In this demonstration you're going to see how Nmap is used to conduct a network scan. Now for the Security+ exam you don't need to know how to run Nmap or all of the commands that I'm going to use inside this demonstration. You just need to be aware that Nmap is a tool that can be used to determine what hosts are on your network, so in that respect it's a network mapping tool, but it also can be used to determine what services are running on what open ports and what versions of those services are being run. Now in that respect, Nmap can be used as a vulnerability scanner as well. So let's move into the lab environment and watch as I show you a little of what Nmap can do for you as a security analyst, a vulnerability assessor, or even a pen tester in the future.

So now that we are in the command line environment, what are we going to do? Well, we first are going to want to find out which things on the 10.10.10.0 network are up and which ones are down, so we want to use a ping scan: Nmap dash SN and then the IP address. So for us that's 10.10.10.0/24.
It's going to go through and scan all 254 possible IPs and find which ones are up and which ones are down. Now it came back with four hosts. What are those four hosts? Well, the .1 is the router itself; it's the internal interface of the router. There is the .10, which is one of our servers, and the .11 and the .12, which are the other two servers. All we have at this point is knowing that those three servers are up and responding to ping. We have no other information. So we're going to want to take it a step further.

Let's go ahead and do a SYN scan, Nmap dash SS and then the IP address that we want to look at. But I'm going to combine that with port 80, so I want to figure out what web servers are being run out of this network. And then we're going to use the 10.10.10.0/24. Now as I scan away, it's going to check all of the 254 IPs again, and in this case we found there are four web servers responding. There's port 80 responding up as closed on the router. It is open on the LAMP server, the .10, it is open on the .11 which is Metasploitable 2, and it is open on .12 which is the Damn Vulnerable Web App.
So all three of my servers are running at least port 80. Now let's dig in deeper on one of those servers as we go further in our information gathering. Let's go ahead and do a SYN scan against the LAMP server, which is the .10. So, we're going to do Nmap dash SS and then 10.10.10.10, and we'll go ahead and search that, and you can see now that there are more than just the web server running, right? There are three services running on this server. There's an SSH server on port 22, there's the web server on port 80, and the web proxy on port 8080.

Now that we found those, what about the versions? What if I wanted to figure out what version of web server it was running on port 80? Well, how would we do that? Well, we're going to use Nmap dash SV and then the 10.10.10.10, and now if we run it you're going to see a little bit of a difference here. It's a little bit longer to run this, but instead of half a second, it's taking almost seven seconds. The difference here is that I get the versioning associated with each of those services.
So the same three services are up, but I found out that it's running some form of Linux and it's running Apache 2.4.18, which tells me that I could start associating vulnerabilities associated with that and attack this machine. Now it tells me Ubuntu Linux, but it doesn't tell me what version. What if I wanted to go deeper and figure out the version of this operating system? How would I do that? Well, it's not SV because that's the version for the service; instead it's dash O because it's for the operating system. So it's Nmap dash O and then 10.10.10.10. And then we'll go ahead and hit enter and away it goes, and it comes back in less than two seconds and tells me that it is Linux somewhere between version 3.2 and 4.6.

So let's go ahead and take it a step further. Let's combine some commands. Let's go ahead and do an Nmap scan for dash SS, we're also going to do dash SV for the versioning, and we're going to go ahead and add the dash O to get the operating system. I'm going to do that against 10.10.10.10 through 10.10.10.12, those three machines, and see what comes back.
Now you may have noticed that it keeps saying it's unable to determine any DNS servers. That's an error because I don't have this lab environment connected to the internet, so there's no DNS being resolved. It's not an issue because we're using IP addresses, but if I tried to do something like scanning Google.com right now it wouldn't be able to give me that answer back because it doesn't know what the IP address is for Google.

Now this scan is going to take a little bit longer, so I'm going to fast forward to when the scan comes back with the results. Now the results have come back; it took 140 seconds, so it took almost three minutes. So this has come back with a ton of information, so much so that it actually scrolled off my screen. So we're going to scroll back up to where I put in the command. So there we go, there's the command we put in: Nmap dash SS, a SYN scan, dash SV, versioning for the services, dash capital O for operating system versioning, and then 10.10.10.10 through 10.10.10.12.
Now the first one it comes back with is the results for 10.10.10., which shows that there are 997 closed ports, 'cause by default Nmap is going to scan the top 1,000 commonly opened ports. You'll notice here there were those same three ports that we found earlier, port 22, port 80 and port 8080, and you'll notice it tells us what version of SSH and what version of Apache is being run, and again the versioning of Linux is somewhere between 3.2 and 4.6, not very accurate.

Now if we look at the bottom of the screen, I'm going to scroll it up to the top here, this is the scan report for 10.10.10.11. Notice this one has a ton of open stuff; it only has 979 closed ports, which means that there are 21 open ports, and you'll see them all shown on the screen there. Things like FTP and SSH and Telnet and HTTP and RPC bind and port 139 and 445 for NetBIOS, which as I said is Samba for Windows file sharing between a Linux machine and a Windows machine. All of these different things with all of these different versions.
Now this is a great machine that we can target, because we have a lot of vulnerable apps on it, things like Apache 2.2.8. There are exploits that exist for that. There's VS FTPD 2.3.4 for the FTP service. That's a vulnerable version we can attack. There's Pro FTPD 1.3.1. There's MySQL, version 5.0.51, right? Lots of different pieces of information that we can use to then later exploit it.

Now it does say that one service was unrecognized even though it gave back data, and they weren't really sure what it was because there wasn't a valid fingerprint, and you could submit it to Nmap for them to try to figure it out better. If you know what the service is you could tell it, and then they can add that to the next version of Nmap. Then as we scroll down a little bit further, we'll go through that signature that they gave us, and you can see that the version of Linux here was again version 3.2 to version 4.6.
And so that again wasn't real helpful, and the reason why we're getting that wide range of operating systems is because this is all actually being run in a Docker environment, so they're all sharing the same operating system. This is a container based virtualization that we've talked about previously.

Now as I scroll on down, we're going to see the results for 10.10.10.12, and this one only has one port that's open, and it's running Apache version 2.4.10. So again, we can go and look for something that would be able to be exploited and go after that server using that.

So as you can see, Nmap has a ton of capabilities here. I only just scratched the surface of what Nmap can really do, but this is already much more than what you need to know for the Security+ exam. If you're interested in learning more about Nmap, you definitely will want to move up to the PenTest+ or CySA+ certifications in the future. Or you could take an entire course on Nmap itself, because honestly, there is so much more to learn about using this particular network mapping and vulnerability scanning tool.

(upbeat music)