Hello and welcome to
Nmap, a trihack me room. And we're gonna be doing a bit of a
walkthrough, a bit of a study guide. I'm learning cybersecurity at the moment. So it's sort of like let's relearn as I've gone through through this room
and let's try and learn together. If that sounds nice. Let's go. So let's start off by making sure you're open VPN into
the VPN to the virtual private network. You can do this with OpenVPN. And let me just increase this size. Make sure you do that. That will go initialization sequence completed, which
is what we're after, to confirm that you are connected to the triage me
like virtual private network. Make sure you can Ping 1010. If you get that successful,
then you are in the right area. Great. Once that's all good, let's go over to
tryhack me.com room further and map the link to this room will
be in the description. So first thing first is
starting up our machine. That will take about 60
seconds to get up and running. So as that is up and running,
let's go complete that. And let's just read over introductions, get a bit of a view of
like what's going on. When it comes to hacking,
knowledge is power. The more knowledge that we have about our target system or network, the
more options you have available. So this makes it imperative that proper enumeration is carried out before
any exploitation attempts are made. So the key here is enumeration. So we are going to be
learning a tool called MMAP. You might have been learning it, you might have been going through this
room getting frustrated. This might be your very first time. Whatever the case is, this word is really key to learning penetration testing,
cybersecurity enumeration, which as it's saying, is just finding out stuff about a
system, about a computer, about a server, about a website, about an application,
finding out information. So sometimes that comes in the
form of just clicking around. Sometimes it's using this tool,
which is really powerful. So you can go through this in more detail, which is showing how different ports open
and close depending on different services. So I'm not going to go through all
the information in great detail. I'm sort of going to be scanning because we're more focused about
the actual tasks here. So
once your IP for the box that we're going to be looking at is up, you can go
ahead and try and Ping that box. So just because we can't see pings. So we're trying to say, hey, are you
there through an ICMP Ping packet? We're not seeing anything. Usually that's not a good sign just for basic testing, but in this case,
maybe something else is up. Maybe we can't Ping
this machine by design. So pretty interesting. So go through this and you sort of
pause the video, read all of that. What networking constructs are used to
direct traffic in the right application on the server, if I remember
correctly, it's ports. Interesting. So I'll sort of explain as we go
without going into great detail. But ports are just numbers that just
represent where the traffic is going. So some of the well known standard ports
are like four, four, three for Https protocols, SMB for file
transfers on four, four, five. So there's a list of well known and
we'll get to know them as we go through. How many of these available are there available on any
network enabled computer? So if we go through here we
can see that there's 65,535. I do actually wonder why
this number is chosen. Is it just a random number? Is it by design? I think most things with computers
it's probably by design. I should really look that up
if you know, let me know. That would be good. So how many of these are
considered well known? These are standard numbers mentioned. So I do know off the top of my head I thought it was 1023, but Port
zero is included is a Port. So it's actually 1024. But how do we actually know that? Well, let's just Google it. Let's look up computer ports. Simple little. Now I want the Wiki
computer Port, hardware. So usually try and find the Wiki. For most things this is just actual ports. So let's just be a bit more specific networking ports and hopefully
we get Port computer networking. So this is what we're after. The term Port is like. It's a little confusing because we often,
as I just found out again that ports can sort of be like input, but it's not
exactly what we're talking about. The ports in the networking sense. It's just a number. Okay, so we can see here we've
got notable well known ports. So we're sort of looking for
what is considered well known. So here's just some. So we talked about four, four, three. And there's 84 Http which
is not s, not secure. I've got other things like secure shell. So connecting securely into another
remotely accessing machine using SSH. Other things you might have heard
of like FTP, like over 20 or 21. And there's others like pop three
for mail DNS 53. So more protocols and their
Port numbers corresponding. That doesn't give us the exact number. Actually it says here the registered ports
are those from 100:24 through to that. So we can hit enter. Yay got it. So also a good hint here, how
many well known ports are there. So we could look up that sort of thing. So however you want to find out the information so that you but
those are some general ways. Awesome.
So that's a little bit about ports. So hopefully that gives a good idea. I haven't read the entire Wikipedia page, but if you are really into reading
it's got everything in there. But generally just as we're learning,
just starting off, get the concepts. Okay.
So like most people in Pen testing tools. Nmap is run from the terminal.
