1
00:00:00,000 --> 00:00:14,519
Hey guys and welcome back.

2
00:00:14,519 --> 00:00:19,559
So what we're going to talk about in this nugget right here is all about port scanning.

3
00:00:19,559 --> 00:00:25,300
So what exactly is this subject all about and what are the tools that we can use to

4
00:00:25,300 --> 00:00:27,480
invoke this task?

5
00:00:27,480 --> 00:00:30,580
So let's first talk about what a port actually is.

6
00:00:30,580 --> 00:00:34,820
Now a port, although it might sound like a physical port like something you would plug

7
00:00:34,820 --> 00:00:40,659
into, a port is a logical construct in this context, meaning that it doesn't actually

8
00:00:40,659 --> 00:00:45,939
physically exist on your laptop or your server; it is something that is done effectively in

9
00:00:45,939 --> 00:00:47,100
software.

10
00:00:47,100 --> 00:00:52,159
Now when you talk about a port, you can identify them via a port number.

11
00:00:52,159 --> 00:00:57,839
And particular services by default are associated with particular numbers.

12
00:00:57,839 --> 00:01:00,399
A very well known one is port 80.

13
00:01:00,399 --> 00:01:04,560
This is the common port when you want to run an HTTP service.

14
00:01:04,560 --> 00:01:08,000
This is a basic web service without encryption.

15
00:01:08,000 --> 00:01:13,120
Whereas if you happen to be running an encrypted web service, you would run that over port

16
00:01:13,120 --> 00:01:16,079
443, that would be HTTPS.

17
00:01:16,079 --> 00:01:20,719
Now one thing to note here is that these numbers are not locked in.

18
00:01:20,719 --> 00:01:24,039
You don't have to use port 80 to serve up a web address.

19
00:01:24,039 --> 00:01:29,400
You don't have to use port 443 to serve up an encrypted web server.

20
00:01:29,400 --> 00:01:35,120
But having these well known and accepted and standardized numbers makes our lives much

21
00:01:35,120 --> 00:01:36,120
much easier.

22
00:01:36,120 --> 00:01:40,319
So let's say we wanted to go and watch some funny cat videos on YouTube.

23
00:01:40,319 --> 00:01:42,680
Always a good reason to go there.

24
00:01:42,680 --> 00:01:46,079
What we would do is on our local machine we would open up our browser.

25
00:01:46,079 --> 00:01:50,599
This could be something like say Firefox or Google Chrome, say for example.

26
00:01:51,079 --> 00:01:54,479
You would type in the address youtube.com.

27
00:01:54,479 --> 00:01:59,879
Now what is actually going on under the hood here is that DNS is going to resolve this

28
00:01:59,879 --> 00:02:02,359
host name to the server's IP address.

29
00:02:02,359 --> 00:02:04,719
So this would be translated to the IP address.

30
00:02:04,719 --> 00:02:10,680
Let's just say it's 8.8.8.8, which it is not for YouTube by the way, but let's just pretend.

31
00:02:10,680 --> 00:02:16,639
Your browser would then seek to visit 8.8.8.8.

32
00:02:16,639 --> 00:02:21,239
But it would also have to specify a particular port number to receive these services.

33
00:02:21,239 --> 00:02:26,279
Now, because we know we are trying to receive HTTP traffic,

34
00:02:26,279 --> 00:02:29,719
we would make the request to either port 80 or port 443.

35
00:02:29,719 --> 00:02:34,319
Now realistically in the modern day YouTube is going to be served to you over HTTPS.

36
00:02:34,319 --> 00:02:38,839
So the request would be to the IP address here at port 443.

37
00:02:38,839 --> 00:02:41,039
Your browser would handle this under the hood.

38
00:02:41,039 --> 00:02:42,519
Now think about this.

39
00:02:42,560 --> 00:02:47,439
Even though this is not a mandated number, i.e. you could feasibly change the number

40
00:02:47,439 --> 00:02:50,480
to port 449 if you so choose.

41
00:02:50,480 --> 00:02:55,040
Think about how confusing this would be if web servers all over the world were just randomly

42
00:02:55,040 --> 00:02:56,439
choosing different port numbers.

43
00:02:56,439 --> 00:03:03,160
If you happen to open up a browser and go to youtube.com, you could maybe resolve the

44
00:03:03,160 --> 00:03:08,280
domain name to the IP address, but how would you figure out the correct ports to make that

45
00:03:08,280 --> 00:03:11,680
connection over so that you could actually reach the web server?

