WEBVTT

00:00:00.000 --> 00:00:06.810 align:middle line:90%


00:00:06.810 --> 00:00:09.330 align:middle line:84%
So some of the types of things
that a malicious hacker will

00:00:09.330 --> 00:00:12.293 align:middle line:84%
try to look for during
scans are IP addresses,

00:00:12.293 --> 00:00:14.460 align:middle line:84%
the type of services you're
running on your network,

00:00:14.460 --> 00:00:16.850 align:middle line:90%
and vulnerabilities.

00:00:16.850 --> 00:00:20.530 align:middle line:84%
And let's take a look at some
of the tools that they'll use.

00:00:20.530 --> 00:00:23.710 align:middle line:84%
So the first one
is Nmap and Zenmap.

00:00:23.710 --> 00:00:25.960 align:middle line:84%
So this is one of the
most popular tools

00:00:25.960 --> 00:00:30.250 align:middle line:84%
for malicious hackers, security
professionals, ethical hackers,

00:00:30.250 --> 00:00:32.119 align:middle line:90%
and whatnot.

00:00:32.119 --> 00:00:37.180 align:middle line:84%
So Nmap is a very simple scan
that is incredibly powerful.

00:00:37.180 --> 00:00:41.035 align:middle line:84%
So Nmap is a command line
tool, Windows, Linux, OS X,

00:00:41.035 --> 00:00:44.910 align:middle line:84%
that you can run that will give
you a great deal of information

00:00:44.910 --> 00:00:46.800 align:middle line:90%
potentially.

00:00:46.800 --> 00:00:48.830 align:middle line:84%
And again, it is a
command line tool.

00:00:48.830 --> 00:00:50.770 align:middle line:84%
So if you're not
comfortable with that,

00:00:50.770 --> 00:00:53.430 align:middle line:84%
you can always use Zenmap,
which is part of Nmap.

00:00:53.430 --> 00:00:57.980 align:middle line:84%
It's a graphical
front end for Nmap.

00:00:57.980 --> 00:01:00.240 align:middle line:84%
And it's also for - we're
going to be using that.

00:01:00.240 --> 00:01:03.140 align:middle line:84%
So it's a little bit
easier to take a look

00:01:03.140 --> 00:01:06.330 align:middle line:90%
at these types of scans.

00:01:06.330 --> 00:01:09.350 align:middle line:84%
So let's take a
look at the program.

00:01:09.350 --> 00:01:11.770 align:middle line:90%
So this is Zenmap.

00:01:11.770 --> 00:01:15.140 align:middle line:84%
And I'm running this on my
Kali Linux virtual machine.

00:01:15.140 --> 00:01:18.440 align:middle line:84%
Now, in the first part here,
we can see the target address.

00:01:18.440 --> 00:01:21.470 align:middle line:84%
And that's the target that
we're going to be scanning.

00:01:21.470 --> 00:01:23.560 align:middle line:90%
So you can enter an IP address.

00:01:23.560 --> 00:01:25.810 align:middle line:84%
You could enter a
series of IP addresses.

00:01:25.810 --> 00:01:30.320 align:middle line:84%
Or you could enter an
entire IP range to scan.

00:01:30.320 --> 00:01:35.060 align:middle line:84%
So that's one of the things
that makes Nmap really powerful.

00:01:35.060 --> 00:01:38.110 align:middle line:84%
So the other thing
we could do is

00:01:38.110 --> 00:01:41.335 align:middle line:84%
once we enter an IP that we want
to scan in here, we could take

00:01:41.335 --> 00:01:43.100 align:middle line:84%
- you can see the
command down in here.

00:01:43.100 --> 00:01:44.830 align:middle line:84%
This is actually
what the Nmap command

00:01:44.830 --> 00:01:47.560 align:middle line:84%
would look like if we're
going to actually run

00:01:47.560 --> 00:01:49.460 align:middle line:90%
a particular scan.

00:01:49.460 --> 00:01:53.140 align:middle line:84%
So if you were going to run
an intense scan under Nmap -

00:01:53.140 --> 00:01:57.090 align:middle line:84%
again, Nmap being the command
line version of this program

00:01:57.090 --> 00:02:04.000 align:middle line:84%
- it would be Nmap space dash
capital T 4 dash capital A dash

00:02:04.000 --> 00:02:07.420 align:middle line:90%
V, and then the IP address.

00:02:07.420 --> 00:02:09.759 align:middle line:84%
Now, if we click
on Profile here,

00:02:09.759 --> 00:02:11.800 align:middle line:84%
we can see the various
scans that we could do.