Cool. So you're going to need to
get your terminal open. If you've got Kali or Carly downloaded, I'm running mine in a virtual
machine, hypervisor or software. You can use the attack box
that Trihack Me gives you. Or you can use VMware whatever you want. So you can see here that I've already gone
through and done some other switches. So we're going to be using the tool Nmap. So a good thing when you're just learning tools is just to run
the tool like the command itself. Command is a tool. So the tool and then like
help just to get used to it. Or maybe it's Dash or we can
look up the man for the tool. So yeah, those are just
a couple of options. In this case, we're just going to look up
man just to get an idea of what it is. So this is a great way because if you're ever in a challenge or maybe your network
is down or something, you might not be able to just Google things,
which is pretty rare. But this is also just a great way in case
you need to know the information quickly. It's on your local system. So good thing. Anyway, network exploration
tool and securityport scanner. So we can use the arrow keys. It gives us a synopsis. So Nmap scan type options, target spec. Okay, so we'll get into exactly all
of that if this is your first time. Another example, we can actually
scanmead Nmap.org, for example, scans. And we've got these funny switches. So we're going to learn
all about these switches. But this is just to get sort of like a general idea of how this
tool is going to work. So cool. I'm feeling a bit more comfortable.
Cool. So it says here that we can use H, man. Great, got that. So what is the first switch listed
in the help menu for Sinscan? I'm going to test my memory. I'm going to see if I can remember. Damn it. Let's look it up. So a Sin scan since then.
So let's go through. Let's have a look. We want to get to our
actual so here we go. We got Sin connect sincecan. So let's try S. Capital S. Got it. Let's give Simscam. Which switch would we use for a UDP scan? Now remember the difference
between TCP and UDP? They're both forms of connections over the
Internet to send and receive information. Tcp needs a TCP handshake or a three way
handshake to make sure that it's going to the right place and we
don't lose any information. Udp doesn't care about that
doesn't mean it's not used. It's great for things like YouTube and
Netflix and streaming services where it doesn't need to every single connection
to make sure that it is connected. If it loses some packets,
it's not a big deal. So it's more about speed
than I guess stability. Okay.
That's always good to remember. So from memory, you. I'm not looking
good, just trying to remember. I mean, it's right there. I swear I didn't see it. If you wanted to detect
which operating system the target is running on, which switch would you use
so we can keep looking here. I'm pretty sure it's dashv lowercase V. I mean, we can do it with Dasha. That actually does work. But that's not the only one I remember.
I remember. I swear it's. Yes. I've only know that because
I've gone through this before. So here it's actually capital OOH,
not right. Enable OS detection. Okay, so all this is just
going through this man page. We're trying to get
familiar with the man page. That's all.
Nmap provides a switch to detect the version of services running
on the target version. I think it's just. Oh, capital V.
Yes. Sweet. I can remember this, but I
can't remember where it is. Let's just go back up. We can find this information out a little
bit easier without using our head. So another good way of finding out
information like this, if we just go help. So this is going to print out everything. Hit the up arrow. If we grep this through something
and we just say like version. So just find anything through that
output with version we can see here. Sv is there too. So that's really handy just in
case we want to look up that way. So the default output provided by Nmap often does not provide enough
information for a Pen tester. So when you just run an Nmap scan. So say we just ran an Nmap
scan against our target. That's all we see. It's running an Nmap scan right now. But we didn't see anything. We didn't see what it was trying to do. So I don't even know what it means. Let's just have a look at what it means. Is the quality or state of
being verbose or wordy. The use of too many words
verbosity is such a stigma to me. Okay, so using more words, showing more information, I find it so
fascinating why they use this word. So this is V, but we can remember. Just go back here and we
can actually try and find. I know the switch, but just as a little
trick, if you're ever trying to look up a switch, you can use your
backslashes or forward slashes. Just because if you use a dash V, like say
I'm trying to find dashv, it's going to run that as a grip switch,
which we don't want. But if you actually write the slashes around your dash, it'll recognize that as
just actual text, which is quite cool. So that gives us anything that matches
the patent v, which we can see here. There is one increased verbosity level. So verbosity, but use double
V for even greater effect. So this is a habit that I'm trying to get
into and I actually encourage you to if you are using Nmap, try and just
make it a habit of using BB. Yeah, it's a good habit, which is
Consequently just the next cool. Okay, so we should always
save the output of our scans. This means we need to run the scan once. We only need to run the scan once, rather reducing network traffic
and thus chance detection. And gives us a reference to use
when writing ports for clients. What switch would we use to save
and map in three major formats? Man, I totally forgot about this one. So let's actually
go pick a word like a major. Cool.
So output in three major formats. So. Oa, I have not used it since
I've gone through this room. I haven't used this once. I feel like that is not a good thing. I feel like this is actually quite useful. Which switch would you use to see
the Nmap results in a normal format? Let's try that one again. But this time we're going to search
normal and output in normal scan. So we've got O-N-O-X-O-S-O-G file. I'm just going to pick the first one. No, I'm going to pick the last one. Damn it.
I'm going to pick the first one. Why does it say the different options?
I don't know. If you know, tell me
a very useful output format. How would you save the results
in a wrappable format? So let's search this one again. What did I do? I'm in that menu. There we go. Greppable.
Nothing. Let's try that again.
