1
00:00:00,940 --> 00:00:02,710
<v Instructor>The second program that we'll use</v>

2
00:00:02,710 --> 00:00:05,990
for network mapping is Nmap.

3
00:00:05,990 --> 00:00:08,740
Now in the previous lecture we used netdiscover

4
00:00:08,740 --> 00:00:11,860
and we saw how nice it is to quickly discover

5
00:00:11,860 --> 00:00:14,300
all the devices connected to our network,

6
00:00:14,300 --> 00:00:17,610
see their MAC address and maybe get the vendor.

7
00:00:17,610 --> 00:00:21,150
Nmap takes scanning to a whole new level.

8
00:00:21,150 --> 00:00:23,960
It might be a little bit slower than netdiscover

9
00:00:23,960 --> 00:00:27,450
but it will show you much much more information

10
00:00:27,450 --> 00:00:28,730
about the target.

11
00:00:28,730 --> 00:00:31,090
So you'll be able to see the open ports,

12
00:00:31,090 --> 00:00:33,510
you'll be able to see the running programs

13
00:00:33,510 --> 00:00:36,160
or the running services on these open ports.

14
00:00:36,160 --> 00:00:39,400
You'll be able to determine the computer name,

15
00:00:39,400 --> 00:00:42,660
the operating system running on that computer.

16
00:00:42,660 --> 00:00:45,270
If you are in a network, you'll be able to discover

17
00:00:45,270 --> 00:00:47,380
all of the connected clients.

18
00:00:47,380 --> 00:00:51,070
You'll be able to bypass security, bypass firewalls

19
00:00:51,070 --> 00:00:52,483
and so much more.

20
00:00:53,600 --> 00:00:56,220
Nmap is actually a huge tool and there are books

21
00:00:56,220 --> 00:00:59,750
and complete courses done just to teach Nmap.

22
00:00:59,750 --> 00:01:02,490
The Nmap book would actually be a really good read

23
00:01:02,490 --> 00:01:04,920
once you're done with this course.

24
00:01:04,920 --> 00:01:07,700
Now because this tool is huge, we're not gonna be able

25
00:01:07,700 --> 00:01:10,710
to cover all of its uses but in this lecture,

26
00:01:10,710 --> 00:01:13,070
I'm gonna show you the basics of this tool,

27
00:01:13,070 --> 00:01:15,970
how to use it to discover all the connected clients

28
00:01:15,970 --> 00:01:18,700
and see useful information about them.

29
00:01:18,700 --> 00:01:21,300
And we'll actually use it more when we get

30
00:01:21,300 --> 00:01:23,423
to the gaining access section.

31
00:01:25,100 --> 00:01:27,160
We're actually going to be using Zenmap

32
00:01:27,160 --> 00:01:30,493
which is the graphical user interface of Nmap.

33
00:01:31,350 --> 00:01:34,490
So to run it in Terminal you just have to type Zenmap

34
00:01:35,480 --> 00:01:38,483
or you can find it under your Applications menu.

35
00:01:39,410 --> 00:01:43,040
Now as you can see, it has a very very simple interface.

36
00:01:43,040 --> 00:01:46,650
The first thing that we see is the target input box,

37
00:01:46,650 --> 00:01:48,940
in here you can put your target.

38
00:01:48,940 --> 00:01:51,730
You can scan any IP that you can reach,

39
00:01:51,730 --> 00:01:55,150
whether it's a personal computer, whether it's a server,

40
00:01:55,150 --> 00:01:58,300
whether it's an IP for a web-server for a website,

41
00:01:58,300 --> 00:02:01,190
for example, that you want to discover all the open ports

42
00:02:01,190 --> 00:02:03,730
and all the running services on it.

43
00:02:03,730 --> 00:02:06,070
Or, like what we're going to do right now,

44
00:02:06,070 --> 00:02:10,060
we can put a range similar to what we did with netdiscover

45
00:02:10,060 --> 00:02:14,270
and it will scan this whole range, discover all the live IPs

46
00:02:15,339 --> 00:02:18,200
of the connected machines on the same network

47
00:02:18,200 --> 00:02:20,703
and display information about them.

