Tutorial: Zenmap is a tool used to help map out networks, ports and find connected devices.

Captions
All right, so we're going to take a look today at Zenmap. Now, this is available for both Windows and Linux. I'm running it here in Linux; it's my preferred operating system, but this will run on a Windows box. I think you get full functionality, but I know you do in Linux, and in Linux you do have to run this as root to be able to do absolutely everything. I believe the OS fingerprinting only works if you're running in root mode, or with sudo permissions depending on the flavor of Linux you're running, so it does need admin-level permission.

So to get started, you're presented with a basic interface, and it's basically a front end for nmap. The nice thing is, I love that they give you the nmap commands here, so if you're already familiar with nmap you can start just dropping the commands in right here from the top, but they have predefined profiles, and we'll start with a quick scan.

So, target. Now you can target a single IP or a network range, and this is a tool I use a lot when I'm getting to new clients, because, well, I don't always know what's on the network and I want to start identifying and labeling all the devices, because frequently when we take over a client, as many of you probably know as well, there's just a lack of documentation, so this is a great tool to get started with documentation. So I'm going to scan my local network here, and it supports both; you can do it two ways: 1-254 will scan the range one through this, or you can specify a shorter range. You can also just put 0/24 and it will give you the entire /24 network. You can expand this bigger, you can fill in whichever netmask works, but for the sake of this one this is how we're going to do it.

Now the different options are quick scan, quick scan plus, quick traceroute; it'll add more and more information. Slow comprehensive scans all the ports; an intense scan does an even deeper scan where you can also include every single port, not just the known ports. For the sake of discussion and how long it takes to do an intense scan on a network, we're just going to do the quick scan and quick scan plus and kind of show the differences there, but you can get really deep, really intense, and dig out a lot of information. But this is generally enough to get you going; I really just want to show how to work the tool and let you kind of take it from there.

So we're gonna do a quick scan of this network, /24. You can see as you type up here it fills in down here, and we're gonna do a quick scan. Now, it doesn't take long to scan a /24 network, I don't know, generally maybe 30 to 60 seconds for a basic scan. You can see my network activity jumping up here, and now it did a basic port scan and lists all of the devices.

Now, where this gets really cool too is you can save this as an XML file, and if you come back later... I'll show you how the differential works. This is just kind of real quick: you can do another scan. Actually, I want to pause this for a second; I want to go plug something back in. All right, so I'm gonna run the scan again, same scan, same parameters, nothing different, so we'll scan this again, and what I've actually done is I turned on another device on the network so we could see if it finds it. All right, and we can; it did add one more device in here. But ideally you want to do a results comparison, so we'll look at our first scan and our second scan. You could have saved and named these to make it clearer, but it puts a little 1 after it, and now it finds it. So there's the different scans, the different times of the two, and, you know, a standard differential, and here's the other device highlighted in green that it found. So it's really handy to... it also looks like I found an Android device dropped off, so it's kind of neat. It will go through and find changes in devices and things like that, so if you go to a site and you come back later and you want to know, did something new get added to this network, you could save the results, and what we do is we save each of these results to our client file so we have like a profile of them, and they're standard XML, so they're easy to parse back out later even without using Zenmap. Anything that can open XML can read these, so you can, you know, figure out what's in there.

So let's do a little bit more. Let's start a new scan; let's get rid of this, close. Anyway, it prompts you to save this like any program, and we'll do another scan of this network, and this time we're gonna do a little bit more intense: we'll do a quick scan plus. Now what this is going to do is OS fingerprinting. OS fingerprinting is not an absolutely perfect science, but it can be somewhat accurate. What it does is it's going to go through and try and determine, based on the behavior on the network, what operating system it's running. It can be kind of handy, so you can kind of identify, okay, is this a Linux device, is it a Windows device, FreeBSD; it fingerprints a lot of them. You can find some of the switches and things like that if they have an IP address, like for a managed switch, but it's a great gathering tool to do this. Now this takes probably about a minute or so to run, so we're gonna fast-forward here.

All right, it's done running the scan. Let me make it fullscreen so you have plenty of stuff in here, and you see the level of detail is a lot higher on here. So we're gonna jump right to each little host detail. It recognizes this system as FreeBSD, which it is; it's a FreeNAS box. It tells you which ports are open on there, the IP address, MAC address, operating system; it feels 99% confident that it's FreeBSD 9.1, because it gives you a confidence level on there. So it breaks down some of the sequences and other details, and you can add comments to each one of these if you wanted to. This is actually, I love this, "rebranded surveillance DVR", and it has all the suggestions for which one it is, so this is actually kind of cool. It is actually accurate; this is my DVR/NVR system for our security cameras, and I do have it on the same network as this because we're doing some testing and copying files over; normally it's not there. And this is the HP printer, so it's accurate to that; it even figures out the general models based on that, so I thought that's kind of cool.

Another Linux box. It identifies the phones; these are Cisco phones. I thought it was kind of weird, it identifies them as VxWorks, which I'm assuming must be the Cisco operating system that runs the phones, so it's got those on there. I wish it had a better icon for the phones. It finds the Linux-based cameras that I have, which is kind of cool, so it's got those details in there. As I said, you can look at the raw output, but it nicely groups it all together. Here's the different types of scans that you ran, for each one; they're all saved, you know, for this whole session. It does have this topology, which is kind of cool, so you can look at things a little bit different. Let me zoom in with it a little bit. They'll let you click on each one and pull up information for each one here. I don't know, it's kind of novel; it gives you a way to click on it, how it's attached, how it's set there, what it thinks it matches, classes, ping, the OS fingerprint information again on each individual host. Kind of novel. If you double-click one of the hosts it will... let me change it back to this, and it switches like that; it's kind of a cool animation. But then it's got, this is just a straight-up host here, and this I like because it is just another way I can present the information, so you can go by and look at each one on there, look at which ports are used or open and the results of each of those, or just expand out under services. Now it's giving you some of the detailed responses that it got out of here so you can understand them a little bit better. It does have a traceroute option; I'll run that next. But like I said, this is really just a neat way to take a look at it, and it dumps a little bit more raw information here; when you click on each one of them it jumps to it and gives you a lot of details.

But in short, just to make a quick list of IP addresses, you dump it in XML, you can throw it into a spreadsheet and have a nice little file where you can start categorizing all the different things on there, so you can start categorizing all the different devices and everything else. And if you notice on some of these, like the Cisco phones, it tells you Cisco SPA508G ATP config, so it pulls a lot of good information here, you know, device: VoIP phone. It's just a great tool for identifying everything that's on a network. You can also just group things by services and figure out where those services were found, which I think is kind of neat. So NetBIOS was found on these devices here, NFS on this, PPP printer was found right here, if only... we've actually had one printer. Then RTSP was found on here, SIP was found on this one here, so on this particular Android, that's interesting. OpenSSH: now it also gives you the version that was found on there, so it's, you know, protocol 2.0 on there; it's giving it to you and telling you which protocol's used on there, so definitely pretty cool. And when you go to HTTP it has the information for that too, so like on this one here it's Apache with mod_mono and anything else that server was willing to give up, and then this one here is running nginx, so that's all of it here.

So we're going to run another scan and we'll add the traceroute option to it: we'll do a quick scan and a traceroute, and we're going to add another thing in here, a route to Google, and that's where the topology gets a little bit more interesting, because what it can do now is give you the breakdown for how you got to google.com and how it relates to the different network, and it's a really cool animation to be able to do that. So it's gonna break down scan details for each one, but it also gives you the traceroute information on there. So let's bring up the controls, and it's adding a traceroute to each one, and what this allows you to do is you can say, okay, from my computer to here is these hops, but what does it look like coming back? And it can change, and you can make each one centric, so how does that one connect to this and how does that one connect to that, and you can start stacking other things in here, do another one, you know, add to it. It's gonna take a second here, and we'll look at the topology here, and it will actually show you the different crossing points for them.

Let's clean this up and make it kind of clean-looking here. So now what we're looking at is the different methods that, from me, localhost, it gets to the other things, for example how we get to Google over here or Bing over here, and it's showing the common paths. Now it can take this path, this path, this path, and we can become centric on each one and start digging out details. So there's how we get to there, and then you can think about it in the reverse of how one server we then trace back to another server, and which points at which they would connect. It's just kind of novel the way it gives you this much detail for each one. And if you compound this, so I did a quick traceroute, but then if I take, and let's go back to Google here, we're going to choose Google as a target, we're gonna do a quick scan plus on Google, so we want to know what other information is on there. So now when we pull up Google we have what they're running, at least what it thinks they're running, port information, fingerprint information, services, and the traceroute information for how it got there. So you can actually use that map to start not only building a network map and mapping how everything's interconnected inside of an unknown network; you can do it where you want to know which services are running on every device. So you can see how this really builds on top of and starts giving you just so much detail for everything on there. So obviously it's only 80% accurate, but it's pretty sure Google runs OpenBSD; I know they have a lot of their own stuff on there. It also has the reverse PTR record that it found in the hostname; it has which ports are open, the TCP sequence, stuff like that around there. It's just pretty clever; it breaks down Google's IP address, which ports are open for Google. I didn't do this to Bing, I only scanned the Google one, so it only has these two ports open, which is good, Google's keeping everything secure, and of course here's the raw dump output for google.com.

So like I said, this is Zenmap, a great tool for doing your basics, mapping a small network, but it does have the ability to map out larger networks and help identify all the crazy devices that people may have on there. So as a technician, this tool is just, you know, invaluable for helping to figure out, you know, new networks and things like that, and it's also a great exploring tool when you're connected to a network to figure out how things are working and just kind of reverse engineer little things. You can do this a lot from the command line, but this just makes it so much nicer, saving it all in just a simple XML file. It also has an option to just drop all the scans into one directory, which is pretty cool too, so you can just stack a whole lot of scans, save them all to a directory and, you know, turn it into an entire project. So that was it for Zenmap. Thank you very much. Oh, don't forget, hit like and subscribe for more content like this. Thanks.
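The save-as-XML and results-comparison workflow described in the video, as an added example that is not from the video or the nmap project: a small Python script that reads two saved scan results and reports which hosts appeared, which dropped off, and which open ports changed, much like Zenmap's compare view. The two XML documents, their addresses and OS matches are constructed samples.

```python
# Added example, not from the video or the nmap project: diff two saved
# nmap/Zenmap XML results (hosts added/dropped, open-port changes), like
# Zenmap's compare view. The XML below is constructed; hosts are hypothetical.
import xml.etree.ElementTree as ET

SCAN_1 = """<nmaprun>
<host><status state="up"/><address addr="192.168.10.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port></ports>
<os><osmatch name="FreeBSD 9.1" accuracy="99"/></os></host>
<host><status state="up"/><address addr="192.168.10.23" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="5555"><state state="open"/></port></ports>
<os><osmatch name="Android 5.1" accuracy="90"/></os></host></nmaprun>"""

SCAN_2 = """<nmaprun>
<host><status state="up"/><address addr="192.168.10.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port></ports>
<os><osmatch name="FreeBSD 9.1" accuracy="99"/></os></host>
<host><status state="up"/><address addr="192.168.10.40" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="554"><state state="open"/></port></ports>
<os><osmatch name="Linux 3.X" accuracy="85"/></os></host></nmaprun>"""

def parse_scan(xml_text):
    """Map each up host's IPv4 address to its open ports and best OS match."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {int(p.get("portid")) for p in host.iter("port")
                 if p.find("state").get("state") == "open"}
        match = host.find("os/osmatch")
        hosts[addr] = {"ports": ports,
                       "os": match.get("name") if match is not None else None}
    return hosts

def diff_scans(old_xml, new_xml):
    """Return hosts added, hosts removed, and per-host open-port changes."""
    old, new = parse_scan(old_xml), parse_scan(new_xml)
    changed = {a: {"opened": sorted(new[a]["ports"] - old[a]["ports"]),
                   "closed": sorted(old[a]["ports"] - new[a]["ports"])}
               for a in old.keys() & new.keys()
               if old[a]["ports"] != new[a]["ports"]}
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}
```

Point `parse_scan` at the contents of two files saved with Zenmap's "Save Scan" (XML format) to run it against real results; a port that went from open to filtered shows up under "closed", which is what you want to notice on a host you thought you knew.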
Info
Channel: Lawrence Systems
Views: 36,174
Rating: 4.9627042 out of 5
Keywords: zenmap, nmap (software), linux, nmap, hacking, network, scanner, scan, tutorial, gui, security, gnu/linux (operating system), port scanner (software genre), windows, computer, computer network (industry), computer network, ethernet
Id: 5zozBk5OOeU
Length: 14min 0sec (840 seconds)
Published: Mon Nov 07 2016