But let's just use rep. Nothing. I'm going to assume that it's
actually this I can't remember. Okay, the only reason that I
picked that one for G is Greg. I guess there is a
difference in these four. So normal something grepable XML. Oh, it says here. Okay, so I'm missing the
last little bit here. Okay, so this is output in a normal mode for on
XML mode or format Ox in an S script. Kitty. I don't know what these exactly mean. And then there's probably
greppable after this for OG. I didn't pick up on that. Fascinating. Sometimes the results
were getting just aren't enough. If we don't care about how loud we
are, we can use an aggressive mode. This is a short hand switch that activates service detection, OS detection, trace
route, and common script scanning. So more on scripting,
which is super powerful. Crazy powerful.
So this one I also remember. But to find it we can use that's. Not actually it. I just remember it's a
but I mean it's in there. We can just look it up. But trust me, it's there. Honestly, I sort of skip over like using
just do it all in these test environments. It's like I'm just learning.
I'm just a beginner. But I assume in real world environments
you don't want to use a on certain targets you might get away with just using,
I don't know, just guessing. Okay.
Nap offers five levels of timing template. These are essentially used to
increase the speed your scan results. But be careful though. High speeds are noisier
and can incur errors. So I can actually vouch for this from
going through and doing this room. And like some other rooms
I have tested running like T four because I was watching a video of someone
who's like, I use T four. It's like sort of the best. It goes faster, which is true, but it's
usually good, but it does miss things. Okay, so this is sort of I don't
know what the best answer is here. So if we looked up. So let's just use Grep again and
we'll just look up anything with T. So there's the answer there. So capital T 12345. Okay, set the timing template. Higher is faster. If zero, that means six. So maybe it's just 12345, I don't know. So the higher is faster.
So this is the fastest. But you're going to incur the most areas. So basically the whole point of this is trying to find out information
about the computer. If you're just telling it to run so
fast, it's going to miss things. One example was like I did a scan and
there are actually like five ports open. But because I used T four,
it only got four ports. So I actually missed out on a Port. So yeah, it happens. That's what it means by errors. So we can also choose which ports to scan. So if you look up
ports, you can see here in the second one, we've got dash P for Port range
only scan specified ports. So this is really good. If you're scanning the machine and you get
all these ports, there's like hundreds of ports, but you just want to focus on
one Port to do more aggressively. Well, this is you can use the dashp and
then specify the Port you're after, which is in this
case 80, which if we're remembering is Http, how would you tell Nmap
to scan ports 1000 to 1500? So same sort of thing. We'd use our dash P switch, but we would just tell it, hey, go
between these two ports. Cool. So you can also do this if you wanted to run it against running against here. But we're going to specify
P, but we could do like 84, four, three. So we can actually just separate and say, hey, we only want to run it
against these three ports. We don't want to run it on all
the ports between 80 and 443. We just want to run it on these
three or these two ports. So you can use commas to separate it too. So that's good to know. So a very useful option
is to scan all ports. Super helpful. The reason that this is so
see if we get it here. So I can't see it here. Let's try all see if we can find it
with all treat all hosts online. Pn skip host discovery. So this is actually good one that
saved me with going through this. So I can't find it. So we can go men and map and
just look for it manually. I mean, I remember, but
it's a good process. Just spending some time. Where are you? Where are you? I don't know. Would be under heel. Can't see it. It's gonna be in like I saw it.
Oh, yeah. You guys didn't see it? Yeah, no, it was right there. Go back, pause the video. P.
So that's specifying all ports. Because remember that
there are 65,000 ports. So just a default Nmap scan is
not going to scan 65,000 ports. It's going to scan.
I think it's just 1000. It doesn't even see. We've got to get around something. But I'm pretty sure it just
scans like the thousand ports. I don't even know if it's 1024. I'm not sure. But it definitely does
not scan all the ports. So that's why when you use that P, how do you activate a script
from the Nmap scripting library? Lots more on this later. So this is insanely
big, I guess the scripting library. So if we look up our help page again, but this time let's just search
the output for script. We can see script equals and then
we can put in the name of a script. So think about the way I like to think about it is
scripts are sort of like plugins to Nmap. So if Nmap was the operating system and
you could install apps on your Nmap operating system, you'd go to your
iOS library or your Android app store, whatever, and you would go
and install that app on your phone. Okay, same sort of thing. You're going to go to a script library
to run a script on your end map. So every time that we have a program that is open to having programs installed on a
program, then it gets really flexible because that means so many other people
are starting to make programs and there's just kind of mind blowing how
much you can do with Nmap. So I didn't even realize that there are so many categories of scripts or programs or
apps that can run in Nmap, making it not only just an enumeration tool, but it can
also run payloads from it, apparently. Which is kind of crazy. So you could possibly just hypothetically break into a machine with
just one tool, just Nmap. Yeah, I think that's kind of crazy. Anyway, how would you activate a script
so we can just go script if I can spell? And then how do you activate all of
the scripts in the phone category? So we'll look at
categories and stuff soon. I can't actually remember just going
to go off the top of my head here. Might be wrong,
but I think that's it cool. There are two variants of the switch one
with a space and one with equal sign. Look at the asterisks in the answer
field to see which one it is. I was actually wondering this. I still don't quite understand it, but
I'm going to leave that for another time. What this is essentially doing is since
there are so many scripts out there, there's so many apps that
can be used in Nmap. This is categorizing them. So there could be thousands,
hundreds of thousands. I honestly don't know. But hey, try and run all of the
scripts under this category. Yeah, that's crazy.
