1
00:00:00,950  -->  00:00:04,860
Information gathering is one of the most important steps

2
00:00:04,860  -->  00:00:07,970
when it comes to hacking or penetration testing.

3
00:00:07,970  -->  00:00:11,530
If you think of it, you can't really gain access to a system

4
00:00:11,530  -->  00:00:14,810
if you don't have enough information about it.

5
00:00:14,810  -->  00:00:17,990
So, for example, let's say you're connected to a network

6
00:00:17,990  -->  00:00:21,070
and one of the devices connected to this network

7
00:00:21,070  -->  00:00:22,690
is your target.

8
00:00:22,690  -->  00:00:25,260
Now for you to hack into that target,

9
00:00:25,260  -->  00:00:28,310
first you need to discover all of the connected clients

10
00:00:28,310  -->  00:00:31,910
to this network, get their MAC address, their IP address,

11
00:00:31,910  -->  00:00:35,620
and then from there try to maybe gather more information

12
00:00:35,620  -->  00:00:39,683
or run some attacks in order to gain access to your target.

13
00:00:40,680  -->  00:00:42,650
Now, there are a number of programs

14
00:00:42,650  -->  00:00:44,330
that will do this for you.

15
00:00:44,330  -->  00:00:47,050
Examples are NetDiscover and Nmap,

16
00:00:47,050  -->  00:00:49,260
which do this job really, really well.

17
00:00:49,260  -->  00:00:52,220
So in this lecture, we'll start with the simpler one,

18
00:00:52,220  -->  00:00:56,780
which is NetDiscover, and see how to use it to quickly map

19
00:00:56,780  -->  00:00:59,110
the network we're connected to.

20
00:00:59,110  -->  00:01:00,620
And in the next lecture,

21
00:01:00,620  -->  00:01:02,780
I'm gonna show you how to use Nmap

22
00:01:02,780  -->  00:01:05,920
to gather detailed information about all

23
00:01:05,920  -->  00:01:09,053
of the clients connected to the same network.

24
00:01:10,420  -->  00:01:15,420
So, I have my Kali terminal in here, and if I do ifconfig,

25
00:01:15,530  -->  00:01:20,050
you'll see I have eth0, it has an IP address.

26
00:01:20,050  -->  00:01:23,850
And like I said, this is the virtual interface created

27
00:01:23,850  -->  00:01:27,170
by VirtualBox when we set the Kali machine

28
00:01:27,170  -->  00:01:28,783
to use a NAT network.

29
00:01:29,870  -->  00:01:34,150
Now, I also said that this NAT network behaves exactly like

30
00:01:34,150  -->  00:01:35,730
an Ethernet network.

31
00:01:35,730  -->  00:01:38,650
And as far as the Kali machine is concerned,

32
00:01:38,650  -->  00:01:42,680
it thinks that it is connected to a real wired network.

33
00:01:42,680  -->  00:01:44,010
And as you can see in here,

34
00:01:44,010  -->  00:01:46,133
it's telling me "Wired Connected".

35
00:01:47,480  -->  00:01:51,420
Now, I have my virtual Windows machine right here.

36
00:01:51,420  -->  00:01:54,910
It is configured to use the same NAT network

37
00:01:54,910  -->  00:01:56,970
as the Kali machine.

38
00:01:56,970  -->  00:02:00,120
Remember, we're still in the network hacking section,

39
00:02:00,120  -->  00:02:04,650
so both you and the target machine need to be connected

40
00:02:04,650  -->  00:02:06,400
to the same network.

41
00:02:06,400  -->  00:02:09,430
So as far as these two computers are concerned,

42
00:02:09,430  -->  00:02:13,130
they think that they are connected to the same network.

43
00:02:13,130  -->  00:02:16,090
So what I wanna do right now is use NetDiscover

44
00:02:16,090  -->  00:02:19,960
and see how we can use it to discover all devices connected

45
00:02:19,960  -->  00:02:21,173
to the same network.

46
00:02:22,330  -->  00:02:24,040
Now the method that I'm gonna show you

47
00:02:24,040  -->  00:02:25,860
will work exactly the same,

48
00:02:25,860  -->  00:02:28,180
whether you're using it against a virtual network,

49
00:02:28,180  -->  00:02:31,100
like I'm doing right now, or against a real network,

50
00:02:31,100  -->  00:02:34,603
and even if your target is a Wi-Fi or a wireless network.

51
00:02:35,690  -->  00:02:38,130
So all you have to do is type the name of the program,

52
00:02:38,130  -->  00:02:41,350
which is netdiscover, and then type -r

53
00:02:41,350  -->  00:02:45,333
to specify an IP range to search for.

54
00:02:46,170  -->  00:02:49,680
This needs to be a range that can be accessed by you.