00:02:11.800 --> 00:02:16.210 align:middle line:84%
We can see intense scans,
intense scan plus UDP,

00:02:16.210 --> 00:02:21.100 align:middle line:84%
intense scan, and all TCP
ports, intense scan no ping,

00:02:21.100 --> 00:02:24.760 align:middle line:84%
ping scan, quick scan, quick
scan plus, trace routing,

00:02:24.760 --> 00:02:28.360 align:middle line:84%
regular scan, slow
comprehensive scans.

00:02:28.360 --> 00:02:31.760 align:middle line:84%
So some of these scans are
going to be noisier than others.

00:02:31.760 --> 00:02:34.210 align:middle line:84%
So a malicious hacker
may be very careful

00:02:34.210 --> 00:02:35.845 align:middle line:90%
and run a very quiet scan.

00:02:35.845 --> 00:02:38.350 align:middle line:90%


00:02:38.350 --> 00:02:42.370 align:middle line:84%
Knowing what type of scans to
run without alerting someone

00:02:42.370 --> 00:02:46.480 align:middle line:84%
is going to be very important
for a malicious hacker.

00:02:46.480 --> 00:02:49.400 align:middle line:84%
However, some of
the lighter scans

00:02:49.400 --> 00:02:51.880 align:middle line:84%
that aren't going to
really raise a lot of flags

00:02:51.880 --> 00:02:55.340 align:middle line:84%
may not always get a
lot of information.

00:02:55.340 --> 00:02:57.900 align:middle line:84%
So we do want to
be mindful of this.

00:02:57.900 --> 00:03:01.770 align:middle line:84%
So let's continue
the video here.

00:03:01.770 --> 00:03:03.920 align:middle line:84%
So if we click on
one of these things,

00:03:03.920 --> 00:03:05.900 align:middle line:84%
we can see it
actually change here.

00:03:05.900 --> 00:03:09.170 align:middle line:84%
Ping scan is dash sn,
and then IP address.

00:03:09.170 --> 00:03:13.390 align:middle line:84%
Regular scan is Nmap
and the IP address.

00:03:13.390 --> 00:03:14.110 align:middle line:90%
Trace routing.

00:03:14.110 --> 00:03:17.230 align:middle line:90%


00:03:17.230 --> 00:03:20.580 align:middle line:90%
And we could do a regular scan.

00:03:20.580 --> 00:03:22.710 align:middle line:84%
And you can just
click the Scan button.

00:03:22.710 --> 00:03:24.540 align:middle line:84%
Now, the information
we get back here, we

00:03:24.540 --> 00:03:29.610 align:middle line:84%
can see the version of Nmap that
we're running, the time, date.

00:03:29.610 --> 00:03:32.520 align:middle line:84%
We can see the IP address
that we're scanning.

00:03:32.520 --> 00:03:35.660 align:middle line:84%
And since we just
ran a regular scan,

00:03:35.660 --> 00:03:37.160 align:middle line:90%
we can see how long it took.

00:03:37.160 --> 00:03:42.410 align:middle line:84%
All 1,000 ports on this
particular IP address,

00:03:42.410 --> 00:03:44.000 align:middle line:90%
it reports have closed.

00:03:44.000 --> 00:03:47.730 align:middle line:84%
And the one IP address
of the host is up.

00:03:47.730 --> 00:03:50.590 align:middle line:84%
And we also could take a look
at things like port hosts.

00:03:50.590 --> 00:03:52.500 align:middle line:84%
So if there were any open
ports that it found.

00:03:52.500 --> 00:03:53.580 align:middle line:90%
You can click on here.

00:03:53.580 --> 00:03:55.470 align:middle line:84%
You can take a look
at the topology.

00:03:55.470 --> 00:03:58.290 align:middle line:84%
Not a lot here, because, again,
this is my virtual machine.

00:03:58.290 --> 00:04:01.260 align:middle line:84%
It's not actually
a server somewhere.

00:04:01.260 --> 00:04:02.720 align:middle line:84%
We take a look at
the host details.

00:04:02.720 --> 00:04:03.900 align:middle line:90%
There's information here.

00:04:03.900 --> 00:04:06.120 align:middle line:90%
And we can add comments in here.

00:04:06.120 --> 00:04:07.470 align:middle line:90%
And then we click on scans.

00:04:07.470 --> 00:04:10.200 align:middle line:84%
We can take a look at the
type of scan that was run.

00:04:10.200 --> 00:04:12.385 align:middle line:84%
Or if we ran several
scans, we could take a look

00:04:12.385 --> 00:04:14.010 align:middle line:84%
at all the different
scans that we ran,

00:04:14.010 --> 00:04:18.009 align:middle line:84%
and the IP address we
were scanning against.

00:04:18.009 --> 00:04:20.000 align:middle line:90%