48
00:02:21,760 --> 00:02:24,860
Now we'll have a look at how to scan servers

49
00:02:24,860 --> 00:02:26,660
in the gaining access section.

50
00:02:26,660 --> 00:02:28,480
So for now, since we are still

51
00:02:28,480 --> 00:02:30,800
in the network hacking section

52
00:02:30,800 --> 00:02:33,740
we're gonna put a range to discover all the connected

53
00:02:33,740 --> 00:02:37,023
clients and see useful information about them.

54
00:02:37,910 --> 00:02:41,330
So, right now I'm actually connected to my wireless network,

55
00:02:41,330 --> 00:02:44,630
that's why I'm gonna specify the whole range on that network

56
00:02:44,630 --> 00:02:47,470
and we saw how to get that in the previous lecture.

57
00:02:47,470 --> 00:02:51,400
So it's 192.168.11

58
00:02:51,400 --> 00:02:52,913
over 24.

59
00:02:54,545 --> 00:02:56,930
At the bottom you can see the command,

60
00:02:56,930 --> 00:03:00,610
this is actually the Nmap command that will be executed

61
00:03:00,610 --> 00:03:02,700
when I hit the Scan button.

62
00:03:02,700 --> 00:03:05,140
So like I said, Zenmap, what we're using right now

63
00:03:05,140 --> 00:03:07,730
is just a graphical interface

64
00:03:07,730 --> 00:03:10,460
that will run this Nmap command in the background

65
00:03:10,460 --> 00:03:12,020
and show me the results.

66
00:03:12,020 --> 00:03:15,420
So, if you know a custom Nmap command you can put it here

67
00:03:15,420 --> 00:03:17,940
or if you just want to see Nmap in Terminal

68
00:03:17,940 --> 00:03:21,240
you can literally copy this command, paste it in Terminal

69
00:03:21,240 --> 00:03:24,000
and it will give you the same results that you would get

70
00:03:24,000 --> 00:03:25,243
if you run it here.

71
00:03:26,460 --> 00:03:29,540
Alternatively, if you don't really know much about Nmap

72
00:03:29,540 --> 00:03:31,290
and its commands, you can use

73
00:03:31,290 --> 00:03:33,343
one of the ready profiles in here.

74
00:03:35,340 --> 00:03:37,780
So in this lecture we're actually gonna be using

75
00:03:37,780 --> 00:03:40,700
a number of these profiles and we'll see the difference

76
00:03:40,700 --> 00:03:42,800
between them, in terms of speed

77
00:03:42,800 --> 00:03:44,433
and the information gathered.

78
00:03:46,100 --> 00:03:48,930
So I'm gonna start with the Ping scan.

79
00:03:48,930 --> 00:03:51,920
This is a very quick scan, it literally just pings

80
00:03:51,920 --> 00:03:55,780
every possible IP in the range, and if it gets a response,

81
00:03:55,780 --> 00:03:58,310
it will record this response and it will show me

82
00:03:58,310 --> 00:04:00,450
the devices that gave me a response

83
00:04:00,450 --> 00:04:02,250
which means that these are the devices

84
00:04:02,250 --> 00:04:04,220
connected to the network.

85
00:04:04,220 --> 00:04:07,780
Now a lot of devices do not respond to ping requests

86
00:04:07,780 --> 00:04:11,240
even if they are alive, so the list that you'll get

87
00:04:11,240 --> 00:04:14,620
in the scan might not include all the devices

88
00:04:14,620 --> 00:04:16,163
connected to your network.

89
00:04:17,170 --> 00:04:19,960
Now once the scan's done, as you can see, we can see

90
00:04:19,960 --> 00:04:22,940
the list of all the connected devices in here.