Cool. So that's Nmap switches. So let's go over to our
scan types on task four. So you can definitely read this in
more detail like I've been saying. But basically there are three main types
of scans, TCP scans, Sin or half open scans or stealth scans,
and then UDP scans. So remember the difference between
TCP and UDP, that's important. And then there are less common scans, Null, Finn and Xmas, which we
will get into in a little bit. So read that. So this is going to detail exactly
the St, which is your normal TCP. So this is what I was sort of referring
to earlier, which was the handshake. Okay, that's important. You need to go over that. And I'm going to do my best to try and remember all of this off the top
of my head, which it's a process. So if we go read our questions, we've got which RFC defines the
appropriate behavior. So we've got RFC 793. So I've always think the RFC is sort
of like a handbook to technologies. I'm not sure if that's how everybody describes them or if that's even right,
but that's how I always think about it. If what was closed, which flag
should the server send back? So if we go back to our so by now you've read it because you've
paused the video and you've gone over this detail and now you're a boss
at understanding this stuff. So this is synchronized, synchronize,
acknowledge, and then acknowledge. If everything's open. And you've got an example here in Wireshark, something that
I need to get better at. So if something isn't
open, I think it's Rst. I remember, let's go. So an Rst packet is in response saying, hey, I'm closed or hey,
the Packet's been dropped. Yeah, that's from a firewall. So that's something else to keep in mind. If there is a firewall, it can
be dropped, it can be closed. There's a lot with Nmap. Every time I go over this, I'm like, yeah,
I'm pretty sure I remember everything. But then I'm like, man, it's so much
to it and just networking in general. Okay, so that's TCP connect scans, which
is by default when you just run the tool without root privileges or pseudo
privileges, that is what runs a TCP scan. Remember the S capital T. If we are running route, we are going
to actually be running a stealth scan. Okay, so similar to the TCP scan, but instead, if my memory serves me
correctly, it sends back a closed Port. So where is the system that we're
looking at with the TCP scan goes? Oh, okay, there's another machine on the other side who's wanting to connect
or can connect the client us. We send back a hey, no,
there's nothing here. It's stealthy. Apparently it's not that stealthy anymore from like watching videos and stuff
about it, but it still does the thing. So there are two other names for a since. So I know stealth is one
I cannot remember. The other half open. So that's referring to the fact that it's going one way open, and then we're
saying hey, we're not actually open. So half open and then it's stealth can Nmap use? Sincecan without pseudo permissions,
need pseudo permissions, why? All right, it's a good question. Me. I hope fusion me knows, but if you actually do know
why, that would be great. You could definitely tell me.
Cool. So task seven UDP scans, which stands for
I can't remember. I try not to go in like big
research, data programming. Yeah, user data, grand protocol. Obviously it's so easy to remember. Okay, so more very important information, which I actually have gone over,
and I have my notes to prove it. If you don't believe me, which you should go over to supports video,
go over everything. If a UDP Port doesn't respond to an end, I'm just going to copy a word
because I saw it in italics. Filtered, filtered.
The actual word. No, that was the word I was looking for. I can't remember. I don't actually write everything
down when I go through these. I don't write all the answers down. I like going through these
to try and pull it out. That memory thing repetition. So let's go for if a UDP Port doesn't respond to an M map scan,
what will it be marked as? I don't want to have to read everything because I am conscious of how
long this video goes for. If a UDP, but it might take longer if I
just keep trying to think about it. If UDP Port doesn't respond to an M
map scan, what will it be marked as? Back and forth handshake. When a package is sent, maybe it's a good
time to actually go over our information. Yeah, let's do that. Task seven, unlike TCP, UDP
connections are stateless. This means that rather than initiating a
connection, back and forth handshake, UDP connects relies on sending packets to a
task board and just essentially hoping they make it, which is good for
streaming services like video sharing. When a packet is sent to an open UDP
Port, there should be no response. Whenever this happens, it should
be, oh, it's open and filtered. It's the whole thing good.
Yes. It's not just filtered. It's open and filtered because it
essentially doesn't know the difference. That's right. This has tripped me out because you need to make sure we
remember that the Port is UDP. So if it comes back as open or filtered. Yeah, it doesn't know, basically
because it doesn't check. It feels good that we got that one.