55
00:02:49,680  -->  00:02:54,020
So right now you can see that my IP is 10.0.2.16

56
00:02:54,020  -->  00:02:57,980
and I can only access IPs on the same subnet.

57
00:02:57,980  -->  00:03:02,860
So IPs on the same subnet start at 10.0.2.0,

58
00:03:02,860  -->  00:03:06,730
and they would end at 10.0.2.254

59
00:03:06,730  -->  00:03:11,253
because 254 is the last IP that a client can have.

60
00:03:12,380  -->  00:03:17,380
So, my range is gonna be 10.0.2.1

61
00:03:17,400  -->  00:03:20,800
and I wanna search for clients that might have an IP

62
00:03:20,800  -->  00:03:25,010
of 10.0.2.1, 10.0.2.2, 10.0.2.3,

63
00:03:25,010  -->  00:03:28,803
all the way up to 10.0.2.254.

64
00:03:29,700  -->  00:03:32,780
So instead of manually typing all of these IPs,

65
00:03:32,780  -->  00:03:35,920
I can just type /24

66
00:03:35,920  -->  00:03:38,500
and NetDiscover will automatically know

67
00:03:38,500  -->  00:03:41,570
that I'm trying to search for all of the IPs

68
00:03:41,570  -->  00:03:46,457
that start at 10.0.2.1 and end at 10.0.2.254.

69
00:03:47,400  -->  00:03:51,290
So this is a way of specifying an IP range

70
00:03:51,290  -->  00:03:53,360
for the whole subnet.

71
00:03:53,360  -->  00:03:57,540
So if I hit enter now, you'll see that NetDiscover

72
00:03:57,540  -->  00:04:01,440
will show me all the IPs of the devices connected

73
00:04:01,440  -->  00:04:03,070
to the same network.

74
00:04:03,070  -->  00:04:05,610
And note that the first three parts of the IPs

75
00:04:05,610  -->  00:04:08,703
are always the same because they are on the same subnet.

76
00:04:09,710  -->  00:04:12,950
And I also have the MAC addresses of these clients,

77
00:04:12,950  -->  00:04:15,340
and NetDiscover is also attempting

78
00:04:15,340  -->  00:04:17,763
to guess the device vendor.

79
00:04:18,620  -->  00:04:21,870
Now, if I press q, this will quit the program.

80
00:04:21,870  -->  00:04:25,640
And right now, we have a list of all the connected clients

81
00:04:25,640  -->  00:04:26,963
to the same network.

82
00:04:28,020  -->  00:04:30,770
Now, like I said, you can also use this method

83
00:04:30,770  -->  00:04:35,240
to discover clients connected to the same Wi-Fi network.

84
00:04:35,240  -->  00:04:38,643
The only thing is, right now, if I do ifconfig,

85
00:04:39,640  -->  00:04:41,770
you can see that my Kali machine

86
00:04:41,770  -->  00:04:44,120
does not have a wireless adapter,

87
00:04:44,120  -->  00:04:46,863
it's not connected to a Wi-Fi network.

88
00:04:47,970  -->  00:04:49,520
And like I said before,

89
00:04:49,520  -->  00:04:52,600
you cannot access the built-in wireless card

90
00:04:52,600  -->  00:04:55,140
from a virtual machine.

91
00:04:55,140  -->  00:04:57,410
Therefore, if you want to do this

92
00:04:57,410  -->  00:05:00,420
or run any of the wireless attacks that we're gonna see

93
00:05:00,420  -->  00:05:03,510
in the future against a real computer

94
00:05:03,510  -->  00:05:05,470
and a real wireless network,

95
00:05:05,470  -->  00:05:08,463
you're gonna need to use a wireless adapter.

96
00:05:09,720  -->  00:05:12,210
Now, I'm gonna include links in the description

97
00:05:12,210  -->  00:05:14,240
that will help you pick a good adapter

98
00:05:14,240  -->  00:05:16,480
that works with Kali Linux.

99
00:05:16,480  -->  00:05:18,650
But right now I actually have one,

100
00:05:18,650  -->  00:05:19,890
and I'm just gonna connect it

101
00:05:19,890  -->  00:05:21,940
and use it just to prove to you,

102
00:05:21,940  -->  00:05:24,980
if things work on the virtual machines connected

103
00:05:24,980  -->  00:05:26,930
to the virtual network,

104
00:05:26,930  -->  00:05:30,630
they will work exactly the same against a real network

105
00:05:30,630  -->  00:05:32,630
with real machines.

106
00:05:32,630  -->  00:05:34,813
So, I'm gonna connect my adapter now.

107
00:05:35,980  -->  00:05:40,900
And if I do ifconfig, it's still not showing up,

108
00:05:40,900  -->  00:05:45,900
so I'm gonna connect it from Devices, USB,

109
00:05:46,010  -->  00:05:48,093
and click on the adapter name,

110
00:05:49,240  -->  00:05:52,150
and let's see if it shows up now.

