you might remember that a vulnerability assessment is the baselining of your network, to assess the current security state of the computers, the servers, the network devices and the entire network in general. Now in this lesson, instead of focusing on the concept of a vulnerability assessment, we're instead going to focus on the types of tools that are used to conduct these assessments. Now this includes tools for network mapping, vulnerability scanning, network sniffing and password analysis. Network mapping tools are used for discovery and documentation of your physical and logical connectivity that exists within your network. By using these tools you can determine how the network is set up, how the data is going to flow over that network, and all sorts of other things like that. This is usually one of the first tools that's used when you conduct a vulnerability assessment, because you have to understand how all these different network connections are, so you can understand the vulnerabilities that are going to lie within the network.
Now there are a lot of commercial and free network mapping tools available. For the exam you don't need to know specific tools, but you should understand the concept of a network map. For example, SolarWinds is a very popular commercially available network mapping tool. As you can see here on the screen, it's going to search your network and create a graphical representation of it for you. A good open source and free option you can use is known as Zenmap. Zenmap is going to allow you to create a graphical topology of your network, as you can see here. Now when we covered our wireless lessons a few chapters ago, we also covered how wireless network mapping tools can be used to identify the hotspots that are in your network, and you can also see the coverage area that exists from those hotspots. This is another type of network mapping that can be done too. Now I've seen people who map out their networks using an old school method too, that's pen and paper.
That's right, they'll take pen and paper and create their network diagrams and figure out exactly how things are done by looking at the network manually. It doesn't matter what tool you use, as long as you understand what devices are on your network and how they're logically and physically connected. Once we have a good network map we can then dive deeper into our vulnerability assessment by using vulnerability scanning tools. A vulnerability scan is a technique that's going to be used to identify threats that exist on the network, but it doesn't exploit those threats. Now vulnerability scanners can vary greatly in their complexity and their level of detail. Some are very basic and only do a scan for open ports. Others can probe those open ports and determine the exact service and software that's being run by the server. Now, for example, Nmap is a port scanner that can perform a basic port scan or a more in-depth vulnerability scan of those ports once it finds one that's open. I'm going to show you that in a demonstration later on.
Now once you find these open ports, you can then identify the services and you can attempt to enumerate them to determine the exact version being run, any network shares that might exist, and you can get a list of all the user accounts on the machine and much more. So if I wanted to do this vulnerability scan manually, I can do that. I might use something like Netcat to open a port on a web server, like port 80, query it for its header information, as shown in this image, and then, based on that information, I can see what kind of server it is. Now notice here I sent the command of HTTP 1.1 to the server and the server didn't even understand that command, and so it sent back an error. And that's fine, because even in that error message I can see information about the server, specifically what type it is, in this case nginx, and the version it is, version 1.14.1. This is the concept of performing a banner grab. Banner grabbing is where you can manually enumerate a server to gain additional information and inventory the systems or services that it uses.
Now if I used a commercially available or more in-depth vulnerability scanning tool, I wouldn't have had to stop there. There are very complex vulnerability scanning suites out there, things like Nessus and Qualysguard, and these can scan for open ports, enumerate the services on those ports and then determine if a vulnerability exists on those services by checking if they've been patched for known exploits. I'm even going to show you a demonstration of this by using Nessus to scan a sample network and look at a server and a workstation on that network and determine which one is more vulnerable to attack than the other. Our next category of tools is known as network sniffers. Network sniffing is the process of finding and investigating other computers on the network by analyzing the active network traffic, or capturing the packets as they're going across the network for later analysis.
Network sniffing tools are also called packet sniffers or protocol analyzers, because all three of these can conduct the concept of packet capturing on the network, but a protocol analyzer has the ability to give you much more information than just a network sniffer or a packet sniffer does. With a protocol analyzer you can actually capture, reassemble and analyze those packets that have gone across the network, and look at them as packets, frames or even at the bit level. The most commonly used protocol analyzer is the open source program known as Wireshark. Wireshark is free, available on just about every operating system out there, and it is really, really powerful. For example, here you can see a packet capture that I was able to create in Wireshark of an FTP session. I was able to capture the communications going between a client and that server. In the top third of the screen you're going to see the packets in sequence, and currently we see packet one through packet 10, and we can do that as it goes all the way through the communication if I was going to scroll down through this list.
Now, as you can see, for each packet you can also see the time it was sent, the source who sent it, the destination that received it, what type of protocol was used during the transmission of it, the length of that packet and some information about the particular packet. In this case I have packet one selected. Now if we look at the middle panel inside Wireshark, this is where the packet can be viewed as a packet at layer three or layer four, the network layer or the transport layer, or be further broken down into layer two, the data link layer, where those network frames were captured. Now at the bottom portion of the screen you actually can see the hexadecimal representation of the binary code as it was sent at the physical layer of the OSI model across the network. Now as I said, Wireshark is truly powerful. Now, if you remember, earlier in the course I said FTP was insecure, right? Because it sends all of its data across the network without encryption.
Now if you remember that, I'm going to prove it to you at this point, because you're going to be able to see the entire conversation between the FTP server and the client inside this packet capture. If I right click on the packet and I click follow the stream, we get to see the raw data that was sent over the network in a human readable format. This is going to follow the stream and reconstruct the entire conversation, as you can see here. Notice the username and password can be seen here too, right? This is why encryption is needed for any communications that are going over your network. Because anything you send over the network can be seen by somebody who is sniffing it and doing a packet capture. So if you have confidential information, like usernames and passwords, you have to encrypt them before sending them across the network. The final category of tools that we're going to discuss is called password analysis tools, but that's a fairly large category that we have to cover, so I'm going to save that for its own lesson. Let's go to the lab environment first and see some demonstrations.