Cool. When a UDP Port is closed by convention, the target should send back
Port unreachable message. Which protocol would it use to do so? Man, I really don't remember this. When a UDP Port is closed by convention, it should send back Port
unreachable message. Which protocol? Icmp.
Yeah. So this is something that
I'm definitely like. I need to get a bit more familiar with
getting better at the lower levels of networking, like the packets and stuff,
which is sort of what I'm really hoping to get from triathny the different headers
and the information in the headers. So those are the three main scans. So let's go on to task eight. So we've got Null, Finn, and Xmas. So this will tell us the difference. And if we do it at a sort of a high quick level and from my vague memory,
breaking down. So there's different flags, like
going deeper into the scan type. There's these different flags and so
there's reserve there's no, I do not understand all these, but basically the
scan is just showing different flags, like different smaller parts
that are being sent. So Null doesn't have any of that. Finn only has the last one, Finn, and then
Xmas has got three of them, PSH, which is push URG, which is urgent, and then Finn,
which I just assume stands for finish. But I'm not really sure. And it says here that it's like a blinking Christmas tree when it's
viewed on Wireshark. So it got the names.
Cool. So I'm going to be honest, I feel like they're a bit more lower level than I'm
quite at right now, so I don't fully understand it, but at least we can
take away that they are less used. So that's what we'll take away from that. But they've got their purpose and
I'm sure we'll understand them. So which of the three scan
shows that there is urgent? So that was the last one. Sx. Oh my God, I think it
was the actual name X. Okay, why are Null, Finn and
Xmascans generally used? These are the questions that I just want to cheat on because I can't remember, like harder to detect. Okay, I'm going to have to read, damn it,
because they're covered already. So we've put in a huge amount of depth here, all these interlinked and are
used primarily, even stealthier. Is that. No, that's not the amount
of letters that were after. Oh, no, please just tell me the response. Malformed packet. Unfortunately, as we open UDP ports, spec
behavior of the Port in the firewall. Why are they generally used? Oh, firewall evasion. Firewall evasion. I remember. Yeah, I remember because I got
really stuck on this one for ages. But yeah, firewall evasion as Firewalls have got more advanced and
looking at different packets. I'm not an expert.
I'm not an expert. I'm just assuming that Firewalls have got
more advanced over the years and that these have been used as just
different methods to get around it. So if there are Firewalls that maybe
aren't so up to date or something, these could still get around it
without being noticed. Which common OS operating system may respond to a knob or XML scan
with the Rst on every Port. I saw Windows somewhere. Am I just making that up? Yeah. And I think it says here and a lot of Cisco network devices
also respond with Rst. Awesome.
All right, we're doing pretty good. We're understanding our scan types
and we haven't even used it yet. So that's cool. Okay, task nine scan types. Icmp network scanning. So this is what our Ping packet is using. An ICMP. So more important information that I'm going to do my best to try and
remember and therefore skip. How would you perform a
Ping sweep on the 170, 216. Xx network?
Netmask. 255-2500. I'm so bad at netmasks subnets. I'm so bad at it in the Sidi notation. Okay, let's start with what I do remember. So the SDI notation is
putting a slash at the end. So if we look here, these
are saying the same thing. So hey, can you give me everything?
192-1680. One between two, five, four. So all of that. And this is saying the same thing. I'm so bad at this, but I
think that's what it's doing. So from memory, we are using this one. A pink suite to do a pink sweep is SN. I mean, I believe that this is what
it is, but I just want to know. Sn. That's weird. Okay, there it is.
Sn. Ping scan, disable Port scan. And it gives us an example here of
how we could use it using the Bose SM so we can look at our
asterisks to give us a hint. Nmap. We would want to run then SN
to do a whole Ping sweep. Tell us everything that's on the network. So this is where
it's all coming back to me. Especially if we want to
get a map of the network. We would want to do a pink sleep. Show me everything on the network, please. So I'm just making sure that
we can just put in 2116 X. So usually we would have numbers
there, but this is just. I think it might want numbers now. I'm pretty sure it's the 16. Pretty sure it's this.
Hope so. I could be dead wrong. Damn it. We might just want zero instead of our Xx. Cool. Alright, so just to sort of explain
from my limited experience and memory. So this is on a different subnet. And honestly, I need to do
so much more research on it. That is just matching up to the 2550. So it's 16, which is the amount of bits. So if there's another two, five, five,
then it would be the 24 that it was showing here, which means the last
octet is the only one that changes. I think I sound like I know what I'm talking about, but to be
honest, yeah, I really don't. So it even says here the CIDR notation, which we use as class B network,
which is the default net mask of 16. So I just did that off memory. But yeah, need to go back to the network study book to get that
ingrained in me marine. But that's okay.