46
00:03:11,840 --> 00:03:17,879
Instead, if we have these standardized ports, which are associated with particular services,

47
00:03:17,879 --> 00:03:22,280
when you want to have public-facing services that you want to share with the public,

48
00:03:22,280 --> 00:03:26,879
it does make sense to actually utilize these well-known port numbers.

49
00:03:26,879 --> 00:03:31,200
Now this is often a common thing with respect to networking.

50
00:03:31,200 --> 00:03:34,000
We will have ports for particular things that we will be using.

51
00:03:34,000 --> 00:03:37,600
Say for example SSH, which is what I have right here.

52
00:03:37,680 --> 00:03:43,719
In this session here, I'm actually connecting to my virtual machine over SSH, which means

53
00:03:43,719 --> 00:03:49,759
I am targeting my virtual machine's IP address and I'm specifying the port 22.

54
00:03:49,759 --> 00:03:54,120
Now when we happen to be managing systems doing things like system administration, we

55
00:03:54,120 --> 00:04:00,079
want to know what services are running on the servers we happen to be administering.

56
00:04:00,079 --> 00:04:06,439
Also for the purposes of security, we have to understand which ports are actually available

57
00:04:06,439 --> 00:04:08,439
on our own system.

58
00:04:08,439 --> 00:04:13,039
Because here is the thing, for every port you leave open, you leave a potential for

59
00:04:13,039 --> 00:04:15,039
that port to be exploited.

60
00:04:15,039 --> 00:04:20,439
In fact, if you happen to do the general hacking methodology which hackers use, one of the

61
00:04:20,439 --> 00:04:26,720
very first things they try to do is to discover which port numbers are open on a particular

62
00:04:26,720 --> 00:04:30,560
machine they want to attack and which services are running.

63
00:04:30,560 --> 00:04:35,560
Because if you can identify a listening port, you can identify a potential attack vector.

64
00:04:35,680 --> 00:04:41,040
Now if you are a Linux engineer and you happen to have a whole bunch of ports open which

65
00:04:41,040 --> 00:04:47,040
are no longer necessary, then you would want to be able to identify those ports and shut

66
00:04:47,040 --> 00:04:48,040
them down.

67
00:04:48,040 --> 00:04:52,439
Now one thing to say is that when we actually talk about this combination of an IP address,

68
00:04:52,439 --> 00:05:01,439
say for example 192.168.0.68 on port 80, this combination of the IP address and the colon

69
00:05:01,439 --> 00:05:04,959
and the port number, this is known as a socket.

70
00:05:04,959 --> 00:05:10,120
If you hear this term referring to some type of socket, you will know we are referring

71
00:05:10,120 --> 00:05:12,879
to exactly this, the IP and the port.

72
00:05:12,879 --> 00:05:19,240
Now like I say, we want to be able to identify which ports are open i.e. which services are

73
00:05:19,240 --> 00:05:24,919
being served up by a particular server, as well as which potential attack vectors we

74
00:05:24,919 --> 00:05:27,519
are opening on our own system.

75
00:05:27,519 --> 00:05:33,399
So the way we can identify what ports are actually open is we can do exactly what I

76
00:05:33,479 --> 00:05:37,079
mentioned at the very beginning: we can do port scanning.

77
00:05:37,079 --> 00:05:40,599
Now port scanning is really quite an art.

78
00:05:40,599 --> 00:05:45,120
There are many, many ways to scan different ports using different techniques, but one of

79
00:05:45,120 --> 00:05:49,439
the absolute best tools that we can use, in fact I would probably say this is the go-to

80
00:05:49,439 --> 00:05:55,799
tool for security researchers and penetration testers, is a tool called Nmap.

81
00:05:55,799 --> 00:06:01,919
This is the network mapper and with Nmap you are going to be able to craft particular

82
00:06:01,960 --> 00:06:09,480
packets, things like TCP packets or UDP packets and send these packets to a particular host

83
00:06:09,480 --> 00:06:15,400
or a particular network and probe that target to see which services it is listening on,

84
00:06:15,400 --> 00:06:21,120
if it is listening on HTTP, port 80 or if it is listening on port 23 for Telnet.

85
00:06:21,120 --> 00:06:26,040
You kind of get the drift and Nmap is going to make our lives much much easier when attempting

86
00:06:26,040 --> 00:06:27,240
to do such a thing.

87
00:06:27,280 --> 00:06:32,600
So what I actually want to do here is I want to briefly download another virtual machine

88
00:06:32,600 --> 00:06:36,280
and we will scan that virtual machine using Nmap.

