Nmap Tutorial to find Network Vulnerabilities

Captions
With just one command I scanned my entire network, found my hacking targets, found out what operating systems are running, what ports are open, and even found vulnerabilities that I can exploit. That is the power of Nmap, a free, essential tool for hackers and pretty much anyone in IT. Let's get started. You need to learn hacking.

Nmap, or Network Mapper, is the tool used by hackers to scan networks so we can find live hosts, or find targets to hack, and we can also use this tool to find out more information about these targets, a process called enumeration. So in this video we're gonna break down Nmap. I'll show you how to use it, I'll show you how it works. Let's do it.

Oh, and by the way, if you want to go deeper than what I'm showing you here, check out IT Pro TV. They are the sponsor of my hacking journey, they're my primary learning source, and if you use my link below or code NetworkChuck you'll get 30% off everything forever, so check them out. Oh, and by the way, you can install Nmap anywhere: Windows, macOS, Linux. And you're gonna see me using Kali.

Nmap is amazing. Let me show you why. Let's say I have a server on my network, and I do 10.7.1.226. How would I typically find out if that host is there, up and running? Well, we just use ping, right? ping 10.7.1.226. Okay, BAM, I'm getting a response, it's up. Now that's fine for pinging one device, but what if I want to ping an entire network? It becomes kind of a problem. So my home network here is 10.7.1.0/24, which means that this network could have 254 hosts or endpoints that I could attack. Again, who wants to sit here and ping 254 hosts? Not this guy. So let's use Nmap. I'll use the command nmap and then a switch, it'll be lowercase s, capital P (-sP), and then my network, and go. And in 2.71 seconds I found out that 15 hosts were up. Here's the list right here. That's amazing. Do it in your network right now.

Okay, all right, we automated the pinging of hosts in a network. Big deal, Chuck. You're right, Nmap can do a lot more, a lot more. Like, check this out. You see, as a hacker, just knowing these hosts are up is not good enough for me. I need more info than that. If I look at the scanning methodology the EC-Council goes by, we just covered step one, checking if systems are alive, but now I want to look at step two, check for open ports. Let's say my goal is to hack websites and I want to find all endpoints or servers in my network that are running a website. Where am I going to look for that? Well, typically I'd look at a port like 80 or port 443. These ports will typically be open on a server if they're running a website. That's how people access them, by accessing those ports. With Nmap we can find that information super fast. Check this out. I'll throw sudo in here and then do nmap, tick lowercase s, capital T (-sT), I'll explain that here in a moment, and then say I'm looking for servers using port 80 and 443. I'll do a -p and then 80 and 443, and then I'll specify my network, 10.7.1.0/24. Let's go. Oh, sudo password. Now let's go. Coffee break. That was incredibly fast, oh my gosh, 2.39 seconds. Yes. Okay, so what did we find? Well, here's the scan report for the host 10.7.1.211. We can see that port 80 and 443 are both closed, so probably not a web server, safe to assume. But host 10.7.1.226, BAM, both of these ports are open. Probably, maybe, a web server. And we can quickly scroll through our results to see what other open ports we have. Like here's another one, and it just has port 443 open.

Now this is cool, but even cooler is how it actually works. Check this out. Looking at my Nmap command, I used the switch -sT, or tick sT. This is a type of port scan called a TCP connect, or you might see it as a full-open scan, and the magic is in the TCP, using the three-way handshake. I just said a lot of words. What is all that? If you don't know, I'm gonna cover it real quick right now. Let's first start with what is TCP. It's a protocol, the transport control protocol, and what you've got to know about it right now is that when, let's say, my computer wants to talk to a server or even another computer, it's the TCP protocol, a networking protocol, that tells us how we communicate: how do we start the conversation, how do we keep it going. The rules for starting and establishing this conversation are often referred to as the three-way handshake, and it's what Nmap actually uses to do all its magic and check if ports are open. And essentially here's how it works. Let's say this is a web server and it's serving up davidbombal.com. If I want to visit davidbombal.com, I have to start a conversation with that server. So I'll start out by sending David Bombal a message saying, "David Bombal, hey, I got something to tell you, I want to talk to you, are you there?" And this is referred to as a SYN packet, or a synchronization message. Now, because davidbombal.com is a web server, I want to talk to him on port 443, so that's where I'm sending this. I'm saying, "Hey, davidbombal.com on port 443, are you awake?" If he is, if he's listening on that port, he should respond saying, "Yep, I am awake, I am here, I'm ready to talk." This is referred to as a SYN-ACK. I'm like, "Yeah, yeah, let's talk, let's do this," so I respond back with an ACK: "Yeah, I'm here, I'm ready, let's talk." Three-way handshake. And this is what Nmap uses to see if the ports are open.

Now we have a little bit of a problem. You see, commands like this, scans like this on a network, might be a bit intrusive. You see, security features like an IDS, which is an intrusion detection system that's often built into firewalls, might catch on to this, might get you in trouble, might stop you in your tracks. But we can be a bit more stealthy. Here's what we can do. Well, instead of using the switch -sT, we'll use the switch -sS, so lowercase s, capital S, and then our ports and our network. S is for stealthy. That's actually the type of scan; it says it's a stealth scan, or often referred to as a SYN scan or a half-open scan, as opposed to the full-open scan that we just did. The difference being that when Nmap goes to initiate a three-way handshake (say our host here is 10.7.1.1), we'll send our SYN message, our SYN packet, let's say to port 80, and then hopefully the host responds back with the SYN-ACK. Well, because we're being stealthy, we're gonna say "never mind" and just walk away. We're not gonna do the full, complete TCP connection. You see, to communicate with TCP you have to complete that three-way handshake to establish a connection. If that three-way handshake is not completed, then there's no connection. So we're hoping that by not completing that connection, or completing the three-way handshake process, we avoid firewalls going, "Hey, what are you doing down there?" That's the idea. Now security and firewalls have become more advanced and sometimes they can even catch on if we do this, so keep that in mind, but this is a way to avoid that issue. Let's do it real quick. BAM. Ooh, sudo. Stealthy. We scanned the network and they didn't even see us coming or going or leaving.

Now I want to show you real quick the traffic that we're generating when we do this. I want to actually show you what it looks like. We'll use Wireshark to capture it and then I'll show you. So let's do it. Actually, I want to show you the difference. I'm gonna change up my command just a little bit. I'm still gonna do -sT, which if you remember is the full connection, but this time I'm not going to specify a port and I'm not gonna scan my entire network. I'll just scan one host, 10.7.1.226. If I don't specify a port, nothing bad happens, it will automatically by default scan the top 1,000 ports, or most popular ports, and seeing that number makes you think, "Wow, it's gonna take forever." It actually doesn't. Let's do it real quick. I'll click go, and it's done, like I told you, 0.17 seconds. Now I'll do it again with Wireshark running. All right, I'm capturing packets. Let's do that one more time. Done. I'm gonna filter by this IP address and we'll look at one of these conversations here, and it's beautiful, just like what we talked about. Here's my Nmap, here's my target, port 443. I've got my SYN message, I get a SYN-ACK back from my target, and then I send an ACK back saying, "Everything's good, buddy, let's talk on port 443." A full TCP connect. And then I'm like, "You know, I didn't have much to say, I'm going to end this conversation." This flag right here, this RST, is another flag that is just a reset, or ending the conversation in a TCP conversation. Now let's check out the stealthy one. Let's start my capture again and then go back to my commands here. This time we'll do -sS, big S, and go. Same results. Let's see what happened. Crazy looking, huh? Let's check that same port and follow that path, that conversation. It's a little bit different, right? It started out the same way. I'm like, "Hey, you want to talk on 443?" I've got a SYN message. He replies back, "Yeah, yeah, let's talk, my port's wide open," and then I'm like, "Psych, never mind." I don't want to have that connection, that session, established. I don't want to get caught. I'm just poking my head in the window, looking around, and I'm coming out.

You're probably tired of hearing me say this, but Nmap can do a lot more. Like, look at this. If you look at the manual page by typing in man nmap, you can go through and look at all these switches you can use and all the crazy things you can do. Like, for example, I can search for, let's do -O. With this switch I can enable OS detection and find out what OS my targets are using, which is obviously really helpful. Let's try it out: sudo nmap -O and my host, go. Done. So we did a few things here. First it pinged the host, saying, "Hey, it's up," so it used ping. Then it went ahead and checked if ports are open, so it's using TCP three-way handshakes, and then it did its best to guess, and it's pretty accurate, what OS this thing was using, or is using. Now this is a Linux machine. Let's try a Windows machine. It does work on Windows. Let's try it. I have a domain controller on my other network, 10.77.1.11, and this one's obviously pretty stinkin' fun. It found a lot of ports that you might find open on a domain controller, because it is doing a lot, and it learned that I'm using Windows Server 2012 R2, which is pretty crazy, right? But wait, there's more. Let's get back to our main page, man nmap. I'm gonna search for -A. This one's a combo switch. It will do -O, which is OS detection, it'll check for versions of protocols, I'll show you what that means here in a second, script scanning, and traceroute. All those words, we'll look at it right now: sudo nmap -A and my host, and go. Now this one was busy, it was doing a lot, 128 seconds, but let's check out what we found. Found some pretty amazing stuff. We've got the SSH host key, the version of SSH we're using, it learned that we're using Apache on port 80, Red Hat Linux, doing some file sharing, look at that, and then to top it all off we have a traceroute to see how far away it is from us in the network. That's amazing. Let's do my Windows machine real quick, same command, different host, different network. Let's do it. Now these can take a while. If you're like, "Is it still working? Did it freeze? What's going on?" you can hit Enter any time, baby. I'll give it a second to breathe. It'll tell you how fast it's going, the progress, 68% done, that was 25% earlier, how much time is left. Let's do it again, but I'll let it do its thing. Okay, this thing's taking forever, come on. It's done. Finally done. Oh my gosh, it took 303 seconds... seven, okay, I can read numbers, I promise, 307 seconds in order to find out... that's a lot of stuff it found out, oh my gosh. So I found out all the versions of whatever I'm using for the protocols, of course it tells me Microsoft-based, hey, look how much info it found, that's awesome: my common name here, all my SSL cert, even the expiration, my SMB information, which is my file share, oh my gosh, and then a nice little traceroute. So cool. I love this.

Okay, this video is gonna be too long, but I want to show you just two more things, okay, so stick around. Here we go. The first thing is that you can have a decoy, because as you're scanning a network and you want to avoid being found, it's called obfuscation (I can never say that word, obfuscation), yeah, just basically covering your tracks, making sure people can't find you easily, because, hey, if you're scanning a network you're sending all that traffic, something might pick you up. Well, let's get them off the trail. So let's do another port scan. I'll do sudo nmap, I'll do -sT for a full TCP connection, and actually I'll just go stealthy, we don't want them to find us, that's the point, right? And we'll use the command -D, which stands for decoy, and we'll put in a decoy IP address. Let's just say 10.7.1.80, this is nothing, and I'll put in my target, 10.7.1.226. And this is cool, because what it will do is it will still send messages for me, putting in the packets that I am the sender, right, I'm the source, but it will also send another one, a duplicate, changing the source to 10.7.1.80. So if someone's looking through traffic on the network and going, "Man, there's a lot of traffic from that one host," well, you can add decoys to where they're like, "There's a lot of traffic from all these hosts, which one's doing it? I don't know." That's the big idea. That's super cool.

Now the final thing I want to show you is awesome. Nmap can do all these things I just showed you, but it also has a scripting engine. You can write custom scripts, written in Nmap, that can do a lot of things. Let's go find these scripts. Here's the site. It's called the Nmap Scripting Engine, and here are all these scripts you can run. One that's cool are all these scripts under vuln, which is vulnerabilities. It'll actually scan your hosts, in addition to seeing if they're up and what ports are open, it'll scan to see if they have vulnerabilities that we could exploit. That's what I'm talking about, that's hacking automation right there. Now we could go in here and run all these scripts individually, but you know what, I'm lazy, I'm not gonna do that. Here's what I can do. I'm gonna do this: sudo nmap, the switch for scripts is --scripts, and then I could specify my script, but what I'm gonna do here instead is just type in vuln, which should use every one of those scripts in that category. Okay, now let's do my host. Now this will take a bit, so I'm gonna do this and coffee break. Oh, sorry, it's --script, not --scripts, I've got scripts on the brain. Here we go, and we wait, and it's done. 106 seconds, not too bad actually. Let's see what it did. Now I have to be honest, there will be a lot of vulnerabilities on this particular box, because the server is from VulnHub, but basically the script went through and analyzed this box for any vulnerabilities using the CVEs, which is Common Vulnerabilities and Exposures, it's a list that's maintained, and it found some, obviously, which is awesome, and we could then go ahead and exploit those, because those are known vulnerabilities. Easy enough, right? Oh, and by the way, VulnHub, it's awesome. That box I downloaded is actually called Kioptrix. Let me find it real quick. And they have five different versions. It's a VM you can download and it's designed to help you start hacking things, so it's the vulnerable box that you should be able to hack, and there's walkthroughs and all kinds of challenges. But yeah, I picked this because it's gonna be vulnerable, and a huge shout-out to the guy who created this, who I was talking to the other day. He's the founder of the site, he's a hacking genius, go follow him, I'll put a link below. Oh, by the way, content on these will be coming, they're pretty cool.

Now this was just a quick overview of Nmap and why it's amazing. If you want to become a hacker, if you want to get your CEH or any other hacking certification, you do need to become more familiar than what I just covered with Nmap. Here's some of the other switches you might want to learn. Put these on note cards, practice them, lab them, understand what they are, understand how networking works with these situations. I forgot to cover this right here, actually, the speeds. You can lower the speed in which it scans things so you can avoid being detected. The default is T3, which is a pretty normal speed scan, as it says, "normal speed scan" right there, but you can go slower to avoid detection. I tried that, I lost patience and I went faster, but you can do that. And that's Nmap, just one tool we'll use for the scanning and enumeration part of hacking, and if you're going through the CEH this is a vital step. If you check out the EC-Council official course, scanning and enumeration are module three and four, so pretty vital. And please don't consider this a deep dive on everything you need to know for scanning and enumeration. I showed you Nmap and some really fun things you can do with it. If you want to dive deeper, which I encourage you to, in fact I'm hoping this video makes you dive deeper, go check out IT Pro TV. I only have like one 16-minute video and they have a bunch of videos that you can go and dive deeper with, not to mention they have virtual labs. You can just immediately start playing with stuff, you don't have to set up a lab, it's just there, you play with it, it's awesome. Again, link below or code NetworkChuck for that, you get 30% off forever, so check it out, it's worth it.

I'm not a hacker yet, I know that, but I got just a little bit closer today by studying Nmap, scanning and enumeration. I hope that if you watched this video you got just a little bit closer to becoming a hacker as well. So if you like what I'm doing, if you want to keep watching my journey to see if I actually become a hacker, well, subscribe, hit that like button to help the YouTube algorithm, and hit that notification bell so you get notified when I launch stuff, videos and such. Well, that's pretty much it, that's all I got. Let me know what you thought of the video below in the comments. Let me know if you've used Nmap or if you're going to use Nmap. I'd love to hear the cool ways you're going to use it. I'll catch you guys next time.
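The Wireshark comparison in the video is the whole story from the defender's side: a TCP connect scan (-sT) leaves SYN, SYN-ACK, ACK, RST on the wire, a SYN scan (-sS) leaves SYN, SYN-ACK, RST, and a closed port answers a SYN with RST-ACK. None of those flows ever carries data, which is what makes them stand out from a real client session. The script below is an added example, not code from the video or from the Nmap project: it reads a constructed packet-summary log in a Wireshark-export-like layout (time, source, source port, destination, destination port, flags), classifies each TCP flow by its handshake pattern, and then flags any source that probed several ports on one target without ever exchanging payload. All addresses, ports and the log itself are made up for the demonstration; the function names are ours.

```python
"""Classify TCP handshake patterns and flag port-scan behaviour.

Constructed sample log, one packet per line:
    <time> <src> <sport> <dst> <dport> <comma-separated TCP flags>
Flow patterns embedded in the sample (all addresses are made up):
  10.7.1.50 -> 10.7.1.226:443   SYN, SYN-ACK, ACK, RST-ACK  (a full connect probe)
  10.7.1.50 -> 10.7.1.226:80    SYN, SYN-ACK, RST           (a half-open / SYN probe)
  10.7.1.50 -> 10.7.1.226:8080  SYN, RST-ACK                (closed port)
  10.7.1.50 -> 10.7.1.226:22    SYN, RST-ACK                (closed port)
  10.7.1.20 -> 10.7.1.226:443   full handshake followed by data (a real session)
"""
from collections import defaultdict

SAMPLE_LOG = """\
0.001 10.7.1.50 40001 10.7.1.226 443 SYN
0.002 10.7.1.226 443 10.7.1.50 40001 SYN,ACK
0.003 10.7.1.50 40001 10.7.1.226 443 ACK
0.004 10.7.1.50 40001 10.7.1.226 443 RST,ACK
0.010 10.7.1.50 40002 10.7.1.226 80 SYN
0.011 10.7.1.226 80 10.7.1.50 40002 SYN,ACK
0.012 10.7.1.50 40002 10.7.1.226 80 RST
0.020 10.7.1.50 40003 10.7.1.226 8080 SYN
0.021 10.7.1.226 8080 10.7.1.50 40003 RST,ACK
0.025 10.7.1.50 40004 10.7.1.226 22 SYN
0.026 10.7.1.226 22 10.7.1.50 40004 RST,ACK
0.030 10.7.1.20 50000 10.7.1.226 443 SYN
0.031 10.7.1.226 443 10.7.1.20 50000 SYN,ACK
0.032 10.7.1.20 50000 10.7.1.226 443 ACK
0.040 10.7.1.20 50000 10.7.1.226 443 PSH,ACK
0.041 10.7.1.226 443 10.7.1.20 50000 PSH,ACK
"""

PROBE_KINDS = {"half-open-probe", "full-connect-probe", "closed-port-probe"}


def parse_log(text):
    """Turn the summary lines into packet dicts; flags become a frozenset."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, flags = line.split()
        events.append({"time": float(t), "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport),
                       "flags": frozenset(flags.split(","))})
    return events


def group_flows(events):
    """Group packets of both directions under one direction-independent key."""
    flows = defaultdict(list)
    for e in events:
        a, b = (e["src"], e["sport"]), (e["dst"], e["dport"])
        flows[tuple(sorted((a, b)))].append(e)
    return flows


def classify_flow(pkts):
    """Name the handshake pattern seen in one flow (see module docstring)."""
    pkts = sorted(pkts, key=lambda p: p["time"])
    syn = next((p for p in pkts if p["flags"] == {"SYN"}), None)
    if syn is None:
        return "no-handshake-seen"
    server = syn["dst"]
    saw_synack = False
    for p in pkts:
        if p is syn:
            continue
        from_server = p["src"] == server
        if from_server and {"SYN", "ACK"} <= p["flags"]:
            saw_synack = True            # port is open, handshake half done
        elif from_server and "RST" in p["flags"] and not saw_synack:
            return "closed-port-probe"   # SYN answered with RST-ACK
        elif not from_server and saw_synack:
            if "RST" in p["flags"]:
                return "half-open-probe"  # client tore down before the ACK
            if "ACK" in p["flags"]:
                break                    # third leg of the handshake seen
    else:
        return "half-open-probe" if saw_synack else "unanswered-syn"
    # Handshake completed: a real client sends data, a scanner just resets.
    carried_data = any("PSH" in p["flags"] for p in pkts)
    return "established-session" if carried_data else "full-connect-probe"


def audit(text):
    """Return {(client, client_port, server, server_port): verdict} for a log."""
    verdicts = {}
    for pkts in group_flows(parse_log(text)).values():
        syn = next((p for p in pkts if p["flags"] == {"SYN"}), None)
        if syn is not None:
            key = (syn["src"], syn["sport"], syn["dst"], syn["dport"])
            verdicts[key] = classify_flow(pkts)
    return verdicts


def detect_scanners(events, min_ports=3):
    """Flag (source, target) pairs whose probe-only flows touched >= min_ports ports."""
    probed = defaultdict(set)
    for pkts in group_flows(events).values():
        if classify_flow(pkts) in PROBE_KINDS:
            syn = next(p for p in pkts if p["flags"] == {"SYN"})
            probed[(syn["src"], syn["dst"])].add(syn["dport"])
    return {pair: sorted(ports) for pair, ports in probed.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for key, verdict in audit(SAMPLE_LOG).items():
        print(key, verdict)
    print("scanners:", detect_scanners(parse_log(SAMPLE_LOG)))
```

Two points worth keeping from this. First, the half-open pattern is not invisible: the SYN-ACK followed by a client RST is every bit as recognisable as the full connect, which is the caveat the video itself raises about modern firewalls catching on. Second, the scanner heuristic keys on the (source, target) pair, and that is exactly what the -D decoy option is meant to dilute; a detector that also counts distinct source addresses hitting many ports on one target in a short window is less easily fooled by decoys.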
Info
Channel: NetworkChuck
Views: 1,123,247
Rating: 4.9575233 out of 5
Keywords: ethical hacking, hacker, hacking tutorial, how to be a hacker, how to become a hacker, how to hack, information technology, kali linux, learn hacking, linux tutorial, linux+ exam, linux+ xk0-004, raspberry pi, raspberry pi 3, top 10, how to, nmap basics, nmap full tutorial, nmap complete tutorial, nmap, network hacking, hacking networks
Id: 4t4kBkMsDbQ
Length: 17min 8sec (1028 seconds)
Published: Thu Jul 09 2020