That's pretty good. So task ten now. Nse scripts, man, this is a big room. Hey, we're at 40 minutes. This is a big room to get
our brain over all this. So I've gone through it. And trust me, it's a lot
as you're experiencing. Okay, so the NSE library or script
library stands for Nmap scripting engine. It's crazy.
So it's built on the lure programming language, which I don't know, but
apparently it's pretty simple language. And we have our categories here. So we've got safe intrusive vuln for vulnerabilities exploit
to exploit the vulnerabilities or to attempt bypass authentication,
brute forcing. So that's crazy that Nmap has got the option to brute force, but I
think that's what it like. Yeah. Discovery attempt to
query running services. So yeah, that's crazy. So we can find the whole list by going to
Nmap.org. Crazy big, right? So what language we've got here?
What language? Rnse scripts written in. So that's our Nmap scripting engine. And if we remember it
was the L-U-A Lua Lua. Which category of scripts would be a very bad idea to run
in a production environment. So I'm just going to take by the amount
of letters that we're looking for. It's the intrusive. So as it says here, not safe
likely to affect the target. So it might actually cause some damage. So if we're in a production environment,
meaning we're just testing an app or we're just testing a server or whatever
that doing intrusive scanning or intrusive scripting is probably not
what you want to use. Cool. Task eleven NSE scripts
working with the NSE. So we looked at script back in task three
and that's activating the volume. If we use exactly that script equals van. So that's anything inside. I think that's what it is. That's how we activate it. I'm not an expert. Or we can use this specific script and we just put the script
name in, which is kind of cool. So it says here http file upload. So that's an example of a
script that you can run. So you've got to use the script and then you've got to equals and say,
hey, please use this script. You can use multiple scripts by commas, similar to how you use multiple
ports that we looked at earlier. So we've got an example here, please. Hey, can we run Nmap only against Port 80. So I'm assuming that then it's
on our website space http put. So that's a script and then
script arguments you can use. So it says here. I'm just trying to think
of how to explain this. If this makes sense,
just ignore my Rambling. If this doesn't make sense, let me
make it more confusing for you. So if we are using any arguments. So sort of consider these like switches. So when we have a command we run a switch. So here it's sort of like the switch
and then entering a parameter. It's not exactly probably
the best way to explain it. That's just how it helps me. So if it helps you, great. If it doesn't, I apologize. So you've got to specify the
actual command or the script rather. And then a dot. And then what needs the
parameter that needs to be met? In this case a URL needs to
be passed through the script. Comma and then another one and the
file that needs to be passed through. So I got to be honest, this stuff always
gets a little confusing at the beginning, but it does sort of make sense
slowly, hopefully some time. But yeah, it gives you
a script name argument. So I think that's maybe just stick
with how they explain things. So what optional arguments can the
FTP and non dot se script take? So this year we can look up the script name but we can use the script help
name to actually get the help for it. So let's try that. Let's go script
help and then we're going to look up the script name, which in this
case is FTP anonymous. Nse. So we've got FTP and on categories is under the default authentic auth or Safe
and we're looking for arguments. If anonymous is allowed
get directory listing. So is this the only
argument that it takes? No. What arguments does it take? To be honest, I do not remember this one at all.
What optional arguments can it take? I looked up script help SCP announced. I haven't misspelled anything, have I? Honestly loud.
Yeah. So that's what it does. I don't know what number I'm gone. I guess it's interesting
that gave me the same. I'm not sure why let's you the URL
just going to do it. Copy please. So in this case did not
tell us in the help. How dare it? But it does require some other things. So let's go through and look at the action
connect FTP parameters, host and Port. So that's cool. I'm looking for 123-4567. It's probably something that I need to get better at is actually if you can't find it
there, which I thought that you could find everything there like
go to Nmap's website. So good lesson for me there.
Cool. So we can search scripts. So there are two ways. So we've got two ways of searching
scripts, user share and map scripts. All these scripts are stored
in directory by default. Let's just list out this directory.
So let's go. Ls, L. So user share in map. Wow. And scripts. Look at all those scripts. Give me like a number of how many? It'd be interesting to know how many?
I don't know. I don't know how to find out. But if you do, let me know. Or we can search through the database. So let's just try and cat
that out and grab through. I don't know. It worked.
Cool. Entry, file name, FTP,
Anon and categories. There we go. So there are two ways to look through. You can just list them out. But if you use the database, which I think it says in here, it's not
actually just a text file. Despite the extension, this isn't actually
a database, it's just a text file. So you can just grab it like
normal, which is quite cool. Awesome. So that's just going through file yet. So making sure that it's
installing new scripts. Cool.