91
00:04:22,940 --> 00:04:25,740
And in here we can also see the MAC addresses

92
00:04:25,740 --> 00:04:28,120
for each of these devices.

93
00:04:28,120 --> 00:04:31,140
We also can see the vendor, so for example, we can see

94
00:04:31,140 --> 00:04:35,710
that the device at 192.168.11 is a Cisco device,

95
00:04:35,710 --> 00:04:37,610
this is actually my router

96
00:04:37,610 --> 00:04:40,470
and it is made by Cisco so this is correct.

97
00:04:40,470 --> 00:04:42,960
So we can go ahead and start looking for exploits

98
00:04:42,960 --> 00:04:44,053
in this device.

99
00:04:45,490 --> 00:04:49,900
We can also see the 192.168.10 is an HTC device

100
00:04:49,900 --> 00:04:53,400
and again, this is an HTC phone, this is correct.

101
00:04:53,400 --> 00:04:56,820
And since it's HTC then we know that it's probably

102
00:04:56,820 --> 00:04:58,490
running on Android.

103
00:04:58,490 --> 00:05:00,650
So as you can see, we're getting more information

104
00:05:00,650 --> 00:05:02,770
about the connected clients.

105
00:05:02,770 --> 00:05:07,770
Again, we can see the 192.168.12 is an Apple device,

106
00:05:07,770 --> 00:05:10,543
so it could be a phone, a tablet or a Mac.

107
00:05:11,410 --> 00:05:14,340
We can see the next device is a Dell.

108
00:05:14,340 --> 00:05:17,490
So again, it was a very quick scan but as you can see

109
00:05:17,490 --> 00:05:19,800
it still gave us much more information

110
00:05:19,800 --> 00:05:22,473
than what we got from netdiscover.

111
00:05:23,610 --> 00:05:26,310
The next scan that I wanna show you is the Quick scan.

112
00:05:27,520 --> 00:05:30,560
Now this is gonna be slightly slower than the Ping scan

113
00:05:30,560 --> 00:05:32,893
but it's gonna show us more information.

114
00:05:34,900 --> 00:05:37,900
So right now, you can see that the scan is showing us

115
00:05:37,900 --> 00:05:41,530
the same information that we saw before with the Ping scan

116
00:05:41,530 --> 00:05:45,450
but it's also showing us the open ports on each one

117
00:05:45,450 --> 00:05:47,800
of the discovered devices.

118
00:05:47,800 --> 00:05:50,190
So it's able to discover the following ports

119
00:05:50,190 --> 00:05:53,500
in the router and we can see that port 80 is open.

120
00:05:53,500 --> 00:05:56,600
This is actually the port used for the router settings

121
00:05:56,600 --> 00:05:59,763
page because it runs on a webserver, so this is correct.

122
00:06:01,140 --> 00:06:03,660
Again we have our Apple device here that we said

123
00:06:03,660 --> 00:06:06,740
it might be a phone or a computer or a tablet,

124
00:06:06,740 --> 00:06:09,080
but we can see now it has port 22 open.

125
00:06:09,080 --> 00:06:12,340
So this is a port for a service called SSH

126
00:06:12,340 --> 00:06:14,880
which is designed to allow remote access

127
00:06:14,880 --> 00:06:16,723
to the system it's running on.

128
00:06:17,760 --> 00:06:20,170
Again, if you go on all the other devices

129
00:06:20,170 --> 00:06:23,860
you can see all the open ports and the services running

130
00:06:23,860 --> 00:06:25,553
on each one of these ports.

131
00:06:27,290 --> 00:06:30,090
Now, in the next lecture, we'll build up on this.

132
00:06:30,090 --> 00:06:33,110
We'll see how to gather even more information

133
00:06:33,110 --> 00:06:36,750
and you'll see how important information gathering is

134
00:06:36,750 --> 00:06:40,180
because we're going to use the gathered information

135
00:06:40,180 --> 00:06:43,670
to hack into an iPhone that is connected

136
00:06:43,670 --> 00:06:44,963
to the same network.