111
00:05:52,150  -->  00:05:55,923
Perfect, as you can see, I have an adapter now called wlan0.

112
00:05:57,380  -->  00:05:58,860
And what I'm gonna do is,

113
00:05:58,860  -->  00:06:03,180
I need to connect this adapter to a Wi-Fi network first

114
00:06:03,180  -->  00:06:06,280
before I can discover all the connected clients

115
00:06:06,280  -->  00:06:07,313
to this network.

116
00:06:08,300  -->  00:06:11,070
So I'm gonna go to my network manager,

117
00:06:11,070  -->  00:06:13,040
I'm gonna click in here

118
00:06:13,040  -->  00:06:16,175
and you wanna click on Select Network.

119
00:06:16,175  -->  00:06:18,360
And as you can see, automatically now,

120
00:06:18,360  -->  00:06:20,620
it's actually connected to a network.

121
00:06:20,620  -->  00:06:23,150
But in your case, you'd wanna select a network

122
00:06:23,150  -->  00:06:24,580
and click on Connect,

123
00:06:24,580  -->  00:06:27,290
and then it will ask you for the password.

124
00:06:27,290  -->  00:06:29,030
So now I'm actually connected

125
00:06:29,030  -->  00:06:32,410
and you'll see if I do ifconfig again.

126
00:06:32,410  -->  00:06:36,143
Right now, wlan0 has an IP address.

127
00:06:37,390  -->  00:06:40,010
So this means that it is connected to a network

128
00:06:40,010  -->  00:06:42,963
and this means that we can use it now with NetDiscover.

129
00:06:44,600  -->  00:06:47,060
So again, I'm gonna use the exact same command

130
00:06:47,060  -->  00:06:50,240
that I used before just to show you and prove to you

131
00:06:50,240  -->  00:06:52,520
that if this works against virtual machines,

132
00:06:52,520  -->  00:06:54,383
it will work against real machines.

133
00:06:55,350  -->  00:06:58,160
And the only difference is going to be the IP.

134
00:06:58,160  -->  00:07:00,170
So I'm gonna remove this IP.

135
00:07:00,170  -->  00:07:05,170
And as you can see right now, my IP is 192.168.1.8.

136
00:07:06,320  -->  00:07:08,600
So therefore, the range that I'm gonna look

137
00:07:08,600  -->  00:07:12,997
for is gonna start at 192.168.1.1,

138
00:07:14,820  -->  00:07:17,240
and I'm gonna leave the /24 here

139
00:07:17,240  -->  00:07:21,190
because this will tell NetDiscover that I want to start

140
00:07:21,190  -->  00:07:25,913
at 192.168.1.1 and finish at 192.168.254.

141
00:07:28,500  -->  00:07:30,423
So if I hit enter now.

142
00:07:32,370  -->  00:07:34,960
Now, this did not work and I know why.

143
00:07:34,960  -->  00:07:36,710
In order for this to work,

144
00:07:36,710  -->  00:07:39,593
you actually have to disable the NAT network.

145
00:07:40,520  -->  00:07:44,500
So to disable the NAT network, we're gonna go on Devices,

146
00:07:44,500  -->  00:07:46,300
we're gonna go on Network,

147
00:07:46,300  -->  00:07:49,673
and we're gonna uncheck the Connect Network Adapter.

148
00:07:51,010  -->  00:07:53,010
So now, once done with this,

149
00:07:53,010  -->  00:07:56,053
if we just run the exact same command again.

150
00:07:58,000  -->  00:08:02,460
As you can see, it's discovering all the connected clients,

151
00:08:02,460  -->  00:08:05,530
all their IP addresses, all their MAC addresses,

152
00:08:05,530  -->  00:08:07,780
and it's guessing the manufacturer,

153
00:08:07,780  -->  00:08:09,480
and you can see it's also discovering

154
00:08:09,480  -->  00:08:11,630
some Apple devices here.

155
00:08:11,630  -->  00:08:12,860
So as you can see,

156
00:08:12,860  -->  00:08:16,543
it's working perfectly using the exact same command.

157
00:08:17,510  -->  00:08:20,330
Now, I only did this just to show you

158
00:08:20,330  -->  00:08:23,010
that if things work against virtual machines

159
00:08:23,010  -->  00:08:24,840
and I guess virtual networks,

160
00:08:24,840  -->  00:08:27,490
then they will work against real machines

161
00:08:27,490  -->  00:08:30,570
because these virtual machines and virtual networks

162
00:08:30,570  -->  00:08:33,140
are modeled on real machines.

163
00:08:33,140  -->  00:08:35,500
And as far as the machines are concerned,

164
00:08:35,500  -->  00:08:38,140
they actually think they are real computers

165
00:08:38,140  -->  00:08:39,243
and real machines.