I haven't had to do that. I just assumed that all the good scripts that we need are in there,
but shows how much I know. This must be followed by script. Yeah, I think I got this in my notes
because I'm already going to forget this. So good to take notes. All right, let's search for SMB. So I'm going to go up. I'm just going to search SMB. So pause if you need to. But we're just counting out that database
file because remember, concatenate is just displaying what's in that file and we're
grepping, which is searching for patterns. So we're searching for any
pattern that matches SMB. All right, there's a lot. So we've got SMB, brute, SMB, double
Pulsar, backdoor, SMB, enum groups, processes, services,
sessions, shares, users, enum, flood, LS. Okay, there's a lot. So we need a bit more info. How describe either demonstration methods. What's the file name of the script
determines the underlying OS. Okay, so this one stood out to me both
because I saw it and because I remember OS discovery that sort of lines up with
the question OS read through the script. What does it depend on?
How do we do that? I've already forgotten. Let's go up. So let's just go for the help and
just going to paste that in here. Give me help. So script help, S and B, OS discovery. And what does it depend on? I think I might be making the same mistake
because I need to go to the website again. Reading, reading, reading, reading. Attempts to determine the operating system, computer name, domain
worker, apparent time over there. This is done by signing a session
with the anonymous account. We need an account. I need anonymous account. We need anonymous. We need the decentralized
hacking hacktivist group. All right, let's go and look up
this thing. Let's go to this thing. What does it depend on? I remember looking and looking
and looking and not finding it. So we've got arguments this time around. What's out?
Can I just read through the scripts? Don't tell me what to do. I don't read attempts to determine.
Oh, that's right. It says the exact same thing here. I remember trying circumstances so many
times depending on what's going to be
circumstances depending on look for dependencies in the Lewis script.
Do we actually want to cat out the script? If we want to cat out the
script, where was it all at? Let's just. No, we're, we just want to cat this out because remember it's just a file. We can count this out. There we go. So this was the mistake that
I made the first time around. Remember, we're not actually
trying to look at the help page. We're actually looking at the scripts because it says here,
read through this script. So yeah, when I actually do that, it did give me a little hint
when I clicked on the word hint. Funny enough, I don't know,
Lure, I'm not a programmer. This is stressing me out
seeing so many words. So to make this a bit nicer, let's just grab this through and let's just use
the hint that it said dependencies. I might just use it. Cool, we got it. So it's depending on another script. I assume that's another script. I'm not actually sure. I'm assuming that's another script. Just like most Linux programs and open source projects and everything,
there's always dependencies. There's always another program
that it depends on to run. So I'm assuming that's what
it means and what that is. So awesome. We got another one. So that's task twelve. So let's go over to task 13 and let's go for bypassing firewalls
or firewall evasion. So Nmap provides an option for this called PM PN which says don't bother
pinging the host before scanning. Just basically think that
everything's actually there. So this is a good one
for firewall evasion. So I'm pretty sure we do have to use this. So here's some other things to use that
would need F to fragment the packets. Alternative to F is MTU number
maximum transitions, scan delays. So allowing packets to send at different
intervals or different delays. So maybe the firewall can't pick up. If it's a time based thing,
I think that's what it says. Time based firewall IDs triggers.
Yeah. Don't understand a word of it, but
this is good to come back. I think when we are in CTF and like
challenges down the road, these are going to be the notes that I come back
to and go, I wish I understood it. Then that's learning which simply and frequently relied
upon protocol is often blocked. Referring to. I think it's Ping, which
I'm just guessing. Icmp. Yeah. Cool.
Research. Which Nmap switches allows you to append the arbitrary length of random
data to the end of packets. Well, that's kind of cool. I'm going to use our Grep
method for the help. I'm just going to type it out. Help.
Grep. Let's go.
Append. Ms.
Append output. Append.
Rather. I'm going to try this one, but
this might not be which allows us. I'm so tempted just to
read Google that question. Let's just think about this. Which Nmap switch allows
you to append in arbitrary. Arbitrary is going to be the word, right? Let's try random data length. Append random sent.
There it is. Append random data to send packets. Is that what it means?
I don't know. Let's try. We got it.
Append random data to sent packets. That is what it is.
Awesome. All right. After all that learning,
this is pretty long. We're at like an hour already and
we skipped a lot of the detail. Only now we're getting to our practical. So don't feel bad if
you spent ages on this. I know I spent ages on this room just
trying to understand everything. And that's okay. That's learning. Use what you've learned to scan the target machine and answer the
following questions. If you're not a subscriber, make sure you
does the target respond. So we actually know this because I've
been trying to Ping it since we started. No, it doesn't. So by design, yes. I mean no.
