Ethical Hacking Crash Course: The Beginner's Guide (Hacking Lab, Reconnaissance, Scanning)

Captions
hey curious about the world of ethical hacking and looking to safeguard the Digital Universe or maybe you're an absolute beginner eager to learn more about becoming a top-notch security expert well brace yourself my friends because you're about to go from 0 to 60 in no time and here is why this is your ultimate Pit Stop reason number one you get to learn from Alexa with over half a decade of experience in the cyber security field Alexa isn't just any instructor he's a season penetration tester skilled in unveiling vulnerabilities across various company systems and even government infrastructures he is as professional as they come reason number two the Cyber Onslaught is real Believe It or Not 64% of companies have battled webbased attacks and in the wake of covid-19 cyber crimes have surged by 3 100% so yes this is an in demand field where you literally have Limitless opportunity reason number three your learning doesn't have to stop here this tutorial is actually part of Alexa's complete comprehensive ethical hacking boot camp course so once you finish watching this video make sure to check out his complete course where you'll learn about many more advanced topics like vulnerability analysis man inth the-middle attacks and even Build 12 hacking tools along the way one more thing if you're liking this tutorial and are finding it helpful please drop it a like it really helps us out and it shows us that you want us to keep creating great free content for you all right enough chitchat from me let me hand it over to Alexa so you can start your journey into The Adventurous world of ethical hacking [Music] enjoy welcome to the complete ethical hacking course in this course we will be covering everything you need to know as an ethical hacker from Theory to the Practical examples we will start with Basics first and the further we go in the course the more intermediate and advanced stuff we will cover knowing Theory and practicing different attack methods that we will learn 
will eventually make you a master in ethical hacking but wait wait a second we just started the course and I'm already talking about being a master in ethical hacking let's slow down a little bit it what even is ethical hacking and what does an ethical hacker do or you might also wonder can I get in trouble by doing this don't worry remember we are ethical hackers this means we are hired to hack into a network or a device or in general we want to find as many vulnerabilities inside the target system but not to do bad things things quite opposite we want to secure them an ethical hacker who is hard to find as many vulnerabilities in a certain system is also known as a white hat hacker now I mentioned a word system quite a few times by now what do I mean by finding vulnerabilities in a system well system can be anything it can be a network of multiple computers or it could be just one single computer it could also be some company server that they keep their important data on we could also be targeting a web page or a website a vulnerability on the other hand is anything that could allow someone to have an unauthorized access to that system we are there to discover them and secure them but why are we doing this well as you know there are the bad guys or also known as black hat hackers their goal is also to find vulnerabilities in the system but not to secure them instead they want to perform malicious activity once they gain access to that system that is difference between a white hat hacker and a blackhead hacker a whad hacker is there to find vulnerability notify the person that hired him and let him know of a possible authorized access you can think of us as a cyber police we are there to protect a blackhead hacker on the other hand is there to perform malicious activity such as stealing your data they could also try to steal your online money they could install a virus or a key logger on your PC and track everything that you do they can go as far as doing 
something like stealing your identity however the methods white hat and black head hackers use can be quite similar the difference is we as widad hackers must make sure that we have a permission to Target a certain system an example would go like this we get hired by a certain company that company could have a website different networks with computers inside the building where for example employees work it could also have large servers and databases holding important company data and as we already know our goal is to make sure that data is secured from cyber attacks that also employees and their machines are also in a secure network and that website doesn't have any bugs that could present a threat to that company how do we do all of this well we do it by attacking the company we act as a blackhead hacker would but with a different goal okay but here we come to another problem you might be wondering well how am I going to learn this or how am I going to practice this I just said that we need a permission to attack any system right well don't worry we will simulate all of these targets with the help of our home devices and also with the help of virtual machines it will be exactly the same just this way you won't be breaking any law while you practice since the targets that you will attack will be yours okay more about veral machines later right now I want to give you a small challenge one of the biggest online cyber attacks is something called fishing in most cases fishing is an act of blackhead hackers tricking you into entering some of your private data such as usernames and passwords into a web page that isn't to be trusted this is one of the ways how they steal online accounts let let me show you here I have two Twitter login pages one of these two that you can see right here is a fake login page and the other one is real let's take a quick look at them so let's take a look at first one here it is and if we take a look at the second one they appear to be exactly 
the same right have you figured out which one is real and which one is fake the first one that we saw is the fake login page while the second one right here is real one let's mention some of the obvious reasons why this page right here that you're looking at is a fake login page that can be used to steal your account even though they are identical at first glance if we take a closer look we can see it doesn't really have twitter.com as the website name instead we have some random IP address in our search tab and this is the biggest indication that this page is indeed a fake page and that you shouldn't enter any private information here the original page should be twitter.com another thing we can notice is that next to the website name on a real page we have this green lock right here and this green lock indicates that this is an htps page or in other words it is secured as it says right here secure connection usually fishing websites won't be htps and they won't have this green lock right here however these two can be forged in a more advanced fishing attack and just to compare our fake login page doesn't have this green lock if we click right here it says connection is not secure and even though many of you probably knew these things already if you were in a hurry and you got redirected to this fake login page you could potentially enter your password here and little do you know in just a few seconds your account has been compromised and stall out by the bad guys since the information that you enter right here on this page gets sent to them and not to twitter.com but don't worry if you aren't familiar with these type of attacks throughout the course we will learn not only how to secure ourselves from these attacks and how these attacks work but also we will learn how to perform the taxs themselves and by the way we also have a Discord Channel where we answer your questions so if you haven't already feel free to come and join us in Discord since that is where we 
notify everyone about any new course updates that will come out and that is also where you can reach out to us in case you run into any problem during the course nonetheless I welcome you once again and let's get straight into the course [Music] okay so what is a virtual machine this is something that I mentioned in the previous video but it is important for us to fully understand what it is I can just give you a definition and say veral machine is a machine within our physical computer that is using its Hardware resources but for most of you this will be a new term that you haven't really encountered before so I would like to explain it furthermore for you as well as mention why are we going to use it let me start like this all of us are running an operating system and 99.9% of us are running one of the three main operating systems you either have Windows Mac OS or Linux most of you will have Windows or Mac OS I doubt anyone will be running Linux but nonetheless these are the the three main ones but what if we wanted to run two different operating systems on the same machine can we do that for example let's say you have windows installed on your physical machine but you want to install Linux too or even better case you want to install five operating systems running on different virtual machines can you do that you can how would that work well picture it like this imagine these four lines representing our computer and we already know that any computer will have one of the three main operating systems Windows Mac OS or Linux but operating system is not the only thing defining our machine our machine also has its computer parts we have hard disk processor RAM memory motherboard and many more computer parts that with the operating system make our machine work these computer parts are also known as Hardware but wait a second Alexa why are you telling us this thought this was a lecture on explaining how veral machines work and not on Hardware components well hang on for 
just a second we're slowly getting there picture a veral machine to be this smaller rectangle within our physical machine which is this larger rectangle and let's imagine that our physical machine is running Windows operating system but if you took a look at this course content you would probably notice that we're going to be doing all of our hacking stuff over Linux does that mean that we must delete our windows and install Linux nope we will install Linux as a virtual machine and for this machine to work it will need to have access to our Hardware components what does this mean well since virtual machine will act as a machine of its own it must have its own computer parts and what we will do is we're going to borrow our physical machine's CPU power ram memory hard disk memory to our virtal machine so it can run just like our physical machine in other words we are splitting the power of our physical machine into two different machines or more if we decide that we want to create multiple veral machines does that mean that they will be slower since they will be splitting Hardware resources well technically yes but it will not be noticeable for us however the more powerful your PC is more verle machines it will be able to run effectively another reported thing is that once you shut down your virtal machine all of the hardware resources used by it will get freedb for your physical machine to use okay good but what are other benefits that we have if we create a veral machine well since we are hackers and we will be doing a lot of things and running a lot of programs on that veral machine we want to make sure that we're doing it first in a safe environment at least while we learn the good thing about fertile machines is that if for example our machine starts getting some unknowing error or we get locked out of our files or simply we delete a file that we shouldn't have deleted and it crashes our virtal machine but what if we for example get infected by a malware or 
virus by accident or we simply just install the wrong version of operating system which we don't need don't worry with two clicks we can delete the entire vertical machine with all of its files and it will have no effect on our physical machine then we can proceed to create a new one for as many times as we want we can also create something called a snapshot which will allow us to save the current state of a veral machine and with it we can revert it back to date State whenever we want this could be used if we for example run into some errors with our veral machine sounds cool right now that we know how veral machines work and why are we going to use one you must be wondering how can we create a veral machine actually this is pretty easy all we need are two things we need an operating system that we want to install in that machine and we also need something called virtualization software now what is this even though it sounds harsh saying virtualization software what it essentially is is a program that will allow our physical machine to borrow Hardware components to our vertual machine or we can also Define it as a program that will allow us to run multiple operating systems on a single host or a single machine so with these two combined we can create a virtal machine and in the next few lectures we're going to see exactly how to do that see you [Music] there before we actually proceed to creating our virtal machine that we will use for hacking I believe most of you are wondering why Linux why are we installing Linux operating system on a vertical machine can't we hack using Windows or Mac OS well yes we can but Linux is something far better for that so what are the benefits of using Linux first thing that's great about Linux is that it is an open source operating system this means that we can inspect the code of it and see how it is made and what programs or functions it runs it can be used for any type of work not only for hacking many programmers also use Linux 
many servers all around the world are running on Linux and another great thing about it is that most of the Linux this shows are free of cost maybe some of you have heard about Ubuntu Linux Mint or Debian well to use an updated Windows operating system you must pay for a license Linux on the other hand is free to download for anyone and not only that but it also due to it being an open source it allows the users of Linux to edit copy or distribute various aspects of Linux based operating system without violating any copyright law or terms and conditions this is one of the main reasons hackers use Linux because they can easily develop softwares used for hacking and penetration testing on Linux and they can change and edit the operating system for their needs it is also very light requires lesser disk space consumes lesser Ram in order to run so it can be easily ran alongside any other operating system like Windows and Mac OS and last but not least is that as we mentioned due to Linux being an open source and allowing anyone to change and interact with the operating system it allows people to create an operating system that will specifically be made for one purpose such as for example ethical hacking or penetration testing and Linux D thrs like this already exist there are Linux dros called Cal Linux parrot backtrack and others that are especially made for penetration testing and checking for security loopholes and all of them are widely being used by hackers and in this course we will be using C Linux one of the Linux distrs specially created for hackers and penetration testers what's great about it is that it automatically comes after installation with bunch of different tools used by P penetration testers for hacking and we're going to cover those tools and go step by step through them plus we will be installing tools created by other people and at the advanced parts of this course we'll be creating our own hacking tools how cool will that be so now that we know 
exactly which Linux this R are we going to install and what are the benefits of using Linux in the next video we can create our virtal hacking lab [Music] welcome back so we have talked about fertilization software and C Linux in the previous lecture and now is the time that we finally start creating our virtual machine now to do that remember we need two things we need the virtualization software and the operating system that we're going to install so for the virtualization software we will use veral box now to navigate to veral box page you can simply just type veral box in your Google search bar or you can simply just navigate to the link verb box.org once you navigate to that link it will open this page where you will be prompted to download the newest version of veral box which is currently 7.0 now the one that we use in the course is I believe 6.0 but feel free to download the new newest version at the point of you watching this tutorial if there is for example veral boox 7.2 feel free to download the newest version okay so to download it we simply click on this download veral box and we will have several options here depending on the operating system that our host machine is running now since I'm on Windows 11 I will click on Windows hosts but if you're on Linux you would go with Linux distributions for Intel Mac OS you would go for this but since I'm using Windows 11 I will click on Windows hosts now it will ask me where do I want to store this virtualbox installation file I already have it downloaded it's on my desktop but for you simply just save it wherever you want and click on Save right here once you have the virtual box installation file downloaded you want to navigate to C Linux official page to download the cinux operating system to do that once again simply just type kinix in your Google search bar or navigate to the website cali.org once we visit the website we will be prompted with a simple description of the kinix operating system so as it says 
right here C Linux is an open source Deion based Linux distribution geared towards various information security tasks such as penetration testing security res research computer forensics and reverse engineering if I simply click on download it will lead me to the download page for C Linux where we will have several different options that we can choose from now the one that we want to use for the course is the installer images the virtual machines one will work as well but if you want to have it exactly as we do in the course you want to go with installer images so I'm going to click on installer images and here we get the newest version which is C Linux 2023.2rpm three options which is 64-bit 32bit and apple silicon which is for M1 and M2 Chip for MacBook now since my host machine is Windows 11 64-bit I will select 64-bit and download this installer just by clicking on it it will open this window for you to download it I already have it downloaded same as virtual box I have it saved on my desktop but for you simply just click on Save and it will start downloading your kinix ISO image if you are on a 32-bit system you simply select 32-bit and for anyone using a Macbook on M1 and M2 Chip which is Apple silicon select here Apple silicon and select the installer image which will work on M1 and M2 Chip now one more thing for users that are on Apple silicon if you are using the MacBook with M1 or M2 Chip veral box will cause issues for you as you notice right here there is not Mac osm1 and2 chip installation package for virtal box so for you you want to navigate to get UTM DOA and you want to download the UTM which is a virtualization software for Mac this will work for you and it is rather simple to install and use now if you are on Intel Mac or if you have Intel processor in your MacBook feel free to go with a regular 64-bit installer image as everyone else so once again Windows users 64-bit or 32bit depending on your architecture Mac Intel users also use 64 or 32-bit 
installer image and M1 M2 Chip MacBook users navigate with apple silicon and download that image now if you for whatever reason want to download an older version of C Linux you can navigate to this web page which is all . cal.org navigate to base images and here you will have all the previous C Linux releases that you can download but I always do advise that you go with the newest version of K Linux at the point of you watching the tutorial okay so once you download these two files you should have this virtal box installer and you should have this C Linux ISO image in the next lecture we're going to take a look at how we can create our first veral machine with veral [Music] box welcome back just a quick update on the new cat Linux website okay so they have just changed the downloads section of this page and how they made it can be a little bit confusing so I'm just making a quick update video to explain which exact version should you download So once you navigate to the C Linux page navigate to the download section and this is the new design they separated different versions into different categories on this page now since we talked about virtal machines it might seem to you that we want to go to the virtal machines and download a version from here but not exactly for our course we want to go to the bare metal click on that and here we want to download the version accordingly we select 64bit or 32-bit depending on our machine since my machine is 64-bit I would go with the 64-bit version if you're running an apple M1 chip then you want to select this one since once again I'm running 64-bit I want to go 64-bit installer and it will download the ISO image on my desktop awesome that's all that I wanted to say and let's continue with the [Music] course [Music] welcome back so in the last lecture we downloaded our installer file for virtual box and we also downloaded the iso image for Cali Linux now it is time that we combine these two together in order to create our 
first veral machine but of course to do that we need to install veral box first with this installer file so double click on the veral box installer file it will require administrator privileges simply just input your admin password and it will open this window welcoming you to the virtal box now it says here the setup wizard will install Oracle VM veral box on your computer click next to continue or cancel to exit Setup Wizard we want to proceed so I'll just click on next here under the custom setup I personally won't be changing anything you don't need to change anything as well you might want to change location if you prefer a different location to this one but I do advise that you leave this location and that you just proceed to The Next Step by clicking next and here we got a warning that says installing Oracle VM virtual box networking feature will reset your network connection and temporarily disconnect you from the network now it's just a warning that says you might be disconnected from the network while installing virtual box now in my personal experience this has never happened but it might happen for you so if you're doing anything important over the network at the moment wait for that to finish and then proceed with the veral Box installation I'll just proceeded with the installation right now by clicking on next or on yes and it will tell me that there are certain missing dependencies now in order to install them you simply just click on yes and you click install to begin installation so I'll just click on install this shouldn't take too long it might take 30 seconds or up to a minute for installation to finish and once it finishes we will get this window prompted that says start Oracle VM veral box after installation want to click on finish and in just a few seconds here it is we get virtual box window open now in your case the window will not look like this I already have some virtual machines installed you won't have any of these machines installed 
on the left side your window will look something like this now it should welcome you to veral box but once again you won't have these machines installed or available on the left side but more about that later once we install the virtal machines for now on we're going to pretend as these don't exist and we're going to create our first veral machine so to create our first veral machine we want to click on this new button if I click on new it will open this window where it will ask me certain questions about the veral machine that I want to create the first question is name so I'll just call it Cali Linux 2023 I'll just leave it at that you can call it whatever you want you can simply just call it C Linux it doesn't matter now what matters is this ISO image here we want to select the ASO image of C Linux that we downloaded so since it says that it is is not selected I want to click on here I want to click on other and simply just navigate to where you have your catalinux ISO image saved in my personal case it is on desktop and here it is I'll just click it and click on open and you can see right here it selected a path to the iso image under type want to have it set to Linux and under the version if you remember from the kinix official page it said that it was Debian based operating system so ideally here we want to find Dean operating system which is right here we can see that it has bunch of versions but we can simply just choose the regular Debian 64bit now of course if you downloaded the 32bit kinix image if your host machine is 32-bit machine you can simply just use Debian 32-bit since I'm on Windows 11 64-bit machine I will select Debian 64-bit once we do that we can navigate to unattended install and there is nothing that we need to change right here we can proceed to hardware and here is where it gets a little bit tricky remember that they said that virtual machines will use your Hardware resources well here we need to allocate those Hardware resources here 
the first question that it asks us is the base memory or RAM memory that we want to give to our virtual machine now this will be different for everyone depending on what RAM memory or how many gigabyt of ram you have in my personal case I have 64 GB of RAM so I'll just allocate 4 GB of RAM to my virtual machine now if you have less than 16 I do advise that you lower this to 2 GB of RAM for example if you have 8 GB of RAM 2 GB of RAM for Cal Linux will be more than enough for it to run properly if you have 4 GB Ram then you can proceed with either 2 GB or you can even try l powering it to 1 GB of RAM but 2 GB will be ideal now once again I'll proceed with four and under the processors you can simply just leave it on one CPU core no matter how many CPU cores you have it will work just fine with one processor running for the VM now we go down to hard disk and here we want to allocate space for C Linux virtual machine now by default it will set it to 20 GB but that will not be enough you ideally want to have it between 30 and 40 GB of free space for the virtual machine I will leave it on 40 just like this this should be more than enough for the veral machine to run and all we have to do right now is click on finish and once you click on finish you will have your first veral machine added right here on the left side in my case here is the virtual machine that we just created C Linux 2023 if you click on it you can see all of its settings on the right side we can see that we allocated 4 GB of RAM right here we used Debian 64-bit operating system and you can see all the other settings that we used to create this veral machine okay awesome now that we created this virtal machine in the next lecture we're going to start it for the first time in order to install the operating system see you in the next lecture all right we have made a big step we have created our veral machine in the previous lecture all that we're left to do right now is to install the cinux operating 
system now it should be rather easy I will guide you through all the steps so let's start it straight away to start your VM simply just click on the VM you can either double click it or you can select it and click on this start button it will take a few seconds on the right you should see powering VM up and in just a few seconds this small window will open now the first thing that we see is this calex window asking us which type of installation do we want to proceed with now the two options that interest us are graphical install and install now since this window is quite small what I'm going to do is I'm going to click on view and I'm going to enter scaled mode which will enlarge this window a little bit now to enter scale mode you can simply just do what I did and to leave scale mode you use right control button and C so right control button and c will enter scale mode and it will also leave scale mode from here I can just enlarge this screen a little bit so we can see everything better and now we're good to go so I'm going to select graphical install I'm going to press enter and just a quick note inside the virtal machine during the installation your mouse will not work so make sure to navigate with arrow keys on your keyboard now this mostly refers to certain parts since at the beginning of the installation the mouse key will work but if you find it not working simply just use your arrow keys to navigate up and down and enter to continue to The Next Step so the first thing that we're prompted is to select a language and you can simply just select whichever language that you want I'm going to proceed with English and I'm going to press enter to continue same here the location you can find your country right here if you do not see it on the official list right here you can just click on other and select it from there now since this is not an important step I'm just going to proceed with United States and I'm going to click on continue and configuring the keyboard 
I'm going to select American English you can select whichever keyboard configuration that you want or you can proceed same way as me with American English keyboard let's click on continue it will perform a few steps so let's wait for it to get to the next step okay so here is the next question that we get asked and that is to configure the network please enter the host name for this system the host name is a single word that identifies your system to the network if you don't know what your host name should be consult your network administrator if you are setting up your own home network you can make something up here now since most of us are in our home network we can simply just make something up here so I'm just going to type Cali simple as that and I'm going to press continue we get one more configuration of network but this time it is domain name and here the domain name we can simply just leave empty so just delete whatever is inside this input bar and proceed to The Next Step okay so here is where we set up the full name for the new user on the Calin system and since we are hackers of course we're not going to use our full name we could just make something up here I'm going to call my new user Mr hacker now you can call your user whatever you want this is not that important step just make sure to remember it for later once you name your user click on continue and it will ask you to select the username for that new user I will just leave it as Mr hack right here and I will proceed to The Next Step the next step is giving the password to our new user so in the first field type in the password that you want your user to have I'll type it like this and if you want you can make sure that you typed it properly by clicking show password in clear here we want to re-enter the same password just to confirm it and fun fact make sure that you add a strong password because in the history many of the blackhead hackers have been caught by having weak passwords now of course 
we are not black hat hackers, we are white hat hackers, but we still want to have a strong password for our Kali Linux machine. So once again, once you type your password in and you confirm it, you can click on Continue. Here it asks us to configure the clock. I will proceed with Eastern; you can choose your time zone accordingly. I'll just proceed with Eastern.

And here we come to the partitioning of disks. Now, under this step, if you're a beginner simply just click on "Guided - use entire disk" and click on Continue. It will give you this one option, which is the hard disk that you created in the previous lecture. For me it is the 40 GB hard disk; for you it might be different, but just select it right here and click on Continue. Again, partitioning disks: here it says that this can be partitioned using one of several different schemes, and if you're unsure, choose the first one. Since we are beginners, and it does say right here "recommended for new users", let's select this one, which is "All files in one partition", and let's click on Continue. We want to select "Finish partitioning and write changes to disk" and click on Continue once again, and here we want to click on Yes and click on Continue. It finally finished partitioning our disks and it will start installing the base system for Kali Linux. Let's wait for the next step.

And after a minute or two, here is the next step: software selection. Now, ideally here you don't want to change anything; you can simply just leave it as it is, so let's go to Continue. After this step, this next step, which is selecting and installing software, can take some time, even up to an hour or in some cases over an hour, so just sit back and enjoy, grab a cup of coffee, and I will see you as soon as the next step pops up.

Okay, here we are at the next step. This installation took quite some time; for me personally it took about 15 to 20 minutes, for you it might have been more or less. Now, for anyone that might have encountered an issue during the last step or during the software
installation, double check that you have provided enough free space for the Kali Linux machine; make sure that you provided at least 30 GB of free space. Now, if you didn't encounter any error and you're at this step, it asks us whether we want to install the GRUB boot loader, and here is the simple explanation: "It seems that this new installation is the only operating system on this computer. If so, it should be safe to install the GRUB boot loader to your primary drive." Now, don't let this confuse you. Remember that this is a virtual machine and it doesn't know of any other operating systems other than Kali Linux. You might be wondering, "Well, it isn't the only operating system on this computer, I'm running Windows on my host machine", but this virtual machine does not know that; for it, this is the only operating system which we are currently installing. So since we're installing Kali Linux as a virtual machine, we can install the GRUB boot loader to our primary drive. Just select Yes here, or leave it at Yes because it's the default option, and click on Continue. It will ask us once again for the device for boot loader installation. We don't want to enter the device manually, so just navigate to the lower option, which is this one right here, and click on Continue. This will finish up the installation, and once the installation is done it should boot into our Kali Linux machine.

And here it notifies us: "Installation is complete, so it is time to boot into your new system. Make sure to remove any installation media so that you boot into the new system rather than restarting the installation." Now, since we don't have any installation media such as a CD or USB, we can simply just click on Continue, and this should open up our Kali Linux virtual machine. Let's wait a few seconds for it to boot up, and here it is, here is our login window. Now, at this point I will leave the scaled mode by pressing Right Ctrl and C, and you will notice that my window will get smaller, but this will be fixed in just a second. Let us first log in. My username,
if you remember, is mrhacker. For you, just type in your username and then type in the password that you used during the installation, click on Log In, and this will open the Kali Linux desktop. Now, to enlarge this window, usually all you need to do is simply just enlarge this window, lower it once again and enlarge it once again, but here is our first error: you might have noticed that my screen went black, and that can happen to you as well. Now, what I would do in this case is I would lower the screen, I would close the virtual machine, and I can do that by clicking on X and then clicking on "Power off the machine", navigating back to my VirtualBox, selecting my machine, navigating to Settings, navigating to Display settings, and under the video memory I want to enlarge this to, let's say, 80, and I want to click on OK. Now, if I start the VM again it will once again take a few seconds to boot up. Here is the login window once again, I'll type in my password, and now you see that my virtual machine went into full screen mode. Okay, awesome. Now, if you have encountered the same error of getting the black screen on your Kali Linux virtual machine, just remember: navigate to your virtual machine, navigate to Settings, navigate to Display settings and increase the video memory. This should fix the issue. All right, awesome, so this is our Kali Linux virtual machine. Looks quite cool, right? Here is the desktop, here are certain apps that we have, and we can find even more apps by clicking on this Kali Linux icon that says Applications. You can experiment and research a little bit if you want, but in the next lecture we're going to take a look at how we can set up the network settings for our Kali Linux virtual machine.

Welcome back. This is a quick little update video that we do every time a new release of Kali Linux comes out, and since today is 1st June 2023 we got a new release of Kali Linux, which is Kali Linux 2023.2 [...] are interesting for us or for the course, but nonetheless you can read about all the new things that are added, which are
summarized right here. If you want to read about any of these in detail, for example let's say you're interested in what new tools were added, you can click on "New Tools", which will lead you down the article, where you will see all the new tools that were added in this Kali Linux release. Now, to install or to download this release, you simply navigate to "Get Kali", installer images, and here you can download the 64-bit installer image, or if you're using an Apple silicon M1 or M2 chip, then you can simply select Apple silicon and download the installer like this. For all the other machines the 64-bit regular installer will be the way to go. Now, if you for some reason don't want to install the newest version, maybe you want to go with the one that we use in the course, you can always navigate to old.kali.org and then to base images, where you will find all the releases of Kali Linux, and you can choose whichever one you want to download. All right, now before we close off this lecture, let's also see what the new Kali Linux looks like, and it pretty much looks the same. Here it is: the display is rather the same as in the other Kali Linux releases, and all the tools that we use throughout the course are still in this release. Nonetheless, let's not make this any longer; once again, feel free to download whichever version you want. I do advise that you go with the latest Kali Linux version, but feel free to download the older version if that's what you prefer. Okay, thank you for watching and let's go straight into the next lecture.

All right, we got our hacking machine running and ready to use. Before we get to explaining all of the stuff you see on the screen, first we need to make sure our machine is working properly, so we'll just go through a few checks. The first check that we want to do is: is your machine in full screen mode? Now, in the previous tutorial I showed you what you can do to get it in full screen mode, and all you need to do is minimize this screen and maximize it once again
in case it already wasn't in full screen mode, and that is because the newest versions of Kali Linux automatically set your machine to be in full screen mode without installing any additional tools for that. Usually this trick should work, and if it didn't work and your machine is still not in full screen mode, then we need to install something called VirtualBox Guest Additions. I would advise all of you to do it even if you already have a full screen machine, because Guest Additions will not only help us with getting our machine to full screen, they will also make our machine run smoother and better. In previous versions of Kali Linux we always had to install VirtualBox Guest Additions to get full screen mode, so let us see how we can do that in the newest version as well. The first thing we need to do is go up here and click on Devices, then navigate down to "Insert Guest Additions CD image" and click on that. They should get imported, and in just a few seconds we should see a disc icon on our desktop. If we double click it, it will open a folder where we will see a bunch of files and other directories. Don't worry, we don't need to know what each of these files is or what they do; the only thing we need to remember is the path to where these files are, and up here we can see that these files are located at /media/cdrom0. So let us copy this: right click, Copy.

Now comes the fun part: we have to open something called the terminal, and the terminal is something that we will use for the entire course. It is the most important tool you need to master as a hacker, but for now just follow what I do and we will explain things as we go. To open a terminal, right click on your desktop and click on "Open Terminal Here". It will open this window where we can execute our commands, and once again, since the terminal is an important tool that you must master and learn from scratch, we will cover it in the next section in greater detail. For now we just want to install VirtualBox Guest Additions. The
first thing that we want to do is navigate to that path that we copied, and to do that using the terminal we must use a command called cd. This cd command stands for changing directories, and you can see that we are currently in the Desktop directory, which it says right here. To change the directory we type the cd command and then we paste the path where we want to go, so: cd /media/cdrom. Press Enter and you will see that in the next line we have changed directories to the desired folder. Now, to list all the files inside of this directory we need to type another command, which is called ls. What this command stands for is simply just listing the contents of the current directory, so you can just remember ls to be a short command for "list". If I press Enter here, we will see a bunch of files that are located in the current directory. These files are actually the files that we saw once we opened the VirtualBox Guest Additions disc; you can see these are the same files, right now we are just there inside of our terminal. And out of all of these files we must now run one of them. Can you guess which one? We know that we can't run the .exe files, since those are made for Windows systems and we are on a Linux system, but we can however run this one called VBoxLinuxAdditions.run. If you guessed that one, congrats, this is the one that we will run. To run it, we can use the command sh VBoxLinuxAdditions.run, and this sh is just a way for us to actually run this file, which we are also going to explain once we get to explaining the terminal in greater detail. For now, if we press Enter: hmm, "This program must be run with administrator privileges. Aborting". For now don't think about this and just run the following command: sudo sh VBoxLinuxAdditions.run. If we press Enter here, you should get a prompt like this asking you for your password. Type in your password, and keep in mind that even while you're typing you will not be able to see anything appear right here, which doesn't mean that you're not typing; you are typing, it just doesn't show anything inside of the terminal. Once you've typed in the password, press Enter and it will ask us whether we want to continue with the installation. We want to specify yes right here, and it will start the process of installing VirtualBox Guest Additions. Now, you will notice that this entire process will be performed automatically; we do not need to do anything anymore, this will install on its own. And don't worry if there is a part of this entire process that you did not understand, we will discuss all of these commands and tools later on. This installation right here will take a minute or two, so let us just wait for that to finish.

Okay, so it has finished, and we can see right here that it tells us "Running kernel modules will not be replaced until the system is restarted". What this simply means is that this installation will not have any effect until we reboot or restart our machine. There are two ways that we can do that: you can either go to the right corner right here, click on this and click on Restart, or you can do it the cool way using the terminal. So if I cancel here and go back to my terminal and type the command reboot, it will say "command not found", and if you get this message as well, what we want to do is type sudo and then once again reboot. Press Enter and this will restart our machine for us with just one command that we ran in the terminal.

Now we're ready to perform the second check, and the second check would be the internet connection. We want to see whether we can access the internet, and to check that we're going to use our terminal once again and we will try to ping Google. So let us open up our terminal; we already know how to do that, right click and then "Open Terminal Here", and
if we receive responses back from Google, that means we can access the internet. So let's check it out: type ping google.com, and here it is, we're getting responses back. Great, we can access the internet. To stop this we must press Ctrl+C, and as we can see right here, 21 packets transmitted, 21 received and 0% packet loss. But even though we can access the internet, I want to point one thing out. If we go to the settings of our virtual machine (we select the virtual machine, navigate to Settings, and from the Settings navigate to Network settings), we will notice that we're attached to NAT, and what NAT is is network address translation. This means that the IP address that our Kali Linux machine has will be given to us by VirtualBox. So if I go to my Kali Linux and in the terminal type sudo ifconfig, press Enter and enter my password, here we will see that we got the IP address 10.0.2.15, and this is the IP address given to us by VirtualBox. Since this can present a problem later on, we want our IP address to be received from our DHCP, or from our router. Before I show you how to do that, I want to point out why this could present a problem. Well, this IP address right here does not belong to the IP range of my local area network. If I go to my Windows machine and open up Command Prompt to check out the IP address on my physical machine, I can type right here ipconfig, and I will see right here that the IP address that my physical machine has starts with 192.168.1, and this is not the same IP range; the other one starts with 10.0.2. So I want to change this to start the same as my physical machine, with 192.168.1. To do that, my Kali Linux must receive its IP address from my router. And for all of you Mac users, you can also type ifconfig in the terminal on your Mac; basically, you can check the IP address of your Mac the same way that we did inside of our Kali Linux, by typing ifconfig. All we need to do to change this IP address is go to the Network settings and switch from NAT to Bridged Adapter. This will
automatically set my bridged adapter, and my adapter will be this one since this is the only one I have, and since I'm connecting over a cable connection I want to go to Advanced and check "Cable Connected" right here. You can select your adapter right here, and once you do, click on OK. Just one more thing before we click on OK: in case your wireless adapter is not working in Kali Linux, since there are some wireless adapters that are not supported by Kali Linux yet, keep in mind that the cable connection will always work, so if your wireless adapter doesn't work, just switch the adapter to the cable connection and then press OK. Now that we changed this, if I go back to my Kali Linux machine and run the same command, which is sudo ifconfig, now it starts with 192.168.1. Keep in mind that for you it might start differently; it doesn't have to start with these three numbers, it might be something like 192.168.0 or it might be something like 10.1.1 or 10.0.1, it depends on your network. So now we can see that both of these IP addresses are starting the same. Okay, great, now that we went through both of the checks, for full screen and network connection, in the next few lectures we can proceed to get more familiar with the Kali Linux environment and hacker terminology. See you there.

Welcome back. In the last lecture we talked about configuring our Kali Linux network settings to have an internet connection inside of our Kali Linux machine. Now let's see whether that is set properly, and in case it isn't, let's see what we can do to get network connectivity within our Kali Linux machine. So, a quick reminder: last lecture we selected our Kali Linux machine, we went to Settings, we went to Network settings and we chose Bridged Adapter for our Kali Linux machine. Now, to check whether that works we can once again type ifconfig inside of our terminal, which we can open by clicking on this icon right here, the terminal icon, and under the eth0 interface we should get our IPv4 address, which should
belong to our network's IP range. If you do get it, that's good; if you don't get it, or if you don't get any IP address at all right here, then we must change something. But before we do that, we also want to check whether we can ping, let's say, Google, or any IP address or any website whatsoever. As you can see, I'm receiving responses right here from Google, so that is good. I'm also getting an IPv4 address that belongs to my network range, so both of these things are good and I can proceed to the next lecture with the bridged adapter. If both of these also work for you, feel free to continue; you can skip the rest of this lecture and just move on to the next one. If your bridged adapter, however, is causing some issues, whether that being your IP not being present here or you not getting any packets back from Google or any other website or IP address, then we have to change our network settings. So go back to the VirtualBox window, select your virtual machine, or your Kali Linux machine, go to Settings, and there is another option that we can go with besides Bridged Adapter in case the bridged adapter doesn't work. So always go first with Bridged Adapter, but in case it doesn't work we want to go with NAT Network. Don't confuse it with NAT: we are not choosing just NAT, we want to choose NAT Network. Here you will notice that we don't have a NAT Network selected; that is because we haven't created one yet. But before we create it, let's just quickly explain what a NAT Network is. Essentially, a NAT Network allows us to have a separate network that our virtual machine will be connected to, and later on, once we create multiple virtual machines, we can put several different virtual machines onto the same NAT Network and they will be able to communicate with one another. If we just leave it on NAT, which is the default, then our virtual machine will most likely have an internet connection, but it will not be able to communicate with machines inside of our network. Okay, if we select NAT Network... let's click on Cancel first, so we can create it,
and to create the NAT Network we want to click on Tools, we want to click on Preferences, we want to go to Network, and here under NAT Networks we want to click on this plus sign, which will generate the NAT Network for us. If I double click it, it will also give us the information about the NAT Network, and if you want you can change certain things right here, such as whether you support IPv6 or whether you want to change the range of your network. The network name doesn't matter, it's all up to you. I will just leave all of this at the default and I will click on OK. I will also click on OK here, and all I have to do is go back to the settings of my Kali Linux virtual machine, go back to the Network settings and switch from Bridged Adapter to NAT Network, and now you will see that under the name we have our NAT Network selected. Once I click OK it will save the settings. I will now reboot my virtual machine; let's give it a restart. So here it is, our Kali Linux, or my Kali Linux, has rebooted, and now let's see whether we do get an IP address and whether we can ping websites from our Kali Linux. So first thing, we once again open the terminal by clicking here, and if I type ifconfig, now we get a different IP address, which is the IP address from the NAT Network right here, which is good. Yours might be different, just so you know, it doesn't have to be the same as mine. The second test that we perform is we ping Google, or we ping any other website or IP address, and we are getting responses back, so our NAT Network works properly. Okay, awesome, that will be all when configuring network settings. Now, two things to take away from this lecture and the previous lecture: if your network settings work well with the bridged adapter, then proceed with the bridged adapter, here and for any future virtual machine that we create throughout the course. If you have problems with the bridged adapter, whether that being not having an IP address, or not being able to browse in Firefox, or not being able to ping any website, then proceed
by going onto the NAT Network: configure the NAT Network, which we did from Tools and then Preferences, then select the NAT Network here, reboot your machine, and it should have the NAT Network's IP address as well as being able to ping different websites. The same thing should be applied for any future VM that we create throughout the course: if your Kali Linux is on the NAT Network, the other virtual machines should also be on the NAT Network in order for them to communicate. Nonetheless, thank you for watching and I will see you in the next lecture.

It is time we slowly start getting into the penetration testing process. For now we didn't yet perform any hacking, but we are getting there. It is important we get the basics first and that we know why we do everything, and trust me, later in the course we'll be doing some serious stuff and everything will make sense because we covered all the basics first and we didn't just jump into something without any preparation. So in this video we will be briefly talking about the stages of a penetration test: how does it go, in which order do we perform the steps, and which steps are crucial. For now, we got our virtual lab set up, we installed Kali Linux, and all the tools that hackers use are now available for us in our machine. We also performed some configuration on it to get it full screen, as well as performed the setup for the internet connection. From now on, the basic steps that we're going to do is we will use our Kali Linux machine to scan and attack different machines, networks, websites and accounts. But how are we going to do that? Do we just magically attack it, and do we just install a virus on their machine somehow, and if so, how do we do that? What about Trojans, password cracking or phishing, is that what we do? Well, that is just a small portion of a penetration test. The first thing, and the most important thing, before we even start the penetration test on a target is to figure out: do we have permission to attack this target? This is very important, since you
don't want to be attacking machines or target networks that you do not have permission to attack. It could be that the client told me to only test one machine on the network and not the entire network, therefore I'm only allowed to test that one machine, or it could be that our client has multiple networks and they only allowed us to test one of them; that means you should not go around and try to hack different machines on a different network. Now, these are only some of the examples, but what's important to get out of this is: always have permission to perform a penetration test. Trying to hack, or hacking, something that you are not allowed to hack could potentially get you into some serious trouble if you get caught.

Now that we got that out of the way, let us finally talk about the different stages of penetration testing. We already know that there are five of them, and the first one is reconnaissance, or information gathering. Now, reconnaissance is the act of gathering information about your target to better plan out your attack, and this type of penetration testing is the only one that you can perform on any website or target that you want, since gathering information about something is not illegal. There are two ways that we can go about doing information gathering: actively, by directly interacting with our target, or it can be done passively, without interacting with the target. A simple example of this would be: let's say you want to gather information on Facebook. You would do it actively by visiting the Facebook page and getting all the information that you can from the Facebook page itself, while passively it would be if you went on some other website that talks about Facebook and you got information about Facebook from that other website. This would mean you never interacted with Facebook, therefore you performed passive information gathering. After this step comes scanning, and here is where you can start getting in trouble if you do it without permission. Scanning is a deeper form of
information gathering, using technical tools to find openings in the target and in the systems that you're attacking. These openings can be gateways, open ports, the operating systems that the target runs, and so on and so on. In this step we also perform vulnerability scanning, which is just searching for vulnerable software in the target system or network that could possibly be exploited. After information gathering and scanning comes the third step, which is gaining access, or so-called exploitation, and this is the step where we actually hack the target. We use the information that we gathered in phase 1 and phase 2 to take control of any number of target devices. Gaining access to target devices allows us to steal data from their system or to use those devices to attack other devices on the same network. Usually after this step you can consider the penetration test to be successful, since you managed to gain access to a target system; however, this is not the last step of a penetration test. After exploitation comes maintaining access. This step, with the fifth step, is sometimes optional; you might not need to always perform the last two steps, since the client might only care whether their system is penetrable, therefore you prove to them it is after the third step, if there was a vulnerability, of course. However, maintaining access is also an important step, and it is commonly done by installing backdoors and planting rootkits. What backdoors and rootkits are are simply programs that will allow us to gain access to that target whenever we want without the need to exploit it again; we just connect to the backdoor that we planted in the target system and there it is, we are again on their machine. And the last step of a penetration test is covering tracks. Covering tracks is simply removing all evidence that an attack ever took place. This can involve deleting or hiding files, editing logs, or basically reverting any changes that you made to the system while the attack took place. Okay, so these five steps are the entire process of
a penetration test, and we're going to cover them in great detail throughout our course. Keep in mind that these steps should be performed in order, and one more important thing: in case you're a beginner, you might think that the third step, which is exploitation or gaining access, is the most important step of the process. Even though it is very important and crucial, the most important steps are actually information gathering and scanning. It is in these two steps that we gather information about the target and discover vulnerabilities, so if you're not that good at gathering information you might miss some things that could be used to gain access to the machine, therefore preventing you from finding an actual vulnerability. So just keep that in mind: information gathering is 70% of the work. Okay, good, so we talked a little about these phases, but before we get to perform each one of these steps we must first get a little familiar with our Kali Linux machine, so in the next few lectures we're going to get into the details of the terminal and some of the commands we can run and execute with it. See you there.

Welcome back. Here we are in our Kali Linux machine, and it is time we finally learn how to use that mysterious tool that is said to be the most important tool that we must master. Don't worry, the terminal is not difficult to use, but before we get to open it and run a bunch of commands, let us first define what the terminal is. So what is it? The terminal is a program that allows us to interact with the Linux operating system using different commands. We can create files, delete files, create directories, run programs, set different tasks to execute, and we can do many more things using it. It is important you get used to it, especially if you never used it before, because if you're coming from Windows or macOS you are probably used to opening files or folders by clicking on different icons and navigating like that. For example, on Windows we usually open files by double clicking on an icon and it will open that
folder, and on Linux we can actually do the same thing. So if I go right here and, for example, I want to open this Home folder, I will double click on that folder and it will open the folder with all the files inside of it. But we don't want to be doing it like that; let us see how we can do it using the terminal. So let us close this first, and we already know how to open the terminal: right click on the desktop and click "Open Terminal Here". The first thing that we notice is the username that we have right here and the hostname that we have right here, but we also notice this /Desktop. This means that our terminal process has opened inside of the Desktop directory. Does it always open there? Nope, it only opened there because we told it to open there; remember, we right clicked on the desktop and clicked "Open Terminal Here". If we, for example, went to the Home folder and right clicked here, "Open Terminal Here", hmm, it doesn't say /home like it did for the desktop, it just gives us this wavy sign, the tilde (~). Well, that sign in Linux means that you are in the home directory of your user, and our user is called mrhacker, so the directory name should be /home/mrhacker. To check the directory name we can type the command pwd. If we press Enter it will give us the current directory in which our terminal process is running, and it is /home/mrhacker. This pwd simply just stands for "print working directory". If we, for example, go to the folder once again, which is the /home/mrhacker folder, and we double click on Documents and try to open the terminal here, so "Open Terminal Here", this will open a second terminal and you will see right here that it says /Documents. But do we always need to go to that folder and open the terminal inside of that folder for it to be inside of this directory? Of course not; we can use a command called cd, and you should be familiar with this command since we already used it before. Let us test it out: let's go to the Documents directory from our home directory. So I will just close this second terminal, and right here
we are inside of our home directory, or /home/mrhacker. We know that inside of this directory there is a Documents directory, since we managed to open it right here, and to navigate to this directory using the terminal we can use the command cd and then the name of the directory, which is Documents. We press Enter and here it is, we are in the Documents directory. If we type pwd here, it will tell us the current working directory is /home/mrhacker/Documents. And, for example, if we wanted to go one step, or one directory, back, we can type the command cd and then two dots. What this command will do is go one directory back, and if I type pwd once again we will now be again in the /home/mrhacker directory. So these two dots tell the terminal to go one directory back. Okay, great, but how can we know which subdirectories and files are in the home directory? For example, we knew there was a Documents directory in the Home folder because we opened it right here; we didn't open it over the terminal, we opened it right here from our desktop. Once we open it again we can see all the folders and files inside of this /home/mrhacker directory, but we didn't see these files inside of our terminal. So how can we list them? How can we see all of these files using the terminal, so we know which directories are available inside of this /home/mrhacker directory? To check files and folders in any directory we can use another familiar command, which is ls, and the ls command stands for "list". So let's just test it out: if we type it and press Enter, here we are, we can see the same folders and the same files that we can see inside of this window right here. So what we did for now is we used the terminal; instead of clicking on a bunch of files, a bunch of icons, we are now doing all of that with our terminal. Now that we know which folders are in this directory, we can choose which folder we want to go to and use the cd command to go there. But let us go one directory back from /home/mrhacker; to do that, we already know we can type cd and then two
dots. And by the way, cd simply stands for change directory; I don't know if I mentioned that, but cd is change directory. Now we can see, once we went one directory back, we are in the /home directory. If we type ls here we can see here is our mrhacker directory that is containing these files right here. Since we went one step back we can only see the mrhacker directory, since this is the only folder inside of the /home directory. Let's go one more step back: if I type cd .. once again, now I'm in the / directory, and it is called the / directory because it is only specified as a forward slash. We cannot go further back than that; this is the main directory that has all of the other files and directories in the system. If we try to type cd .. once again, you will see it will still be in the / directory.

Remember when I told you during the Kali Linux installation that we will shortly see the /home, /tmp and /var directories that occurred in one of the installation questions? Well, if I type ls right here, here they are. These are all just standard Linux directories: here is /home, from which we came, here is /var and here is /tmp, and a bunch of other directories. From here you will notice that not all of it is the same color. This is because not all of the stuff we see here is the same thing: something is a directory, something is a file. For example, we cannot use the cd command on a file; we can only use cd to go to another directory. So if we try for example cd and I choose this file, so cd initrd.img
and press Enter, this will not work: it will give us an error saying "Not a directory". But if I type cd and then etc, for example, which is this directory, and press Enter, now I will be inside the /etc directory, and here I can type ls to list all of the files inside of the /etc directory. You will also notice that here we got a mixture of files and directories as well; directories are these dark blue names, while files can be other colors depending on the file type, usually they're white.

Okay, great, we learned the basics of navigating through the Linux system and directories using different commands. Now, before we finish this video, here is a practice test: try returning to the Desktop directory from this /etc directory using only the commands that we learned. I will give you right now a few seconds and then I will show you how to do it, so try it out.

Okay, don't worry if you didn't get it, this will come with practice. So here it is how we can do it: from the /etc directory we know that we must go back to the / directory, and in the / directory we got our home directory; we can check it out by typing ls. Inside of this home directory we know that we got the mrhacker directory, and the mrhacker directory has the Desktop directory. So to navigate there we can type cd home, type ls here, then type cd mrhacker, type ls here once again to check out all of the available directories, and cd Desktop, and now we are in our Desktop directory once again. Great, so practice a little bit with these commands; this is nothing really too hard, it just takes some practice and you will get used to it pretty soon. In the next video we're going to see how we can create files and folders using the terminal, as well as how we can run programs. See you there.

Okay, so we know how to find our way to the desired directory in the terminal, but what if we need to create a file or a subfolder in another directory? How can we do that? Well, first let's open up our terminal, and by the way, another way
that you can open a terminal, instead of right clicking and going Open Terminal Here, is going up here to this icon which says Terminal Emulator and clicking on it. By default this will be inside of your home directory, which we know to be this ~ sign, and if we type the pwd command we get the /home/mrhacker directory. We know that our Desktop directory is also inside of this directory, so let's go there: cd Desktop, press Enter, and now we are in the Desktop directory.

Let's get back to the files. To create a simple empty file we can use a command called touch. If I simply just type touch and then a file name, let's call it file1, and press Enter, this will create a file named file1 and it will have no contents inside of it. We can also see that file1 has been created, as it is right now on our desktop, since we created it inside of the /Desktop directory, and if we also type ls we can see that the file is in our Desktop directory. To make sure this file is indeed empty we can use the command cat, and this command, once executed on a file, writes out all the contents that are inside of that file. Let's try it out: so we specify cat and then file1, press Enter, and this will give no result, since, as we already mentioned, the touch command creates empty files. If we want to, for example, put something inside of that file we can use the command echo. You simply just type it like this: echo, and to put something you specify it after the echo, let's say "today is a really good day". So we specified an entire sentence, and all we need to do to put this sentence inside of this file is to specify this arrow to the right (>) and after it specify the name of the file that we want to put this sentence in. So echo today is a really good day into file1, press Enter, and if we cat it once again with the cat command, so cat file1, we will see that it now outputs exactly what we've written to that file using the echo command.

Okay, that's all good, but there is an easier and more practical way to do all of this: we can use a text
editor to write things inside of a file, and an easy text editor that we can run from the terminal is called nano. So let's try to do the same thing we just did using nano. If we type nano, after nano comes the name of the file that you want to edit, and since we want to edit a new file that we haven't created yet we can simply just type a name, let's call it file2, and press Enter. This will open this empty window where we can type anything we want; we can type file content here and it can be anything. We can type, for example, text here, but we could also type code if we wanted to. Let's start with text first; let's write just "hello world" as the text. To save this we press Ctrl+O, then Enter to save under this name, and then Ctrl+X to exit the nano editor. If we now type cat and then file2 (and by the way, we can notice that file2 has been created alongside file1 on our desktop), we can see the output of hello world. So we managed to do it using only one tool, which is nano, instead of using two tools, which are touch and echo.

But I also mentioned we can do the same thing with programs. For example, how can we create a Python program using nano and the terminal? First we need to open a file, so let's type nano and then file3.py
and in this case we add .py because that is the extension for Python programs. Then inside of it, after pressing Enter, we're going to write a simple command which is print and then "hello world" between the quotes, and you will see that some stuff changes colors. This is because the nano editor recognizes this as a Python program. What we did right here, in case you're not familiar with Python, is we just used a simple function that will print out the string that is in between the quotes, so this will just print out hello world. Let's save it with Ctrl+O, then press Enter, and then Ctrl+X to exit. Luckily for us Python is already installed in Kali Linux, so all we need to do to run this program is to type python3 and then the name of the file, file3.py, press Enter, and the program will execute; here it printed out hello world. Cool, right? You will also notice that the icon is different than these two icons; this is also, once again, because this is recognized as a Python program, it even has the Python icon.

Now that we know how to create files and execute Python programs, the next question would be how can we create directories. To create a directory we can use the command mkdir, which stands for make directory. To check it out let us run mkdir and name the directory folder, so press Enter, and if I type ls we will see that we got our files as well as a directory, which is a different color, and it is called folder. Remember, we differentiate them by color, and also if we try to change directory to the folder it will work; it will even give us the path of /Desktop/folder. Great, in that folder you can do pretty much anything you want: you can create subfolders or create files, whatever you want to do. To move, for example, our Python program from the Desktop directory to our folder directory we can use the command mv, which stands for move. We must first navigate back to the Desktop directory, so let's do it using cd and then two dots to go one directory back, and from it we run the command mv file3.py
into the folder. So we specify mv, then the second parameter is what we want to move, which in our case is file3.py, and the last parameter is where we want to move it; we want to move it inside of our folder. So press Enter here, and you will notice that file3.py disappeared from our Desktop directory. We can also check that by typing ls and notice that our Python program is no longer here, but if we go to the folder directory and type ls here we will see it here, because we moved it; here it is, file3.py. Now this is a handy command and you will use it a lot.

Besides moving a file, we also want to see how we can copy a file, and we can do it using the cp command. This does the exact same thing as the move command, but it doesn't move it from the original directory to the desired directory, it just copies it. So let's try to copy file3.py and call it file4.py: if I type cp, which stands for copy, file3.py, and I type file4.py right after it, this will create an exact copy of our file in the same directory. If I press Enter and type ls, here it is, we got file3.py and file4.py. If we want to check whether they are exactly the same, we can cat the content of file3.py and cat the content of file4.py, and we can see they're both the same Python program.

The last command that we want to cover regarding files is the command rm. This command deletes files and directories. Let's say we try to delete file4.py, which is our copy of our Python program; we can do it by typing rm and then file4.py. Now be careful with this command, since once you delete the file there is no trash bin where you can retrieve it, it is gone. If I press Enter and type ls you will see our file4.py is no longer there. Okay, but how do we delete a directory? Let's first create a directory inside of our folder directory, and to do that we type mkdir and let's call it folder2; folder2 is a subdirectory of our folder. If I type ls, here it is. And let's say we did create this directory by mistake and we want to delete it. Can we use rm
folder2? Well, we can try it. Hm, "cannot remove 'folder2'": it will tell us that it is a directory. So how do we delete it? Well, we'll remove it in the same way we remove files, we just add an option at the end of the command. So type rm folder2 and then at the end add a space and then -r, press Enter, and this will delete our directory. Also double check what you're deleting with this command, since if you go to our / directory, which is the directory containing all the folders and files of the system, and if we were to type for example in that directory rm, then this star sign (*), and then -r, this command would delete the entire Kali Linux machine with all of its files. So always pay attention to what exactly you are deleting in Linux and from which directory you are deleting, since inside of Linux you will not be stopped from deleting anything you want; you can easily delete a crucial file for the operating system and make your Kali Linux machine unworkable. That is also a reason why we are practicing with a virtual machine.

So let's, whoops, I actually ran this, and you will notice the result of this command: if I type ls now our folder is completely empty. So I actually ran this by mistake, and keep in mind, if I had actually run this from the / directory, which is our root directory, I would have deleted the entire Kali Linux system. For now it is okay, since I only deleted our Python program, so it is not a big deal.

Okay, great, we learned a bunch of commands in this lecture. Now I got a practice test for you that you can try to do for the next lecture: inside of our folder directory, since I deleted my Python program, I want you to create file3.py
once again. You can type anything you want inside of it; you can use the print hello world statement that we used. What I want you to do, using the commands you learned in this video, is to copy that file into the Desktop directory from our folder directory. So you create it inside of this directory, and I want you to copy it back to the Desktop directory. A hint is that it can be a little tricky once you copy a file from one directory to another directory. Anyways, just try it and we're going to see the solution in the next video.

Welcome back. Have you managed to figure out the command from the previous video? Don't worry if you haven't, since it was a tricky one. Let us see what the solution is. So if I navigate to my folder, which we created in the previous video, we wanted to copy our file3.py, which is our Python program, from the folder directory to the Desktop directory. If you tried to solve it but didn't manage to, you probably went with the command cp file3.py Desktop, and if I press Enter this command probably surprised you, since it created another folder, or pardon me, another file in the folder directory called Desktop. This is because it read our command as if we wanted to copy our file into another file in the same directory, and we called that file Desktop. This is just how the command works. In order to successfully copy the file to the Desktop directory we must run the command and specify the full path to the Desktop as well as the name of the copy that we want. So it would look something like this: first we're going to delete this Desktop file, since we don't need it, and then you specify cp file3.py and we specify the full path to the Desktop, which is /home/mrhacker and then /Desktop; after it we also want to specify a slash and type here the name that we want our copy to have, so let's just call it copy.py. We add .py since it is a Python program. Press Enter, and you will see right away that we got our copy.py on the desktop.
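Here is the whole set of file commands from this lecture run inside a throwaway directory, as an added example that is not part of the course: it reproduces the practice-test trap with cp (and the trailing-slash habit that turns the trap into an error), and it wraps rm -r in a guard that refuses anything outside the sandbox. The sandbox path, the file names and the file contents are all constructed; nothing on the real system is touched.

```shell
#!/bin/sh
# Added example (not from the course): the file commands from this lecture run
# inside a throwaway directory that stands in for /home/mrhacker, so nothing on
# the real system is touched. Every path, file name and content here is constructed.

# A fake home with Desktop/ and Desktop/folder/, mirroring the video's layout.
make_sandbox() {
    sb=$(mktemp -d)                 # stands in for /home/mrhacker
    mkdir -p "$sb/Desktop/folder"
    printf '%s\n' "$sb"
}

# touch creates an empty file, echo with '>' writes into it, cat reads it back.
write_and_read() {
    touch "$1/Desktop/file1"
    echo "today is a really good day" > "$1/Desktop/file1"
    cat "$1/Desktop/file1"
}

# mkdir makes a subdirectory, mv moves a file into it; plain rm refuses a directory.
dir_demo() {
    mkdir "$1/Desktop/folder/folder2"
    touch "$1/Desktop/file2"
    mv "$1/Desktop/file2" "$1/Desktop/folder/folder2/"   # trailing slash: must be a directory
    if rm "$1/Desktop/folder/folder2" 2>/dev/null; then echo "rm-ok"; else echo "rm-refused"; fi
}

# The Python program from the video (idempotent, so each cp demo can call it).
make_program() {
    printf 'print("hello world")\n' > "$1/Desktop/folder/file3.py"
}

# Defensive habit: a trailing slash on the destination makes cp fail instead of
# silently creating a file when the directory you meant does not exist there.
cp_with_slash() {
    make_program "$1"
    if ( cd "$1/Desktop/folder" && cp file3.py Desktop/ 2>/dev/null ); then echo "copied"; else echo "refused"; fi
}

# The practice-test trap: inside folder/ there is no Desktop directory, so
# 'cp file3.py Desktop' takes "Desktop" as the *name of the copy* and creates a
# regular file called Desktop next to file3.py.
cp_trap() {
    make_program "$1"
    ( cd "$1/Desktop/folder" && cp file3.py Desktop )
    if [ -f "$1/Desktop/folder/Desktop" ]; then echo "file"; else echo "other"; fi
}

# The fix: an absolute destination path plus the name the copy should get.
cp_fixed() {
    make_program "$1"
    ( cd "$1/Desktop/folder" && cp file3.py "$1/Desktop/copy.py" )
    if [ "$(cat "$1/Desktop/folder/file3.py")" = "$(cat "$1/Desktop/copy.py")" ]; then echo "same"; else echo "different"; fi
}

# rm -r deletes a directory tree with no undo, and 'rm * -r' from / would wipe the
# machine. This wrapper only removes absolute paths strictly inside the sandbox.
safe_rm_r() {
    case "$2" in
        */..|*/../*) echo "refused: '..' in path"; return 1 ;;
        "$1"/*) rm -r -- "$2" && echo "removed" ;;
        *) echo "refused: $2 is outside $1"; return 1 ;;
    esac
}

# Walk-through, printed when the script is run directly.
SB=$(make_sandbox)
echo "cat file1          -> $(write_and_read "$SB")"
echo "rm on a directory  -> $(dir_demo "$SB")"
echo "cp with slash      -> $(cp_with_slash "$SB")"
echo "cp without path    -> created a $(cp_trap "$SB") named Desktop"
echo "cp with full path  -> copies are $(cp_fixed "$SB")"
echo "rm -r /etc         -> $(safe_rm_r "$SB" /etc || true)"
echo "rm -r folder2      -> $(safe_rm_r "$SB" "$SB/Desktop/folder/folder2")"
rm -r -- "$SB"
```

Run it with sh. The trailing-slash form of cp (cp file3.py Desktop/) is the habit worth keeping: when the directory you meant is not there, cp reports an error instead of quietly creating a file called Desktop, which is exactly what the practice test tripped over.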
Now that we got that figured out, let us talk about a few network commands that we will use a lot throughout this course. The most important command we already know is ifconfig. We use the ifconfig command to get our IP address, and what the output of this command is, is all the network interfaces as well as the IP addresses corresponding to those interfaces. If I run ifconfig, oops, we get "command not found", so we must run sudo ifconfig, press Enter, then we enter our password, and here I have a few interfaces. So let me enlarge the terminal so we can see the entire output; let's just fully enlarge it and run the command once again. By the way, you can navigate to the previous commands using the up and down arrows, so I can navigate between all the commands that I ran previously, and here is sudo ifconfig. This is the output of my ifconfig command; for you this will probably be different. Here I have the eth0 interface, which is my cable connection, and it has an IP address of 192.168.1.2, and I can also see the loopback interface, which is this lo, which all of us should have, and it will have an IP address of 127.0.0.1, which is also the localhost IP. For this course we will usually be interested in this eth0 IP address. If you have another interface called differently, that is also fine; you could have a differently named interface if you for example are connecting over Wi-Fi. This IP address that we get right here is called the local IP address, which means it only works inside of our network, to communicate with other devices that are also inside of our network. There is also something called a public IP address, which we're going to talk about later in the course; for now just remember that ifconfig outputs the local IP address as well as our network interfaces. Another thing we can get from ifconfig is our MAC address for a specific interface, so for the eth0 interface here is my MAC address. What a MAC address is, is a unique identifier for every device. Unlike local IP addresses, which could be the
same in different networks (for example, there is a great possibility that you also have an IP address starting with 192.168.1), the MAC address is unique for every device in the world. In case you're new to all of this and don't have much previous experience with MAC addresses and IP addresses, you might be asking why we need both of them. Well, let me explain it like this: MAC addresses are unique and usable in communication with your neighbor machines, or simply with machines that are on your network, while IP addresses are used to communicate over the internet, and they can also change. Remember it like this: the MAC address tells you who you are, the IP address tells you where you are.

So that is the ifconfig command, and now that I think of this ifconfig command, there is one more important command that I didn't show you and that you will use a lot, which is sudo. Remember, we used it with ifconfig. Now sudo is not a part of the ifconfig command; it is just a command that we use once we want to execute something as the root user. Just to remind you, the root user is something like an administrator; it has the highest privileges above all other users, and with the root user you can execute any commands that you want. For example, once we ran this ifconfig command it told us the command doesn't exist; if I just type ifconfig once again it will say command not found, but after using sudo ifconfig we managed to execute it. That is because the ifconfig command must be run with root privileges in order for it to execute. Throughout this course we will encounter many programs and many commands that will require sudo in order to run, and sometimes there could be multiple commands at once that we must execute as the root user. There is one cool trick, so you don't have to type sudo before every command: at the beginning run sudo su. You press Enter, and if you're running sudo for the first time inside of one terminal session it will ask you for your password, and then it will log in
into the root terminal, so everything you run from now on you will run as the root account. Right now I no longer need to specify sudo ifconfig; I can just specify ifconfig and it will not tell me command not found, it will execute it, since I am the root user, as it says right here: it is no longer mrhacker, it is now root. If you want to exit out of this root terminal you simply just type exit and it will go back to your mrhacker terminal.

Now this can also be applied to files: some files might be created such that only a certain account can edit them. For example, if we run the command sudo touch file1, we press Enter, and if we for example type sudo nano file1, type here "hello there", Ctrl+O to save and then Ctrl+X to exit, we won't be able to edit this file as a normal user without the sudo command or without the root account. If I lower this terminal, here is our file1, and the reason why we can't edit it is because this actual file right now has been opened and edited with root privileges, and once we saved it we saved it as root. So right now, if I try to nano it, it will tell me "File is unwritable", which means I cannot write anything; well, I mean I can, but if I try to save it, it will tell me right here "Permission denied". So let's close this and open a terminal once again. However, if you go as the root account, sudo nano file1, and we type our password, now we can type anything we want. Just one second, it seems that we opened the wrong file; this is the file1 that we created in the previous video that says today is a really good day. To go to the file1 that the root account created, I believe it is one directory back. Or let's just go to the root user: press Enter, cd mrhacker, cd Desktop, cat file1. Never mind, since we cannot really find it, let us just create another file. Just make sure you go to the root account in the terminal and then type nano testfile, and once you type nano testfile, type here "hello there", save this, and exit the root account.
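Before looking at the desktop, here is the same "file is unwritable" situation at the command line, as an added example that is not from the course. Instead of a root-owned file it uses a constructed stand-in, a file our own user may only read (chmod 444), and shows the checks that tell you whether sudo is actually what is needed or whether a plain chmod will do.

```shell
#!/bin/sh
# Added example (not from the course): the "File is unwritable" / "Permission denied"
# situation reproduced without root. Instead of a root-owned file we create one that
# our own user may only read (chmod 444); the checks are the ones you would run on the
# real root-owned testfile. Paths and contents are constructed.

# A read-only file in a temp dir; prints its path.
make_readonly_file() {
    d=$(mktemp -d)
    printf 'hello there\n' > "$d/testfile"
    chmod 444 "$d/testfile"             # r--r--r--: no write bit for anyone
    printf '%s\n' "$d/testfile"
}

# The permission string as ls -l shows it, e.g. "-r--r--r--" (an extra '+' or '.'
# after it marks ACLs or an SELinux label, so only the first ten characters are kept).
perm_string() {
    ls -l "$1" | awk '{ print substr($1, 1, 10) }'
}

# Numeric owner uid (ls -n), so the check works even when the uid has no name.
who_owns() {
    ls -ln "$1" | awk '{ print $3 }'
}

# What an editor learns before opening the file: -w asks the kernel whether *this*
# user may write it. Root always gets "writable" here, because root bypasses the
# permission bits; that is why the video has to leave the root shell to see the lock.
writable_for_me() {
    if [ -w "$1" ]; then echo "writable"; else echo "read-only"; fi
}

# The failure nano reports at save time, reproduced with a redirect.
try_write() {
    if ( echo "another line" >> "$1" ) 2>/dev/null; then echo "written"; else echo "permission denied"; fi
}

# Decide between chmod and sudo: only a file owned by someone else needs root.
advice() {
    me=$(id -u)
    owner=$(who_owns "$1")
    if [ "$owner" = "$me" ]; then
        echo "owned by you (uid $me): fix with chmod u+w, no sudo needed"
    else
        echo "owned by uid $owner: edit with sudo or ask the owner"
    fi
}

# For a file that is ours, the fix is chmod, not sudo.
fix_and_write() {
    chmod u+w "$1" && try_write "$1"
}

# Walk-through when run directly.
F=$(make_readonly_file)
echo "ls -l      -> $(perm_string "$F") owner uid $(who_owns "$F")"
echo "-w test    -> $(writable_for_me "$F")"
echo "append     -> $(try_write "$F")"
echo "advice     -> $(advice "$F")"
echo "chmod u+w  -> $(fix_and_write "$F")"
rm -r -- "$(dirname "$F")"
```

The point of the owner check is the one the video makes the hard way: the lock on testfile is there because root owns it, so sudo (or the owner) is the only way to edit it, whereas a file that is yours but read-only just needs its write bit back.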
If I lower the terminal now, we will see this testfile right here on our desktop, but it also has this lock right here; this means we as a normal user cannot edit this file. We first need to go to the Desktop directory, so let's go to mrhacker and then Desktop, and if we nano testfile it will tell us once again "File is unwritable"; only the root account can edit it. This is something you will encounter a lot, so it is really important: next time you see either something like command not found, or a write-protected file, or "this requires root privileges", just know that it needs to be run with sudo.

All righty, so with this we finished our small crash course for Linux. I would advise you to practice a little bit with the commands we learned and also explore the Kali Linux operating system a little bit: go to different directories, see what it all has, but be careful not to delete some important files. Okay, now we're ready to finally go into the process of penetration testing. Hopefully you are excited, since this is where the fun starts. Let us see how to perform the first phase, which is information gathering. See you there.

Welcome back. It is time we learn in detail what information gathering is and how we can perform it. We already know that information gathering is the first step in penetration testing, and it is the act of gathering data about our target. It can be any type of data that we might find useful for the future attack, and if you remember, there are two types of information gathering: we got active information gathering and passive information gathering. We talked briefly about them, but now it is time to fully explain what both of them are. So let's start with active information gathering. In active information gathering we use our Kali Linux machine and we try to get as much data, or as much information, about our target while interacting with them. It could be a target website that we need to test, so we need to find as many things about it as we can, or it could also be a network that we're
testing, or perhaps an entire company. The main point is that with active information gathering we directly get that data from the target. This could mean directly exchanging packets with the target by visiting and enumerating their website, or it could also mean talking to an employee that works there; we could maybe call them over a mobile phone to try to get them to tell us something important, but this part is also considered social engineering. Nonetheless, any action where you exchange something with the target is active information gathering. This can be legal to an extent: if you start performing some advanced scans or OS fingerprinting on the target you most likely won't get in trouble, but you should still not do it without permission. It is important to mention that usually active information gathering will provide us with much more important data than passive information gathering, since we are directly interacting with the target.

On the other hand we got passive information gathering, and it is similar: we got our Kali Linux machine and our target, but we also have an intermediate system, or what I like to call a middle source. What this middle source is, well, basically it could be anything from a search engine to a website; it could also be a person, but what matters is that the information we get is going through that middle source. For example, if we want to find out something about a certain target and we Google that target to find some pages that contain information about it, this is considered passive information gathering.

Okay, good, but what are the goals of this? What exactly are we searching for? Which information could be of value to us? Usually the first thing we search for to identify a target is their IP address, or IP addresses if the target has multiple addresses that belong to them; this could be for example a company that has servers and buildings all around the world. If we were to test this company we would also be interested in their employees too. For
example, we would want to gather their emails, which could be useful for a future attack to gain access to that company, or we could possibly want to gather their phone numbers, which could also be useful. But most importantly, and what we're mainly interested in, are the technologies that the target has. If it was a company we would want to know how many networks they have, what software is running on their machines, what operating systems they have. If it was a website we would also want to know how that website was built, which programming languages it has: does it have JavaScript or PHP, for example? Just one piece of software on one machine that is outdated, or that has a known vulnerability that could be exploited, is our way in. So now that we know what we're looking for during this first step, it is time we see what tools and programs we can use to find out as much information as possible about our target. Let's do it.

Welcome back. Since this is our first video in information gathering we're going to start off with something easy: let us see how we can identify our target and get its IP address. We're going to check how we can do this both actively and passively. Let's do it with active information gathering first, so this means we're going to interact with our target. So just go on Google and pick a website that you want to use for this; it can be any website that you want, and you can also use the ones that I will show in this video. First open up your terminal, and for the first test I'm going to use this website; this is just some university page that I picked. What we can do to get its IP address is to ping it. Most of you will already be familiar with the ping tool, since it is installed by default on any operating system. By pinging this website, or any other website, we're sending something called ICMP packets to that website, and if we get responses back that means that the website is up and running. But what we also get, besides that response, is the IP address.
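As an added example that is not part of the course, here are small parsers for what the network commands in this section actually print: ifconfig from earlier, ping, and the nslookup command that comes next. They run over constructed sample output (every address below is a placeholder), pull out the eth0 IP and MAC address, tell a host that resolves but filters ICMP apart from one that answers, and separate your own resolver from the real answer in nslookup output.

```shell
#!/bin/sh
# Added example (not from the course): small parsers for the output of ifconfig,
# ping and nslookup. The command outputs are constructed samples in the layout that
# Kali's net-tools ifconfig, iputils ping and nslookup print; every address
# (192.168.1.x, 203.0.113.x, 08:00:27:...) is a placeholder, not a real target.

SAMPLE_IFCONFIG='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 08:00:27:ab:cd:ef  txqueuelen 1000  (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)'

SAMPLE_PING_FILTERED='PING example.edu (203.0.113.10) 56(84) bytes of data.

--- example.edu ping statistics ---
32 packets transmitted, 0 received, 100% packet loss, time 31745ms'

SAMPLE_PING_OK='PING example.com (203.0.113.20) 56(84) bytes of data.
64 bytes from 203.0.113.20: icmp_seq=1 ttl=56 time=12.3 ms
64 bytes from 203.0.113.20: icmp_seq=2 ttl=56 time=12.1 ms

--- example.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms'

SAMPLE_NSLOOKUP='Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   example.edu
Address: 203.0.113.10'

# ifconfig -> one "name ip mac" line per interface ("-" where absent, as for lo).
# An interface block starts with its name followed by a colon in column 1.
parse_ifconfig() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]+:/ { if (name != "") print name, ip, mac
                      name = $1; sub(/:$/, "", name); ip = "-"; mac = "-" }
        $1 == "inet"  { ip = $2 }
        $1 == "ether" { mac = $2 }
        END { if (name != "") print name, ip, mac }'
}

# The local IP of one interface, e.g. the eth0 address the course keeps using.
iface_ip() {
    parse_ifconfig "$1" | awk -v want="$2" '$1 == want { print $2 }'
}

# ping -> "ip loss verdict". The resolved IP sits on the first line even when nothing
# answers; 100% loss only proves that no echo reply arrived, not that the host is down.
ping_verdict() {
    printf '%s\n' "$1" | awk '
        NR == 1 { ip = $3; gsub(/[()]/, "", ip) }
        /packet loss/ { for (i = 1; i <= NF; i++) if ($i ~ /%$/) { loss = $i; sub(/%/, "", loss) } }
        END { v = (loss + 0 == 100) ? "resolved-but-no-icmp-reply" : "responding"
              print ip, loss, v }'
}

# nslookup -> the target address(es). The first Server/Address pair is your own
# resolver (the router in the video), not the target; the answer follows "Name:".
nslookup_answer() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address:/ { print $2 }'
}

# Walk-through when run directly.
parse_ifconfig "$SAMPLE_IFCONFIG"
echo "eth0 local IP: $(iface_ip "$SAMPLE_IFCONFIG" eth0)"
ping_verdict "$SAMPLE_PING_FILTERED"
ping_verdict "$SAMPLE_PING_OK"
echo "nslookup answer: $(nslookup_answer "$SAMPLE_NSLOOKUP")"
```

To use the parsers on live output, pipe the real command in the same way, for example ping_verdict "$(ping -c 4 host 2>&1)", and keep the verdict wording in mind when you write the report: "no ICMP reply" is an observation, "host is down" is a conclusion you cannot draw from ping alone.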
Let's try it out. I will leave this link right here and I will just add ping and a space at the beginning, then hit Enter. It seems that we're not getting any responses back, but what we did get is an IP address; here it is. We are not getting responses back from this site because it is probably blocking ping probes, which some websites often do. Let us try another site to see how it looks once we get responses back. To stop this you can simply just press Ctrl+C, and it will tell us 32 packets transmitted and 100% packet loss. Now this doesn't mean that this website is offline, since if we visited this link right here, or this IP address, we would open a page of that website. But just in case, let us see how it looks once we get the response back from the ping command. If we try to ping a big website, for example like Facebook, so let's type ping facebook.com, here we get an IP address of Facebook, and we can Ctrl+C, since we can notice that we are getting packets back, which means Facebook is up and running and also responding to our ICMP packets. Just to note, this IP address right here is just one of the IP addresses that Facebook uses, so for you, once you ping it, you will probably get a different result.

Okay, what we saw right here is an example of active information gathering to get the IP address, since we directly sent packets to these websites. Another tool you can use to get an IP from a website is called nslookup. So if I go down here and type nslookup and then the name of the website, which in our case, let's try with the first one, is this one (and once again you can test any website you want with this, it doesn't matter), and if I press Enter it will give me this response which says Server and Address right here. But this is not the IP address of this website; this is just my router. Where the result, or where the IP address of this website is, is down here, here it is. If we compare this one and we go back to the ping command you will notice the IP address is the
same, so we got the same result, which is good. Let's try the same with Facebook: just type right here nslookup facebook.com, and we also get the IP address of Facebook.

Now, if you wanted to do this passively, you would search for this information, such as the IP address, over some other website. Let us see how we can do that. First of all we want to open our Firefox, and to do that just click on this Kali Linux icon in the top left corner and type Firefox; you should see Firefox ESR, click on it. What we're going to look for is a website that provides us with the IP address of a different website, and since I don't know any website that does that, I will simply just go right here in the search bar and type "what is the IP address of this website". If I press Enter it should give me a few results of different websites that will do exactly what we want, which is get the IP address of another website. Let's go with this one, IP Checker (ipinfo doino). If I click on it, down here we see something that says IP Domain Checker; we need to specify the IP address, the domain or the URL, and if we type the domain name of that first website, so if I type the same domain name and click right here on Check, okay, some security check, "select all traffic lights", let's select all the traffic lights that we see. Here is the result, and you will notice that right here we get even more information than we asked for. For example, here is the IP address of this website; we also get which country it is from, as it says right here in the brackets, and we also get its geolocation, which says even the city; we can also check it out on Google Maps if we wanted to. Down here we get even more information, such as reverse DNS; here we get information about the registration date, modification date, expiration date; down here we get some of the DNS servers, and here we get its physical address, so this is the exact location where this server is located. Now this is just the same result. I believe down here we also get some
email addresses, as we can notice right here. All of this could be useful for us depending on which type of attack we would plan. Now of course we're not going to be attacking this website, since we do not have permission; we're simply just gathering information to see what we can retrieve from the internet about this website, and for now we're getting a bunch of information about it.

Now, a similar response to the one that we got right here we can get using a tool called whois. whois not only gives us the IP address of the specified domain, but it also gives us a bunch of other information about that domain. It is already installed in Kali Linux, so let's test it out: if I close this page and type in my terminal whois and the same domain name, press Enter, I will pretty much get the same information that I saw previously on that website. As we can see right here we get those DNS servers, the registration date, modification date, expiration date; we get the physical address and some other things such as ID number, tax ID, which is not really of interest to us. Let us also test this tool on Facebook, since different websites might give different information. For example, if I do the same on Facebook, since it is a much bigger site it will probably give us much more information as well. So let's type whois facebook.com, press Enter, let me just enlarge the terminal so we can see everything clearly, and if I scroll all the way up we get some name servers, Tech Street, city, state/province, postal code; we also get some phone numbers right here; here are some of the email addresses, for the tech email, so we get another email address right here and even more phone numbers; we get the city, the street. If I go all the way up we can see that this is a whois response, so all of this information is public to us. This would be pretty much it, this is all the information we get for Facebook using the whois tool.

By the way, in real penetration tests that you will perform, all of the interesting information is
something that you want to write down in your report. For now we only saw how we can get basic information, such as IP addresses, country of origin, physical address and similar, but later during information gathering and scanning we might find something that shouldn't be out there on the internet, and that would be called information disclosure. It is something that the client doesn't want to be seen but that is still publicly available, so anything that you might think is interesting, you would write down. Okay, great, now we know how we can identify a target by getting its IP address, and also getting its physical address and some other interesting information as well. Even though this isn't really hard information to get, it is a good beginning. Let us see in the next video what else we can find out.

Welcome back. Now we're going to discuss a tool called whatweb. This tool is used to gather information and to scan any website on the internet, so it is primarily used to scan websites, since this tool recognizes web technologies including web servers, embedded devices, JavaScript libraries and many more things. They explain it really well on the website page for this tool, so we can read right here about all the details that this tool has. We can notice they have over 1,700 plugins, each one of them used to recognize something different, so they use these plugins to perform the scan on the website and discover what technologies that website runs. What is important for us is this second paragraph, since down here it tells us that the default level of aggression, called stealthy, is the fastest and requires only one HTTP request of a website. Now, what this simply means is that this whatweb tool has different levels for scanning, and the default level is the level of aggression called stealthy, which we can use on any website that we want. The other levels of scanning are more aggressive and should only be performed during penetration tests, so we should not use the more aggressive scans on
the websites that we do not have permission to scan. We can, however, use the stealthy scan on any website that we want on the internet. And don't worry, we are going to see all of these options in just a second; for now it's good that we know what we can or cannot do. So let's test this tool out in our Kali Linux. To do it, open up your terminal, and to check out all of the options we have with whatweb you can simply type whatweb in your terminal and press Enter. This will give you a smaller help menu with some of the basic features that whatweb has. As we can see, we can specify targets, which can be anything from URLs, hostnames or IP addresses. Here is that aggression level, which we specify like this: there is aggression level 1, which is stealthy, and aggression level 3, which is aggressive. The default level is level 1, which is good to notice, so we don't want to change this if we scan a random website on the internet. We can also list all of the plugins that it uses, but we are not currently interested in this, and we can also have verbose output, but these are just some of the options for the whatweb tool. To get even more available options with whatweb we can type the command whatweb --help and press Enter, and this will give us a much larger help menu with all of the possible options that we can use for whatweb. Down here is the aggression level, and we can see that besides the stealthy level that we're going to use on random websites, and besides the aggressive scan that you would use in a penetration test, there is an even more aggressive scan called heavy, and it says right here: makes a lot of HTTP requests per target; URLs from all plugins are attempted. So this is basically the deepest scan that the whatweb tool can perform on a website. Up here are also the targets, so we specify a target first, and if I go all the way down you will notice right here we got some examples of usage of whatweb. We can see right here that the most simple example is running whatweb and then the
domain name. So for the first run let us go with this one: we're only going to specify the website as an option, so just type down here whatweb, and since we are using aggression level 1 we can scan any website that we want. I'm going to go with this one, and this is just another university website from my country; feel free to scan any website that you want, or you can also go with this one if you'd like. If I press Enter here, in just a few seconds we should get a response for this website, and here it is, we already got something. We got two responses, as we can see by the links right here, and the command has finished executing, so let us just go through these results and see what we got. It tells us that it most likely performed a redirect as soon as we tried getting this link. We can also see that we got the Apache web server, and we even get the version, which is 2.4.6; we got some cookies right here which the website uses; we got which country it is from and which type of HTTP server it uses. If I go down here, here is the IP address of this website, here's the PHP version that they use, and the redirect location. If you remember, I told you that it most likely redirected us to a different page; here is where it redirected us, and once we got redirected we got the response 200, and this is just an HTTP response code which tells us that we successfully loaded a page. We got the same Apache version, the Bootstrap version, which cookies it uses, down here we got the country, and we also managed to extract some of the emails, as we can see down here; these are some of the emails from the page that belong to this domain. Down here we also see that it uses HTML5, which HTTP server it has, which Apache version it has once again, which PHP version, the IP address, and it also uses jQuery, Lightbox and a bunch of other things we can see right here. But I don't really like how this is output; it is hard to read. To output this a little bit prettier we can use the verbose option that I saw in the help menu. Here
it is, and what the verbose option does is it also includes plugin descriptions: for each plugin that the whatweb tool managed to discover, it will tell us what exactly that plugin is. So let's try it out. If I type whatweb and then the same website but add the -v option at the end and press Enter, it will give us pretty much the same result, just output a whole lot better and easier to read. If I scroll all the way up to the beginning of the command, remember we got two responses. Here is the IP address, and this is the first request, or first response, which tells us to move to the actual website, so the redirect response. We get all of this information that we got previously, but we also get this section right here which says detected plugins, and for example if we didn't know what Apache was we could read right here what Apache is, and down here we get the version of Apache that this website has. We also get the same for cookies, the same thing for HTTP server, we can see which operating system, which Apache server it is, which PHP version it is, and it tells us right here what PHP is, for example if we didn't know: PHP is a widely used general purpose scripting language. Redirect location: so after this request it redirected us to this location, and down here we get the response 200 for the actual page. We get once again the country, the IP address and all of the detected plugins, and we can read through this and discover what this website is running, and it is output a whole lot better and easier to read than the previous command. Okay, good, so we managed to get the information as to what a certain website is running and which technologies it has, and in the next video we're going to go deeper into this tool and try to perform some of the more aggressive scans, as well as experiment with some of the different options of whatweb.

Welcome back. Let's continue with our whatweb tool. In the previous video we only saw how we can perform the basic stealthy scan on a
certain website. Another thing that we can do with whatweb, besides testing a website, is to test a range of IP addresses all at once. So if I open up my terminal and type whatweb --help once again to list out all of the available options, and scroll all the way up here under the targets, we can see that we can specify URLs, hostnames and IP addresses, but we can also specify IP ranges, and we can specify them like this or like this. Now, to test this out I'm going to scan my entire home network, and to know what range of IP addresses I should scan for my home network I could type down here the command ifconfig, or sudo ifconfig, since, remember, this requires root privileges. Press Enter, enter your password, and we can see that my IP address is 192.168.1.x, and what's more important than the IP address in this case is the netmask, and my netmask is 255.255.255.0. The subnet mask right here means that only the last octet of my IP address is changeable, which is this last number, so these first three octets, or these first three numbers, never change in my home network. This also means that the range of IP addresses that belong to my network is going to be from 0 to 255 in the last octet, so basically the range of IP addresses that my network can have is this one: 192.168.1.0 to 192.168.1.255. This is the range of my home network, so let me scan it now. For you it might be different, based on what type of network you have, but in most home networks the subnet mask is going to be this one, therefore just the last octet will be changeable for you as well. Now, before I actually run the scan: I don't have any websites hosted in my home network, but I do have some devices running something on port 80, and port 80 is the HTTP port that websites use to host their pages, so we should still get some results from scanning my network. Let us delete this and type whatweb and then the range of my home network; let us go with 192.168.1.1-192.168.1.255. So this is the range of IP addresses that I want to scan, and all of them belong to my
home network. And the good thing right here is that I can use whichever aggression level I want, since it is my own network. Let's test out aggression level 3: to do that we can specify --aggression and then 3 after it, and we can also specify the -v option to better output all of this. Let's press Enter. You will notice we're getting some of the results, but there is a lot of this error happening on the screen. Now, what this error right here is... let me just press Ctrl+C, since we're not going to wait for this to finish. What this error is, is all of the hosts that it tried to scan but couldn't manage to, and the reason why it couldn't manage to scan these hosts is because they do not exist. I currently only have around two or three devices on my home network, and all of these other IP addresses are out of use. So let me go up here to see what it found. It found a result for the IP address 192.168.1.1, and this is my router. Down here we can see all of the plugins that it managed to detect for my router, and we can see an interesting plugin, which is password field. This is something that we would write down, since any password field that we find we can use later on in something like a brute force attack, to try to guess the password and brute force the login credentials. But nonetheless, this is just a router, so we're not really interested in it at the moment; this is just an example of how a test would look, and since I don't have any website on my home network it didn't really give much of a result. We can see right here another IP address that is active, 192.168.1.10, and this is the IP address of my laptop, which is currently up and running. It detected this HTTP server on it, but it got the status code 403 Forbidden, so it is not allowed to visit that page, therefore this is as much information as it managed to get. And all the other ones down here are simply offline. Now, if you don't want this red text output, you can use the same command
and at the end add --no-errors. What this --no-errors option does is it simply doesn't print these offline IP addresses. Let's test it out: if I run the same command, just with --no-errors, you will see we are not going to get any red text anymore, it will only scan these two live IP addresses, which are my home router and the laptop, and that is basically it; that is everything that it will output. Okay, so it took just a few seconds to finish, and keep in mind that since we are running the aggression level 3 scan it will take a little bit more time to scan something than with level 1, since it is performing a deeper scan than the level 1 stealthy scan. Okay, so we ran this command, we used aggression level 3, we used -v to output all of the detected plugins as well as their descriptions, and we used --no-errors to not print out these offline IP addresses. But what if we, for example, wanted to save this output that we got in a file for future reference? Well, if I type the command whatweb --help and go through this help menu once again, I will get to this part, which is logging, and down here we can see that there are a bunch of options that we can use to log, or save, our output to a file. So let's just go with the first one, or we can even use the second one, which is to log verbose output. To do that we use this option right here, then equals, and then the file name that we want it to save to. So if I go down here... and another useful command: once you have a bunch of things happening in your terminal, and by a bunch of things I mean just a bunch of text printed out, what we can do to get rid of this is run the command clear. This will clear our terminal so we get a much cleaner look. Now, if I press the up arrow to find the command that we ran previously and at the end I add --log-verbose= and then the file name, which I can call results for example, and press Enter, you will notice that besides outputting this to the terminal it will also save it inside
of a file. Let's wait for this to finish to check out the file that we got. Okay, so it finished. Let us clear the screen once again, and if I type ls right here we will see our results file. Let's lower the terminal and open this file to see what got saved, and if I enlarge it we will see that we got our results saved for both IP addresses, for my laptop's IP address and for my router's IP address. Now, for your scan, if you scan your home network you will probably have more devices or fewer devices, or you might not get any result in case none of your devices has an open port 80, or in case none of your devices is running an HTTP server, so don't worry if you didn't get any device. This is just an example to see that we can even run whatweb against ranges of IP addresses, and to test out this aggression level 3 scan, since we can only do it on the websites that we own or have permission to scan. Okay, great, so look at all of the commands that we crafted with all of these options right here, and this is just a part of this whatweb tool. You don't need to be learning all of these commands; you can always just run the help command and read through its help menu to discover what you want to run. We won't be going through all of these options in the whatweb tool since there are too many of them, but I encourage you to play with it a little bit and see if it has any other interesting options. Great, in the next video we're going to see how we can harvest, or gather, as many emails as possible from just knowing a domain. See you there.

Right now we are going to see how we can gather emails for a company or a domain. Remember, people are always weak at security: if we manage to send some malicious program to someone working in a company and they run that program, we got our way in. We can also use emails in something like a brute force attack, we can use them in the username fields, there are many ways this could be useful, but for now let us just see how we can get them. Since emails are public
information, we can test this on any domain we want. To get emails we're going to check out two different options: a tool called theHarvester that's installed in Kali Linux, and a website called hunter.io. Let's start with theHarvester first, so open up your terminal, and to just run the help menu from theHarvester we can type the tool name, so just type theHarvester, with a capital H, and press Enter. This will output a smaller help menu, just like the whatweb tool did once we specified its name: we get its banner and some of the options that we can run. It tells us, since we tried to run it with just the name of the program, that there is an error: the following arguments are required. So we need to specify the domain, but before we specify the domain let us just run the bigger help menu so we can see all of our available options. Okay, great, here it is. So we get the domain option, so we need to specify either a company name or domain name to search; this is the limit of search results, which by default is equal to 500; and all these other options are not really of interest to us besides this last source option. This source option we specify with -b, and we specify where we want to search for emails. Now, we can either specify one of these, for example we can specify that we want to search Twitter, LinkedIn, Bing or Google, or we can simply specify all and it will go through all of these in search for usernames, hosts and emails. So let's try it out. If I clear the screen and type theHarvester, the first thing we need to specify is -d for the domain, and for this test I will go with this domain right here, which is another university domain; you can go either with this one or you can pick any website that you want and use it instead. So if I specify theHarvester -d and then the domain name, the next option that I want to specify is -b, and remember the -b option is the source, so where we want to search for the emails, hostnames and usernames, and let us for the first try specify all. And the
last option is -l, which is the limit that is set by default to 500, so we can either specify more than that or less than that, or we can simply not specify -l at all and it will just by default scan 500 results. So if we leave it just like this and I press Enter here, the running of this command will take some time. It will search for different results: it will search for hostnames, it will search for usernames, and it will also search for emails. As we can see down here it says searching 300 results, and this will go up to 500 since we are using the default -l option, which is 500 results, and it seems that we already got some users found. Here are some of the names as well as what they do, so this is already some result for us. Let's just wait for all of this to finish and then we will go through all of the results that we managed to gather. Okay, so it has finished, let us check out what we got as an output. So it searched through a bunch of different platforms, as we can see: LinkedIn, VirusTotal, Yahoo, Twitter, but it didn't manage to find any results for these platforms; the only thing we got is these users right here. But this is not what we looked for; we wanted to find some email addresses or perhaps some usernames. There is one thing with this theHarvester tool: from my personal experience, this tool doesn't always work. There are days when it gives amazing results, but there are days when it doesn't find any emails or any hosts, just like it did in this case, as it says: failed to detect a valid IP address from this domain name. We also didn't get any emails, and I'm talking about scanning this same domain just on two different days. That's why it is always good, in case you don't get any results for this tool right now, to scan it multiple times. So if I scan it once again, and instead of -b all I select -b google to scan only from Google, to see if I get any different results... and if we still don't manage to get any results, just try the same command either later or tomorrow, and I
guarantee you it will usually give you a different result. As we can see, we didn't manage to find anything with this tool; that's why we got a second option, and that second option is the website hunter.io. So let's go and visit that website: open up your Firefox and in the search bar up here type hunter.io, it will automatically lead you to this website, and we can see right here we got this search bar where we specify our company domain and we click on Find email addresses. But on this website you must first create an account, and you either have a free account or a paid account. Technically you can even search without creating an account, but it will only show you the first five results and they will be half blurred. Let me show you: if I go here and type the same domain name that we used for theHarvester, and let me just enlarge this a little bit so you can see in greater detail, and I click on Find email addresses, it will show me the first five results and they will all be blurred. Now, you can technically try to figure out what these email addresses are, but they will be blurred nonetheless, and down here it also tells you how many results it managed to gather: it managed to gather 3155 more results besides these five emails, and those results will be available if you get a paid account. With a free account, however... let me show you how a free account looks. If I go to sign in and sign into my account; for you, just go and create an account right here and sign in to your free account. Once you create an account you should be able to have about 50 searches per month with a free account, as it says right here, so we got zero out of 50, and these monthly requests reset in about one month. And as I mentioned, even with a free account you also don't get all the results output, but at least the emails that it gives you are not blurred. Let's test it out: if I type the domain name that we used this entire video and click on search, right now I managed to get some of the results right here, so I get up to 10
results with their email addresses and their names, so we got the name and we also got the email addresses. We get right here which pattern it used to find email addresses, and all of these email addresses are also split into different sections, so if I click on IT engineering I will even get what type of work each person does: project advisor, IT engineering, production engineering, technical editor, as well as their email addresses. We also get from which sources we managed to get these emails, and if I go to all right here and remove this IT engineering, down here we will also get that there are 310 more results for this domain name. So it is completely up to you whether you think you should get the paid version for this; just keep in mind that with the paid version you get many more results than with the free version. The bad side about the paid version is that it isn't cheap at all: if I go to my account up here and click on subscription, I can see down here which plan choices I have available to purchase, and you can see 1,000 requests per month will be around €50 per month. So this is completely up to you, but nonetheless what we did learn in this video is different ways to gather emails about a certain domain, and I encourage you to also later try out this theHarvester tool once again, because it is known to give really good results once it works. And one more thing is that at the end of this section I will give you a tool that is coded in Python 3 that will be able to gather even more emails from a specified domain, so it will be even better than these two options that I showed you right here, and it will be our own tool. I will give you its code and also show you how to run it and how it works. Okay, good, in the next video we're going to see how we can install some additional tools that we might need for information gathering. See you there.

Okay, so for now we took a look at a couple of tools used for information gathering, but what happens if some of the tools stop working or if they get outdated? What are we going to do? We cannot depend on certain tools: if a tool breaks, we must find our way around to do the task, either using another tool or by creating that tool ourselves. Well, luckily there are a lot of tools available for us to download online, and we cannot cover all of them, but what is important to cover is how we can download them. So in this video we're going to be searching for an information gathering tool that we can download online and then run in Kali Linux, and the best place where we can find those to download is GitHub. Most of you, if you are either a developer or a programmer, are already familiar with GitHub, and for those of you who don't know what GitHub is: GitHub is the world's largest community of developers that build and share their software. So let's see how we can download some additional tools from there. First of all, open up your Firefox. When we download tools, we either know exactly which tools we want to download, so we search them by their name, or we have no idea what tools even exist, and this is the case where we don't even know what we want; we only know that we're looking for a tool used for information gathering. So let's just type that in the search bar: type information gathering tools GitHub up here, information gathering tools GitHub, and press Enter. Okay, so let's just click and go with the first link, information gathering tools; make sure that it is from the GitHub page. Down here it will output a bunch of different tools that are used for information gathering, as we can see in the descriptions: scan all possible TLDs for a given domain name, information gathering website
Reconnaissance, "this is a program to detect probability of admin page", and a bunch of others. If we go to some of the other links we will see other tools as well: from the second link we get Sherlock, Photon, FSociety, the pentesting bible, and if I go all the way down, here is theHarvester. Remember this tool, which we used in the previous video? By the way, if you didn't test once again whether you can get results with it, try it out right now. Further down we get Discover, which is also a known tool, Raccoon, Striker, hwk, sandmap and a bunch of others. Let's just go with any one of them, say this one; let us read the description: "All in one tool for Information Gathering, Vulnerability Scanning and Crawling. A must have tool for all penetration testers." It seems interesting, so let's click on RedHawk. Here is the page of the tool. These are all of the files that the tool has, and down here we have the README: this is what we can perform with RedHawk, so we can read what our available options are. Below that we have released versions, a changelog, how to install it, how to configure it, and usage. Sometimes you will need to install some requirements the tool needs in order to run, and you can almost always find the commands you must run on the tool's page. As we can see, we have usage and installation right here, so all we need to do is follow both. Different tools need different requirements, and this is something you get better at the more tools you install. However, to download a tool from GitHub you will always use the same command. For this command we need the link to the tool, so copy the link up here (right click, copy), lower this page and open the terminal. The command is git clone, and make sure you're in the ~/Desktop directory before you run it. Type git clone, a space, paste the link and press enter. This is the command we use to download a tool from GitHub. As we can see, it downloaded all of the files, and we now have a folder called RedHawk on our desktop, which is our tool. Keep in mind that when you search for a tool you might need to download several before you run into a good one, so let's test this RedHawk tool and see whether it is any good. We don't yet know how to run it, but we can go into the RedHawk directory and see what files we have. We have some PHP configuration files, functions.php, files that we are not really interested in at the moment; if there was, for example, a usage file we would most likely want to read it in case the tool is complicated. But here we have the RedHawk .php file, and out of all of these files that is the one that seems to be the tool. How can we run it? First we notice what type of file it is: a PHP file, so to run it we type php and then the file name. If it was a Python file we would type python and then the file name, so depending on the file type we run it like this: php followed by the RedHawk file name, and press enter. It loads with its banner and tells us that some modules are missing; it says we can try the fix command, or simply install them ourselves from the terminal. Let's see whether the tool installs them for us. If I type fix: "checking if curl module is installed", "curl module not installed, installing curl", "operation requires sudo permission so you might be asked for password". It asks for the sudo password, so let's enter it, and it seems to be downloading the curl module for us automatically; we don't need to run other commands. It is also installing the second thing that is missing, so let's just wait for this to finish. It tells us "job finished successfully, please restart RedHawk", so let's clear the screen and run it again with php. Now we don't get any error messages; it only asks which website we want to scan, so let's just go with Google, why not. It asks us to enter 1 for HTTP or 2 for HTTPS, and since Google is HTTPS we select 2. Here are all the options we can use with RedHawk: basic recon (site title, IP address, Cloudflare detection) and so on. Let's see the basic recon of Google: if I type 0 it should perform the basic recon. Here is some basic output for Google: the site title is Google, the IP address, the web server, Cloudflare, and it seems to be stuck at Cloudflare. Let's Ctrl+C it; it could just be a bug. Let's run it once again: type google.com, 2 for HTTPS, and 0 again just to see whether it performs correctly this time. Never mind, it seems to be stuck at Cloudflare once again, so let's just go with the other options and test them. This is what I'm talking about: maybe if you don't like this tool you want to consider finding some other one, but for now we have only tested one of the options, so let's go with the other ones as well and see what else we can get. The WHOIS lookup: let's go with that one, and we get the WHOIS response for Google, so this option seems to work. It tells us "scanning complete, press enter to continue", so let's continue and go with the GeoIP lookup. This should tell us the coordinates of Google, and it does give us the country, the IP address, the latitude and longitude, but city and state seem to be unavailable. Let's go with another option. We have Grab Banners, DNS Lookup, Subnet Calculator and Nmap Port Scan; this last option is something we are not going to run right now, since we cover it in the scanning section. The subdomain scanner is also something we're not going to be doing right now, nor these other options; these are some of the more advanced options that we are going to cover later on, so we won't run them at the moment. We can go with, for example, DNS Lookup to check out which DNS servers it has, and here is the output. So this tool seems to be pretty good; it does give us some information for Google. Of course there are other options that we didn't run, and I would advise you not to run them either, since some of them can be considered advanced scanning methods; nonetheless, we will cover them in the next section. So what we did: we managed to find a random tool on GitHub, install it and get it to work, and we tested it and it gave us some information. What I want you to do for the next video is download, in the same way, a tool called Sherlock. It is also a tool from GitHub; we saw it up here, and if I go one step back to this page, the first tool we saw was, I believe, Sherlock. Try to download it. It is a tool used to discover accounts on different platforms based on usernames that you specify. Try it out, and we will see how to download it and run it in the next video. Welcome back, here
we are ready to start our scanning phase. We have covered information gathering, which was the first phase of penetration testing, and now we will proceed to the second stage by scanning our target and trying to get even more information about it. The difference between information gathering and scanning is that scanning is performed on a much deeper level; also, while in the first phase we gathered all kinds of information such as emails, phone numbers and a bunch of other things, in scanning we are mainly focused on the technology side: we want to find out as much as we can about our target's technical aspect. We're going to talk in just a second about what exactly we are looking for in this stage and what its goals are, but first you could be wondering what we are going to scan, since remember that scanning is not something we are allowed to do on any target we want. Don't worry: for this stage and every future stage from now on we're going to be using vulnerable virtual machines. There are lots of paid vulnerable virtual machines that you can buy and test on, but for this course I will be showing the free ones, so all of us can download them, install them and then try to hack them. All of these virtual machines are going to be running outdated, vulnerable software that we will be able to exploit in the third stage, and they require very little hardware power, so all of us will be able to run them alongside Kali Linux. Keep in mind that the penetration testing process will look exactly like it would in the real world if you were testing some website or some network; the only difference is that right now we know these machines are vulnerable, since I just told you, and in the real world you wouldn't know that before testing them. However, just knowing they are vulnerable doesn't really help us: we need to figure out in what way they are vulnerable and how we can take advantage of that, and scanning will help us with this. We will use our Kali Linux machine to scan these machines, and what scanning really means is that we're going to directly exchange packets with our target, and once the target sends packets back to us, hopefully they will reveal something about the target machine that we will find useful. What we will be sending to the target are TCP and UDP packets. TCP and UDP are just protocols used for sending bits of data, also known as packets, and we will discuss them in a little more detail in the next video; for now just think of them as different communication protocols that allow us to get information from our target. I keep talking about information and scanning without actually explaining what I mean by it: what are the goals, what are we looking for exactly? Well, we're looking for open ports, and I don't mean USB ports or some physical ports; I mean the virtual ports that every machine has and uses to host its software and communicate with other machines over the internet. For example, watching this over the internet on a website means that the machine hosting the website has port 80 open. Why port 80? Port 80 is used to host a web server; it is used for HTTP and is also known as the HTTP port. So every time you visit a website you are essentially making a connection to the machine hosting that website on port 80 or on port 443, since port 80 is used for HTTP and port 443 for HTTPS, and HTTPS is just the secure version of HTTP. These are the two most usual ports that a target you scan externally will have open, and by scanning externally I mean scanning it while not being in the same network as the target; an example would be scanning some website from your home. A port that could sometimes be open if you're scanning internally, which means either scanning machines on your own network or performing network penetration testing inside some company, is port 21. This is the FTP port, used for file transfer; FTP stands for File Transfer Protocol. These are just two of the ports, and there are a lot of them. You could, for example, have port 22 open, which is the SSH or Secure Shell port, used to log into the target machine and execute commands on it remotely; port 53, which is the DNS port; or port 25, which is the SMTP port. Matter of fact, every machine has 65,535 ports for TCP and another 65,535 for UDP, and if there is just one open port with one vulnerable piece of software running on it, then that target is vulnerable and could be exploited. The most secure machines are the ones that have all ports closed; these are usually your home devices, such as laptops or computers that you use just for browsing or playing video games. They don't need to host any software, since they are not a server that someone connects to for a service. Websites, on the other hand, must have port 80 or port 443 open since they are hosting a web page; in companies, machines could also have some port open, maybe one they use on all their machines to transfer files internally. It could be anything, basically. The problem occurs when the software they run on those open ports is outdated and has a vulnerability. Then our job as a hacker is to scan that machine for open ports and exploit it through the vulnerable software running on an open port. The goal for now, in the scanning section, is only to scan the target for open ports, then discover what software is running on those open ports, and go as deep as discovering which version of the software is on each port. Are you ready? We're going to be covering a lot in
this section, and in this section we will cover one of the most important tools that a hacker must master: that tool is called nmap. Let's dive into scanning.

Welcome back. Before we proceed with scanning I just want to give a basic overview of the TCP and UDP protocols for anyone encountering them for the first time. We already mentioned what TCP and UDP are: two different protocols used for sending bits of data, also known as packets. TCP and UDP are not the only protocols out there, but they are the most widely used ones. Let's talk about TCP first. TCP stands for Transmission Control Protocol and it is the most commonly used protocol on the internet. When you load a web page, your computer sends TCP packets to the web server's address asking it to send the web page to you; the web server responds by sending a stream of TCP packets, which your web browser stitches together to form the web page that you see. The same happens once you, for example, click on a link, sign in or post a comment: your web browser sends TCP packets to the web server and the server sends TCP packets back. TCP is not one-way communication; the remote system sends packets back to acknowledge that it received yours. A TCP connection is established with a three-way handshake, and as the name says, the three-way handshake consists of three steps. The first one is SYN: in this step the client wants to establish a connection with the server, so it sends a segment with the SYN flag set. SYN stands for synchronize sequence number; it informs the server that the client wants to start communication and with what sequence number it will start its segments. After the SYN step comes SYN/ACK, the second step, in which the server responds to the client's request with the SYN and ACK bits set: ACK acknowledges the segment it received, and SYN means the same as in the first step, it tells the client with what sequence number the server is going to start its segments. In the third and final step, ACK, the client acknowledges the server's response, and both sides now have an established, reliable connection over which the actual data transfer starts. This is just an example of a TCP connection being established between a client and a server. Once the data transfer starts, TCP guarantees the receiver will get the packets in order by numbering them; the receiver sends acknowledgements back saying it received the packets, and if the sender does not get the correct response it resends the packets to ensure the other side got them. All of those packets are also checked for errors. So TCP is all about reliability: packets sent with TCP are tracked so no data is lost or corrupted in transit. That's why, once you download a file over the internet, the file works when you run it on your machine: it was transferred with TCP, so all the packets reached their destination without errors. UDP, on the other hand, stands for User Datagram Protocol. A datagram is the same thing as a packet of information, and UDP works similarly to TCP but throws all of the error checking out. That's why UDP is much faster; it is used when speed is desirable and error correction is not necessary, for example for live broadcasts and online games. UDP doesn't really care whether a packet reached its destination and will not resend a packet that didn't reach the other side; it just continues sending the other packets, and you cannot ask for the missing packets again with UDP. These are just the basics behind the two best known communication protocols. Even though many of you probably knew this already, it is good to have a refresher, since we're going to need this knowledge when performing scanning. See you in the next video.

Remember I told you that we must have vulnerable machines that we can scan? Before we actually proceed to performing scanning and covering
different tools that we will use, let us first see where we can get a vulnerable machine and how we can install it, and trust me, it is pretty easy. Just search for "top 10 vulnerable machines" and you will see a Rapid7 link that says "10 places to find vulnerable machines for your lab". Click on that link, and if I scroll all the way down I should see a list of 10 different vulnerable machines that we can use as hackers to practice our skills. For this section we're going with the first one, named Metasploitable. Click on it and it will route you to another page of the Rapid7 website, "Metasploitable: virtual machine to test". You can read through this if you want, as it gives you some information about Metasploitable, but the most important part is down here: in order to download this machine you must fill in this form. It is up to you what information you fill in, but as soon as you fill it in you can click on submit, and it will lead you to a page where you can download Metasploitable. Up here it tells us that Metasploitable is free to use after we fill out the form, so this is something you must do in order to download it from the official website. After the download finishes you should end up with a file that looks something like this, a Metasploitable Linux .zip. Extract this file (as you can see, I have already extracted it) and you should see these files. This .vmdk file is the hard disk that we're going to use in a virtual machine, so let's see how we can install it. Open up VirtualBox; we want to create a new virtual machine, and we already know how to do that. Click on the New button and it will ask us for the name of the virtual machine and the operating system. You can name it anything you want; I will just name it "metasploitable 2", and the reason I'm naming it 2 is because I already have it installed right here, so the names differ. For the type of operating system select Linux, and for the version scroll all the way down and select "Other Linux (64-bit)". Once you have these settings ready click on next. This is what I talked about: these virtual machines use very little hardware from your physical machine, which is why for Metasploitable we can leave 512 MB of RAM; it is more than enough for this machine to run. It will even work if you lower it to 256 MB, but 512 is recommended, so let us leave it on 512, and if you don't have that much RAM to spare you can leave it on 256. Then proceed with next, and in this step, instead of creating a virtual hard disk, we want to use an existing virtual hard disk. Once you select this option, click on this icon, click on Add, then find your virtual hard disk wherever you downloaded Metasploitable; for example, I have it on my desktop, here it is. Find this .vmdk file, select it, select it again here and click on Choose. Once you do that you can click on Create, and this is pretty much it: we have our Metasploitable created. All we are left to do are two things. First, navigate to Settings, go to the Network settings and switch from NAT to Bridged Adapter, the same thing we did with our Kali Linux machine; then choose your adapter and click on OK. This just makes the Metasploitable IP address belong to the IP range of our network. Once you do that, click on Start, and this will start the process of installing Metasploitable for you. Unlike with Kali Linux, you don't need to do anything here; it installs on its own and takes about a minute or two, maybe even less. At the end it should prompt us with a login, and you will notice that this machine doesn't have a desktop or anything else: it is a command line machine, which means we can only navigate through it using commands, and those commands are simply terminal commands, so just picture this as one big terminal. As we can see, the installation has finished and we have the "metasploitable login" prompt. If you read through this paragraph on the website, it tells us that the Metasploitable login is msfadmin and the password is also msfadmin, so let's try it out: go to our machine, type msfadmin, and under password again msfadmin. Here we are, we managed to log in to Metasploitable. Just to check our network, type ifconfig and it tells me that my IP address is 192.168.1.3; that is because I set it to use the bridged adapter. If we try to ping Google, for example, it works, so our machine is set up and ready to be scanned and attacked. You see, this was pretty simple to do, and in the next video we're ready to start our scanning process. See you there.

Okay, so we know what scanning is, and we have created a vulnerable virtual machine, and now we are ready to see what information we can get by scanning that machine. But before we scan a single machine to discover open ports, we must first discover what machines we have on our network, so the first part of scanning a network is to figure out how many hosts are active and what their IP addresses are. In this case we are going to act as if we got a task to scan our home network and want to discover vulnerable machines within it. So let's start by seeing how many hosts are active. There are many ways to go about this. I know that all the possible hosts on my network must be in the range from 192.168.1.1 to 192.168.1.255, because my IP address starts with those three numbers (first let me just type the password; here it is: 192.168.1 is the part that doesn't change). So to scan all 254 hosts inside my network I could just ping each and every one of them and see whether they respond to our pings or not: if they respond they are online, if not they
are offline. But what if I had to test more than one network? What if I had 10 more networks besides this one? Am I about to try to ping every possible host on all those networks? Of course not; that's why we are going to use different tools to do this much faster. Let's try the first tool, called arp. Now, arp is a tool in Kali Linux, but ARP is also a packet: ARP packets are used for discovering hosts on the network, but more about them later once we get to the man-in-the-middle section; for now just remember that they are packets for discovering hosts. Before we use this arp tool, make sure your Metasploitable is started, and in case you have some other devices that you can connect to the internet, connect them, just so we get varied output and can try to figure out which IP address belongs to which host. Our arp tool works on those ARP packets I mentioned. If I type arp --help and press enter it tells me "command not found"; this is because I must run the tool with sudo privileges, so sudo arp --help, and here is the tool. It doesn't have too many options: we have -a, which displays all hosts in the alternative BSD style, -e, which displays all hosts in the default Linux style, and the options below are not something we're interested in. All we want to do is use the -a option, so let me clear the screen and type sudo arp -a. It tells me it only discovered my router, but why is that? I have Metasploitable running and my laptop running, so it should be discovering other hosts as well. Sometimes we must ping a host first before it appears here, since this information is being read from our ARP table. So if I, for example, ping my Metasploitable, it gets responses back, and if I run arp -a again, we now see that there is an entry for Metasploitable in our ARP table. So this tool doesn't seem to be that good for discovering hosts: sometimes it will have all of the hosts available, since you already communicated with them before, but sometimes it seems that we must ping a host before it shows it. That's why a much better option is a tool called netdiscover. To run netdiscover, simply type sudo netdiscover in your terminal and press enter, and this tool will find all of the available devices on your network on its own; you don't have to ping anything or communicate with anything, you can just leave it running and it will find all the devices on your network. Right here it managed to find five of them. We can see up top that it is still scanning; it is just scanning different subnets, and it already finished mine, so you can Ctrl+C this once you see the result, since it will scan all the usual subnets that occur in a network. It shows that we captured five ARP packets, ARP requests and ARP replies, but once again more about that later; this just means that we managed to discover five hosts using these packets, and these are those five hosts. Let me Ctrl+C this, since it won't really find any more hosts. Right here we have their IP addresses, their MAC addresses and their MAC vendor name or hostname. I know that this one is my Metasploitable; this one, 192.168.1.7, is my host machine, the physical machine I'm running Kali Linux on; these two down here are two laptops, I believe; and this one is my router. How do I know this is my router? Usually the router takes the first address in the range, ending in .1, and just so you can be sure which IP address is your router you can type the command netstat -nr; under the Gateway column you should see the IP address of the router, and as you can see they do match. The next step would be to scan each and every one of them, and for this we're going to scan our Metasploitable; you can also scan your home machines just for even more practice. See you in the next video.
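The host-discovery steps above (enumerate every address in the 192.168.1.x range, read the ARP table, pick the router out of the list with the gateway from netstat -nr, and fall back to pinging what the ARP table does not yet know) can be scripted. The following is an added example written for this page, not code from the course, and every arp -a and netstat -nr line in it is constructed sample output, not captured from the video's network. The ping_sweep function assumes a Linux ping binary with -c and -W flags and only does anything when run live on your own network.

```python
import ipaddress
import re
import subprocess
from concurrent.futures import ThreadPoolExecutor

# Constructed sample output of `sudo arp -a` (BSD style) on Kali.
# The hosts and MAC addresses are made up for this example.
SAMPLE_ARP = """\
_gateway (192.168.1.1) at 3c:52:82:aa:bb:cc [ether] on eth0
? (192.168.1.6) at 08:00:27:11:22:33 [ether] on eth0
? (192.168.1.7) at f0:9f:c2:44:55:66 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
"""

# Constructed sample output of `netstat -nr` (same assumption).
SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

ARP_LINE = re.compile(
    r"^(?P<name>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|<incomplete>) .*on (?P<iface>\S+)$"
)


def hosts_in(network):
    """Every host address in a CIDR block: 192.168.1.0/24 -> .1 up to .254."""
    net = ipaddress.ip_network(network, strict=False)
    return [str(h) for h in net.hosts()]


def parse_arp_table(text):
    """Parse `arp -a` output; entries whose MAC never resolved are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m["mac"] == "<incomplete>":
            continue
        entries.append({"ip": m["ip"], "mac": m["mac"], "iface": m["iface"]})
    return entries


def default_gateway(netstat_text):
    """Gateway of the default route: destination 0.0.0.0 with the G flag set."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "0.0.0.0" and "G" in parts[3]:
            return parts[1]
    return None


def label_hosts(entries, gateway):
    """Mark the router in the discovered-host list, as done by eye in the video."""
    return [dict(e, role="router" if e["ip"] == gateway else "host") for e in entries]


def ping_sweep(network, workers=64, timeout_s=1):
    """Ping every host of the block in parallel; returns the ones that answered.
    Uses the system ping binary (Linux flags assumed); meant to be run live."""
    def alive(ip):
        r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), ip],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return ip if r.returncode == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [ip for ip in pool.map(alive, hosts_in(network)) if ip]


if __name__ == "__main__":
    gw = default_gateway(SAMPLE_NETSTAT)
    for e in label_hosts(parse_arp_table(SAMPLE_ARP), gw):
        print(f"{e['ip']:<16} {e['mac']}  {e['role']}")
```

Run as-is it only works on the constructed samples; replace SAMPLE_ARP and SAMPLE_NETSTAT with the output of the real commands (subprocess.check_output(["arp", "-a"], text=True) under sudo) to label your own network, and call ping_sweep("192.168.1.0/24") to populate the ARP table the way the video does by hand.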
It is time to start with the first big tool that is essential for ethical hackers: that tool is called nmap. We're going to cover a lot of things inside it, and unlike all the other tools we covered so far, which you might or might not use in penetration tests, this is a tool you will almost always use, without any doubt. So what is nmap? nmap is a network mapper; it is a free and open source network scanner, used to discover hosts and services on a computer network by sending packets and analysing the responses. It has a lot of different options, and we're going to check them out in the next few videos; for now let us just see how we start nmap and run a basic scan. First, make sure your Metasploitable is up and running, and if you have any other devices on your home network turn them on, just so we can scan them as well. Let's see how we run nmap and what options we get. Just like with all the other tools, we can get the help menu by typing only nmap in the terminal, or nmap --help, and you see right away that we get a lot of options. This is just the short help menu; we will see the longer one once we start experimenting with these options, but for now we're only interested in running a basic scan. For a basic scan all we need to do is specify an IP address: if we go to the help menu and scroll all the way to the top, we should see "target specification", which tells us we can provide a hostname, an IP address or a network to scan, and below that there are examples of the syntax for specifying hosts. We can also read our targets from a list by specifying the -iL option, and if we want we can exclude some hosts that we don't want to scan with the --exclude option. For the first time, let us get the IP address of Metasploitable and scan it to see what results we get for scanning one IP address. We already saw how we can get the Metasploitable IP address: you can either run netdiscover to see all the online hosts, or, if you don't want to bother, you can just go to Metasploitable and type ifconfig. I can see that the IP address of my Metasploitable is 192.168.1.6, so that is the IP address I will use. Let's run our first nmap scan: nmap 192.168.1.6 and press enter. Wow, this finished pretty fast, but don't get used to it; the only reason this scan finished so fast is because the target is on my home network. Real nmap scans can sometimes take hours to finish, depending on where your target is, how many ports it has open, whether it is protected by a firewall and many other things that we are also going to cover. But for now this is the response for our Metasploitable with our basic scan. It tells us the host is up and which open ports it has; we get the exact numbers of the ports that are open on the target machine, and we can notice that a lot of ports are open, because Metasploitable is running a lot of services. nmap also tells you, besides the port that is open, which service is running on that port; this is the third column. We can see that port 21 is open and running FTP, which we already know is the File Transfer Protocol; port 22 is open, and that port is for Secure Shell; port 80 is open, which is the HTTP port, meaning Metasploitable could be hosting a web page. We can check this by typing the IP address of Metasploitable into Firefox: open Firefox, type 192.168.1.6 and press enter, and this automatically tries to connect to port 80. Indeed, it is hosting a web page, but more about this web page later in the course, as it holds a bunch of vulnerabilities that we will cover. For now let us see what else we got from nmap. Besides these known ports we also discovered a bunch of other ports hosting different services, and some of them could be vulnerable. We also see this line that says "Not shown: 977 closed ports". But wait a second, I said there are over 65,000 ports, so why does it say only 977 ports are closed? That is because nmap by default scans the 1,000 most common ports; it doesn't scan all 65,535. We can tell it to scan all of them, which we will see later on, but in most cases it is not necessary. Okay, cool, our first nmap scan gave us some results, and in a real penetration test you would write all of these results down in a report. Now that we know how to scan one IP address, let us see how to scan a range of IP addresses. Let's say we want to scan our entire network; for this, once again, you must know your network's subnet, or IP range. We talked about this earlier: for me it is from 192.168.1.1 up to 192.168.1.255, so we can specify it in two different ways. We can type nmap 192.168.1.1-255, or we can type nmap 192.168.1.1/24. If you're new to subnetting you can think of this /24 as saying that the first three octets are not changeable, and by the first three octets I mean the first three numbers, which leaves only the last octet, or last number, changeable inside our IP range. So let's scan it: if I press enter, this scan might take a little more time, since it is not scanning one host but multiple hosts, and even though it's scanning multiple hosts it finishes relatively fast because it is scanning my own network. Let us read the results. This right here is the result for Metasploitable, as we can see by the IP address, and we get the same results as before: which ports are open and what services they are running. Down here we get that it scanned 256 IP addresses and three hosts are up. Let's see what other two hosts
are up besides our met exploitable we got a device with the IP address of 1821 16814 and it says right here all 1,000 scan ports on this device are closed and you remember when I told you that this is the more secure version since right now we cannot connect to any one of these ports and this is probably some home device possibly my laptop it has all 1,000 scan ports closed because it doesn't host any service to other machines and the last device that we got is my router we got its IP address and we also got which ports it has open so it has Port 22 for SSH Port 23 for tnet Port 53 for the domain Port 80 and Port 443 for HTTP and https and this port right here here that says Service unknown this is because nmap couldn't figure out what service is running on this open port okay great for now we perform basic nmap scan without adding any additional options to it and with this we managed to discover open ports on our Target machines that is good for the start in the next video we will see what else can we discover using nmap and what other cool options it has it is time we discuss different scan types that we can do with nmap now nmap is a huge tool and it offers many different types of scans that we can perform and we will be covering just some since there are a lot of them however at the end of this video I will give you a really good tip as to how you can really Master the nmap tool talking about different scans doesn't necessarily mean that we will get different results matter of fact many of these different scans will give us the same result and in this video I'm going to explain exactly what the differences are between certain scans to fully understand this you will need a background knowledge on TCP and UDP so in case you didn't watch the short video I made on TCP and UDP make sure to watch it before covering this let's start with first type of scan and that scan is called TCP sin scan let me open the terminal the command that we must run is nmap DSS and then 
we're going to be scanning Metasploitable in this video, since that is the machine that we are attacking. So the IP address of my Metasploitable is 192.168.1.6, and this -sS is TCP SYN scan. SYN scan is probably the most popular scan in nmap. It can be performed quickly, scanning thousands of ports per second on networks that aren't protected by a firewall, and the reason why it is called a SYN scan is because it never really opens a full TCP connection. You only perform the first step of the three-way handshake, which is sending SYN, and the way it works is: if the target sends SYN-ACK back for a certain port, that indicates that that port is listening, or it is open. The target can also send something called RST, which stands for reset, which would indicate that the port is closed. In case it doesn't give any response back after several tries, the port will be marked as filtered, and filtered is just another state of ports that happens once nmap cannot determine whether a certain port is open or closed. The filtered state could happen if the port is, for example, protected by some filtering or a firewall. Now that we know exactly how TCP SYN scan works, let's test it out on our Metasploitable. There is one thing with this command: if I try to run it, it will not work. It will tell me "You requested a scan type which requires root privileges", and the reason this requires root privileges is because we are only sending one part of the three-way handshake and telling our machine that we do not want to respond to an ACK bit set in case it is sent back from the target; that requires root privileges. So we must run this with sudo: sudo nmap -sS, and then let's type in our password, and we will notice it gives us the results of the ports that are open very fast. It is also very important and satisfying once we know how a certain scan type works. Once again, it sends only the SYN and waits for a SYN-ACK or RST, and it never establishes a full TCP connection. Let us check out the result. So we got these ports open and we also got what service
is running on those open ports. Now, here's the time that it took, and we are going to compare this with different scans, and the reason it finished this fast is, once again, it doesn't establish a connection.

Compared to this SYN scan that we just performed, we also got something called TCP connect scan, also labeled as -sT. So in order to run this we can just change this command from -sS to -sT, and you will see all of these options if you run the help menu of nmap. What's interesting about this is that it does not require sudo privileges, and the reason it does not require them is because it performs a normal TCP three-way handshake connection. So the only difference between this and the previous scan is that TCP connect scan establishes a full connection. The important part here that you should remember is that this scan will leave much more trace that you performed an nmap scan on the target machine, and it is easily detected. That's why, once you can run nmap as root, usually SYN scan will be a better option than the TCP connect scan. Nonetheless, let's test this one out. So we can remove sudo as it does not require root privileges, and you will see it also finishes relatively fast. The output will be exactly the same as with the SYN scan, but sometimes it could take a little bit longer than the SYN scan since it is performing a full TCP connection. And even though we got the exact same result, which are just the open ports and the services that they run, now we know how both of these scans work, and now you know that, for example, this scan is much more detectable than the SYN scan, or you can say that it just makes more noise on the target machine.

The last scan that we're going to cover (and keep in mind these are just some of the scans, and I will show you where you can find the rest of them and possibly test them out if you want to), the next scan that I'm going to cover is pretty unpopular, and that is the -sU scan, also known as UDP scan. The reason why it's unpopular is because many
services on the Internet run over the TCP protocol, as we already know. Since UDP scanning is much slower than TCP scanning and more difficult, sometimes when people are developing security for their ports they ignore the UDP ports, and this results in a mistake, as there are a lot of exploitable UDP services, and we should never ignore this scan just because it takes time. Let us test it out. This also will require sudo privileges, so let us type sudo nmap -sU for the UDP scan and specify the IP address of my Metasploitable. You will notice this scan will take time. You can check what percent it is currently at by pressing the up arrow key, so if I press the up arrow key, down here it will tell me it is currently at 3%, and I'm just going to leave this running while I show you the cool tip for nmap.

So remember this: the key to learning nmap in great detail is not in reading its help menu but in reading its manual, and to open the nmap manual you can open your terminal and type man nmap. Let me do this in a second terminal, so I will open it up, type man and then nmap (this man right here is short for manual), press enter. In this file it explains every nmap option in great detail. Let us find the different scan types that also exist, since we didn't really cover every one of them. Let's scroll all the way down to the different nmap scans, and as we're scrolling you will see that we're passing the actual help menu that we get output once we run -h, and below this help menu it explains every option in great detail. As I'm scrolling I came to this part which says "Port Scanning Basics", and here are the six port states recognized by nmap, and this is good to read. So we got the open port state, the closed port state, we got the filtered port state, the unfiltered port state, open|filtered, and closed|filtered. So if you want, read through this; it is really useful, once you get for example a filtered port, to know exactly what that means. And if I go a little bit more down
here they are, here are the different scan types that nmap has. So here is the TCP SYN scan that we performed, which is -sS; here is the -sT, which is the full TCP connection scan; and down here you will notice after the UDP scan that we got different options as to how we can perform our scan, and you can read about each and every one of them and see when they are useful and how you can specify them. Here is the TCP ACK scan, here's the TCP Window scan, and you will see there are a lot of them. There are also different options such as this scanflags, which is a custom TCP scan, but this is an advanced option and we might take a look at this later on. Here is idle scan, Echo scan, let's see all the way down: IP protocol scan, FTP relay host, FTP bounce scan, and that would pretty much be it for the nmap scans. So depending on your target and what exactly you want to get from this scan, you would pick one of them. So for example, if you wanted to discover open ports you would use the TCP SYN scan. Now the ACK scan, I believe, which is the -sA which we saw a few seconds ago, is useful, I believe, for mapping out the firewall. Just read through them if you have time and you will discover how they work and when they are useful. So let's see what percentage the UDP scan is at. It has finished about a third of the scan, and we know that this will take at least 10 to 15 more minutes, so we're not going to wait for this. And by the way, about the nmap manual, you don't need to read that entire file; it is just good to know that it exists, so sometimes when you forget something, or you want to check out if nmap has some other option that you need, you can just open that manual and read until you find what you need. Nobody expects you to know everything inside of that file, but after some time you will start picking some of the commands up and memorizing them. Cool, we covered a lot in this video. The next two videos will be even more important: we're going to check how we can discover the operating systems that our target machines run
and what versions of services they are running on an open port, which is, remember, one of the most important things that we want to find.

Let us check out how we can figure out what operating system our target is running just by scanning it with nmap. In nmap this feature is quite popular, as they have a database of thousands of known operating system fingerprints that they compare with the host that you scan in order to find out what operating system it is running. But for this to work, a target machine must have at least one port open and one port closed, which we need not worry about, since our Metasploitable has both open and closed ports; however, it could not work for some other targets. What I'm going to do in this video is I'm going to try to scan my Metasploitable, which is running Linux, and then I will try to scan my Windows 7 virtual machine that I got right here, and I will try to scan my Windows 10 host machine, and let us see what results we can get. Let's see whether nmap can figure out what operating systems they are running. If I go back to my Kali Linux, and let's go with Metasploitable first: to run the operating system feature we must use sudo, and after nmap we specify -O for discovery of the operating system, then we specify the IP address. If I specify the IP address of my Metasploitable first, press enter, type in my password, it will take just a few seconds, and down in the results we can see the OS testing. It tells us right here that Metasploitable is running Linux, and down here in the OS details it tells us which version exactly it is running, and how many hops distant the target is from us; it says one, which means the host is inside of our network. Besides all of this, it also tells us that the machine that we are scanning is a virtual machine, as we can see right here. It managed to figure this out by the MAC address that Metasploitable has, since VirtualBox machines have MAC addresses that start the same, and these are these three first numbers. This is
really interesting, because it can sometimes help us to realize that our target is an actual virtual machine and not a physical machine, which could possibly indicate that we're scanning a honeypot, which is usually a purposely vulnerable virtual environment that is used to lure in hackers in order to find out whether they're being attacked. This is because usually an attacker will go for the most vulnerable machine first, and that's how they catch him; that vulnerable machine could possibly be put there on purpose. So for our Metasploitable we got the correct result: it tells us that it is running Linux, which is correct; down here it even tells us which version of Linux it is running, and we can also see right here by the MAC address that this is a virtual machine. So we got a lot of useful results for Metasploitable.

Let's try with my Windows 10 physical machine. So if I type sudo nmap -O, and to scan my physical machine I must check the IP address inside of my command prompt. If I type ipconfig it will tell me that my IP address is 192.168.1.7, so let us type it in, 192.168.1.7, and run this scan. It should also take just a few seconds; once again you can check what percentage it is at by pressing the up arrow key, and it is currently 81% done, so let's just wait for the remaining few seconds to finish, and it will tell me right here that it didn't manage to discover OS details. Now why is that? Well, because we can see right here all 1,000 scanned ports are either closed or filtered, and remember, to discover an operating system we need at least one open port and one closed port. In this case there is really nothing that we can do to discover the operating system with nmap, since all ports seem to be filtered.

Let's try the same on the Windows 7 virtual machine. I know for a fact that the Windows 7 virtual machine has one port open, so let's see whether it will manage to figure out the operating system on that machine. If I type sudo nmap -O, and I already typed ipconfig in my Windows 7, the IP
address is 192.168.1.14. Let's specify it right here, let's wait for this to finish, and it gives us a bunch of OS details. Up here we have a warning that says results may be unreliable because we could not find at least one open port and one closed port. It did manage, however, to find one open port, which is this port 445, but all the other ports are filtered. However, based on this one open port it tried to guess what operating system it has, and it was relatively close: it managed to guess that the operating system is Windows, and sometimes this could be enough for us. We can see right here it specified Windows 7, which is correct, but it also specified Windows Vista and Windows 2008, which are incorrect guesses. Hm, so we can say that it managed to narrow it down for us, but it didn't really hit the correct one. So we checked how to figure out what operating system the target is running; we noticed that it doesn't always work, but this information, with the information which we will get in the next video, will be more than enough for us to be able to conduct a vulnerability analysis. Let us see in the next video how to get the exact version of services running on open ports.

Welcome back. Let us finally check out how we can figure out the version of software running on an open port. For now we managed to discover open ports, we also learned what different scans do and which ones are better to use, and we learned how we can identify an operating system on some of the targets that we scan. Now let's see one of the most important parts, which will also help us in identifying vulnerabilities. So why do we care about versions of software so much? For example, I might somehow find out that Metasploitable is running Apache web server on port 80, but that doesn't narrow all the possible attacks too much; of course it narrows it down to only search for Apache vulnerabilities, but nmap can even go as far as discovering what exact version of Apache it is running. Then after knowing the version we can search that
version on the Internet and try to see whether there are any known vulnerabilities for that specific version. So version discovery helps us a lot, and let's see how we can perform it. To perform version discovery we use the option -sV, so I will run the command nmap -sV, and as usual we're going to be scanning our Metasploitable. Now this command also requires sudo privileges, so make sure to type it at the beginning of the command: sudo nmap -sV and then the IP address. Press enter, enter the password, and this particular scan could take longer than other scans because right now we are deeply scanning the target. Let us check out what percentage it is at, so 91%, it should finish in just a few seconds. Let's wait for it, and here it is. We can see we got a bunch of results right here. The new thing that we got from all the previous scans is this fourth column. Remember, once we scanned previously, we only got these first three columns, which are the port number, the state of the port, and the service that it is running; right now we also get the version of the service. So let's go quickly through this. We got port 21, which is FTP, and right here we got the exact version of what type of FTP software it has. For the SSH we get the same thing, so the version of SSH is OpenSSH 4.7 Debian Ubuntu. We got the telnet, the SMTP, the HTTP, we got that it is running the Apache HTTP 2.2.8. For the SMB protocol, which is port 445 and 139, we got that it is running Samba from the 3-something to 4-point-something, so in this range will be the version that it is running. And what we would do with this information, as I already mentioned, is we would just try to search for some known vulnerabilities for the specified versions. For example, if this Apache version right here has a known vulnerability, we will discover it by pasting this in Google and typing "vulnerabilities", and whatever comes up we will test on this target and see whether it works or not, since some vulnerabilities could be patched; we never know, so
we want to try it out. Down here we also got the versions for the other ports, so we get a bunch of results right here. What you would do with this scan, since this is really useful, is we would type this in our report and we would use it for future reference.

For now, let me show you another option that you can use with the version scan, and that option is the intensity of scanning versions. We can type it in like this: if I use the same command (let me just clear the screen so we can see it better), if I use the same command and after -sV I type --version-intensity, and after the version intensity we need to specify how high we want the intensity to be, and it can be set between 0 and 9. The default one, which we used in the last scan, is 7, so every time you don't specify this option it will be 7 by default. If we set it all the way up to 9 in this scan, then we will have a higher possibility of identifying the correct service version; however, in 99% of nmap scans this option is not needed, you can just leave it on default, which is 7. If you set it at 9 it will take a longer time, and since we're scanning a target that is on our own network it will still do it in just a few seconds or minutes, but if you were to scan a real target, nmap scans could take a lot more time to accomplish. So you always want to consider not only performing the most accurate scan possible but also performing a scan that will be equally fast and accurate, so sometimes we have to lose one thing in order to gain the other. And that would be pretty much all for the version scanning. Now, we're not going to be running this command since I can tell you right now that it will give us the same output as the previous one, so in this case increasing the version intensity won't help us too much. As far as these options go, there are more options for the version discovery that you can check out inside of the nmap manual, but before I end this video I want to show you another thing that I also use a lot, and that
is the -A option. So let me show you right here: if instead of all of this I specify -A, -A is the so-called aggressive option. It enables some advanced features of nmap. Those advanced features are, well, first it enables OS detection without specifying the -O that we already covered, it also enables the version detection without specifying the -sV, and it enables something called nmap script scanning. What nmap scripts are is something that we will cover shortly; for now just remember that -A enables all of those things that we covered in the previous videos, including nmap scripts. And since -A is one of the more aggressive nmap options, please do not try this on targets that you do not have permission to scan. However, let us test it out on our Metasploitable target, and if you want you can also try to scan your home network with it; just keep in mind that since it is using all of these options it will take some time even if it is scanning our home network. So if I run this command, this will take some time; if I press the up arrow it is 78% done, and the output of this option we're going to see in the next video, as well as some other useful things that we can do with nmap. As soon as we check that, we are going to get into firewall evasion using nmap. See you there.

By now, if you covered all of the nmap videos that we did, you should have an intermediate knowledge of nmap. All we are left to check out is just some of the few options that you might find useful once you're performing your scans, which we will check out in this video, and after it we need to check out two more things. One of them is running nmap with scripts, part of which we're going to see right now with the results of our -A scan from the previous video, and the second thing is how we can bypass firewall, IDS and IPS using nmap. So for now we only noticed how we can perform different scans, but we never really talked about what if our target is well secured, what if they have a firewall; we want to
perform our scans as quietly as possible in order for us to not get detected. But before we jump into all of that, let us check out the output of our -A option. Remember from the previous video, -A runs a bunch of different things such as OS detection, version scan, and it also runs something called nmap scripts. You will see down here that we are getting output that we didn't get before, so besides the open port and the version that the open port is running, we also get the output of different scripts that are run on the target as we execute this scan. So right now here we can see that it executed the script for FTP anonymous login, and it says that it is allowed; we will check out what the FTP anonymous login is, for now I can tell you that it is not really that secure. Even though, if we go all the way down here, it says ftpd 2.3.4, which is this version that the target has, is secure, fast and stable, I can assure you this is one big lie, as this FTP version is vulnerable, and we're going to see in the exploitation section how we can exploit this and gain access to our target machine. Down here we also get the enumeration of the SSH, so we get the SSH host key, nothing really too useful for us; the SMTP commands that are allowed; the SSL ciphers right here; we also get the HTTP server's header, the HTTP title, and these are just some additional information that we got from running scripts. If we go all the way down we also get information for some other open ports, and down here we will see our scan also performed the SMB enumeration, so we got the computer name, NetBIOS computer name, domain name, SMB security mode. Down here we also get the traceroute to this target's IP address, and this is the one hop that we have since it is in our own network. It tells us down here that it also performed the OS and service detection, and here is the OS detection, but we already saw this, we got Linux running, so this is just some additional information on top of the information that we
already had. But remember, -A is an aggressive scan; it does give us the most output out of any other options, but it is also pretty aggressive and easily detectable if the target has some security measures. Since our Metasploitable doesn't have any security measures, or is not behind any firewall, this scan is best for targets like that. So we got the most information using -A, but besides this -A let us also check a few more useful options that nmap gives us, and to do that we're going to run the nmap manual. So type man and then nmap and it will open up the manual once again. We already know how we can go through it with the up and down arrows, and we're going to just go really quickly through it and see whether there are any useful options that we haven't covered but that you might want to use. So if we go down here, this -sn option is a really useful option, and it is not really useful for discovering vulnerabilities or open ports; matter of fact, this option right here performs the same thing that our netdiscover tool did. Remember we used netdiscover to locate all of the hosts that are up and running on our network, and -sn pretty much does the same thing. As we can see right here, this option tells nmap not to do a port scan, so you will not find out any open ports with this scan; the only useful thing we get from this is which hosts are up and running. So let's test it out real quick, and this is a scan that you would use probably on multiple machines to discover which ones are up and which ones aren't, but you can also use it on one machine if you'd like. For this scan I will use my home network, so -sn and then 192.168.1.1-255. If I press enter this should finish pretty much in just a few seconds, and here it is, it will give us which hosts are currently up. We get their IP addresses: 192.168.1.10, this is my laptop; we get the Metasploitable; we get Windows 10, probably; and we get my router. So instead of netdiscover you can use this to figure out which hosts are up, but for me personally I like the netdiscover
output a little bit better than this one; this right here looks a little bit messy.

Okay, so the second thing that I want to show you is the -p option, and this is an actual option that you will use a lot. So for this we're going to scan our Metasploitable, so change the IP address to the Metasploitable IP address. What the -p option is, is simply you can specify what range of ports you want to scan with nmap. So remember, when we perform any other scan it scans the top 1,000 ports, but what if we, for example, only wanted to scan one port? For example, let's say we wanted to scan port 80 on the Metasploitable; can we do that? Well, if you specify -p and then 80 and then the IP address, here it will tell us port 80 is open and the service that it is running. So we can scan only one port if you want. This option is useful if you're only attacking one port and you don't want to bother really and let nmap scan 1,000 ports when you only want to enumerate one single port. You can also do it on multiple ports, for example port 80, port 22, port 100, and let's see what the output is. Here we can see port 80 and port 22 are open while port 100 is closed. We separate different ports with a comma, and instead of separating them with a comma, if you want to scan a range of ports you can also do this: you can do port 1 to port 100, and here are the results: not shown 94 closed ports, and we got six ports that are open in the first 100 ports. And remember when I told you that there are over 65,000 ports? Well, this is the option that we can use in order to scan all 65,000. If I type the same command, just I scan from 1 to 65,535 and press enter, this scan will take longer than any previous scan that we did, since it is scanning 65,000 ports. Here we can see the output: it finished in 7.74 seconds, and here are all the open ports that it managed to discover. Here are some of the ports that we never really discovered with previous scans that we did in the last few videos, so this is really useful. If we used
regular scans and we only scanned the first 1,000 ports, we would never really know that these ports are also open. Now, on the contrary, instead of scanning 1,000 ports or 65,000 ports, we can use a cool option which is -F, and it is a capital F, and what this option does is, instead of scanning 1,000 ports it scans the first 100 ports. So in case you want to perform a quicker scan and you also want to scan the top 100 used ports, you would use the -F option. If I press enter you can see it finished in less than 1 second, and it scanned the top 100 ports. Now this doesn't mean that it scanned ports from 1 to 100; this simply means it scanned the first 100 ports that are usually most used, so we got 21, 22, 25, 53 and a bunch of others as well. But whenever you really want to find out everything you can about the target, this scan will be more useful, the one where we scan 65,000 ports, since you can see there are a lot more ports that are open than with this scan.

Okay, cool. Let me show you one more option before we proceed to the next video, and that option is how to output an nmap scan. So there are a few ways that we can do that. If I run nmap and then we use the SYN scan, which we covered, and let's say we scan the Metasploitable, there are two ways that we can do this. If we want the output to be inside of a file, we can use two arrows to the right and then output_of_scan.txt. Let me see: "You requested a scan type which requires root privileges", so let us run it with root and press enter, type in the password, and you will see we get no output in our terminal. That is because all of the output is stored in this file. If we use the cat command to output the results, here is our scan that is being stored inside of this file. So this is useful once you want to, for example, add this to your report; you just save it in a file and then later on copy and paste this into a report. Another way that you can do this, in case you want the results to be saved both in a file and also output in your terminal, is we can use the -oN option. So -oN, I'm not sure if it is with a capital N or lowercase, and we're going to check that out with the help menu. So let's go to the output settings, and it is the -oN option, and we can see right here the -oN option is "output scan in normal", so we can simply just save this in a normal file. If you want some other file type you can use -oX for the XML, and we got some other options here as well that you might find interesting; for now we're just going to check out this one. So if I go down here and type nmap -oN and then -sS (of course we need to run this with sudo) and we specify 192.168.1.5, "output file begins with"... yeah, we need to specify the name of the file that we want to save it to, so let's just call it output, and here it is, we get the output in our terminal, but if I also type ls and cat the output file we also get the results saved inside of this file. Okay, great, these are just some of the basic options that I wanted to mention since you might find them useful, and by now, as I already told you, you can consider yourself an intermediate nmap scanner. Now to take this to the advanced level we're going to check out in the next few videos how we can bypass firewall, IDS and IPS using nmap scans.

In this small section we're going to cover how we can use nmap to our advantage to be able to bypass some of the security measures that the
target might have, such as firewalls and IDS. These options that we will use in nmap can be considered advanced, so don't worry if you don't fully understand everything that we talk about in the next few videos; just make sure that in case there is something that you didn't understand, you rewatch the video a few times and you will get it. But wait, Alexa, I don't even know what a firewall or IDS is, so what are they? Well, a firewall is a network security system that monitors network traffic, and it is based on security rules that are predetermined. There are two types of firewalls: network firewalls and host-based firewalls. Network firewalls filter traffic between two or more networks, while host-based firewalls only filter traffic that is going in or out from that specific machine. And what IDS is, is an intrusion detection system. It is usually a software application that monitors a network for any malicious activity; for example, some of the nmap scans that we did in the previous section can get caught by an intrusion detection system, so in this section we will check out a few options that could help us bypass that. All in all, firewall and IDS help us secure our network or machine. In the previous section, where we covered nmap basics, we used our Kali Linux machine and we scanned our Metasploitable target. We scanned different ports, and with the scans that we did we managed to figure out what ports are open and what ports are closed, but some of our targets might host services on ports hiding behind a firewall, and once we scan them it will tell us those ports are filtered, which we know means nmap can't figure out whether that port is open or closed. What this means is that we're sending packets to the target but their firewall keeps dropping those packets, and in this section we're going to see what nmap options can help us in bypassing this. Let's get straight into it.

Let us talk about the different options we can use in our scans to bypass a firewall. A firewall is something
unpredictable: you don't really know its rules in order to know exactly what type of scan you need to perform in order to bypass it. Some of the firewalls could use MAC address filtering in order to allow certain devices to connect to a specific port, or in order to block certain devices; some firewalls could block different types of packets; some firewalls could block only some ports and not all of them; and we can't really know what the exact rule is. What I'm going to do is I will give you a few different options as to what you can try in order to bypass a firewall. First of all, how can we know if some of the ports on the target machine are behind a firewall? We already mentioned this in the previous video: nmap will tell us that those ports are filtered. By now we should already know what a filtered port is, but let us define it once again. A filtered port is when nmap can't figure out whether a certain port is open or closed, and that is due to it dropping packets, possibly because that port is behind a firewall; therefore we don't get any responses back from that port and nmap flags it as filtered. Let me show you this on a Windows machine. Right here I have a Windows 7 virtual machine, and this virtual machine, if I go to the Control Panel and then System and Security and Windows Firewall, this machine has the firewall turned on. If we try to scan it using SYN scan, which we covered in the previous section, so let's do it right here (remember, it requires sudo privileges): sudo nmap -sS and then the IP address. I will use the IP address of my Windows 7 virtual machine, and if I press enter here, type in the password, in just a few seconds the scan will finish, and we're going to compare this result, when the firewall is turned on, with the result once we turn off the firewall. So let's wait for this to end, and here it is: it doesn't have any port open; matter of fact, it will tell me all 1,000 scanned ports on this PC are filtered. Now, this doesn't mean that all could be closed or all could be open; this
just means that they are behind the firewall, and any packets we send get dropped by that firewall. So our target could have a few ports open and others closed, but we don't really know that. Let me show you the response of the same scan once we have that target turn off their firewall. So let's go to the Windows machine, and I will click on this "Turn Windows Firewall on or off", and in both of these settings I will select "Turn off Windows Firewall", click on OK, and now once the firewall is turned off let us perform the same scan that we did right here. So we'll just use the up arrow, run the same command, and here it is: we can see that some ports are indeed open. This firewall right here doesn't have any special rules, since it is made to block all traffic, so the techniques that I'm about to show you in these few videos will not work on regular machines that just turn on their firewall and that don't accept any type of connection. However, once firewall rules are applied, and they usually are applied on some servers or machines that need remote access or that need to communicate with other machines, then we can test these options and see whether those rules have any vulnerability that we can bypass. I will turn the firewall back on right here, I will close this, and let's start with our first option. We're going to use an option -f, so if I clear the screen and type the command sudo nmap -f and then the IP address, this -f option causes the requested scan to use tiny fragmented IP packets. Now you might be wondering why we would do that. Well, the idea behind this is to split the TCP header over several packets to make it harder for packet filters or intrusion detection systems to detect what you're doing. If we specify the option once, just by adding one -f, nmap will split the packets into eight bytes or less, so if your packet had a 24-byte TCP header this would be split into three different packets of eight bytes. Now you can also specify the option twice, with -f and then once again -f
and this will split the packets into 16 bytes per fragment but be careful once running this option on an actual Target as some programs have trouble handling these tiny packets if you want to increase fragment size even more you can use the option D- MTU and after it the fragment size just remember that Offset you specify must be a multiple of eight this fragmentation won't always work if I run this scan this option will not work most of the time actually it only works if a network that you're scanning can afford the hit that this will cause therefore they just leave it disabled some networks also can enable this because fragments may take different routes into their networks nonetheless it is good to mention this option as it might come in handy one day another option we can use which is more focused on hiding your IP address then bypassing security and that option is creating decoys using dasd so if I specify Dash and then capital D creating this decoy scan makes it appear to the Target as it has been scanned not only by you but also by the decoys that you specify so their intrusion dete ction system might report multiple IP addresses that scan them including yours but they will not be able to determine which one is real so you successfully HD your IP address from them there are two ways that we can do this and just to show you how this works what I'm going to do is I will open a software called Wireshark on my Windows 10 machine and with this software we will be able to see which IP address are communicating with my Windows 10 machine now you don't need to have wire shark for now just pay attention to the scans that we perform and results that we get in W shark right here I will select ethernet since that is what I'm currently using and we should already see some packets coming in but these packets right here have nothing to do with our scan so if I go back to my C Linux and I run the command pseudo nmap DD and to specify how many random IP addresses we want to 
use to scan the target we can specify DD and then RND D two dots and then the number of IP addresses we want to use so in this case I will use five random IP addresses if I press enter right here and go to my wi shark hm it doesn't seem to be flooding anything are we successfully scanning oh that's right we are scanning Windows 7 machine my bad so we need to be scanning our Windows 10 machine so let me check the IP address on my Windows 10 ip config 182 168 1.7 and right here I will just change from 16 to 17 and let's go back to our shark once again hm it doesn't seem to show for some reason let us try adding this command and we will use the sin scan to perform this press enter and and the reason this might not work is because sometimes farock will have a problem capturing the packets that we send from a veral machine and that is mostly because we're scanning our host machine from the veral machine so what I'm going to do is I'm going to go to my laptop and run the same command give me just a second and I'm running the same command that we ran right here I just ran it and if I go back here here we can see now the output we can see that our Windows 10 machine is getting flooded with random IP addresses if I stop it I can see different IP addresses right here so we got 193. 
245 21377 we also got the other IP addresses but I will also see my laptop's IP address and it kind of sticks out since this R&D option that we used creates random IP addresses all of those random IP addresses will be truly random while the only IP address that will stick out will be this 1821 16810 and that is a local IP so this will most likely not work they will recognize it as the true IP so how can we change this and make it seem like the scan is coming from five local IP addresses that belong to my home network instead of running the command like this what we can do is we can run the command like this sud sudo nmap and then- d and after-d we specify five different IP addresses including ours so we'll specify 182 168 1.2 let's also use 182 16815 for example let's use 18268 1.6 let's use 1821 16815 and let's at the end use my IP address and to specify the C Linux IP address we can simply type me what this command will do is it will use these random IP addresses to scan the target including our true IP address so all we need to specify is the IP address of my Windows 10 machine and if I run this go back to W shark yeah of course once again I must run this from the actual laptop in order for this to work so what I'm going to do is I'm going to run the same command in just a second and I'm running it right now if I go to my w shark here we can see now it is getting flooded with local IP addresses we can see 1821 168 1.2 1.5 1.15 and 1.10 and they will never really realize that this one is the correct IP address since they're getting flooded with a lot of them and you can change this number you can use more IP addresses if you want or less but the point of this is that in case you're scanning a Target that is inside the same network as you use local IP addresses and in case you're scanning the Target that is outside your network you can use this option right here which will Generate random IP addresses and the security will have hard time figuring out which one is 
the correct one cool right now don't worry since this didn't work on my Windows 10 machine the only reason it didn't work is because my K Linux machine uses the same network interface as my Windows 10 host machine if you were to scan any other Target except your host machine this would work in every case so for now we looked at these two options and in the next video I will just quickly mention a few more options used to evade security and then we will proceed to vulnerability analysis which is the last step with before we start gaining access to our [Music] Target we mentioned fragmented packets and creating decoys in the previous video right now we're going to mention a few more options and even though they are not that important it is good to know they exist so let's go through them real fast I will not be running these options but you can test them out if you want I will just mention them so you know what else you can use the first thing we got is option- s and you run it like this pseudo nmap - s and this option is used to spoof your IP address it will make your target think that someone else is scanning them the problem with this is that you will not get results of scan back since they will be sent to the IP address that you're trying to impersonate so for example you can be trying to impersonate 8.8.8.8 and your target will be scanned with this IP address or at least it will seem that the scan is coming from this IP address for this option to work you must also specify Das PN and the reason why you must specify DPN is first of all DPN is used to assume that all hosts are online so it doesn't perform the ping scan to discover whether a host is up and running without the PN this option would not work and the reason is because your target will be scanned with this IP address and we will not be able to get the packets back and see whether the target is on or off that's why we will just assume that the target is online so we can scan them with a different IP 
address otherwise we will never get the result whether they are online and sometimes with these two options you must also run- e e is used to specify a network interface so you would simply just type I have config check out what network interface you're using and you would specify it right here in my case that would be eth0 another cool option besides this that AAP has is you can specify the source port with dasg option this can sometimes help bypass a firewall for example a network administrator May set up a firewall and set rule where only traffic from a certain Port is allowed and with that he's probably thinking that attackers won't be able to figure out from which Port exactly and if you perform a scan and send packets from the port that's allowed in the firewall rule you successfully bypassed firewall so you would specify it with- G and then random port number and one last thing that we will mention that could help you in bypassing firewall is changing different scan types we already covered some scan types and any of them could be useful to you sometimes for example in case you perform a sin scan on a Target machine and in case the sin scan is blocked by the targets firewall which would mean that they drop all sin requests that try to initiate TCP connection we could try to perform a fin scan and fin scan is labeled like this- SF now you're probably confused because there are a lot of scans that we can do and in case you don't have any networking background you're probably wondering what fin scan even means well fin scan is just sending a fin packet without any other flags and these th flags and fin Flags can be confusing sometimes but with practice you will catch everything up just one advice I have is that every time you don't fully understand something just Google it that is how I learned as well and all of these options options that we covered can be combined with something called timing template and to show you what timing template really is I opened up 
my nmap manual right here and I scrolled to this option right here which says- D timing template and if you also open up nmap manual this will be all the way down so there are about 1 or 2 minutes of scrolling until you reach this option here in the nmap manual we can see the dasht comes with six different options or six different modes and what's interesting for us regarding security evasion are the first two modes which are zero and one also called paranoid and sneaky these two are used for idea seasion as it says right here now the problem with t0 and T1 or the first two options is since they're trying to avoid IDs alerts they will take a lot longer to finish so once you're scanning more machines or more networks this might not be the most reasonable approach to take since this scan will take a lot of time with specifying dt0 or- D1 and all of this including the options that we covered in the last video will help you in security evasion and spoofing what I would advise you to do is also read about other options as well that we didn't cover just to see what else can you do in the next video big things are happening we're going to create our first tool used for penetration testing let's do it congrat all
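The following Python script is an added example, not code from the video or from the course. It puts the options covered in this section into checked form: it assembles the fragment (-f / --mtu), decoy (-D RND:n or an explicit list with ME), spoof (-S with -Pn and -e), source-port (-g) and timing-template (-T) command lines with the constraints Alexa mentions, and it parses nmap's -oN normal output to flag the "all scanned ports are filtered" result he gets from the Windows 7 target with its firewall on. The two nmap outputs embedded at the bottom are constructed sample text, not captures from the video; the IP addresses, the function names and the `likely_firewalled` heuristic are assumptions of this example. It builds command strings only and does not run nmap.

```python
"""
Added example (not code from the video): assemble the nmap evasion command
lines from this section and classify an -oN (normal output) result as
"likely firewalled" when every scanned port comes back filtered.
"""
import re

# --- Building the command lines ----------------------------------------------

def valid_mtu(size: int) -> bool:
    """--mtu accepts a fragment size that is a positive multiple of 8."""
    return size > 0 and size % 8 == 0


def build_fragment_scan(target: str, fragment_size: int = 8) -> str:
    """-f gives 8-byte fragments, -f -f gives 16; anything else needs --mtu."""
    if fragment_size == 8:
        frag = ["-f"]
    elif fragment_size == 16:
        frag = ["-f", "-f"]
    elif valid_mtu(fragment_size):
        frag = ["--mtu", str(fragment_size)]
    else:
        raise ValueError("--mtu value must be a positive multiple of 8")
    return " ".join(["sudo", "nmap", "-sS", *frag, target])


def build_decoy_scan(target: str, decoys=None, random_decoys: int = None) -> str:
    """Random decoys (-D RND:n) for targets outside our network; an explicit
    list of same-LAN addresses, with ME for our real address, for targets on
    our own network so that our address does not stick out."""
    if (decoys is None) == (random_decoys is None):
        raise ValueError("give either a decoy list or a random decoy count")
    if random_decoys is not None:
        spec = f"RND:{random_decoys}"
    else:
        decoys = list(decoys)
        if "ME" not in decoys:
            decoys.append("ME")
        spec = ",".join(decoys)
    return f"sudo nmap -sS -D {spec} {target}"


def build_spoof_scan(target: str, spoofed_src: str, iface: str,
                     source_port: int = None, timing: int = None,
                     scan_type: str = "-sS") -> str:
    """-S spoofs the source; replies go to the spoofed host, so -Pn is required
    (no ping reply can reach us) and -e names the interface. -g sets the source
    port and -T0..-T5 picks the timing template (T0/T1 for IDS evasion)."""
    parts = ["sudo", "nmap", scan_type, "-Pn", "-S", spoofed_src, "-e", iface]
    if source_port is not None:
        parts += ["-g", str(source_port)]
    if timing is not None:
        if not 0 <= timing <= 5:
            raise ValueError("timing template must be 0..5")
        parts.append(f"-T{timing}")
    parts.append(target)
    return " ".join(parts)


# --- Reading -oN output --------------------------------------------------------

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
ALL_LINE = re.compile(r"^All (\d+) scanned ports on \S+ are (open|closed|filtered)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (open|closed|filtered)")


def summarize_normal_output(text: str) -> dict:
    """Count port states in -oN output. A host whose every scanned port is
    filtered is the firewall-on case from the section: nmap got no answer."""
    counts = {"open": 0, "closed": 0, "filtered": 0, "unfiltered": 0, "ports": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ALL_LINE.match(line)):
            counts[m.group(2)] += int(m.group(1))
        elif (m := NOT_SHOWN.match(line)):
            counts[m.group(2)] += int(m.group(1))
        elif (m := PORT_LINE.match(line)):
            port, proto, state, service = m.groups()
            counts["ports"][f"{port}/{proto}"] = (state, service)
            key = state.split("|")[0]          # "open|filtered" is counted as open
            counts[key] = counts.get(key, 0) + 1
    scanned = counts["open"] + counts["closed"] + counts["filtered"] + counts["unfiltered"]
    counts["scanned"] = scanned
    counts["likely_firewalled"] = scanned > 0 and counts["filtered"] == scanned
    return counts


# Constructed sample outputs (not captures from the video), modelled on the
# Windows 7 target with the firewall on and then off. IPs are assumed.
FIREWALL_ON = """\
Nmap scan report for 192.168.1.6
Host is up (0.00042s latency).
All 1000 scanned ports on 192.168.1.6 are filtered
"""

FIREWALL_OFF = """\
Nmap scan report for 192.168.1.6
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
"""

if __name__ == "__main__":
    print(build_fragment_scan("192.168.1.6", 24))
    print(build_decoy_scan("192.168.1.7", decoys=["192.168.1.2", "192.168.1.5"]))
    print(build_decoy_scan("203.0.113.9", random_decoys=5))
    print(build_spoof_scan("203.0.113.9", "8.8.8.8", "eth0", source_port=53, timing=1))
    for label, text in (("firewall on", FIREWALL_ON), ("firewall off", FIREWALL_OFF)):
        s = summarize_normal_output(text)
        print(f"{label}: open={s['open']} closed={s['closed']} "
              f"filtered={s['filtered']} likely_firewalled={s['likely_firewalled']}")
```

Run it as a script to see the assembled command lines and the two classifications. The useful check is the firewall-on case: when every scanned port is filtered, the output says nothing about which ports are actually open, exactly as the section describes, so a practitioner should treat "all filtered" as "no information" rather than "nothing listening".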
Info
Channel: Zero To Mastery
Views: 5,702
Keywords: ethical hacking, ethical hacking course, ethical hacking tutorial, ethical hacking full course, ethical hacking for beginners, what is ethical hacking, cybersecurity, hacker, ethical hacking scanning, Reconnaissance, ethical hacking reconnaissance, port scanning, firewalls, hacking lab, man in the middle attack, penetration testing, python, linux, linux terminal, nmap, nmap tutorial, ethical hacking projects, learn hacking 2024, hacking course, kali linux, cyber security
Id: f8Ci0CWHzs8
Length: 268min 18sec (16098 seconds)
Published: Fri Sep 08 2023