89
00:06:36,280 --> 00:06:40,600
So we can see how to use this tool and how we can interpret the results of what we actually

90
00:06:40,600 --> 00:06:41,600
see.

91
00:06:41,600 --> 00:06:47,199
Now what I am going to download is something called the DVWA.

92
00:06:47,199 --> 00:06:51,720
Now there is absolutely no requirement for you to download this for the purposes of the

93
00:06:51,720 --> 00:06:53,519
LPIC2 examination.

94
00:06:53,519 --> 00:06:58,839
This just happens to be one of my favourite virtual machines that I like to download when

95
00:06:58,839 --> 00:07:04,719
exploring port scanning because what it is, it is a virtual machine that is deliberately

96
00:07:04,719 --> 00:07:05,719
vulnerable.

97
00:07:05,719 --> 00:07:10,039
There is going to be a whole bunch of ports open on this machine, so you can get a lot

98
00:07:10,039 --> 00:07:11,639
of detailed results.

99
00:07:11,639 --> 00:07:14,439
Really a prime candidate to show off Nmap.

100
00:07:14,439 --> 00:07:18,439
So if you want to follow along then what to do is to go to your browser.

101
00:07:18,439 --> 00:07:21,319
So I am just going to search for DVWA ISO image.

102
00:07:21,319 --> 00:07:26,519
I click this top link right here and I will download an ISO image here and that is now

103
00:07:26,519 --> 00:07:28,199
downloading right now.

104
00:07:28,199 --> 00:07:30,199
Perfect, so it is now downloaded.

105
00:07:30,199 --> 00:07:32,040
Cool, now I will go to VirtualBox.

106
00:07:32,040 --> 00:07:35,959
I will create a new machine and just say DVWA.

107
00:07:35,959 --> 00:07:38,639
I will make this a Linux machine and I will say next.

108
00:07:38,639 --> 00:07:40,920
I will say next again and create.

109
00:07:40,920 --> 00:07:43,319
Next and dynamically allocated.

110
00:07:43,319 --> 00:07:47,040
I will just make this, I don't know, like 3 gig or something, whatever it may be.

111
00:07:47,040 --> 00:07:49,879
Now I will go to settings here.

112
00:07:49,879 --> 00:07:53,720
I will go to storage, go to controller, click empty.

113
00:07:53,720 --> 00:07:56,920
I will change this and I will choose a disk file.

114
00:07:56,920 --> 00:08:02,960
I will grab this ISO image and say open and I want to make sure this is on the same network.

115
00:08:02,960 --> 00:08:06,960
I will make this a bridged adapter because that is the same type of connection I have

116
00:08:06,960 --> 00:08:10,160
on my Xubuntu machine and I will click OK.

117
00:08:10,160 --> 00:08:11,879
Now what I will do is I will power this on.

118
00:08:11,879 --> 00:08:12,879
I will click start.

119
00:08:12,879 --> 00:08:14,280
This is beginning to boot up.

120
00:08:14,279 --> 00:08:19,639
OK, so I now see this boot screen if you just give this a minute or so to actually fully

121
00:08:19,639 --> 00:08:22,679
boot and we will eventually see a splash screen.

122
00:08:22,679 --> 00:08:24,839
OK, so we now have this splash screen.

123
00:08:24,839 --> 00:08:29,839
We can choose a live system or we can choose to install by using the arrow keys.

124
00:08:29,839 --> 00:08:31,479
I will just say live system.

125
00:08:31,479 --> 00:08:33,879
OK, so I now have this little command line.

126
00:08:33,879 --> 00:08:40,519
So I will say ifconfig and if you can see here I have an address of 192.168.0.72.

127
00:08:40,519 --> 00:08:43,559
That is on the same network as my Xubuntu machine.

128
00:08:43,559 --> 00:08:49,839
So what I will do is I will try to ping this device 192.168.0.72 and we can actually see

129
00:08:49,839 --> 00:08:51,759
I have connectivity here.

130
00:08:51,759 --> 00:08:57,039
So what I want to be able to do is to use Nmap to initiate a port scan against this device.

131
00:08:57,039 --> 00:08:59,719
So what I will say is sudo apt install nmap.

132
00:08:59,719 --> 00:09:04,479
Type in my password and I will say yes and it will run through the installation for nmap.

133
00:09:04,479 --> 00:09:05,479
OK, perfect.

134
00:09:05,479 --> 00:09:08,479
So if I now say man nmap, we will see the man page.

