
Penetration Testing with Nmap: A Comprehensive Tutorial

By Nielsen Networking

Summary

## Key takeaways

- **Nmap as the pen tester's core scanning tool**: Nmap is the ultimate network scanning tool for penetration testers, capable of performing initial host discovery, vulnerability identification, and exploitation. [31:07], [54:59]
- **Layer 2 vs. layer 3/4 host discovery**: Layer 2 ARP broadcasts are faster for internal network discovery, while layer 3 ICMP echo requests or layer 4 ACK packets are used for external networks or when a firewall blocks the ICMP probes. [02:53:08], [04:55:57]
- **Understanding Nmap port states**: In Nmap scans, the 'open' and 'unfiltered' states are the most valuable, indicating active or accessible ports, while 'closed', 'filtered', 'open|filtered' and 'closed|filtered' provide less actionable information for immediate exploitation. [07:53:08], [08:51:54]
- **Service and version enumeration for vulnerability identification**: Identifying service versions like Apache 2.4.52 or vsftpd 3.0.3 allows pen testers to search for specific known vulnerabilities, greatly increasing the efficiency of vulnerability assessment. [15:51:53], [16:36:42]
- **Detection avoidance techniques**: Techniques like decoy scans, randomizing host order, spoofing MAC addresses, and packet fragmentation can help evade intrusion detection systems, making scans harder to trace. [21:34:37], [25:33:38]
- **Leveraging Nmap scripts for vulnerability scanning**: Nmap scripts, such as 'vuln', can automate the search for known vulnerabilities across various services and protocols, streamlining the vulnerability identification process. [27:06:27], [31:30:31]
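As an added example (not code from the video or from Nielsen Networking), the Python script below parses nmap's normal output into per-host port records and applies the port-state rule of thumb from the takeaways: 'open' and 'unfiltered' ports get follow-up, 'unfiltered' ones are queued for a rescan with a different technique, and service versions from open ports are collected for vulnerability lookup. The hosts, ports and version strings in the sample output are constructed to mirror the ones named above, not captured from the video.

```python
"""Parse nmap "normal" output and triage ports by state.

Rule of thumb from the tutorial: 'open' and 'unfiltered' are the states worth
acting on; 'closed', 'filtered', 'open|filtered' and 'closed|filtered' mostly
just confirm that a host exists.
"""
import re

# Constructed sample output (not a capture from the video): a -sV scan of two
# Linux hosts, a -sA scan that reports unfiltered ports, and a -sU scan.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.0.2.254
Host is up (0.00031s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))

Nmap scan report for 10.0.2.14
Host is up (0.00044s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))

Nmap scan report for 10.0.2.13
Host is up (0.00050s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE      SERVICE
21/tcp unfiltered ftp
80/tcp unfiltered http

Nmap scan report for 10.0.2.9
Host is up (0.00062s latency).
Not shown: 997 closed udp ports (port-unreach)
PORT    STATE         SERVICE
53/udp  open          domain
68/udp  open|filtered dhcpc
137/udp closed        netbios-ns
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# port/proto, one of nmap's six port states, service name, optional version
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp|sctp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(\S+)(?:\s+(.*\S))?\s*$"
)

# What the tutorial suggests doing about each state.
NEXT_STEP = {
    "open": "enumerate the service and look up known vulnerabilities",
    "unfiltered": "reachable but state unknown: rescan with another technique",
    "open|filtered": "nmap could not tell if the port is active: low value",
    "filtered": "probably blocked by a firewall or filter in the path",
    "closed": "host is alive, nothing more to do on this port",
    "closed|filtered": "treat as closed",
}
ACTIONABLE = {"open", "unfiltered"}


def parse_nmap_output(text):
    """Return {host: [record, ...]} with one record per port line."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": version or "",
            })
    return hosts


def triage(hosts):
    """Per host: actionable ports, versions to research, ports to rescan."""
    report = {}
    for host, records in hosts.items():
        todo = [r for r in records if r["state"] in ACTIONABLE]
        report[host] = {
            "actionable": todo,
            "versions": sorted({r["version"] for r in todo if r["version"]}),
            "rescan": sorted(f'{r["port"]}/{r["proto"]}'
                             for r in todo if r["state"] == "unfiltered"),
            "skipped": [(f'{r["port"]}/{r["proto"]}', r["state"])
                        for r in records if r["state"] not in ACTIONABLE],
        }
    return report


if __name__ == "__main__":
    for host, summary in triage(parse_nmap_output(SAMPLE_OUTPUT)).items():
        print(host)
        for r in summary["actionable"]:
            print(f'  {r["port"]}/{r["proto"]} {r["state"]:<10} '
                  f'{r["service"]:<8} {r["version"]}  -> {NEXT_STEP[r["state"]]}')
        for port, state in summary["skipped"]:
            print(f"  {port} {state}: {NEXT_STEP[state]}")
```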

Topics Covered

  • Nmap: The Ultimate Network Scanning Tool for Pen Testers
  • Low-Profile Host Discovery with Nmap
  • Nmap: Layer 3 vs. Layer 4 Scanning Explained
  • Nmap Script Finds Poodle and RDP Vulnerabilities
  • Exploiting FTP Vulnerability with Metasploit

Full Transcript


Welcome back to another Nielsen Networking video. Let me ask you: are you ready to take your penetration testing skills to the next level? If so, you are in luck, because in this video I'm going to show you the power of nmap, which in my opinion is the ultimate network scanning tool. That said, this video will be focused specifically on nmap when used for penetration testing. I give that disclaimer because we have other videos on the channel that offer a more generalized overview of nmap and its uses, so that may be more your style; if so, check out the link above or just go browse for it in the channel. Now, with that out of the way, and to reiterate, the focus of this video will be on nmap from a pen tester's perspective.

What does that mean? That means I'm going to take you step by step through the process of using nmap for initial host discovery all the way through vulnerability identification and exploitation, to show you why I believe nmap is a must-have in any penetration tester's toolkit. So stick around as we explore the various functionalities of nmap and learn how to utilize them in your testing process. We're going to go from host discovery to advanced port scanning and service enumeration, and we're going to cover it all. Plus, I will show you how to use nmap's advanced vulnerability testing features and how to take your results and use them with another tool to test any vulnerabilities that we do discover. So let's get to it.

All right, to get started here I'm going to go ahead and maximize my terminal. I will be using Kali Linux for this video; that said, nmap is available for almost every major Linux distribution and even Windows, so that's that. I will be using this from the perspective of a pen tester, so remember that, and we're going to be sticking specifically to nmap's uses in pen testing. I say that because we're not going to go out and do any open source intelligence gathering. You know, I already would have had permission from the network's owner that I'm performing these on; these are going to be performed in my own virtual network, so obviously I do have permission, but in the real world you would have needed, you know, to get the permission, to get everything ready to where you're at the point we are now: on the network, and we're going to perform this host discovery. So that said, let's get started with that.

All right, the first thing we need to do is verify the network we're on, so we're going to type in route and hit enter, and you can see right here this is the network we're on, and this is the default gateway. To verify that we're on that network we can look at our IP address by doing an ifconfig and verifying right here that that is the network we're on. So we are on the 10.0.2.0 network.

Good enough. We're going to start off using this scan, and I'll explain what this is as soon as I'm done typing it. Just an FYI, all these commands you'll be shown today are case sensitive, meaning if you do an nmap with a lowercase -pr you're not going to get the results you want, and you'll be mad at me, so let's not do that. So, okay, case sensitive, and we're going to type in our network /24. You could also do a /8 if you wanted to change the class of network you're scanning; I'm going to leave it here because that's what I need for the purpose of this video. You could also write this this way if you wanted to, but it's simple, I think it's easier just to do a /24. Then what we're going to do is hit enter and let it do its thing, and while it's doing that I'll explain what's happening. What this does is it goes out and sends an ARP broadcast request to each IP address in that range, so 1 through 254. So as you can see it went through and scanned 256 IP addresses and it found seven hosts that are up. The reason we do it this way is because we're trying to limit the transmission to only necessary transmissions. We don't want to go out and do a full-blown, you know, TCP discovery; we don't want to do that because that's like shooting off fireworks and going "oh, we're here." So we're going to start off as low-pro as we can to get the information of the hosts that are available. We will then take this further, obviously, but we don't need to then broadcast to the whole entire subnet, because we know these are the only hosts on the subnet. So why do we need to send out a scan that scans 256 when there's only seven hosts? So now we can narrow down our search; hope that makes sense to you.

Now that we have the IPs we need, I'm going to go ahead and open up a file here, and I'm just going to call it iplist.txt, and I am going to add the IP addresses that we just discovered. And here we are; I'm going to go ahead and save it and get out of it.

Now that we have that, we are good to go; we no longer need to do network discovery on this network. But what if you needed to scan an external website or an external network? You're going to need to use something besides layer 2, so for that we're going to use a layer 3 scan, and here's how we're going to do it. We're going to first use sudo, then I'm going to do a -PE -sn, and I'm going to scan a website that is actually hosted by nmap. This is a free site they put up that they allow the general public to go and run nmap scans against, so you can practice your techniques on this website. Pretty cool that they do that. So we're going to go ahead and run this, and I guess I should put in the actual command, because, uh, otherwise that's not going to work. So we're gonna go ahead and do that and hit enter, and our results came in really quick. It's looking like, okay, the scan went through successfully; we know there is a host there, we know the IP is this, and that is all we cared about. We wanted to verify that there was a host there using layer 3, and we did. Since we didn't use ARP you may be curious about what we used: we actually sent an ICMP echo request out there, and that came back and let us know that there was a device out there. Now, if we would have done this against a bigger network it would have taken a lot longer, because ARP is really quick compared to these ICMP echo requests. So just an FYI: if you're going out there and you are doing this against a bigger network and it's not returning as quickly as you would expect, that's why; it's totally expected behavior. So that's that.

Now let's say that didn't work. The reason likely is going to be because the firewall is in your way, and it's saying "no, no, no, I'm blocking those requests," so you're like, dang it, what do I do now? Well, now we're going to go and try layer 4, and how we would try layer 4 is as follows. First thing, we'll clean this up, and then we're going to want to go nmap -PA80 for port 80, and we're going to do it again: we're gonna scan scanme.nmap.org once again and hit enter. We got what looks like the same results as the layer 3, and it is the same results, I mean, it's not warning us about using ICMP, that we need root, but nevertheless we got the same: we got the IP address and we got that it is up. Now, it doesn't look a lot different to you, but it is, and what's happening is we're actually using layer 4. We sent acknowledgment packets to the host, and as a result the host responded with a TCP RST (reset) packet, indicating that we have received the packet and there is no open communication channel. That means the host is up. So if this were a firewall, this would have gone through and at least showed us that the host is up on this IP range, and that's what we wanted to accomplish. So now that we know how to do that, we're going to go back to what we discovered in our layer 2 scanning using ARP, which is my internal network using my internal devices. So let's get started on those; I'm going to go ahead and clean this up and we'll get to it.

All right, and real quick, before we get to port scanning we need to understand what we're going to be looking for, and specifically we're going to be looking for the port state. We want to see the results come back that the port is open. This is good; this means that it's accepting connections, whether it's TCP, UDP or SCTP (obviously we're going to be looking for the first two). If it comes back as closed, not good; that means it's closed, and other than verifying that there is a device at that IP address, there's not much else we're going to be able to do at this point with nmap. Filtered: this is a very vague response, doesn't help us out that much; I'm not going to waste time explaining it. Feel free to screenshot this or pause the video and check all these out in more detail if you want. Unfiltered: this means it's accessible, but it can't tell if it's open or closed. Not the most helpful, but it does suggest that you go and scan maybe using a different technique; maybe you use a layer 4 or layer 2 or layer 3, whatever you initiated with, try a different method and see if you can get a little further. Open|filtered: similar, but it's enabled and nmap was unable to determine if the port was even active, so a little less useful than unfiltered. Last one, closed|filtered, pretty much means it's closed. So the ones we're really going to look for are open and unfiltered; the other ones are just, kind of, not really worth the time. So that said, now we're going to move into the port scanning. All right,

we're going to start with the most basic of all nmap scans, and that is going to be nmap and then the IP address of the device you want to scan. Hit enter, and boom, just like that your first scan is done. Now, what did this do? This scan scans the first thousand most commonly used TCP ports and then returns the results. So I scanned them against my Kali Linux box that I'm on right now, and they all returned that they are closed. That's good; I didn't expect them to be open, but that is how you could do it. Now let's say you wanted to do this to the entire network. You could do that, but instead of doing that you would do this. But again, remember what we did in the beginning: we did host discovery so we could stay low-pro, under the radar. We don't want to, you know, shoot up fireworks again; we want to stay under the radar as long as possible. So what we're going to do is go ahead and use our IP list and tell nmap to use that. So just to review what's in here: those are the IPs we're going to scan, and to tell nmap to scan those I simply do this, and then I give it the name of the list. So it's going to be nmap -iL iplist.txt, and we hit enter and wait for the results.

All right, and the results are in, so let's take a look. It's going to start up top; I believe it's going to start with the lowest IP and go down that way. So it started with my Kali Linux box, which we already know has nothing very fun to look at. Going down the line here we have another machine on 2.7 that looks like it has a lot of stuff we'll look into further. Continuing down here, 2.9 has some stuff we'll look into; 2.13, 14 and 254 have at least port 80. So all the other devices look to have something we can investigate a little bit further, so let's go ahead and move on to the next scan we could look into. All right, and

this next scan is going to be useful if you are looking for specific ports. So let's say we were looking to see what devices had SSH open. What you would do is you would go nmap, you would do a -p, and then you would put in what port we are looking for, let's say 22. So then we would put in -iL to point to our IP list, and we would put iplist.txt, hit enter, and wait for the results. That came really quick, so what it's telling us is: it's closed here, filtered here, open here, so 2.13 is open; closed, closed, closed, and it looks like it's closed on all the other IP addresses. But we do know now we could investigate SSH on this one, so see, that can be useful. Let's say you wanted to do the same thing but you wanted to do it for port, let's say, 80, to see how many of them are running web servers. You can see right away: open, open, open, right off the bat three, and then we get closed, and then we're open again. That's unbelievable. So right there port 80 is open on almost all of them, so you can see how you can do that. You could even combine it: let's say you wanted to do 80 and you want to do, let's just say, 21, let's see, and it would go through and you could combine them. So you could continue to chain these along; let's say you also wanted to know if 23 were open. You have to wait a little bit longer; the more you put, the longer it's going to take to get the results, obviously, because it's doing more, makes sense right? So you go through here and look at this: this one has FTP open and HTTP open. Let's see if any of them... oh, look at this guy right here, all three are open, so that would be a prime target. So that said, that is how you run with a specific port or specific ports.

All right, we're going to shift gears here a little bit, and we're gonna go out and scan for filtered ports. I know you're thinking, well, why would we want filtered ports? We want filtered ports because we're looking to see if the ports happen to be there and they're just being blocked by firewalls or other devices, and by looking for these filtered ports we'll know other ports we want to investigate further using different scanning techniques. So to look for these filtered ports we're going to go ahead and do the following: we're going to do nmap as normal, and we're going to do a -s and an uppercase A, so -sA, and then I'm going to tell it to use my IP list again. You could tell it to use your specific IP or a range, all that good stuff; I'm just going to stick with this and we're going to go ahead and run it. And it's going to warn you that you need root, so what you're going to need to do is either, you know, su to root or use sudo. Oops, you're not going to use su, because, like I said, su's not going to work, we need sudo. So we're going to go ahead and hit enter and let it do its thing.

All right, and the results are in; let's take a quick look here. We'll go from the bottom up this time, so it's looking like 254 is not having anything. Right here, look at this, these are showing us unfiltered, and remember, unfiltered doesn't mean that it's open, but it means it's accessible, so that means we'd want to further investigate that and see if we could get in on port 21 and 80. So let's continue up: none here, none here, so it looks like everything else reported as either showing open in another scan or it's closed. So this would be the only server we'd want to further investigate on port 21 and 80.

Okay, let's try something else here. All right, I think it's about time we look at some UDP ports, because we have completely overlooked those until now, and believe it or not that happens more than you would believe. But you're not going to let that happen, because you're going to be thorough, and to do this we're going to go with an nmap like we do with all our commands, or, uh, we're gonna go sudo nmap, I should have said, and we are then going to put in -s and U for UDP, so -sU, and then we're going to go ahead and put in our -iL for our IP list and let it run. All right, the results are in, let's go ahead and take a look here. It looks like this first server is showing us that it has some open|filtered, so that's not going to be super useful, so we won't spend too much time looking at that. This is showing that it has a closed UDP port, so that's not super helpful; um, I'm assuming TCP is open on port 80, that's why it's showing us that. And then this has a combination: it looks like DNS right here is open, so that's something we would look into, and then it has some open|filtered and just some more open, so that's definitely something we'd want to look in on 2.13. Moving up the ladder here we have more and more open on the next machine up, and it just kind of keeps going with more and more open all the way up. So you can see scanning for UDP was definitely useful, because if we didn't do this scan we would have been, uh, in the dark about some of these other ports that are open that we could have investigated. So let's go ahead and check something else out.

All right, for the next step we want to take this a little bit further. Now we've found some open ports, both UDP and TCP, but now we want to know exactly what services and versions are running on those ports. So to do this we need to switch it up a little bit: we're going to need to go with nmap again, we're going to go sudo just in case we need it, and we are going to do a -sV for version, and then I'm going to do again my IP list. You could do again the range or the specific IP; I'm going to go with this. Oops. I'll go ahead and hit enter and we'll wait for the results here, after I put in my password.

All right, and the results are in, so let's take a look here. First thing we'll look at is 2.254, which apparently is an Ubuntu server, and we knew port 80 was open on it, but we didn't know what was on it, and apparently it's Apache, and it's running this version of Apache. So you can see how powerful this is: now we could go out on Google and just look up vulnerabilities for Apache 2.4.52 on Linux. Going up the ladder, we could do the same thing for the next server, but this one is also running an FTP version here, vsftpd 3.0.3, so again we could go out and see if there's any vulnerabilities for that version of that FTP. And up here, this thing has... you could almost just blind-throw something at it and hit a target here, I mean, this is a lot of real estate to deal with here: MySQL, I mean, SSH, Telnet, I mean, my gosh, there's a lot there, so that's definitely one we would be, uh, targeting. Going up the ladder again, we have another machine on 2.9 that looks like it has a few things; looks like it's running, um, SMB and some other things here, so that's another one we'd look into further. And continuing up, look at this, this has a ton of them as well, including FTP, you name it; it also looks like it's running, um, SMB. So the only one that looks good is the Kali Linux machine I'm on now. So that is how you could look for services and versions running, and that's going to be kind of our bread and butter for what we're looking for. But now let's say we wanted to know, just to verify, you know, it says Ubuntu here, but how can we take that a level further? For that we're going to use this next scan.

All right, so following up with that service and version number, we want to know the operating system, and to do that we are going to do an nmap -O, pretty basic right? And then you would just do... you know, you know by now what we're doing; we're not doing that, we're doing this, just making sure you're paying attention. Go ahead and hit enter. Actually, we need to sudo this, I caught myself that time, and hit enter and go ahead and wait for the results. Those results are in, so let's mix it up and go from the top down this time. It started with my Kali Linux box, and no surprise here, it did not give much information; that's what I would hope for. Continuing down here we have 2.7, which, if we continue all the way down to the bottom, we can see that it identified as a Windows 7 machine, and that is correct, it is running Windows 7. Continuing down, 2.9 is running Windows XP, and that is also correct. Continuing down, we have 2.13 that is running Linux; it doesn't tell us the exact release or distribution of Linux, but it gives us close enough, we know it's Linux. 2.14 is also Linux; it's saying unreliable, and there are options or switches we could put onto the command I just ran to get these results that we can look into later, but for now we don't need that, we don't care so much, we just want to know that it's Linux. And continuing on down, our last box is also Linux, so that's three Linux boxes and two Windows machines, so pretty good there. Well, four, because of Kali Linux, but three that were open, um, and returned results, so that's good.

Now let's move on to another little technique we can do to either speed up or slow down our scanning, and that technique is pretty easy. I'm going to do it using the most basic of nmap scans, which is nmap, and I'm going to scan scanme.nmap.org, so we'll run it again, scanme.nmap.org, and here's where we're going to put in the switch that's going to control the speed. It's going to be a -T, and the -T has a range from zero to five: zero being slow, what they call paranoid, five being the fastest, what they call insane. Three is the default; three is the same as running the scan like this. So to test this, let's go ahead and put a -T here and let's run it at five and we'll see what it says. All right, and the scan finished and it took 14.15 seconds, so let's go ahead and do that same scan, let's try running it at a -T3 and we'll let it run.

All right, and here we go, so this one took almost double. The interesting thing is this actually picked up an extra port that this one didn't, and it's supposed to work that way: the faster you go, the less accurate your scans are supposed to be. That was going to be my next point, of why you'd even want to do this, and that goes into the quicker it's going, the less accurate it's going to be; the slower it goes, the more likely you're going to be able to go under the radar, you know, under the intrusion detection systems and things like that. But be warned, when I say slower I mean considerably slower. I once tried to do this and I used zero, and it was at like 45 minutes for five hosts and I hadn't had a single result, and I just canceled it because it was too long. So just FYI, this is a way to do it, but if you're gonna do it, it should be for a single host; do not run this against an entire network or you're going to be there all day long using a zero. Now, using a five, it wouldn't take as long, but you're going to set off every alert in the system. So FYI. So with that said, let's go ahead and move on.

All right, and continuing with the theme of trying to stay under the radar, you know, we want to avoid detection, we're going to run what's known as a decoy scan, and this is pretty cool. So what we're going to do is, first you need to be root, so we're going to go sudo, or you could, you know, su to root, whatever floats your boat. Then you're going to put in the IP or the, um, subnet of the devices you want to scan; I'm just going to go against Windows 7 here because we haven't picked on Windows 7 enough yet. And then what you would do is you would do a -D, and then you would do RND: and the number of decoy IPs you want to do; I'll go with 20, you know, let's go crazy. So we're going to go ahead and run this, but before we do that, why don't we do this: why don't we open, uh, Wireshark, and you can see what's going on as it's going on. So let's put these two side by side if we can pull this off; should be able to. All right, let's go ahead and open eth0, and let's go ahead and run it and see what we get.

And boom, as you can see, the outgoing 2.7 is getting flooded by all these source IPs. So now, while we're not completely off the log, we are now in the log with 20 other IP addresses, which will make it a lot harder to pick out one specific IP address. Pretty cool stuff, right? Now, over on our end we got the results we wanted, and we don't notice much difference; this is more going to be for the destination side. You're not going to really get any different... well, you're not going to get any different results at all, but that's good, because we weren't trying to get different results, we just didn't want them to know where we were. So mission accomplished, right? Right on. So let's go ahead and move on to another way to try to avoid detection.

All right, the next technique I'm going to show you is how to randomize the order that your scan is performed. By default, if you were to pick a subnet, it's going to start sequentially and work its way through, and that can be pretty easy for, you know, intrusion detection systems and other defensive controls to pick up, because you're going from one host to another. This is going to go A to D to C to F and all over, instead of going A, B, C, D, E. So how to do that? Pretty simple: we're going to go ahead and nmap, and we're just going to go -iL and we will go ahead and put in iplist.txt, and at the end all you need to do is add --randomize-hosts. And I believe we need to be root for this, so we're going to throw a sudo in there and we'll go ahead and hit enter, and I will wait and see what happens.

All right, and the scan completed; let's go up and take a look. This should go from 2 to 7 to 9, and as you can see it went from 2, or, I mean, from 4, excuse me, to 9 to 13 to 7 and down to 14 and ended up with 254. So as you can see it did exactly what we asked it to, so that's another technique to keep you off the radar.

All right, the second to last technique I want to show you to try to avoid detection is going to be how to spoof your MAC address, and this is pretty straightforward. We're just going to go sudo nmap and enter the IP address of the device you want to scan; I'll go ahead and run this against our Kali Linux box here just to see what we got. And then what we're going to do is we're going to go --spoof-mac, and then you'll enter a zero to randomize the number. If you wanted to actually fill it in you could go ahead and do that as well, but I don't really see what the point of that would be, so I'm going to go ahead and run this and see what we got. And as you can see, here's what it went with; that's the MAC it picked for us, scanned, and we knew this box had no open ports because it's pretty well-hardened. So what we want to do now is check to verify that it didn't really use a real MAC, and here's our real MAC, so no, it did not. So pretty straightforward technique; nevertheless it can help keep you off, um, some detections, if they were, you know, actually blocking MAC addresses instead of IP addresses, because unfortunately there's no easy way to spoof your IP address short of using something called ipchange, which uses a proxy, and it's out of the scope of this video. Maybe I'll do another video at some time on that, but that's a little more technical. But nevertheless, this is one more technique. Moving on to the last technique for avoiding detection.

For the last technique I want to show you on trying to avoid detection, we're going to do something known as packet fragmentation. And what is that? That is going to be where we're going to take our packets and fragment them into smaller packets, and the reason we do this is we're hoping the smaller packets will be able to avoid detection; they'll be able to, you know, bypass those content filters, firewalls, intrusion detection systems and things of that nature. So let's go ahead and do it, and to do it it's very basic: we're going to go nmap, or sudo nmap, always, and then we're going to put in the IP address. We'll go against 9, because we picked on almost every other server we have here, and then what we're going to do is we're just going to put a -f at the end, that's it. But before we do it, let's go ahead and open up Wireshark so we can take a look at what it looks like going out. So we'll do that, go ahead and do that, and let's go ahead and hit enter. Done. Go over here, and this looks normal, right? But check it out; it scrolled by so fast. See this? This is a fragment that was broken up, and all these all the way up here, and you can see it goes all the way up there. So in my personal experience I would say this helps maybe one out of every five times. This isn't like the "oh, this is going to work every time, it's gonna get by the detection systems"; it's not all that great, but you know what, it is another tool and it's definitely worth keeping in your arsenal. So that said, let's move on to testing these services for vulnerabilities.

All right, at this point, if this were a penetration test, let's see what we've done. We've discovered the devices on the network, we have singled out the devices we want, we have singled out what ports were open on them, what services were running on those ports, what versions of services were running, and what operating system. So we have compiled all this data; now at this point we're ready to go to the next level, and what we're going to do at that stage is we're going to now test to see if there's any known vulnerabilities to those specific service versions running on each of those hosts. To do that we're going to leverage nmap scripting, and to get scripts you can either go out to their website right here, I'll show you. You know, you're just going to go to nmap.org, I'll put the whole URL in the description, and here you're going to get a listing of scripts, a really long listing of scripts of all different kinds of built-in scripts that you can either download by clicking on them and hitting download. Some of these are actually already pre-built in, and some of these actually come with different distributions of Linux, but if for whatever reason it's not, you could always go here and download them. So that will work for everyone, Windows or Linux, you name it, you can go here and get them.

For those of you on Kali Linux, you're in luck, because they actually come pre-installed, or pre-loaded I should say, and to get there you would just go to this location, and actually one more folder in here. So if we do this you can see... well, actually, maybe this will give you a little bit better view, but you can see they're all here for the most part. Again, if one wasn't here you could go up and get it from the website. So that's where we're going to get the scripts. Now let's move forward and show you some of the most popular ones to look for vulnerabilities.

All right, and before we get to our first script, I'm just going to ask, out of the kindness of your heart, if you could smash that like button if you are enjoying this video or learning anything. I would greatly appreciate it. If you want to one-up me on that, go ahead and subscribe for future content. We're trying to get a lot of content out there, and believe it or not about 80 percent of our viewers don't subscribe, so they never get the notifications again and maybe they never come back to see all the great content I believe I'm putting out there.

So, that out of the way, the first script we're gonna run is one that's going to go out and look for SMB vulnerabilities on our two Windows machines, which we have: an XP and a Windows 7. So enough chit-chat, let's get to it. We're going to go ahead and run this command out here; we're gonna need to change it up a little bit to add what we want to scan. So I am of course going to put in -iL iplist.txt. This is a little overkill; this is going to scan all devices, but you know what, I don't care if it runs against the Linux machines, we'll at least get the Windows devices while it's scanning that, so that's cool. You would probably want to be specific in each device, but for this video I'm just going to run this list because, to be honest, it's been a long video. So we're going to let it run and we're going to see what we get.

So let's scroll up here, let's go all the way up to the top, and we can see we got some hits there. So obviously the Linux box, nothing. This is our Windows 7 machine, so scrolling down here, here we go: right here is the vulnerability we were looking for, and it's showing it is vulnerable. So that is one we would then (and maybe we'll do it at the end of the video) go and take a step further, and maybe open Metasploit and see if we could actually exploit that vulnerability. Scrolling down, same thing on our Windows XP machine. So we found those two vulnerabilities. Let's go ahead and check a different vulnerability.

All right, next we're going to go ahead and scan for a known vulnerability with vsftpd, which we saw at the beginning. Remember how I said I think there's a vulnerability out there? Let's go ahead and find out if there actually is. So again we're going to go ahead and paste this in, we're going to change this, and we're going to add our IP list, and we're gonna go ahead and run it and see what we get.

All right, and here we are, it's done, and we can see right here we have one, and of course it's lucky number 13. Surprise, surprise. I thought we'd actually get two hits because I remember we saw this twice, but apparently that other version is not vulnerable, but this version is. So 13 is vulnerable to a backdoor here. So that's that. Let's do one more.

And for the last script I want to show you, we're going to use a script known as vuln, and what vuln does is it actually scans for all the known vulnerabilities in that category. So instead of individually scanning for, you know, FTP or SMB or SSH known vulnerabilities, it's going to scan for all of them at once. So this would probably be the easiest if you wanted to scan a broad range of vulnerabilities and not a specific one. And to do that it's really easy: we're going to go nmap, and we're going to do -iL for our list, and then you're just going to do --script and you're going to type in vuln, short for vulnerability. Hit enter, give it a little while, and we'll check the results.

All right, and the results are in, and it took a little under six minutes, so let's scroll up and look at all of what we got. Starting at the top with our Windows 7 machine, scrolling down you can see it started at the typical ports and worked down, and it looks like the first thing it discovered is a vulnerability with POODLE. This is going to allow for a man-in-the-middle attack, I believe. Yeah, so I found that. Scrolling down, it does tell you that there were no cross-site scripting vulnerabilities found, or cross-site request forgeries. So you know, this doesn't have to just be used by pen testers; this can also be run by net admins, system administrators, to go out there and see what is on your network. Why wait for a pen tester to come in and tell you? You could do this on your own, and if you're doing it from that angle you can also check out these websites that will give you remediation techniques to use if you wanted to go out and do it that way. So just remember this isn't just for pen testing; the focus of this video is on pen testing, but this can be used in multiple different ways.

So continuing on down, it looks like it's also vulnerable to this vulnerability right here, Remote Desktop Protocol, and continuing down, lots of vulnerabilities. So let's continue down here to our next machine. This is going to be the SMB vulnerability, and wow, okay, so lots on that machine; that is not a pretty machine. And then we're going down here, and I believe this is our Windows XP machine, and this one was vulnerable again right here, another SMB vulnerability. And I'm just going to kind of continue on down here because we'll be here all day. Again, this is that FTP vulnerability we saw. This is a new, another vulnerability with the SSL version they're running, and continuing on down there's lots of vulnerabilities in these machines, and a lot of that is by design, obviously; for this video I did put machines out there that were going to give us some results, otherwise how would we know what to look for? So as you can see we could continue on all day long; there's a lot of vulnerabilities to go through here.

So that all said, I think that kind of wraps up the video from the Nmap perspective. Now let's say we wanted to take this one step further, right? Let's say we wanted to actually see if now we could exploit one of the vulnerabilities we discovered. So as a little bit of a bonus here, I'm going to show you how we could see if that's possible using Metasploit. So let's get to that.

All right, and if you don't know what Metasploit is, go ahead and check out the two videos I have in my Kali Linux security tool series, where I cover the first half of Metasploit, which is the initial exploitation phase: how to use it, how to use all the modules and all the great stuff inside it. And then I cover the post-exploitation: how to set up persistence and things like that. So anyways, I'm going to open up one of the many interfaces of Metasploit, and this interface I'm going to use is called msfconsole. Again, really long video here, so forgive me if I sound like I'm rambling here. So we're going to do msfconsole, we're going to go ahead and let it open up after I give it my password, and it shouldn't take too long, and then we're gonna get a bunch of text, and here we are.

So at this point what we're going to do, we are going to search for the vulnerability, and I thought I had it copied but apparently not, so I'm going to copy it right now. We're going to search for the vulnerability with that FTP that we saw earlier on that Linux machine. So what we do is we search for vsftp. Here we go, we got a hit. It says it's excellent; that means it should work, hopefully. And what I'm going to do is I'm going to hit use 0, and then I'm going to set my RHOST to the IP of that machine, which is 13, and at this point all we have to do is hit run, and we're going to have to wait here for a second.

And it looked like it denied us; apparently it didn't want to be nice there. So we're going to do it again, because we are persistent. Actually, we'll do persistence later in another video; actually, check out that second video on post-exploitation for that. So at this point it looks like it actually worked. I don't know why we had a little hiccup on the first run, but we're good on the second one, and I can prove that by going whoami. I'm root. Okay, well, you knew I was root probably, logging in here, because I did sudo, right? But watch this: I'm root on this server. To prove that I can go here, and there I am. That didn't quite work, did it? And there you go, you can see I am not on my Kali Linux box, I am on the Metasploitable server, which is ironic because we're using Metasploit to hack the Metasploitable box. So anyways, you can see that was pretty easy to accomplish, right?

So we're about to close it up, but before we do, I mentioned some things you could do for, you know, defensive measures as a system administrator, but just to give you some key advice here, and these are things as a pen tester you would want to offer in that report that you're going to now do, now that you've proven that you could exploit those vulnerabilities. Some things you're going to suggest: they need to keep their servers patched, and that's not just the server itself, they need to keep the applications and services running on those servers patched; they need to get rid of servers that are past end of life (Windows 7, Windows XP, why are they on here?); they need to check their logs; they need to have good backups; they need to shut off unneeded ports and services; they need to harden those machines; and they need to be aware of what is out there, you know, sign up for security feeds, all that great stuff.

So I hope you enjoyed this video. If you did, again, I would greatly appreciate a like; subscribe to the channel for future content. And that's all I have. I'm done, that's all I can handle now, so you have a great rest of your day. Talk to you later.
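In the video the `vuln` results are read by scrolling through console output by hand. The following Python script is an added example, not part of the video or its transcript, showing how to do the same triage automatically from Nmap's XML output (the `-oX` flag), e.g. after `nmap -iL iplist.txt --script vuln -oX vuln.xml`. It walks every NSE script table, keeps only entries whose `state` element starts with `VULNERABLE` (the convention of Nmap's `vulns` library, which also emits `NOT VULNERABLE`, `LIKELY VULNERABLE` and `UNKNOWN`), and separately flags the ones marked `Exploitable`, which are the natural candidates for the Metasploit step. The XML embedded below is constructed for illustration: the script ids (`ftp-vsftpd-backdoor`, `ssl-poodle`, `smb-vuln-ms17-010`) and the CVE keys are real, but the addresses, ports and states are made up and are not the video's scan results.

```python
"""Summarise VULNERABLE findings from Nmap NSE XML output (nmap ... -oX file.xml).

Added example, not from the video. SAMPLE_XML below is constructed in the shape
of nmap's XML output; its hosts, ports and states are invented for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (not real scan output). Script ids and CVE keys are real
# NSE script names / identifiers; the hosts and results are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.1.13" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
        <script id="ftp-vsftpd-backdoor" output="VULNERABLE">
          <table key="CVE-2011-2523">
            <elem key="title">vsFTPd version 2.3.4 backdoor</elem>
            <elem key="state">VULNERABLE (Exploitable)</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
        <script id="ssl-poodle" output="VULNERABLE">
          <table key="CVE-2014-3566">
            <elem key="title">SSL POODLE information leak</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
          <table key="CVE-2017-0143">
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_vulns(xml_text, include_likely=False):
    """Return {ipv4: [(port, script_id, vuln_key, state, title), ...]}.

    Only tables whose <elem key="state"> starts with "VULNERABLE" are kept
    (so "NOT VULNERABLE" and "UNKNOWN" are dropped). Pass include_likely=True
    to also keep "LIKELY VULNERABLE" entries.
    """
    root = ET.fromstring(xml_text)
    findings = defaultdict(list)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts without an IPv4 address record
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                for table in script.findall("table"):
                    state = table.findtext("elem[@key='state']", default="")
                    keep = state.startswith("VULNERABLE") or (
                        include_likely and state.startswith("LIKELY VULNERABLE"))
                    if not keep:
                        continue
                    title = table.findtext("elem[@key='title']", default="")
                    findings[addr].append(
                        (portid, script.get("id"), table.get("key"), state, title))
    return dict(findings)


def exploitable_only(findings):
    """Keep only findings the vulns library tagged as '(Exploitable)'."""
    out = {}
    for addr, items in findings.items():
        hits = [f for f in items if "Exploitable" in f[3]]
        if hits:
            out[addr] = hits
    return out


def format_report(findings):
    """One line per finding: host:port script vuln_key state [title]."""
    lines = []
    for addr in sorted(findings):
        for port, sid, key, state, title in sorted(findings[addr]):
            lines.append(f"{addr}:{port} {sid} {key} {state} {title}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    results = parse_vulns(SAMPLE_XML)
    print(format_report(results))
    print("exploitable:", sorted(exploitable_only(results)))
```

To run this against a real scan, read the file produced by `-oX` and pass its contents to `parse_vulns`; the `include_likely` switch matters for the `vuln` category, which mixes confirmed checks with version-based guesses that the library reports as `LIKELY VULNERABLE`.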
