Use Nmap for Tactical Network Reconnaissance [Tutorial]

Captions
If you find yourself on a Wi-Fi or Ethernet connection, it can be confusing to figure out what else is on it. nmap is a perfect tool for this, but it can be a little confusing for beginners. Today we'll go through the tactical use of nmap for finding, discovering and classifying different targets on a network, on this episode of Cyber Weapons Lab.

Having access to a network is exciting but not particularly useful if you don't know what else is on it. This can be a problem if you join a network and don't even know where the gateway is, but it can be solved with a tool like nmap, which gives you the visibility to see what else is connected. The way nmap works is by sending out a packet which will elicit a response if the host is up and listening on the port we're sending the packet to, and we can scan a large range of IP addresses in order to discover the different devices connected to the network. What this translates to is that we can scan a whole bunch of IP addresses and discover only the ones that are active, allowing us to go after them one by one and refine the attack depending on what we discover. The first step is target discovery, meaning making a list of active devices, and the second is target classification, where we'll actually start to prod around and discover things like the operating system, the services that are running, like maybe a web server or SSH, and then the specifics of each service, like the version number, which could give us information about a vulnerability that's publicly available. This is all a setup to an attack, so we can use it as a recon phase, and it doesn't need to be limited to devices on our local network: we can also use nmap to do the same for remote hosts, meaning websites available on the Internet at large, and the commands for this are not much different, so learning nmap has a lot of advantages.

In order to use nmap you'll just need to download and install it, and fortunately it's cross-platform, so you don't need to worry about being locked into a particular ecosystem. If you have Kali Linux then you should have it installed by default, so to begin you'll just need to open a terminal window and type nmap. So let's get started. nmap should come installed on most systems, but in case you don't have it, a couple of commands will generally install it relatively easily depending on the system you're using. On Kali Linux you can usually type apt install nmap, and this should work on any Debian-based system, although nmap should be installed on just about any of those. We can also type brew install nmap if we're using a macOS system, and since I already have it, after this finishes updating we should see that it is already installed and up to date.

Now that we've confirmed we have nmap, we need to look around on the network and see what we can find. If we just run nmap by itself we can see it doesn't work; it instead prints all the different things we can do with it, because we didn't specify the host we want to run it against. Here we can see it requires a target specification: the usage is nmap, then options, then the target specification. Since we didn't give any of that we didn't get a response back, so we need to learn a little more about the network we're on in order to use nmap properly. We can't just run nmap the way we can with, say, arp-scan and simply tell it to report whatever is on the local network; nmap is powerful and precise, so it needs a little more data to do what we want, in this case discovering everything on the network. If we type ifconfig we get our IP address on the network, and here we can see our IP address is 192.168.0.48. If we want to be lazy we can type ipcalc and then the IP address we just found, and this does all the math for us and tells us the entire subnet range, in this case 192.168.0.0/24. We'll use this to indicate the subnet to nmap to make sure it scans everything.

As a little tip, just so you understand what's going on: when we type nmap and then just the most basic command, which would be the subnet range, we're asking nmap to scan every port on every possible IP address within this range, which in this case is 256 addresses. That's a lot of packets to send out, so to make this faster we can add the -F flag, which only scans a handful of the ports instead of the entire theoretical port range. That speeds the scan up a lot, but it's still a lot of packets to send out. Here we go: we can see we got eight different hosts up in 7.27 seconds. This is pretty good for network discovery, although some devices might not show up depending on the way the network is set up and the firewall rules on the various hosts we're scanning. If we want to compare this against a different tool, let's run arp-scan -l and see if we get similar results. arp-scan actually found a little bit more, and this could be because we were only scanning some of the ports and not all the ports that are actually open, so this is one reason we might get differing results from nmap compared with another tool like arp-scan for network discovery. After we find out which devices are attached to the network we can use that list to specify more invasive scans that tell us about the devices we've discovered, so let's move from target discovery into target classification.

Once we have a list of the devices on the network, we need to move into a service scan to discover more information. We'll take our previous scan and, instead of scanning the entire network range, add a more specific IP address: one of the devices we discovered in the previous scan, which I happen to know is the router. Here we add -sS and run the scan, and we see we need root privileges, so let me use sudo. Once it runs you'll see we're actually scanning every possible port and getting back a report of the ports that are open. From this we can determine roughly what kind of service is running, in this case HTTP and HTTPS, and that lets us know we have an attack surface available on this particular device. We can even see that the MAC address was returned and recognized as an Arris Group device. So all of a sudden we've gone from "I have no idea what's out there" to a list of what's out there, and now we're drilling down and finding the manufacturer and the open ports on this thing we found. This is getting pretty good.

Now we're going to attempt to find the operating system of the device we've discovered with another scan, the -O flag. This probes a variety of response times, open ports and services and attempts to establish more information about the operating system running on the remote host. If we get a very precise result this could allow us to launch an attack based on information about the version, or a vulnerability specific to what's running on the device. Here we can see there are no exact OS matches for this particular device, but we still get a lot of information, some of it redundant with the scan before; we get a TCP/IP fingerprint which could let us manually find out more, but instead we're going to go on and find more information about the version.

The version scan, which we do with -sV, lets us learn the version of what is running on each port. You can think of it like this: there are open ports that allow us to interact with the device, and on those ports there are applications running that control the traffic going in and out. If we can learn the version of those applications, meaning how up to date they are or what the specific implementation is, there might be a vulnerability, and we might find something a little bit old that could allow us to craft an attack that breaks into the device. Knowing the version number is really important because it gives us our first hard piece of information about the software running on this previously unknown device. Once we discover it we can start googling and maybe find an attack based on Linux kernel version 2.6.18. Again, we didn't know anything about this before, and now we can hopefully infer the kernel version running on it and the fact that it's running a Linux operating system in the first place. So even though we weren't initially able to find the operating system, we can see it's a Linux-based system running a particular kernel, and that's a really valuable thing to know, because we also know that any attacks based on lighttpd or MiniUPnP could be fruitful to look into on this particular device. This has taken us all the way from discovery to classification, but the next step is looking at some advanced tactics we can use depending on the type of attack we're running and the situation we're in.

One thing nmap is really useful for is scripting, and I want to show you a little something you can do to get a list of all the open ports on a network without needing to go through all the output and look past all the ports that are filtered or closed. To do this you can type any nmap command you want, then a pipe symbol and grep to look for any output containing the word "open", indicating an open port, and then redirect the results to a file called results.txt. In this case we're not going to scan the entire network range, just one IP address. The two greater-than symbols (>>) mean that if the file doesn't already exist, or even if it does, it will write to it regardless, so if the file already exists on the system it will just write to it. So what's happening is we're scanning 192.168.0.1, doing a service scan, taking the output, looking for anything that matches the word "open" and writing the results to results.txt. Let's type cat results.txt, and here we can see a list of services that are all open. These have been added together after a couple of different scans, so it looks like a lot, but what we can do is use nmap in a really versatile way with a number of different scripts to cut or paste different information and maybe even pass it into a follow-up command or script.

Now let's say we're on a network and we need to do things a little differently because of the way it's set up; in fact, we might want to appear to scan from a different address to avoid getting our IP address banned. A deceptive scan is relatively easy to do, and the way it works is to use the -D (decoy) option to specify a list of deceptive IP addresses to appear to scan from. Here we have an nmap scan in which we're simply attempting to guess the operating system of 192.168.0.1 from our own IP address, but by adding -D and then a number of deceptive addresses at the end, we can appear to scan from 10.0.0.1 and 10.0.0.2, because if we only appeared to scan from our own IP address it would give the router the opportunity to eventually block the scans or identify where they were coming from.

We can do another type of deceptive scan by adding --spoof-mac, which lets us specify an arbitrary MAC address to scan from other than our own. This is another tool we have to avoid detection, and here we can see we were able to scan and get the same information we would get scanning directly with the deceptive scan we just ran. An example of including the spoofed MAC would just be running --spoof-mac with the same command and a specified fake MAC address at the end, but for simplicity's sake I'm going to move on and show you another trick you can use with nmap to get a little more information.

If you don't want to go back and scan the whole network range every time you want to look at the devices you've discovered, you can run one discovery scan, and once you have a list of IP addresses, simply scan that list instead. To use this you type nmap, then -iL, then the list you want to scan. So if I had ip.txt, a list of IP addresses, nmap would do a general scan against every possible port on every IP address in ip.txt. You can imagine this is much quicker than scanning everything every time you need to do another scan, so once you do the initial discovery you can add the relevant responding IP addresses to ip.txt and run subsequent scans on that instead.

The final type of scan is designed to overcome some limitations that might otherwise cause us to miss some devices on the network. This scan drops the initial ping, which some firewalls block; it takes some time to execute, but the -sU option runs a UDP scan, which is different from the TCP scans we've been doing, and while it takes longer we might pick up some things we didn't initially find. I'll specify a single host in this case because it's a longer scan, 192.168.0.1. The syntax is: a service scan, then a UDP scan, then dropping the initial ping that might otherwise cause a firewall not to reply. These are all things you can work with individually to see if a firewall is interfering with you, or if a device is UDP-only and doesn't have any TCP ports to alert you to its presence. As you can see, this scan requires root privileges, so I'll sudo here, and after the scan completes we might see some devices or ports that are open that would otherwise be blocked by the firewall, or simply wouldn't come up in our initial scan because they're not TCP ports.

While powerful command-line tools like nmap might be a little intimidating for a beginner at first, they're important to learn because they're a fundamental part of any IT professional's or hacker's toolkit. Because of that, they're often seen as a prelude to an attack by organisations that might be sensitive about this sort of thing, so don't go running this on your work computer, because you might find that the response is to get flagged for further scrutiny. Again, this is a tool for IT professionals, so there are lots of legitimate uses for nmap, such as finding your Raspberry Pi on a network in order to connect to it; however, when running this on a network you don't have full permission on, you may run into some problems, so keep that in mind when learning these sorts of tools. That's all we have for this episode of Cyber Weapons Lab. Make sure to like, comment and subscribe, and if you have any thoughts or feedback on the show, send me a message on Twitter, because I'd love to hear from you. We'll see you next time.
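The grep-for-"open" pipeline in the video lumps every host's results into one file. As an added example (not the video's own commands), here are two POSIX shell functions that parse nmap's grepable output format (-oG) instead: one lists each open port per host with its service and version, the other produces the list of live hosts you would feed back to -iL. The sample -oG output is constructed, not a real scan.

```shell
#!/bin/sh
# Parse nmap grepable output (written with: nmap ... -oG scan.gnmap, or -oG - for stdout).
# Host lines are tab-separated: "Host: <ip> (<name>)", then "Status: Up"
# or "Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...".
# Note: the video's ">> results.txt" appends, which is why its file grew across scans.

# Constructed sample of -oG output (not a real scan): the router, our own host, one filtered host.
sample_gnmap() {
  T=$(printf '\t')
  printf '%s\n' \
    '# Nmap scan initiated as: nmap -sV -oG - 192.168.0.0/24' \
    "Host: 192.168.0.1 ()${T}Status: Up" \
    "Host: 192.168.0.1 ()${T}Ports: 80/open/tcp//http//lighttpd 1.4.35/, 443/open/tcp//https//lighttpd 1.4.35/, 1900/open/tcp//upnp//MiniUPnP 1.6/${T}Ignored State: closed (997)" \
    "Host: 192.168.0.48 ()${T}Status: Up" \
    "Host: 192.168.0.48 ()${T}Ports: 22/open/tcp//ssh//OpenSSH 7.9/, 631/closed/tcp//ipp///${T}Ignored State: closed (998)" \
    "Host: 192.168.0.23 ()${T}Status: Up" \
    "Host: 192.168.0.23 ()${T}Ports: 53/filtered/tcp//domain///${T}Ignored State: closed (999)" \
    '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 9.01 seconds'
}

# Print "host port/proto service version" for every port nmap reported as open (stdin -> stdout).
extract_open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*$/, "", host)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, ", ")          # strip "Ports: ", split port entries
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")                       # f[2]=state, f[3]=proto, f[5]=service, f[7]=version
          if (f[2] != "open") continue                  # skip closed and filtered ports
          line = host " " f[1] "/" f[3] " " f[5]
          if (f[7] != "") line = line " " f[7]
          print line
        }
      }
    }'
}

# Print each host nmap marked "Status: Up" once, ready for: nmap -iL hosts.txt
live_hosts() {
  awk -F'\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }' | sort -u
}

# Stand-alone demo on the constructed sample; with a real file use: extract_open_ports < scan.gnmap
sample_gnmap | extract_open_ports
sample_gnmap | live_hosts
```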
Info
Channel: Null Byte
Views: 230,555
Rating: 4.9580469 out of 5
Keywords: wht, wonderhowto, nullbyte, null byte, hack, hacking, hacker, hacks, hackers, how to hack, howto, how to, tutorial, guide, cyber weapon, cyber weapons, cyber, wireless networks, networks, recon, nmap, tactical, reconnaissance, port scan, portscan, ports, open ports, operating system, OS, fingerprint, wifi, wi-fi, ethernet, remote, arpscan, arp-scan, arp scan, mac address, ip address, version, services, subnet
Id: ltEFbi_I2KY
Length: 17min 36sec (1056 seconds)
Published: Wed Jan 02 2019