135
00:09:08,479 --> 00:09:13,159
Now this is a network exploration tool and if we scroll on down we are going to see a

136
00:09:13,159 --> 00:09:17,839
ton of options that we can use with respect to nmap.

137
00:09:17,839 --> 00:09:21,439
Like I say, port scanning really can be quite an art and a science.

138
00:09:21,439 --> 00:09:24,839
It's very, very in depth or it can be very, very in depth.

139
00:09:24,839 --> 00:09:28,000
We can see all of these different flags that we can use.

140
00:09:28,000 --> 00:09:29,159
We can do a list scan.

141
00:09:29,159 --> 00:09:30,399
We can do a ping scan.

142
00:09:30,399 --> 00:09:34,839
If we scroll on down we can run particular scripts against the device.

143
00:09:34,839 --> 00:09:40,600
We can run particular tests which will actually test the operating system that we're targeting

144
00:09:40,639 --> 00:09:46,360
which will tell us if we happen to be connecting to a Windows 7 machine or a Linux Ubuntu machine

145
00:09:46,360 --> 00:09:47,480
so on and so forth.

146
00:09:47,480 --> 00:09:52,120
We can do things like firewall and intrusion detection system evasion.

147
00:09:52,120 --> 00:09:56,560
We can scan via IPv6 and a whole host of other options.

148
00:09:56,560 --> 00:09:59,560
So let me show you how we can use this tool then.

149
00:09:59,560 --> 00:10:02,080
So I'll press Q to quit and let me clear the screen.

150
00:10:02,080 --> 00:10:08,560
So the very basic use of nmap is just to specify the command nmap followed by the target that

151
00:10:08,560 --> 00:10:10,399
you want to well target.

152
00:10:10,519 --> 00:10:19,319
So if I say 192.168.0.72 and I hit enter we can see here we've done a very basic port scan

153
00:10:19,319 --> 00:10:21,840
and we have retrieved some information.

154
00:10:21,840 --> 00:10:29,439
So we can see here that this particular service has port 21 open, TCP, but it's in the open state.

155
00:10:29,439 --> 00:10:31,679
This is for file transfer protocol.

156
00:10:31,679 --> 00:10:35,439
We can see it has SSH open port 22.

157
00:10:35,440 --> 00:10:43,640
It has a web server open on port 80 and it has port 443 open, as well as it has a MySQL

158
00:10:43,640 --> 00:10:45,720
database available and open.

159
00:10:45,720 --> 00:10:52,920
So just by doing this very basic nmap scan straight away I can see that this server here

160
00:10:52,920 --> 00:10:55,120
is actually running a web service.

161
00:10:55,120 --> 00:10:59,640
So we can actually take this IP address and pop it into our browser.

162
00:10:59,640 --> 00:11:05,040
So let me just go to my Xubuntu machine, grab this or log in here so I can access its web

163
00:11:05,079 --> 00:11:06,079
browser.

164
00:11:06,079 --> 00:11:09,439
So if I go up to my options I go to my web browser.

165
00:11:09,439 --> 00:11:16,439
I'll just type in the IP address 192.168.0.72 and I could do colon port 80 if I choose

166
00:11:16,439 --> 00:11:21,959
to specify give me it over unsecured port 80 and hit enter.

167
00:11:21,959 --> 00:11:29,360
And now here we actually have the web page for the DVWA web server and if we notice here

168
00:11:29,360 --> 00:11:31,399
we can see the connection is not secure.

169
00:11:31,399 --> 00:11:33,879
This is because we are running over port 80.

170
00:11:33,919 --> 00:11:41,240
So straight away just by initiating this scan I was able to infer information about

171
00:11:41,240 --> 00:11:47,200
this server. Almost immediately I could tell that indeed this server actually is not just

172
00:11:47,200 --> 00:11:49,720
a basic Linux server.

173
00:11:49,720 --> 00:11:54,799
It's a Linux server acting as a web server and we can visit this because it has port 80

174
00:11:54,799 --> 00:11:55,799
open.

175
00:11:55,799 --> 00:11:59,960
Now as it transpires if we just happen to use nmap let me just minimize this and go back

176
00:11:59,960 --> 00:12:01,720
to my SSH session.

177
00:12:01,720 --> 00:12:06,759
Now like I say, we can use nmap to get further information. Say for example we could use the

178
00:12:06,759 --> 00:12:14,120
-O flag to use OS detection and we can say 192.168.0.72 if I hit enter now.