Yes. Perform an ex miss scan on the first
999 ports of the target. How many ports are open? So some of these scans can take a while. So if you see the video pausing or anything, just assume that
things are taking a while. Okay, so let's go ahead and run Nmap. We're going to use our dashv. So remember that means for the Verosity,
however you say it, it's a good habit to be in to get that showing
so we can see results. So we want to use the S
capital X for this Xmas. So remember that's the different flags. It looks like a Christmas
tree on Wireshark. So they tell me. And we want to use the P for ports. We want to specify the ports. So we are going to run it against 999. But this is a problem right now. We're only running it against Port 999,
but we want to do it from zero to 999 and we want to know how many
ports are open or filtered. So the last step of our Nmap scan is we just need to paste in what
we're actually targeting. Okay, so I'm going to let that run. I'm going to pause it, and then when I
come back and look at the results, I should really put it in a
text file before I hit run. But anyway, you do that, I'll do this. Let's go. Okay, how did we do so I see four ports and we're asking for how many
ports are to be open or filtered. So let's look at our scan results. So about 50%. One undergoing Ping scan
completed Ping scan one. If it is really up by blocking
our Ping probes, try PN. So that was the last one.
We saw about. So we're not seeing Ping probes,
pin probes, so we're not seeing them. So let's use our capital PN. Let's see the up arrow. I'm not actually sure if you
can just combine them all. I'm not sure. But honestly, just for beginning, it's really helpful just to
have them all separate. So it's sort of like I know
what each one is something. Let's try that. So we're going to be scanning and yeah, this might take a
while so I might just pause. All right. It took a couple of minutes but
we've got our scan results now. It says here all 1000 scans. So let's just have a look. You can see here we get completed scan, how long it took, and then
we've got Nmap scan reports. So we've got that report. So I'm in a bad habit of not saving it
off and just copy and pasting this. It's a bit of a no no, probably. But we can see here that we've
got 1000 open filter TCP ports. So we can put 1000. But that's not going to work. So I'm going to assume that means that all
999 pores are indeed open or filtered, meaning we're not getting
that acknowledged response. All right, so there is a
reason given for this. What is it? Firewall question Mark. I think the answer will
be in your scan results. Think carefully about which switches to use and read the hint
before asking for help. All right, let's continue looking at our I believe that it is the no response can't exactly remember, but yeah, awesome. Pretty sure that really confused me. So just because there's a dash here and we've got a space, that's the reason
we're not getting an actual response. So remember the stealth scan,
which would no, not stealth scan. Sorry. Well, in this case we're
just not getting a response. So it doesn't know how to handle it. So it just says that they are
open or filtered, I think. Awesome. So perform a TCP syn scan on the
first 5000 ports of the target. How many ports are shown to be open? Let's hit up arrow because we've
got a lot of the work here. So this time we want to go $5,000. So it's going to take a little bit longer. If you remember, we could use that T four,
T three, or C five. So that was just speed it up,
possibly creating a problem for me. I'm going to use the T three, see if
that just speeds it up a little bit. So we've got 00:20 5000 ports. This time we want to use a TCP syn scan. So if we go back, if we remember, we've got our TCP syn scan which is that stealth
open scan. So that's what we're wanting to run. So I honestly just forgot it's. Ss, right? Yeah, SS, literally right
in front of my vase. So let's go over here and change our X, which was for the XMA scan to the
Stell scan which is now the capital s. So I'm almost now regretting using the T
three because it might stuff something up. But you don't have to use the T three, remember, that's just
the time to speed it up. You can try it without I may be
doing it without off my memory. It might be zero. It's not zero, but it is
between one and nine. So let's run that and let's make sure you've got your dashv so we can
actually see what's going on. So look at this. We can see some results using our
stealthy scan and using our PM. So we've got an open Port
on 211-353-3895 380. Some of these are known ports. Can't remember what they're so known,
I can't remember what they are. Okay, I'm going to just use 12345 awesome. So we can essentially
cancel that and cool. It's already done.
So we've got our five awesome. So this is what we generally get with our scans is we get a little bit of info
saying we've got 5996 that are filtered or no response like we saw
with the first bunch. But this time we weren't using this SS. So yeah, we can see here
we've actually got our ports. The state that they're in the service
that they're running to domain http. Msrpc. Mswpbt.
You can read. Okay, so let's go back here. So we've got open Wireshark and
if we wanted to do that, that's cool. I'm not familiar with Wireshark.
I got to do that room. So I'm going to leave
that for another time. So we want to deploy the FTP
and on script against the box. Can npmap log in successfully
to the FTP server on Port 21? Yes or no? I remember off the top of my head that we
can I mean, we could just guess yes or no. It's only the last one. But trust me, we can for the time that we've already gone
here, I think we've done a good job. So well done. If you made it to this stage in the
video, you're an absolute legend. Thank you for sticking around. I would really encourage you to take on
network services and network services, too, in the beginning path,
which I will be showing soon. So if you want to stick around and you
can see that but no, Congratulations. You've got through quite a lot. This is a big room so thank you to try
hack me for providing the amazing rooms. Thank you to you, the awesome community.
I hope you enjoyed this. If you did great. If you didn't, let me know why
and I'll see you in the next one. Cool.