179
00:12:14,120 --> 00:12:18,200
Oh I'll have to use super user privileges to do OS detection.

180
00:12:18,200 --> 00:12:19,200
Let's try this again.

181
00:12:19,200 --> 00:12:24,360
Now we're going to get additional information and we can actually see here information relating

182
00:12:24,360 --> 00:12:25,720
to its MAC address.

183
00:12:25,720 --> 00:12:31,360
We can see what system it's running, that it is a Linux machine, it's not a Mac, it is not

184
00:12:31,360 --> 00:12:36,480
a Windows machine. We can actually see the kernel which is being run here, 2.6, and we can

185
00:12:36,480 --> 00:12:39,800
see how far away in the network it is: it's one hop away.

186
00:12:39,800 --> 00:12:44,919
Now what we can also do is say nmap and as opposed to targeting a particular host say

187
00:12:44,919 --> 00:12:51,519
for example 72 as we did before we could actually give nmap a network address and hit enter

188
00:12:51,519 --> 00:12:56,360
and what nmap is going to do it's going to try to find all the hosts within this network

189
00:12:56,360 --> 00:12:58,720
and conduct a scan against those hosts.

190
00:12:58,720 --> 00:13:02,800
So this will indeed take a little bit of time because we happen to be doing much much more

191
00:13:02,800 --> 00:13:07,920
scanning right now but ultimately once this is finished you will have a report back about

192
00:13:07,920 --> 00:13:12,040
the live host and which ports are available on that particular host.

193
00:13:12,040 --> 00:13:18,519
So notice we actually get information relating to our host 0.72 and we can see all the available

194
00:13:18,519 --> 00:13:24,960
ports which are open, and we also get information relating to ourselves here because we are

195
00:13:24,960 --> 00:13:27,160
also of course on this network.

196
00:13:27,159 --> 00:13:32,799
So indeed we can actually see here that port 22 is indeed open and that is because right

197
00:13:32,799 --> 00:13:39,559
now while I'm connecting to that machine over SSH. If I did ip addr show then we can see

198
00:13:39,559 --> 00:13:42,039
here this is our local IP address.

199
00:13:42,039 --> 00:13:47,519
So the nmap command is a very, very, very useful tool. It can be used to identify particular

200
00:13:47,519 --> 00:13:52,559
services which are running on a machine giving you insight as to what you can do against

201
00:13:52,559 --> 00:13:57,759
that machine as well as insight about potential security flaws in that machine.

202
00:13:57,759 --> 00:14:04,079
Say for example if I use the flag nmap -A and target that machine and hit enter.

203
00:14:04,079 --> 00:14:08,279
This is going to run additional tests to try to find particular vulnerabilities against

204
00:14:08,279 --> 00:14:14,599
the machine, so not only are we seeing things like FTP being open, we actually see the version

205
00:14:14,599 --> 00:14:18,519
of FTP that is open, and this is the type of thing that hackers would look for: they would

206
00:14:18,519 --> 00:14:21,799
look for vulnerabilities in this particular version.

207
00:14:21,879 --> 00:14:25,479
So in the middle of the play we can see the web server happens to be an Apache web server

208
00:14:25,479 --> 00:14:30,359
with the particular version and we get a whole bunch of other information relating to the

209
00:14:30,359 --> 00:14:31,359
SSL ciphers.

210
00:14:31,359 --> 00:14:36,199
So like I say, using this nmap command we can not only just find out information about

211
00:14:36,199 --> 00:14:41,759
the services that a particular server is running, we can also use the different abilities of

212
00:14:41,759 --> 00:14:48,879
nmap to port scan our own system to identify these potentially vulnerable services on our

213
00:14:48,879 --> 00:14:55,399
machine, and if you happen to identify a particular service that you know is no longer in use

214
00:14:55,399 --> 00:15:00,519
and no longer needed then what you should do is shut down that service and close that

215
00:15:00,519 --> 00:15:06,000
port, because it's just simply opening a potential vulnerability for your actual system and server

216
00:15:06,000 --> 00:15:07,360
to be compromised.

217
00:15:07,360 --> 00:15:12,200
So like I say, definitely explore the nmap command. The man page has so many different

218
00:15:12,200 --> 00:15:17,720
options and examples that you can use to get a wide and different range of information.

219
00:15:17,720 --> 00:15:21,399
But for now that is all I have for port scanning. I hope this has been informative for you and

220
00:15:21,399 --> 00:15:22,800
I'd like to thank you for viewing.

