If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Today, I will show you some more stuff you can do with nmap. But, more importantly, I will show you a tool which you can use to assign a physical location, namely a city, to an IP address. It’s relatively precise, but the downside is that you can only make 1,000 queries per day. 1,000 queries per day is still fairly reasonable, but if you’re doing some form of mass scanning it won’t help you much; you will need to go online and download additional libraries for that. Still, 1,000 is a very good number, and let me just show you how it actually works.
So, here I have a command. This is the command that I used previously on scanme.nmap.org to pull information about it: curl ipinfo.io/ followed by the IP address. curl is the command, and the argument you pass to it is the URL with the IP address on the end. Once you press ENTER it queries the server, and there you go. You get the IP, and you get a host name as well. You get a city, it’s Vermont, its region is California, the country is the U.S. You even get coordinates, organization, postal code, and so on and so forth. So, you get some really useful information here in regard to an IP address. But, as I said, the downside is that you can make only 1,000 queries per day. You’re not doing anything illegal here, you are simply querying a database somewhere in the world to give you specific information on an IP address. You could have done this by simply searching for whois on the web, however I wish to teach you how to do these things in the terminal so that you will be less dependent on the browser. Anyway, let me just go ahead and clear this.
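The lookup above, wrapped so that repeated queries of the same address come from a local cache instead of spending the daily quota, with the answer parsed in the shell. This is an added example, not code from the course: the address 203.0.113.5 (a documentation range) and the JSON answer are constructed placeholders, and the function and cache names are my own.

```shell
#!/bin/sh
# Added example (not from the course): a small wrapper around the
# "curl ipinfo.io/<IP>" lookup. Every answer is cached on disk, so repeated
# lookups of the same address do not spend the 1,000-query daily quota;
# ipinfo_field pulls one value out of the JSON answer with sed.
# The JSON below is a CONSTRUCTED sample in the shape ipinfo.io returns
# (one "key": "value" pair per line); the values are placeholders.
CACHE_DIR="${TMPDIR:-/tmp}/ipinfo-cache.$$"
mkdir -p "$CACHE_DIR"
trap 'rm -rf "$CACHE_DIR"' EXIT

# Return the value of one string field ("city", "region", "country", ...)
# from an ipinfo.io style JSON document passed as $1.
ipinfo_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"$2\": *\"\([^\"]*\)\".*/\1/p"
}

# Look an address up, serving from the cache when we already have an answer.
# Only a cache miss talks to the network; curl -f makes an HTTP error such as
# 429 "too many requests" fail instead of being stored as if it were valid.
geo_lookup() {
    ip=$1
    cache_file="$CACHE_DIR/$ip.json"
    if [ ! -s "$cache_file" ]; then
        curl -sf "https://ipinfo.io/$ip" > "$cache_file" || { rm -f "$cache_file"; return 1; }
    fi
    cat "$cache_file"
}

# Constructed sample answer for a documentation address (TEST-NET-3);
# seeding the cache with it lets the script run offline.
SAMPLE_JSON='{
  "ip": "203.0.113.5",
  "hostname": "host.example",
  "city": "Exampletown",
  "region": "Example Region",
  "country": "XX",
  "loc": "0.0000,0.0000",
  "org": "AS64496 Example Network",
  "postal": "00000"
}'
printf '%s\n' "$SAMPLE_JSON" > "$CACHE_DIR/203.0.113.5.json"

# Print the fields the tutorial reads off the answer.
for field in ip city region country org; do
    printf '%-8s %s\n' "$field" "$(ipinfo_field "$(geo_lookup 203.0.113.5)" "$field")"
done
```

The cache lives under a temporary directory and is removed on exit here; for real use point CACHE_DIR at a persistent location so the quota is only spent on addresses you have not seen before.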
What I would like to cover today with you are some external resources which you can use in combination with nmap. Nmap has a wide variety of scripts written for it, and with them you will be able to use nmap to scan for particular vulnerabilities on servers elsewhere in the world. Go ahead and open up your browser. Okay, so I have this website, scanme.nmap.org, open here, and on the website there is a link to nmap.org, and then some links here. Look, here we have a list of categories of the sort of scripts I can run with nmap in order to scan for particular vulnerabilities. There are 490 scripts. For example, here are scripts I can use for DoS (denial of service) attacks. Anyway, let’s go and click on one of the links. I’m going to go ahead and click on vuln, the general category, and now I have all these things here. So, if you’re wondering how you can bypass firewall rules, well, simply use a script. It says, firewall-bypass: detects vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip. Let’s open it up in a new tab. Once you click on it you’ll get the exact syntax on how to use it, under example usage. You just type in the IP address, and that’s it. Literally, that is the only thing that you need to change here. Copy/paste this command, and then just change the last thing into the IP address that you wish to scan. I’m not going to go through all of them, as I said there are 490 different scripts. We will be using a few of them in the later tutorials where we will get into demonstrations, once we actually start attacking particular services and start exploiting their vulnerabilities. There are many resources here which you can utilize, and I strongly advise you to go to this website and check it out. This is the most important part of this website for you: the availability of these scripts.
So, take a look at what they do, and you can save yourself a ton of time by conducting a scan for certain types of exploits. If I click on exploits, it gives me all sorts of exploit scripts. For example, if I’m attacking a very secure File Transfer Protocol server, it explains in great detail what the script does, and if you click on it it’s going to give you the exact syntax which you need to use. Literally, the exact syntax. Right next to it you just type in the IP address of whatever host you want, and that’s it. There are no changes, there is nothing else that you need to do, you just copy/paste this, and change the name here.
Anyway, I’m just going to go ahead and scroll up, and I have yet another website that I wish to show you. It’s called exploit-db. So, just type in exploit-db, and the first site that pops up should be Exploit Database by Offensive Security. This is one of the largest databases out there in regard to vulnerabilities. You can find them all in one place here. There are some very nice wireless tricks that you can use here, reverse shells, privilege escalation, pretty much everything. We will be using this site fairly extensively in the follow-up tutorials, but I just wanted to mention it here so that you can explore it a little bit. Feel free to go through the website. For example, take a look at the router that you are using. Identify the router you are using, take a look at what sort of router was provided to you by your ISP, and then go ahead and click on search in the upper right corner. I’m going to click on it and search for the vulnerabilities of home routers. See what you can do with it. You can search by port, there is a free text search, description, order, platform, look at how many platforms are down there. If you don’t know what platform it is, just try a free text search. Type in the name of your router in the text search and it’s bound to give you some vulnerabilities, because most home routers have more vulnerabilities than they should. So, that is the task that I leave you with. I want you to open up this website, Exploit Database, find a vulnerability for your home router, and once you’ve done that there will be a description of how to use it. Try using it, try exploiting it. If it fails, not a problem. We will get into greater detail regarding routers later on in the course. If you have any questions, feel free to post them in the question section.
Before I leave, once more: over here you have scripts that you can use with nmap to detect particular vulnerabilities. Just click on one and you will get the exact syntax. All you need to do is change the IP address. The other website is exploit-db; use it extensively, it is very good. There are a lot of vulnerabilities on it, pretty much all of them are located there. The site is open, free, anybody can access it, no registration required. With that, I bid you farewell.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
Hello everybody and welcome to this tutorial. Today, I will do some actual scanning, and for that I have picked a domain outside of my local area network. You can find this on the nmap official site, scanme.nmap.org. Feel free to scan this site, as they have given the public permission, but do not abuse the privilege. A few scans per day is sufficient to learn how to use nmap.
So, I need to take this domain. You cannot use Ctrl+C or Ctrl+V in the terminal because Ctrl+C is the universal interrupt command, and Ctrl+V will simply not work. You will need to use the mouse and paste it manually. In any case, we need to trim this down; we don’t need any of these things, we just want the host name to remain. I’m going to go ahead and type in nmap, a space, and there we go. We’re going to scan this domain. However, if I just press ENTER like this, it’s going to conduct the scan, it will do the job I assure you, but it will not give us any output whatsoever. The terminal will stay empty until the scan is complete. For a short scan such as this, zero output in the terminal is fine, but if you’re conducting a scan that can last up to a day, it’s worrying to see that there is nothing there. You can’t be sure whether it’s working, whether it’s bugged, or what not, and that’s why it’s always better to pass the -v option for verbose output. My personal preference is to pass -vv for extra verbose output. Then nmap tells me pretty much everything that it is doing, and how it is functioning, I can watch it as it progresses, and I can see that some ports are open prior to the completion of the scan. I’ll just go ahead and begin the scan, and you can see that immediately, before it finished the scan, it told me that ports 22 and 80 are open. Now, by default, nmap will scan 1,000 ports. You can tell it to scan more ports. You can even tell it to scan the maximum range of ports, which is 65,535. Rarely does anyone do this, as it is time-consuming. Usually, you have an idea what sort of services you wish to target, and then you scan for the ports on which those services are likely to run. For example, port 22 would be SSH (secure shell), and port 25 is SMTP (simple mail transfer protocol). If you don’t know what that is, it’s an email server.
Port 80 would be HTTP (hypertext transfer protocol), and you have nping-echo on port 9929. The state of these ports is rather clear: open, open, open, and a port can also have the state closed. It says here: not shown, 996 ports closed. When it says filtered, usually there’s a firewall which is dropping the packets. It may not be closing the port, but it’s definitely doing something to the packets that arrive for that port. It’s perhaps blocking them from a certain IP, or something of that kind; there can be a lot of options here. In any case, the general meaning of the filtered state is that nmap cannot determine whether the port is open or closed. Usually, you want to stay away from those ports, or you can do some extra research and find out how you can access them. They may require a particular app, or a particular protocol, to be accessed, and that’s why nmap cannot scan them properly. That can be a bit problematic. Stick to the open ports and see what you can do with them. Now, nmap also has an option to create grepable output (-oG). Basically, you can dump your results into a file, store it, and sort it as well. You then gain the ability to extract separate bits and pieces of information. For example, if you simply want the IP addresses of hosts that are up, or you want the IP addresses of hosts that have port 22 open or filtered, or that are running a certain service like SSH, or SMTP, or HTTP, etc. However, I won’t be doing that for scanme.nmap.org. I believe I have used their system enough, and for this example I require a range of IP addresses to give you a meaningful result.
What I’m going to do now is scan my local subnet. If you don’t know what yours is, well, it’s most likely configured as mine is. If it’s not, just type in…let’s just clear the screen first. Type in ifconfig and you will get a result for eth0, or for whatever interface you are using. Just take a look at the IP address that has been assigned to this interface. The range of your local subnet runs over the final octet, from its lowest value to its maximum, so from 0 to 255. Let me just show you what that looks like in case you did not understand. Type in nmap, then for grepable output we need -oG -, and then we need to give it a range of IP addresses. So, 192.168.1.0-255. It’s going to scan all of the IP addresses that begin like this and whose final octet goes from 0 to 255. Now keep in mind that I can customize the range any way I want. For example, here where it says 1, I can type in 1-67. Then it’s going to use this octet and this octet in combination, and scan all possibilities, although that might take a lot of time because that’s a lot of IP addresses. Anyway, I’m not done just yet. What I need to do is actually cause a redirect. Before I cause a redirect I’m just going to request double verbosity with -vv. Why am I redirecting my standard output? Well, I don’t want all of the information to be printed out in the terminal window where it will eventually be lost, pretty much as soon as I close the terminal, or as soon as enough commands are passed that the terminal’s scrollback needs to be rewritten. Furthermore, if it’s written to standard output on the terminal itself, I can’t do anything else with it. I cannot manipulate it, it’s not a file that I can take, it’s just standard output. What I want to do is cause a redirect with a greater-than sign into a file.
So, I’m just going to go ahead and type in > /home/scan; I’m naming this file scan, excellent! So, all of the results that nmap gathers will be stored in this file, and this is the path to the file. Even though I have passed a good number of hosts here, I’ve given it 255 hosts, because I’m on the LAN it’s going to go faster. When you’re doing this over the Internet, a very good idea is to pass a port, or at least a port range. Don’t let it scan all 1,000 ports. Or, even worse, do not specify that it should scan the full port range. Regardless of what sort of internet connection you have, it will take a good amount of time to finish. Furthermore, you’re bound to trigger some red flags, so you should define a port here in order to save yourself a lot of time, and generally you will know which service you want to attack, you will have some sort of idea there. I’m going to go ahead and pass port 22 with -p 22, that is the port that I wish to scan for, press ENTER, and let’s see if this is successful. There we go, it is functioning. It finished rather fast. Even though I passed double verbosity mode, everything is being redirected to the file, so I won’t see anything in the terminal window. If this scan takes longer when you’re doing it over the internet, and it will take longer over the internet, don’t immediately think that something has failed. So, let’s just do this: ls, and now look what I’m doing here. I’m going to do a very similar thing with our scan file: I’m going to type in ls | grep scan, press Enter, there we go. I have passed the ls command to list pretty much everything within the home directory, and then I have piped the output of ls to grep; basically, the pipe just passes it along. I’ve passed the output to grep, and what grep does is pull out whatever you specify here. It pulls it from the output. I’ve told it to pull whatever is in there that has the name scan, or that has the string scan within it.
So, I could have had a name like AAAscanBBB, and it would still pull it without any problems. This is one of the ways in which we can make sure that a file is located within a certain folder, especially in situations where you have hundreds of files in a single folder, and you don’t want to go through them manually. Just use grep if you know the name, or if you know a partial name, in order to figure out what is where. So, let’s go ahead and clear the screen, and let me just show you what is located within our scan file. So, less scan, press Enter, and there we go. We have pretty much all the hosts within my LAN, within my local subnet. They are all down of course, because I don’t have 255 computers or devices within my home network, but look at what it has found. It has found the router IP, the router that I’m using for this test, and it says port 22/filtered/TCP/SSH. That one has port 22 listed and its status is up; I also have .100 with status up and 22 closed, .102 is up with 22 filtered, and so on and so forth.
So, let me go ahead and do a very similar thing here, because I want to leave it on the screen so I can explain it to you. The less command is very nice, but when you exit, it disappears. cat, however, prints everything within a file to standard output, and it stays there for the duration of the terminal session. The reason why I did this will become apparent quite soon. So, what you want to do now is type in cat scan as before, and now we want to pipe the output of scan to grep in order to pull something out of here, the useful information. Let’s say that I want to pull all the hosts that are up. I want to pull all live hosts, I want to see their IP addresses, and when I type in grep, what is the universal marker for all the hosts that are up? Well, you have a flag here, Status, and then the flag Up. Let’s go ahead and type in Up, press Enter, excellent! I will give you a bit of clarity, there we go. You have these flags which are Up, so I have all the hosts here that are currently up and running,
that are alive on the network, but this is not what I want. If I wanted to pass these IP addresses to another program, I wouldn’t be able to pass this whole line because it wouldn’t make any sense, especially if the other program only wants the IP address of the host. You perform one nmap scan to see which hosts are alive, and then, once you figure out which hosts are alive, you can do a more detailed scan on those particular hosts. This saves a lot of time. So, we have these hosts here, but we want to pull out these IP addresses. I’m afraid I just can’t do that with grep. Perhaps I could, but it would be too complicated and it really wouldn’t be practical. That is why Linux has something called awk. awk is used for formatting text and pulling out certain parts of a file that you have decided you need. Now, you could make an entire separate tutorial on awk. I would strongly advise that you familiarize yourselves with awk by reading the man pages. However, for the time being, and for the purposes of this tutorial, we will be using some basic awk commands which pretty much everybody uses, and which are a necessary part of pen-testing. So, cat prints everything to standard output, then grep Up: grep all of the lines that contain the word Up. And then what I want to do here is eliminate this part, leave this part in, and eliminate this part. How shall I do that? Well, the first thing that we need to do is specify a field delimiter. Basically, if you say that the colon here is the field delimiter, this will be one field, this will be another field, and this will be yet another field. So, you will have three fields in total. However, that doesn’t really work for us. If we say that the colon is the delimiter, this entire section that I’ve highlighted will be considered one field, and we will have the parentheses and the status, the parts that we don’t really want. What you can use as a field delimiter here is a space.
So, with a space as the delimiter, this is one field, this is going to be another, and this again is going to be a field delimiter because there’s a space, and this will be the third field, and then you have another space, and the fourth, and so on and so forth. In order to specify the field delimiter as a space, simply leave a space in between the quotation marks, so -F " ". Generally, you put quotation marks and you specify the field delimiter in between them. If you wanted a colon this is how you would do it, but we don’t want a colon. We want a space, and that’s it. Then open a single quotation mark, open a curly bracket, type in print $, and then the number of the field that you would like to print out. We would like to print out the second field, so 2; close the curly bracket, close the quotation mark, giving '{print $2}', press ENTER, and there we go. We have all the IP addresses of the hosts that are up, listed without anything else. Now, what you can do with this is redirect it into another file, call it scan2, press ENTER, and then you can type in nmap -iL scan2, and you can perform a full nmap scan for just those four hosts. This might take a bit. No, I don’t want to view it like that. Let me request double verbosity with -vv, excellent! So, now you can do a full scan for just four hosts instead of doing it for all 255 hosts. Just figure out which hosts are alive, and you don’t need to do that with port 22, just do a ping sweep, and that’s going to be it. You will be able to figure out which hosts are alive and perform a detailed analysis of those particular hosts, and you can see I’m already receiving information here. My home router is filled with holes, but it doesn’t matter at this moment. I am just using it for the demonstration in this tutorial. I’m going to switch it as soon as I’m done with the tutorial. I have 443 on .102, so I probably have some SSL going on there. Port 80 here, port 23. We will soon see what all these services mean.
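The whole pipeline from the scan file to the scan2 list, as an added example rather than the course’s own commands: it runs the same grep and awk steps over a constructed sample of grepable (-oG) output, so no nmap run is needed, and it goes one step beyond the transcript by also selecting hosts by the state of any given port (the "port 22 open or filtered" case mentioned earlier). The addresses in the sample and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the course): the grep/awk pipeline from the
# tutorial, run against a CONSTRUCTED sample of nmap grepable (-oG) output
# instead of a live scan, so it runs offline. The sample mimics
#   nmap -oG - -vv -p 22 192.168.1.0-255 > scan
# The functions go one step further than the transcript: besides the
# "Status: Up" hosts they also select hosts by the state of a given port.
SCAN_FILE="${TMPDIR:-/tmp}/scan.$$"
trap 'rm -f "$SCAN_FILE" "$SCAN_FILE.2"' EXIT
cat > "$SCAN_FILE" <<'EOF'
# Nmap 7.80 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -oG - -vv -p 22 192.168.1.0-255
Host: 192.168.1.1 ()	Status: Up
Host: 192.168.1.1 ()	Ports: 22/filtered/tcp//ssh///
Host: 192.168.1.2 ()	Status: Down
Host: 192.168.1.3 ()	Status: Down
Host: 192.168.1.100 ()	Status: Up
Host: 192.168.1.100 ()	Ports: 22/closed/tcp//ssh///
Host: 192.168.1.102 ()	Status: Up
Host: 192.168.1.102 ()	Ports: 22/open/tcp//ssh///, 443/open/tcp//https///
# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 5.12 seconds
EOF

# Live hosts: keep the "Status: Up" lines and print field 2, the address.
# With -F " " awk splits on any run of blanks, so the tab nmap puts between
# "Host:" and "Status:" does not matter.
live_hosts() {
    grep 'Status: Up' "$1" | awk -F " " '{print $2}'
}

# Hosts whose port $2 is in state $3 (open, closed or filtered). Port entries
# are "port/state/proto//service///" separated by ", ", so the pattern is
# anchored on that separator to avoid matching 2222 when asked for 22.
hosts_with_port_state() {
    grep -E "(Ports: |, )$2/$3/" "$1" | awk -F " " '{print $2}'
}

# Write the live-host list to a second file, the input for "nmap -iL scan2",
# and print how many targets it holds.
write_target_list() {
    live_hosts "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

echo "hosts up:";           live_hosts "$SCAN_FILE"
echo "port 22 open:";       hosts_with_port_state "$SCAN_FILE" 22 open
echo "port 22 filtered:";   hosts_with_port_state "$SCAN_FILE" 22 filtered
echo "targets written: $(write_target_list "$SCAN_FILE" "$SCAN_FILE.2")"
```

Replace the heredoc with a real scan file (nmap -oG - ... > scan) and the same functions work unchanged; the second file is then what you hand to nmap -iL for the detailed scan.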
However, you may see these flags here, and usually you will experience delays, because there are some packets being dropped and some being refused by the servers on the other side. You can also run into rate limits, and so on and so forth. So, here you can see the scans and what they have revealed thus far. They tell me everything that I want to know in regard to my local area network. It even gives out the MAC addresses, which I’m going to cover up so you won’t be able to see them, but, in any case, you see how much information you get, and how much time you can save. I am going to end this tutorial here and we will move on to the next one. I hope that you’ve enjoyed this one, and I’ll see you next time.
Hello everybody and welcome to this tutorial. Today, I will start a chapter on footprinting. So, I have explained what the act of footprinting is before, but now we will actually go ahead and conduct a few scans to see how it all works, and introduce you to the tools that we will be using.
First off, we need to find ourselves a target to scan. I could scan myself, but that would not be realistic because I already know what the results are going to be. Plus, it would not be a long-range scan over the internet; I would be scanning within my own local area network. So, the speed of the scan would not be realistic, as it would be a lot faster than when you conduct the scan over the net. So, what I did was go online, and you can do the same, and on the official nmap website they have a section devoted to allowing people to scan them to test the tool out. Here is the written permission that you can actually scan this website. You can scan it to test out the nmap tool; a few scans a day here is fine, but do not scan it a hundred times a day, or use it to test your SSH brute-force password-cracking tools, etc. That’s definitely something you don’t want to do, but you can run a few scans on this site per day and according to them that’s perfectly fine. You are not breaking any laws. I’m just emphasizing one more time that you do have written permission right here on the site, which is fantastic because it gives us an opportunity to simulate real-world conditions and see how nmap behaves.
Now, nmap is an essential tool for pretty much any pentester out there. Many people will say that it’s pointless to port scan, that it doesn’t do you much good, and so on and so forth. Well, perhaps in terms of exploiting the services running on the ports themselves it doesn’t do you that much good, but just by seeing which ports are open and which ports are closed you can, to a fairly good extent, determine which operating system, or which platform, is being used on the other side, and then you can find weaknesses of that platform. Of course, there are some other ways of doing this, and I will show them to you, but let me show you how nmap works. Nmap is known to trigger quite a few alarms, quite a lot of firewall red flags, and you want to make sure that your nmap scans are as discreet as possible. Now, there are tools to figure this out, but I will show you here how to do it using the Linux terminal. There is also something called Zenmap. Zenmap is a graphical user interface for nmap, but we will not be using that. Instead, I want to teach you how to use it via the terminal. So, nmap is the one most commonly used, and it is almost always used in the terminal, in text form. People rarely use the graphical user interface. In the previous chapter we also discussed how to stay anonymous, so at the end of this chapter I will be combining these things: scanning, footprinting, and anonymizing your scans. In any case, without further ado, let’s type in nmap --help, press ENTER, and there we go. There are a lot of options here, I mean a metric ton of options, way more options than we actually need for a basic scan. However, eventually, over time, you will come to understand that all of these options are available for a reason; there is a particular use case for each of them. So, what you need to do is scroll down to the bottom, and here you have examples of how nmap runs. So, 99% of the time you will type in nmap -v for verbose output.
For this sort of activity we will want as much information as possible. We can use -A to enable OS detection, version detection, script scanning, and traceroute. I don’t think we’re going to need that immediately. There is the -O option, which is just for OS detection. Anyway, you can pass either scanme.nmap.org, which is the domain name and will get resolved to an IP address, or you can pass it an IP address directly. If you’re wondering what this is, this is a mask. It would be very difficult to explain in great detail what this is, but for the time being know that this is actually an IP address range. It goes from a certain IP address to a certain IP address, but you do not need to use this format. Not that many people use this particular format with the mask. They tend to specify very specific ranges, because they don’t have permission to scan the entire subnet. Instead, they have to create lists, skip certain IP addresses, and then continue again from a certain point. So, they do need to create lists, and that can be a problem.
Now up here, at the top, you have another very important option that’s going to come in handy: -iL, input file name. So you can actually create a list of IP addresses in a file, and then scan those particular IP addresses. You also have the ability to do this, look at what’s written here. So just take a look at this segment: it’s 10.0, and then this segment here, this octet, is 0-255, and then the last octet is 1-255. If you’re wondering why I’m calling these things octets, it’s because each one of these has 8 bits, and it is represented in binary. So it can be 8 zeros, or 8 ones, or a combination of ones and zeros, but it has 8 bits, so 8 positions. That’s why they are referred to as octets. This is a very common form that people tend to use, and this is what you will find yourselves using. Either this, where you specify the IP addresses directly, or you will be passing files. People will either create these files themselves, or they can find these IP addresses on the internet. So in addition to this site, https://nmap.org/, you also have this one here, https://www.nirsoft.net/countryip/. This is a fantastic website. The entire range of pretty much every IP address block is listed here, and it also lists who owns what. You can search for a country and it’s going to give you the IP addresses assigned to that particular country, and the owner of those IP addresses. Usually it’s just telecoms, but there are other owners as well. So I’ll just give it a shot. Let’s just type in Germany, or I don’t know, France. Okay, this is not the first search result, but that’s not a problem. Actually, you can find it down here, and I’m not going to type it in here. I could Ctrl+F France, there we go. Down here, just saving myself a bit of time, and there we go. So, you have a range, this is a given range here, it’s from 2.0.0.0 to 215.255.255. This is a massive range.
This is a humongous range. Look at how many IP addresses you can have in total, how many of them you can generate within this range. It’s quite a lot. This is owned by French Telecom. I don’t know why they need this many IP addresses. So, as I said, you can sort them by owner, and you can see that many of them are not listed here. Wow! France has a lot of IP addresses assigned to it. They’re not free, they cost money. Let’s just go ahead and look further down. Where is it? Where is it? OK, so you see all of these IP addresses, and this is a pretty massive range, so this is a telecom in France. Look at how many IP addresses, IP address ranges, they have. So, that’s quite a lot, and this site, as I said previously, we can use to figure out which IP address range we wish to scan. Again, you usually do not have permission to scan the entire range. You can scan certain IP addresses within that range for which you have permission. This is a very nice site to determine where an IP address is from, or something like that. However, always remember, once you get an IP address, your search engine is your best friend. This is one of the major components of footprinting. You can type in whois, and then an IP address; I’m just going to type in this random IP address. So, if you don’t want to search for it here, you can have a look at it here. Whois 82.120.0.0? I don’t know if this search will be successful. There we go. So, I’ve typed in whois and I’ve picked the first website that I could find, and here I have all the information in regards to that particular IP address. I have a country, I have the username of the admin, I suppose, I have the status, remarks, source, and I even have a physical address associated with the IP address, which is ridiculous. Yeah, as I said, search engines are your absolute best friends.
If you want to find pretty much anything on the net in regards to an IP address, or to do any sort of research, make sure you utilize your favorite search engine.
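One way to produce the -iL list described above when you only hold permission for part of a range and have to skip the rest, as an added example that is not from the course: a last-octet range such as 192.168.1.1-10 is expanded to one address per line, every address listed in an exclusion file is dropped, and the result is written to a file for nmap -iL. nmap’s own --exclude and --excludefile options do the same filtering at scan time; building the list first leaves a file you can review before scanning. The helper names and every address below are my own constructed values.

```shell
#!/bin/sh
# Added example (not from the course): build a scoped -iL target list.
# Addresses are expanded from a last-octet range such as 192.168.1.1-10,
# anything listed in an exclusion file is dropped, and the result is written
# to a file for "nmap -iL <file>". (nmap also accepts --exclude and
# --excludefile; doing it here keeps a reviewable list on disk.)
# All addresses below are CONSTRUCTED sample values.

# Expand "A.B.C.lo-hi" (or a plain "A.B.C.D") into one address per line.
# Only the last octet may carry a range in this helper; anything that is not
# digits and dots, or whose bounds are out of order or above 255, is rejected.
expand_last_octet() {
    prefix=${1%.*}
    range=${1##*.}
    case $range in
        *-*) lo=${range%-*}; hi=${range#*-} ;;
        *)   lo=$range; hi=$range ;;
    esac
    case "$lo$hi$prefix" in
        *[!0-9.]*|"") echo "bad range: $1" >&2; return 1 ;;
    esac
    [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 255 ] \
        || { echo "bad range: $1" >&2; return 1; }
    i=$lo
    while [ "$i" -le "$hi" ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# $1 range, $2 exclusion file (one address per line), $3 output list.
# Prints the number of addresses kept. grep -vxF drops exact whole-line
# matches, so 192.168.1.1 in the exclusion file does not also remove
# 192.168.1.10.
build_target_list() {
    expand_last_octet "$1" | grep -vxF -f "$2" > "$3" || true
    wc -l < "$3" | tr -d ' '
}

EXCLUDE="${TMPDIR:-/tmp}/exclude.$$"
TARGETS="${TMPDIR:-/tmp}/targets.$$"
trap 'rm -f "$EXCLUDE" "$TARGETS"' EXIT
# Constructed exclusion list: addresses in the range that are out of scope.
printf '%s\n' 192.168.1.1 192.168.1.5 > "$EXCLUDE"

echo "kept $(build_target_list 192.168.1.1-10 "$EXCLUDE" "$TARGETS") addresses:"
cat "$TARGETS"
# The scan itself would then be: nmap -v -iL "$TARGETS"
```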
So, those are the two tools that I wanted to introduce you to. Well, one tool, one website, and one search method, which you can use to determine where an IP address is from, or who is using it, and even to determine its physical location. Although, its physical location can be assigned to a telecom, and that telecom can assign it to a city, and to a specific region in the city. Then you can find it on Google Maps, or on Google Earth, but usually those things are not that precise. What is precise, however, is that the IP address belongs to a telecom, and they keep rotating them between cities. So, if you have, let’s say, a hundred thousand IP addresses that you have scanned, and you wish to sort them by city, you will get 70-90% accuracy. This can be problematic because you’re going to miss out on some things. You also have something called nslookup. I’m going to use scanme.nmap.org. I have asked it to look up scanme.nmap.org, and this is my DNS server, which is basically my router. You see it says port 53. You know immediately that it’s DNS because all DNS traffic runs on port 53. Then we have the results. So, this is the domain name, and you get the IP address down below. This is also one of the ways in which we can get the IP address of a site from its domain. Once you know the domain you don’t actually know the IP address until you look it up, but this is a far simpler method; you don’t need to use nmap. Oh, by the way, nslookup also works in reverse. So, type in nslookup, then the IP address, and press Enter. Down below are the authoritative answers from the name servers. Basically, that means there are DNS servers giving you responses and telling you to whom the domain belongs, and so on and so forth.
What I want to show you here is that you can actually get a domain name by typing in nslookup, and then the IP address, and here where it says non-authoritative answer you get the IP address, and then you get the name, which is the domain name. However, you might notice that there was a problem here, that this IP address does not match this one. Well, guess what? It actually does. Try looking at it in reverse. It’s 74, 74 here, 207, and 207 here, 244, and 244 here, and 221 here, and 221 here. When you do an nslookup, and when you pass in an IP address, it’s going to do a reverse lookup in the DNS MX records. It’s going to query the DNS servers, and the DNS servers are going to give it a response, but in the MX records this is basically how things are written. You write the IP address in reverse, and then you append in-addr.arpa, but this part really is not that interesting to us. This is more interesting to server admins who configure the DNS servers. We will get to DNS servers in the later stages of this course. What is important for you here is that we’ve typed in an IP address, you’ve used the tool called nslookup, and you have gotten a domain name in return. Now you can start doing some other things as well, but we will be dealing primarily with nmap. Nmap is a tool used to scan networks and to retrieve information from them. What I’ve shown you in this video is some basic information retrieval, and some basic external resources that you can use. In any case, I’ll see you in the second part of this nmap introduction, and there we’re going to actually conduct some scans and see how it all works. Thank you for watching and I hope to see you next time.
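The reverse lookup described above, as an added example that is not part of the tutorial: the first function builds the reversed in-addr.arpa name that the resolver actually queries (the record type behind "name = ..." is a PTR record), with octet validation so a bad address fails early; the second pulls the host name out of nslookup's answer text. The nslookup output is a constructed sample using the tutorial's address, 74.207.244.221, and the router resolver 192.168.1.1 is assumed.

```shell
#!/bin/sh
# Added example (not from the tutorial): build the in-addr.arpa name behind a
# reverse lookup, and parse the name out of nslookup's answer.

# Print the reverse-zone name for a dotted IPv4 address, e.g.
# 74.207.244.221 -> 221.244.207.74.in-addr.arpa. Returns 1 on a malformed IP.
reverse_ptr_name() {
    ip="$1"
    # Only digits and dots, no leading/trailing/doubled dots.
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Extract the host name from nslookup's reverse-lookup answer. nslookup prints
# a line like "221.244.207.74.in-addr.arpa  name = scanme.nmap.org." under
# "Non-authoritative answer:"; we print that name without the trailing dot.
ptr_name_from_nslookup() {
    awk '/in-addr\.arpa.*name = / { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Constructed sample of what "nslookup 74.207.244.221" prints when the home
# router (192.168.1.1, assumed) is the configured resolver.
SAMPLE_NSLOOKUP='Server:     192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
221.244.207.74.in-addr.arpa     name = scanme.nmap.org.

Authoritative answers can be found from:'

# Round trip: the name that would be queried, then the answer parsed.
reverse_ptr_name 74.207.244.221
printf '%s\n' "$SAMPLE_NSLOOKUP" | ptr_name_from_nslookup
```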
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
Hello everybody and welcome to this tutorial. Today, I will show you how to schedule tasks to run upon rebooting your system, or at a certain point in time. In this particular tutorial, we will create a script or a command to change your MAC address each time you restart your Linux system. So, every time you reset your computer, each time you turn off your computer and turn it back on, not only does it give you a random address that anonymizes you further on wireless networks, but it will make sure that you do not share your permanent MAC address. You might think to yourself, well, I can just change the MAC address every time I need to change it. Well, you will forget, trust me. It’s far simpler to set a cronjob once, and it will run each time you reboot your computer. If we take a look in ifconfig, I don’t actually have any wireless interfaces configured here, mostly because this is a virtual machine. We will be doing some of the things on my other machine, on my Fedora host machine, but for the time being we will use eth0, my wired interface, as an example. You can just as easily do this with any other interface that you have. The only thing that should vary is the name of the interface. For example, this one is eth0, wireless1 would be eth1. On my Fedora system the wireless interface is wlp2s0.
In any case, what we need to do is clear the screen. There is a Linux software utility called cron; it should be included with nearly every Linux distribution available, and this is what you use in order to schedule tasks to run for you in an automated fashion. Let’s type in crontab --help, press Enter, and there we go. Let’s take a look at the help menu for this command. It’s fairly small, there aren’t that many options, the tool is fairly simple. You use -e to edit the user’s crontab, and you use -u to specify the user whose crontab you wish to edit. That’s helpful if you have multiple users on a single system, but by default it will edit the cronjobs for the current user. You can also list the user’s crontab, delete the user’s crontab, very important, and you can also always use -i to prompt before deleting. Remember, once you delete something in Linux it’s gone. There are some methods for retrieving deleted information, but more likely than not it’s permanently gone. You will find it very difficult to retrieve information that you have deleted through the terminal. Anyway, enough about that, let’s go ahead and start editing our scripts that will run on startup. So, type in crontab -e, press ENTER, and there we go. We are prompted with this file. This is opened with the vi text editor, so we will need to go through some of the basics. Here it says edit this file to introduce tasks to run by cron. I strongly advise reading through this entire file. It’s very small. Just read it. I’m 99% sure that you will be able to understand pretty much everything that is written here. Over here, the last line is actually the format. You have the minute, the hour, the day of the month, the month, the day of the week, and then the command; the meaning of each of these separate fields is explained in this file. So, mon is month, dom is day of the month, this is hour, this is minute, and so on and so forth.
Go through this file, read through it, and you will understand this format to the fullest extent.
For the time being, here is the command that I wish to use. In order for you to edit pretty much anything in vi, vi is a Linux text editor, you need to open a file and then press I. Just go ahead and press I on your keyboard, the letter I, and it says you are currently in insert mode. You can see how I’m highlighting it, now it says insert, and now you can actually type things in. What we want to type in is @reboot, and then type in the command macchanger -r eth0. That is the command that we use in order to randomize the MAC address of our eth0 network interface. Here you have @reboot. So when do we want this to happen? We want it to happen when the system reboots. When we reboot our machine, execute this command. If you wanted to run a script you would just need to specify a path to that script, and then a command to execute it. So just press Escape now to exit insert mode, and press : on your keyboard. Once you press colon you will be prompted with a command line here. In the command line you need to type in “w” for write, so write these changes to the file, and then in addition to w you also need to write “q”, quit. After you’ve written to the file I want you to quit the file. If this doesn’t work you can also add an additional argument, which is an exclamation mark, to forcibly do it, but there is no need in this example, it’s going to work. So quit, there we go. This says installing new crontab, excellent! So we’ll just go ahead and clear the screen, type in macchanger -s to show the MAC address of my interface, eth0, press Enter, and you see it says permanent MAC, this one, current MAC that we are using, the same one. Let’s go ahead and reboot the computer, and after the reboot we will see a different current MAC address listed. The first two characters of the MAC address were 08.
Once we reboot the system I will start up ifconfig, actually not ifconfig, I will use macchanger from now on to actually verify the MAC addresses of my interfaces. Even though that is not a good thing. You should honestly be using ifconfig because it is the universal way of checking a MAC address on pretty much any Linux distro out there. On the other hand, macchanger is most likely only installed by default on Kali Linux, and pretty much any other distro does not have it installed by default. Let’s go ahead and use ifconfig. We’re being logged in at the moment, sorry for any delays. This is a virtual machine so it’s bound to have some slight delays, but surprisingly I have found it very efficient. It’s working at a relatively fast pace. I’ll just go ahead and open up our terminal, type in ifconfig, and you can see that the hardware address has been changed. This one no longer starts with 08. So, to confirm this further, we’ll just go ahead and type in macchanger -s eth0, excellent! So you can see the permanent MAC is this, the current MAC is this. It’s of an unknown type, unknown manufacturer that is. You can take a look at the macchanger help menu to specify the type of MAC address that you want it to assign to your interface. Feel free to play around with that. Again, if you have any questions in regards to that, feel free to post them, I will be more than happy to help you out in any way that I can. In any case, I bid you farewell, and I hope to see you in the next tutorial.
Hello everybody and welcome to this tutorial. Today, we will discuss MAC addresses, what they are, how they can be used, and how you can change them in order to anonymize yourself.
So, what is a MAC address? A MAC address is a physical address for each of the individual network interfaces in your computer. All of your network interfaces have a MAC address; be it a wireless or wired interface, it will have a MAC address burned into it. As soon as you connect to a wireless network, or a LAN with a wired cable, that particular MAC address is used to identify you in combination with an IP address within that LAN. MAC addresses do not go further, they do not go outside the LAN, they do not go past the first hop, the first router. So, as soon as you go through the first router from your computer, your MAC address is no longer being shared. Anyway, let’s see what a MAC address looks like. So, what command do we use if we want to list our network interfaces? We will be using ifconfig. Press Enter, there we go. I have a loopback interface which I’m not really that interested in, I would like to remove it for the time being, ifconfig eth0, and there we go. I just wanted a listing for this particular interface, and this is your hardware address. Do not confuse it with the IPv6 address which is here. You can see that it is quite a bit longer, and it has far more characters than a MAC address. The first three sets of the MAC address are used to identify the manufacturer of the device. You can’t really utilize the last three sets because you don’t really know what the manufacturer has done with them. But, you can use the first three sets in order to figure out who has produced the device, and if you know which company has made the device, then you can research the possible vulnerabilities for that device. This is also one of the methods of footprinting, figuring out the MAC address of a device. If you have a MAC address, you can conclude with reasonable safety who produced the device, and in doing so you will get a better idea of what you can do with the device, how you can exploit it, and so on.
Let’s take a closer look here, ifconfig eth0, you can also do this. Let me show you an application of the grep command. You can use | grep, and you type in HWaddr, and there you go, this is a far better listing. It will list eth0, link encap:Ethernet, and HWaddr, so you can see clearly what is written here. I could use the awk command to filter this out, and leave only the MAC address to be printed out, but this provides a good overview as well. Keep in mind that other things can be listed here from one system to another, but you can always view it using the ifconfig command. Once you know how MAC addresses are written, when you know their formats, you will be able to recognize them even in a vast mass of information.
Since MAC addresses are used to identify you within a wireless network, if somebody actually checks the devices within the network they will know who you are, they will be able to kick you off the network, and we would like to protect ourselves from being identified. We want to be anonymous. One of the downsides of MAC addresses being used as a means of identification is that you can view the other MAC addresses on the same network. You can then copy those MAC addresses, use them as your own, perform some sort of shenanigans on the network, admins will notice that there is a problem, then they will permanently ban that MAC address. You have successfully performed a denial of service attack. I have seen this used at university multiple times. Basically, what people would do is figure out what the professor’s laptop MAC address is, they would then deliberately perform some kind of malicious activity such as attempting to log in to the router, the administrators would notice, and they would permanently ban that MAC address. This would effectively render the laptop useless for that lecture because that laptop could no longer connect to the wireless projectors where the presentations were being held. They eventually did get caught, and it was a pretty messy situation, but I’m just giving you an example of how these things can be used and abused. I am not suggesting that you should do this. Instead, use it for a benevolent purpose. Don’t use it for silly things that literally have no benefit.
In this particular tutorial I would like to introduce you to a tool called macchanger, so macchanger, press Enter, and there you go. You can see it is installed by default with Kali. So, it says Usage: macchanger [options] and then device. I’m going to clear this and type macchanger --help. Let’s see what kind of options we have with this tool. So, you see you have a few options, not many, it’s a fairly simple tool. We just passed --help; we can print the version and exit, we can print the MAC address and exit. Actually, I have never tried this. Let’s give it a try. macchanger -s eth0. It does indeed give the address. I have always used ifconfig. It gives us the permanent MAC address, and then you have the current MAC address with which we can do whatever we want. Go ahead and clear the screen, for convenience’s sake, and call the help menu once more. Now this is what I was talking about a moment ago, it says do not change vendor bytes. So, if you want to change your MAC address but still stay within the same vendor, it says don’t change the vendor bytes. Those are the first six characters, the first three sets that is. We can set a random vendor MAC of the same kind, you can also use these parameters, however they are not used very often. Usually, what you would use is either a fully random MAC address, or you would use one for a particular vendor. So you would go online, see what the particular vendor MAC addresses are, or you can print known vendors. There is a list included with the program, let me just show you, -l, and there are a lot of them. So it is only showing you the first three sets, and then for the other three you can type in whatever you feel like typing in. If you would like to be discreet on a network, as a standardized device within that network and not raise any suspicions, this is a good way of doing it. You can have the MAC address of a device that the network administrator is familiar with.
They won’t be able to tell the difference unless they actually dig deeper. The important thing here is that if anybody digs deep enough they will find that you are doing something, but the idea is not to raise any flags, any suspicion, and in such a way pass through unnoticed. You of course have the ability to generate a fully random MAC address, and you can also set your own. You can use the -m parameter, or --mac, and then you type in the MAC address that you would like. People have used the MAC addresses of legitimate devices on the network to conduct malicious activity, and then those devices would be banned.
Let me show you what changing a MAC address looks like. We will deal with this sort of attack a bit later on when we get into wireless hacking, and breaking wireless encryption, and what you can do on a wireless LAN. Here I just want to show you what a changed MAC address looks like. So let’s just show eth0. Ok, so, we’ve seen this a moment ago, now here’s what happens when I use macchanger. macchanger --random eth0, press Enter, and there we go. It says permanent, current, new. So this is the new MAC address and it says unknown, I haven’t assigned it to any particular vendor. If I now say show, excellent! So it says permanent and current. The current one is the one that is being shown, that can be seen within the LAN, and that is used to identify you. You can’t actually destroy your own MAC address because it’s literally burned into the device; this one will be shared with everybody else, and this one will remain within your own computer. It will not exit your interface. Anyway, a good practice would be to set up a script which upon booting changes the MAC address, and sets it to random every time you boot your computer. I will show you this in the next tutorial. Until then I hope that you have enjoyed the tutorial, and thank you for watching.
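The MAC-address handling from the ifconfig and macchanger sections above, as an added example that is not part of the tutorial: it pulls MAC addresses out of ifconfig text (the pattern requires six two-digit groups, which is why the longer IPv6 address on the next line is not picked up), splits off the first three sets as the vendor part (OUI), looks the OUI up in a small table built here, and flags addresses with the locally administered bit set, which is the standard sign of a software-assigned address and the kind of thing a network admin can alert on when looking for the spoofing the text describes. The ifconfig output and the three-entry vendor table are constructed; the random MAC value is made up.

```shell
#!/bin/sh
# Added example (not from the tutorial): extract MACs, find the vendor part and
# spot locally administered (software-set) addresses.

# Print every MAC address found in the text on stdin, one per line, lower-case.
# Exactly six two-hex-digit groups separated by colons; IPv6 groups are
# two to four digits wide and do not match.
extract_macs() {
    grep -oE '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' | tr 'A-F' 'a-f'
}

# First three octets of a MAC, upper-case: the part the manufacturer owns.
oui_of() {
    printf '%s\n' "$1" | cut -d: -f1-3 | tr 'a-f' 'A-F'
}

# Return 0 when bit 1 (value 2) of the first octet is set, i.e. the second
# hex digit is one of 2,3,6,7,a,b,e,f. A burned-in vendor address has this
# bit clear; a set bit marks a locally assigned address (macchanger's random
# ones included), which is worth a second look on an access-controlled LAN.
is_locally_administered() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    case "$first" in
        [0-9a-fA-F][26aeAE]|[0-9a-fA-F][37bfBF]) return 0 ;;
        *) return 1 ;;
    esac
}

# Small vendor table built here in "OUI VENDOR" form; a real check would use
# the IEEE OUI list (macchanger ships one, see "macchanger -l").
OUI_TABLE='08:00:27 PCS Systemtechnik (VirtualBox)
00:50:56 VMware
B8:27:EB Raspberry Pi Foundation'

# Vendor name for a MAC, or "unknown" when the OUI is not in the table.
vendor_of() {
    oui=$(oui_of "$1")
    printf '%s\n' "$OUI_TABLE" | awk -v oui="$oui" '
        $1 == oui { $1 = ""; sub(/^ /, ""); print; found = 1 }
        END { if (!found) print "unknown" }'
}

# Constructed "ifconfig eth0" output for a VirtualBox guest.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 08:00:27:5b:1c:2e
          inet addr:192.168.1.23  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe5b:1c2e/64 Scope:Link'

# Report every MAC in the sample, then classify a made-up random one.
for mac in $(printf '%s\n' "$SAMPLE_IFCONFIG" | extract_macs) 3a:9f:12:c4:77:01; do
    printf '%s  OUI=%s  vendor=%s  locally-administered=%s\n' "$mac" \
        "$(oui_of "$mac")" "$(vendor_of "$mac")" \
        "$(is_locally_administered "$mac" && echo yes || echo no)"
done
```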
Hello everybody and welcome to this tutorial. Today, I will actually connect to a VPN service provider, and I will show you how to prevent DNS leaks as well. Anyway, before I go into all of those technical things, I just wanted to say that VPNs are also a cheap solution if you’re looking for a static IP address. So if you want to set up a home web server, or a file-sharing server, with a static IP address you can have a VPN for around $10 a month. That’s a very economical solution for a static IP address, as opposed to going through your ISP provider who will sell it to you for a much larger sum of money. I just wanted to mention that as a bit of extra information.
What we are going to do today is open up this website. I’ve opened up this one, you can open up any other that you would like, but be sure to check the reviews. I am using OpenVPNbook.com because I didn’t need to register, or anything of the kind, I could just start using the VPN service. I don’t need to install any additional software, or anything like that, I just need to download a configuration file, and that is fantastic. That works great for me because there’s minimal work needed, and it’s going to work for you as well. However, if you wish to use a different VPN provider, please feel free to do so. In fact, I encourage you to go out on the internet and have a look around to see which VPN providers are out there, what people are saying about each one of them, and which are the best. Which are the best in terms of cost, privacy, speed, stability, and so on and so forth. Sometimes you will get a VPN and the connection tends to break from time to time. That can be a bit inconvenient. Let’s go ahead and begin the connection process. So, I don’t want PPTP, I want OpenVPN, and which one am I going to take? Okay, let’s take the Germany based VPN. This is a certificate bundle. It should open with the archive manager without any problems. Let’s extract this to the desktop, and then I’ll create a new folder for them. Let’s make it a bit neater, openVPN, there we go. Let’s copy these things into this folder here and move it right there.
Do you remember how we downloaded duplicates of packages with the same name, except one had gnome in the name of the package and the other one didn’t? So you’ve downloaded the plugins for the GNOME network manager, and we’ve downloaded the actual packages which we can use via a terminal as well. Today, I’m going to connect to a VPN using nothing but the terminal. You can also do it through the network manager here. It says VPN connections, configure VPN, as we’ve done before. You just say add, then you can choose here, or you can just import these files here. This is a very simple process and you can do it through a network manager. However, chances are that you will find yourself in an environment that doesn’t have a GUI, and you will need to do it via the terminal. The process is not very complicated. You just have two to three commands that you need to type in, and that’s it, no additional configuration is needed. It’s going to auto-load without any problems. Go ahead and clear the screen, you see I’ve been doing some work there, and go ahead and navigate to your desktop. So, /root/Desktop/openVPN/. Let’s see what’s in there. No, I do not want that sort of listing, give me a detailed listing. The ls command has different forms of listings. I can say la, I’ve shown this in one of the first tutorials dealing with the Linux command line interface. So ls -l, and which one shall we choose? We have port 443 going over TCP, TCP port 80, UDP port 25,000, and UDP port 53. I’m going to go ahead with port 443. So type in openvpn --config vpnbook-de233-tcp443.ovpn, press ENTER, and it’s going to prompt you for a username. Don’t panic. The username is right on the website. See here you have a username. I’m going to go ahead and copy that, press Enter, and we also need the password. I can’t imagine why they added a password because it’s a public password for anyone to use.
Paste it here, press ENTER, and the connection is now going, it’s being routed, it should be established any moment now. I’m going to go ahead and close this site because I will want to reinitialize Firefox. There you go. Initialization sequence completed. Let’s see where I am. What is my IP? Your IP is 178.162.193.233, and apparently I am in Germany. I can assure you that I am NOT in Germany. That is definitely the IP of the VPN. But, this sort of configuration that we have done now will not withstand the DNS leak test, so we need to actually do some alterations there as well.
In order to protect against DNS leaks, we will need a new terminal, so go ahead and open it. Type in nano /etc/resolv.conf, press Enter, and there you go. Now this is generated by the network manager by default, and the nameserver is, well, this is basically your home router IP address in the LAN. This is not a public IP address, this is the one in the LAN that you use to access the router from the LAN. We don’t want our computer to use our ISP’s DNS servers, so let’s just comment that out. The way this works is your DNS requests are forwarded here to this nameserver, this is basically the IP address of your router, and then your router forwards them to your ISP provider. This in turn records all of your traffic, and this can eventually be used in order to reveal your physical location, which is something we want to avoid. So instead of using the DNS server of your ISP provider, what you want to do is go ahead and type opendns in your browser. I can’t do a DNS test like this because I will show you my IP address, but I assure you that this will not pass. So, where is it? For business, personal, partners, yes, there we go. Go ahead and scroll down and click on DNS, wait for it to open. So on the right side of the page you can see that you have these IP addresses. We have 208.67.222.222, so just go ahead and copy that. This is OpenDNS which is one of the fastest, safest DNS services on the planet. They’re very nice to use. Other than that, you also have Google’s DNS servers which are 8.8.8.8 and 8.8.4.4, if I’m not mistaken. Type nameserver, space, paste, and now I want another one. Type nameserver, space, and I would like to also have this one as well. Now the reason why you are using two IP addresses and not one is because you want to have a fallback. So if this fails, if for whatever reason this server appears to be down, or if your packets fail to reach it, you don’t want your web browser telling you that the connection can’t be established.
Instead, you want it to fall back to this one, and then attempt here, and in all likelihood it’s going to pass. Control + O to save it, and Control + X to exit. Do not restart your network manager because it will preload the file once again, and you will again be stuck with the DNS servers of your ISP provider. So let’s just go ahead and see what our DNS leak test says, so check for DNS leak. We’re going to do a standard test. You see the IP address is still shown here. It’s telling me that I’m from Germany, but I’m not. Let’s do a standard test and see what happens here. It says hostname, you see ISP, which we can conclude from the hostname as well, and we have the IP addresses here. Let’s take a look at the ISP here. It says ISP OpenDNS, OpenDNS, OpenDNS. The ISP provider from my own country has not been revealed here, it has been hidden. If I didn’t do this I would definitely have a DNS leak here.
Anyway, that is how to protect yourselves, that is how to establish a tunnel, something of the kind. I strongly encourage you to establish VPN connections from the terminal. You will have pre-configured files, and you can even do the configuration manually if you really feel like it. As I said before, you can also do it through the network manager, but I strongly advise against it. Network managers can differ from one system to another, so this is not really a universal way of doing it. Furthermore, you will encounter a large number of environments that won’t have a GUI, or you will be in an environment that has a GUI but you will not have the ability to use it. I advise you to become comfortable doing such configurations in the terminal. If you really want to do it through the network manager, and if you can’t do it on your own, there are a lot of instructions on the net. If you don’t feel like going through forums, feel free to ask in the questions section, and I will be more than happy to help you out, depending on which network manager you are using. In any case, I bid you farewell, I thank you for watching, and I’ll see you next time.
Hello everybody and welcome to this tutorial. Today, I am going to introduce you to VPNs, or virtual private networks, and how you can actually connect to them.
If you try to connect to one here, open up your VPN connections here and say configure VPN, you will see that all of the options are unavailable. You will get an error message saying, no VPN plug-in available. Please install one to enable this button. First, we will need an internet connection in order to install these plugins, and if you are on an unsafe connection, or something like that, I would definitely not recommend doing this. Instead, do it from your home network. Install all of the plugins, do all of the necessary prep work, and then you can connect to the VPN of your choice through some other network. In any case, just go ahead and close the network manager. If I hover my mouse over it, it says wired network device not managed. This can present a bit of a problem, so let’s just go ahead and solve that. It’s a relatively easy fix. Go ahead and type in nano /etc/NetworkManager/, with a capital N, and, again, NetworkManager.conf. This is the configuration file for our network manager, and you see here it says managed=false. Let’s replace this with true, and that’s going to be it. Ctrl + O to save it, Ctrl + X to exit. You will need to restart the network manager in order to apply the updated configuration. So, just type in service network-manager restart. Linux is case sensitive. So, for example, touch test and Test, and if I created these two files they would be completely different. I felt like I should mention that somewhere here as it can be useful, and there we go, it says Wired Network Ifupdown (eth0). Now the interface is managed, so this should work now. Let’s just go ahead and clear the screen.
I have a small file here, it’s basically a list of commands for things that we need to install. I figured it would save some time by writing them down here, and not writing them manually during the tutorial. We’re going to need a few additional plugins for our network manager. What we will need is OpenVPN and PPTP, but I’m just going to go ahead and install the rest as well. So let’s just add the -y so we are not prompted with any questions during the setup process. I could actually do one more thing, so let’s see if we can have them all done in one line. So type in apt-get install, and we can just copy these package names. The number of -y flags that I’ve passed there was unnecessary, but perhaps if I had done it in a different way it would have made a difference. I can pass one -y at the end of this long command because I’m just going to list the packages that I wish to install, and it should work without any problems. So, what is the last one? I need network manager vpnc as well, so let’s just go ahead and paste that here. The last one is the gnome extension, of course, for the GUI. Paste it, pass -y at the end, press ENTER, and there we go. It’s going to proceed with the installation. There are going to be a lot of new packages installed. They’re pretty small as they are plugins, so they shouldn’t actually take too much of your hard-disk space, or anything like that. The installation process is fairly fast, this will not take a lot of our time, but you see at the end it actually, well not at the end, but it is restarting the network manager. I will perform an additional restart at the end to confirm that everything is up-to-date. Actually, it did it by default which is very nice. So, just by stopping and starting the network manager, it’s actually loading up the new configuration, and it seems to be working just fine.
So we no longer need this set of commands. As you saw, you don’t need to actually use every one of these individually. You can just issue one apt-get install command, and then type in all of the packages that you wish. So let’s just go ahead and minimize this, as I’m not going to need it now, and I can click on add. When I click on add, I will get a list of possible VPN connections that I can use here. I’m just going to stop the tutorial here. In the next one we will have a lot of work to do. We need to go onto a website, find a suitable VPN, and test them out. See how good they are, and see what sort of IP addresses we can actually get from them. In any case, I bid you farewell, and I hope to see you in part 2.
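The NetworkManager.conf edit and the plugin install from this part, scripted, as an added example that is not part of the tutorial: the key change is made only inside the [ifupdown] section (a plain sed over the whole file would also rewrite a managed= key in any other section), the key is added if the section lacks it, and the section is appended if missing. The package names are the Debian/Kali ones for the plugins named in the text (network-manager-openvpn, -pptp, -vpnc and their -gnome counterparts); the config content is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the tutorial): set managed=true in the [ifupdown]
# section of NetworkManager.conf without touching other sections.

# Read an INI-style config on stdin; write it with KEY=VALUE set inside
# [SECTION]. A missing key is added at the end of the section; a missing
# section is appended at the end of the file.
set_ini_key() {
    section="$1" key="$2" value="$3"
    awk -v sec="$section" -v key="$key" -v val="$value" '
        function emit_missing() { if (in_sec && !done) { print key "=" val; done = 1 } }
        BEGIN { hdr = "[" sec "]"; kre = "^[ \t]*" key "[ \t]*=" }
        /^\[/ { emit_missing(); in_sec = ($0 == hdr) }
        in_sec && $0 ~ kre { print key "=" val; done = 1; next }
        { print }
        END { emit_missing(); if (!done) { print hdr; print key "=" val } }'
}

# The plugins installed in one apt-get call (needs root; not run by the test).
install_vpn_plugins() {
    apt-get install -y network-manager-openvpn network-manager-openvpn-gnome \
        network-manager-pptp network-manager-pptp-gnome \
        network-manager-vpnc network-manager-vpnc-gnome
}

# Apply to the real file and restart the manager (needs root; not run by the test).
apply_managed() {
    conf=/etc/NetworkManager/NetworkManager.conf
    set_ini_key ifupdown managed true < "$conf" > "$conf.new" &&
        mv "$conf.new" "$conf" &&
        service network-manager restart
}

# Constructed config in the shape the tutorial edits by hand.
SAMPLE_NM_CONF='[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=false'

printf '%s\n' "$SAMPLE_NM_CONF" | set_ini_key ifupdown managed true
```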
Hello everybody and welcome to this tutorial. Today, we will be importing custom chains of proxies. Now I have done literally no prep work for this, deliberately, because I want to see if I encounter any problems by doing this the first time around on Kali Linux. If I happen to come across any problems, I want to resolve them here together with you because chances are that you will encounter them as well. But, I don’t predict any unsolvable problems here, this should be fairly straightforward.
Let’s just go and type in free socks5 proxies and see if we can find any for ourselves. So, here we have Socks proxies – free socks5 and socks4 proxy lists. Let’s see what this website has to offer. So we have a lot of things here that we can use anonymously. I suppose they all claim that they’re anonymous, but that’s very questionable. Generally, you want to be using proxies in countries that have a good reputation for not sharing your private browsing information. So, the countries that do have a good reputation with that, well China doesn’t share much with anybody else. Russia doesn’t share much data either. If they have the Netherlands here that would be awesome, because the Netherlands have fantastic privacy policies in terms of information, in terms of personal user information, and Germany is also not bad. Those are some of the countries which you can use that are fantastic in terms of privacy. They will not share your traffic with pretty much anyone, or so they claim. Who will you trust? That is completely up to you. Again, it doesn’t really matter that much for the sake of this tutorial series, because all of the work that we will be doing here is white hat, and all of it is legal. So, you can use any of these to simulate a real attack. Even if you can reverse tracks and find yourself it’s still okay, as long as you are using some sort of a proxy to give real-time circumstances, and encounter real-time problems. Also, to circumvent firewalls and so on, if you want to use Netflix, or something like that, you will need a proxy in the United States. However, a proxy wouldn’t suffice due to the slow speeds, rather you will need a VPN.
Anyway, without further ado, you have the IP address here which we will need, you have a port number here, we won’t need this, we will need this, and we will need a version. Let’s see if there are any proxies from the Netherlands. No, the Netherlands is not even listed here. Let’s go ahead and select the first five from the list. So I need to copy this, open up my terminal, and let’s arrange the windows to make copy/pasting convenient. There we go. Let’s grab the Firefox browser and just expand it accordingly. So I now have all of the information that I need. I have the port number, version, and the IP address. Let me clear the terminal, nano /etc/proxychains.conf, make sure that dynamic chain is selected and everything else is commented out. Go ahead and scroll down to the bottom, and let’s get started. Now we need to specify our proxies. Anything special that we need to know here? No. Type in the type, host, port, and user values; nope, it doesn’t specify anything special. Let’s go ahead and type in socks5. Let me confirm that this first one is socks5, yep, it is socks5, and paste the IP address. Let’s just go ahead and add tabs here to be on the safe side, so that it is all neatly done and sorted. So, it’s 33169, press ENTER, so socks5, tab, what is the next one? The next one is 9480. Paste it, tab, and the port number is 1080. Let’s add the next one, no, this one is actually socks4, and the next one is actually socks5. As you can see, it’s a fairly simple process. I mean, there’s nothing really special that you need to do here, just create a list of proxies which we will end up using. I can assure you that most likely half of these proxies do not work. Not because I can see some information here on the screen that you can’t, but because I have experience with such proxies, and they generally do not tend to work. But, enough of them work for you to be able to anonymize yourself to a good extent. So the next one is 1806, and 0. Make sure you get the ports right.
If you put in the wrong port your connections will be dropped by default for that IP address, and you’ll think that the proxy is malfunctioning when it’s not. It’s just you typing in the wrong port. So, again, we have socks5 and an IP address here. What is the port number? 1080 again. You will see that some port numbers have been standardized, and they just repeat, so you don’t need to do that much thinking there. Press Enter. Now I can save the file, excellent! Okay, so, let’s exit nano.
Let’s go ahead and expand our beloved terminal, the holy grail of power, and type in pretty much the same thing as we typed in the previous tutorials, proxychains Firefox www.duckduckgo.com. Keep in mind you can type in any URL here, and as long as it’s valid it will open it. So let’s just go ahead and see what happens. Press Enter… nothing, literally nothing. What happened? It didn’t start proxychains. Why not? Well, you need to close the browser first, and we unfortunately had this list open that continuously keeps changing as well. That’s a problem, because you cannot have Firefox open and then start it again through proxychains. You need to close it completely, make sure that it is completely closed, I can see nothing in my taskbar down there, and let’s try again. Same thing. See, now it’s taking a bit longer. As soon as you see that something flies through with proxychains, you know that something is wrong, because there is no way it’s going to be fast. So what have we got here? Timed out, timed out, again we have timeouts, and it’s a dynamic chain so it’s trying to go through all of them, but it’s skipping those that are not functional. When I was first getting started I was like, I’m going to use 50 proxies, and I’m going to be completely anonymous. No, I wasn’t even able to load the most basic of sites, or issue even the most basic of requests with that. You need to keep it low, in terms of proxies, depending on their speed. So, hopefully one of them is going to pass, and one of them is going to work. This is one way of troubleshooting; another way is just looking at the screen and seeing what’s happening here. So, I’m just waiting for at least one of them, yes, there we go. One of them said OK, but it needs to go through and try all of the other proxies in our chain. Hopefully, it’s not going to take too much time. So we have all of these timeouts, and only one of them was confirmed as being functional. Which proxy was okay?
DNS response duckduckgo.com, there we go. It should be open now, no it is not. This was just a DNS response. Okay, it’s formulating a request again through a different series of proxies. Come on, please succeed… excellent! This one didn’t succeed, well, now it has. The DNS response is that duckduckgo.com is 50.18.192.250. Has it opened? No, it has not. Okay, we must wait a bit longer, and this is the sad reality of using free proxies. If I had confirmed that these proxies were functional prior to recording this tutorial it would have made this much simpler, but I just wanted to make a point here and show you that you’re not going to get very far using a lot of free proxies. Imagine scanning a hundred hosts using proxychains like this, when this is the amount of time that it takes to even load a basic web site. Imagine how long a scan would take. It would take practically forever. Okay, finally it is requesting information on port 443. As you can see, all of the above communication was attempting to get a response from a DNS server. This is how much information has been processed before we even started to load duckduckgo.com. As you can see by the port numbers, it’s 53, and 53 is our DNS port. If we go down below, you can see that finally I’m looking for port 443 somewhere around here. I swear I saw it a moment ago. 1080, that’s a proxy port, this is a proxy port as well, 53 again, the DNS resolution port, yes, there we go, 443 has begun here. It’s still loading it. I wonder if it has opened it? Yes, there we go. It is up and running, and the site is functional, but it has taken us a lot of time to open it using free proxies. I would recommend sticking to two or three at most and it should work, and stick with the ones that have the best grades, reviews, and so on. Stick with the ones that have the greatest up-time as well. In any case, I bid you farewell, and I hope to see you in the next tutorial.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
Hello everybody and welcome to this tutorial. I’m just going to pick up from where I left off in the previous one.
As I said before, you have a type of proxy here, and you always want to be using socks5. You don’t want to be using HTTP because it isn’t a very secure protocol, and socks4 doesn’t support very many options. Anyway, this is the IP address of the proxy server, we will enter a few of them manually later on, and this here is the port number on which the proxy server is listening, the port that is open. Over here, these two words are what some proxy servers, especially paid ones, will always have: a username and a password. You can type them here in plain text, unfortunately, but it is assumed that only you, and you alone, have access to this computer. Besides, not everyone can read this file. So if you type in the username and password here, you will gain access to a certain proxy that you have chosen. These are just examples. We won’t actually be using these proxies. We need to go down below, and here is the end of the file. So if I press ENTER a couple of times, there we go. There is only one proxy active at the moment, it’s socks4, and all traffic is being routed through there. Now tor by default listens on this port, and our connections will be going through tor now, but just in case I want to add socks5, and you should really do this: socks5, press tab, and type in exactly the same IP address. By the way, this 127.0.0.1 is the loopback address of your computer. This is for communication within the device itself. If you ping this address, you’re pinging yourself, basically, and usually people ping this address in order to make sure that the IP protocol is set up correctly. So, let’s just type in 127.0.0.1, same port number, space here, no tabs, 9050. There we go. Press Ctrl + O to save the file, press ENTER, and by the way you don’t need to use nano to edit this file. You can also use vi or some other text editor in order to edit it. I like using nano. It’s practical and it’s fairly simple. It’s much simpler than vi.
I know how to use VI as well but it’s a bit more complicated, so I prefer to keep it out of the tutorials. Anyway, press Ctrl + O to save. It doesn’t hurt to save the file as many times as you like, and then press Ctrl + X to exit. There we go. Now we have the file saved. Clear the screen. You always want to make sure that you are working in a very neat environment. Then go ahead and type in service tor status to see if tor is running. Tor is not running so it gives you an answer, and what we want is to start tor up. So service tor start, press ENTER, there we go. Now the tor service has started, and it is up and running.
So the next thing that we need to do is use proxychains in combination with tor, and in combination with our internet browser, in order to be able to access a third party and verify that all of it is working properly, and that we are anonymous. A lot of people do the configuration, and they type in service tor start, and that’s it. They don’t verify these settings. They start to scan and what happens? Of course, they get detected because they most likely misconfigured something. What you want to do is go ahead and type in proxychains, so proxychains. Remember, we do not want to browse the Internet as a root user. We’re just going to use it to verify our proxychains settings, and then I’m going to close the web browser. So, I’m only using it for that purpose. We will use proxychains later on for a different purpose, for scanning, and so on and so forth, and then we can use it as root. But, it’s not a good idea for web browsing, for security reasons. Anyway, proxychains and then type in Firefox, or you can type in your preferred web browser. I think Firefox works the best with proxychains since that is the default browser of Kali Linux. Even though it says Iceweasel, it’s Firefox, trust me. So type in proxychains Firefox, and we can type in the web site that we wish to visit. So, let’s just type in www.duckduckgo.com. Now DuckDuckGo is a search engine that also helps to anonymize you. You will have a far greater extent of anonymity than you do when using Google, or an equivalent popular search engine, as they record your traffic, they record your IP addresses, and that can be problematic in itself, especially when you’re doing some sort of footprinting. You do not want to be recorded anywhere. Anyway, let’s just go ahead and press Enter, and the web browser is loading. You can see that the loading time is definitely not the fastest, it’s a bit slow, but it has loaded it up.
We will just go back to our terminal and see, excellent, so you see that the link has been established here. There are some problems as it says denied somewhere, but that’s OK. You’re bound to encounter errors here, especially when you’re using custom chains. You will see that there will be more error messages than there will be OK messages. But, believe it or not, the connection still manages to pass through somehow and still manages to function in spite of that. Anyway, I’ll just go back and open up our web browser once again, and just type in check for DNS leaks, and press Enter. Okay, so DNS leak test, excellent! Let’s go ahead and click on this one and see what happens. Hello, this is my public IP address now, 217.13.197.5, and it says that I am from Germany. I assure you that I am not from Germany. If you wish to verify all of this you can open up a new terminal and type in service tor stop, and then open up your regular web browser without the proxychains command, do the same test again, and you will see that you will get a completely different IP address, which will be your real IP address. Anyway, it says hello, this is me from Germany. I’m going to perform a standard test, I’m not going to do an extended test, it’s the same thing for the most part. This one does more rounds but you get the same information, more or less. So it goes query one, excellent! This is my DNS, this is my ISP. So look, this is what they have concluded in regards to my DNS: it’s Level 3 Communications, and it says the country is the United States. This makes no sense whatsoever, so I am anonymous now. I can’t be detected, which is a very good thing to have indeed.
This IP address will change from time to time. Let me just copy it, and I am going to go ahead and show you that it actually does change. So, Accessories, I’m pretty sure there is a text editor here, excellent! So I’m just going to paste this IP address, and now what I’m going to do is go ahead and close this browser. I don’t need this, so service tor stop, it’s stopping it, service tor start, it’s starting it. So, you don’t need to actually write start/stop, you can also do service tor restart, and it’s going to do the whole process for you. So you can save a little bit of time there. Let’s just repeat the process. I’m going to go ahead and type in proxychains Firefox, and I will request the same search engine as well. Will it open? Now don’t be discouraged if it doesn’t open straight away. If it says you don’t have connectivity, or the website is not available, just try typing in the service tor restart command a couple of times until you get it. Sometimes certain IP addresses are blocked and you need to be assigned one that is not, so don’t immediately jump to a conclusion. Just try restarting it a couple of times and you will resolve the problem. A different IP address will be assigned to you each time. Anyway, let’s just go ahead and type in check for DNS leaks, press Enter, and here we go. I’m just going to use the same website, dnsleaktest.com, that’s the name of it, excellent! So you see now I don’t even need to compare the IP, obviously it’s different. So this one is 217.13, this one is 91.109, so a completely different IP address here, and from a completely different place. Now it says that I am from the United Kingdom, apparently somewhere in London. I’ll go ahead and issue a standard test to see what sort of resolutions I get here. This might take a while, that’s why I’m doing the standard test, this one was a bit slower. It depends on how far away the servers are. I suppose I’m a bit closer to Germany than I am to the United Kingdom.
I suppose this depends on the speed of the servers as well. Anyway, you can see my DNS resolutions here, it’s Level 3 Communications again. Yeah, I am completely anonymous with this. I am unlikely to be detected by pretty much anything.
If you wanted to, for example, use proxychains with nmap, I’m not going to go into great detail now, I will show you this when we get to the nmap section, but before we do we can see some verbose output here on how this is actually functioning. So, there are certain domains which are being contacted, you can see pretty much everything that is going on here. It isn’t a bad idea to sometimes go through this sort of information, especially if you do not have connectivity, or if you wish to better understand exactly where your traffic is going, where it is passing through, and how it is bouncing around. Anyway, let’s just go ahead and clear the screen and use, let’s say, proxychains nmap, and this is all that you would need to do in order to route all of nmap’s traffic through proxychains. This is pretty much true for any application. Just invoke the application as you would, so a normal nmap invocation would be nmap, and then some IP address here, and then a port number here, and some arguments as well to go along with it. But instead of just typing it like that, you can put proxychains in front of it and hide yourself. How would you invoke a browser on a regular basis? You would type in Firefox, press enter, and that would of course open up a Firefox browser. So, any application that you can start through your terminal, and you can start all of them through your terminal, just type in proxychains in front of it, and all the network traffic generated by that application will be routed through proxychains. Now will it use a preset list of proxies or will it use tor? That is up to how you have configured it. There will be a part three to this chapter. I will show you how you can import custom chains of proxies, and how you can use those proxies to access things on the net, or to hide your activity behind them. In any case, I bid you farewell, and I thank you for watching.
Hello everybody and welcome to this tutorial. Today, I will be talking about how you can configure proxychains to work in combination with tor in order to anonymize traffic. Not only web browsing traffic, but rather all network related traffic generated by pretty much all of your applications. Now there are a few applications which will not work in combination with proxychains. Namely, one such application is Metasploit. Now Metasploit is practically a hacking framework, and it is of crucial importance for pretty much any sort of hacking activity in today’s world. It allows automated generation of the code needed to break certain systems, and it also contains a list of vulnerabilities. However, what I want to do here today is show you how you can anonymize pretty much all footprinting traffic, or traffic generated by nmap when you’re gathering information, or even when you are web browsing, and how you can cover your tracks in general.
One of the first things that you do need to do is download tor and proxychains; in Kali Linux they come pre-installed. You may need to install these two software packages on other systems. Tor can be difficult. I have seen systems where tor is not installed by default, and I have shown in the previous tutorial how to install tor without any problems. What we will need to do here on Kali Linux is simply configure the software, and not install anything. So, let’s just navigate over to the proxychains configuration file in /etc, nano /etc/proxychains.conf, press ENTER, and there we go, we are in the configuration file. What is proxychains? Well, it gives you the ability to route your traffic through a series of proxy servers and stay anonymous by hiding behind them, or by having them forward your requests so that it looks as if your requests are coming from them, as opposed to from you. Surprisingly enough, there is a large number of free proxy servers available that you can use, but they’re not very stable, they tend to go up and down, and they’re not very fast. So, for specific targets they can be useful, but not for any form of brute forcing attack. If you are doing something to a certain target, if you’re trying to log in or you’re already logged in, you can definitely do it through proxychains, and it will be reasonably fast and stable. If you’re performing some sort of mass scanning, or you’re brute forcing a password, proxychains with a list of free proxies selected from the internet will not be very stable. I mean, it’s going to work eventually in a technical sense, but it will consume more time than you can spare. And by more time than you can spare, I mean a month or two to do a simple scan. For the time being, I want to show you how to use proxychains, how to configure them, because they are really useful. I use them fairly often, many people do, and it’s a fantastic piece of software.
First off, you have different types of proxies here which you can use. You have HTTP, socks4, and socks5. Now there are fundamental differences between these protocols. You always want to find yourselves a socks5 proxy, as that is the most advanced protocol, and it has the ability to anonymize all sorts of traffic. HTTP, well, as the name itself says, it’s for HTTP traffic, and socks4 is very similar to socks5 but it does not support the IPv6 protocol, and it does not support the UDP protocol. So, socks4 can be rather problematic. You always want to make sure that you’re using socks5 whenever possible. Anyway, down below you have these options which we will go over. To enable these options you don’t need to type in any complex lines of code, or anything of the kind, you just delete the hash and that’s it. Save the file, and the option is enabled. This hash marks a commented-out line, meaning that the program reading this file will ignore it if there is a hash. If there isn’t a hash it will take it into consideration and interpret it accordingly. Anyway, what we have here are statements which allow us to specify how we want our traffic to be routed. So, first off, we have dynamic chain. Dynamic chain is the option which you will find people using the most. It is the most commonly used option, a preferable one, and I honestly think it’s the best one because it’s the most stable one. Here’s why. Suppose you have proxies A, B, C and D, so those are some servers with IP addresses with open ports. If you have a strict chain policy like we have here, you will only be able to access any site by going through A, B, C and D. So, you have to go through all of them, and you have to go through them in that specific order, A, B, C, D. I am sure you can already see how that could present problems. I mean, if you’re paying for five proxies that’s not a problem because they will always be operational, they will always be up. That’s not a bad option at all.
However, most people use free proxies, and they don’t tend to pay for them. Why would you pay for 5-10 proxies for a simple scan? They’re not free, they cost money, they’re not that expensive either, but still, the act of paying itself identifies you, and it diminishes the amount of anonymity you have on the net. There are some complex payment methods which you can use to anonymize yourself, such as cryptocurrency, but still, it’s far simpler to use dynamic chains. So I’m going to go ahead and un-comment this line. Strict chains will no longer be used. I will be using dynamic chains. One more thing to note here is that if you want to use proxychains in combination with tor, so if you want to route all of your traffic through the Tor network, not just web traffic, you must enable dynamic chains. I mean there is a chance that it will work with strict chains, but due to the instability of tor nodes it is highly unlikely. Anyway, if you are using dynamic chains it gives you the ability to go from A, B, C and D to your desired destination without having to adhere to any order. So let’s say that C is down. You would go through A, B and D and it would work without any problems. If B was down you would go through A and D, and you would still reach your destination. So, as long as one single proxy is functional it’s going to work, and it doesn’t require a specific order.
Down below you have random chain. Now random chains are, in effect, basically the same thing as restarting your services. If you’re restarting tor you will be assigned a new IP address, I mean tor assigns you a new IP address every 10 minutes or so, but with the random chain option you can specify a list of IPs. And then you can tell your computer, OK, I want you to connect to this point, and every time you connect, every time you transmit a packet, I want you to use a different proxy. We can do that as well, that’s definitely a viable option. You can say, OK, use this one five times and then change it to another one, or something like that. There are a lot of options to specify here, primarily the chain length. If we go ahead down below there’s the quiet mode, and you don’t really need that. Proxy DNS requests – no leak for DNS data, this is very important. You cannot have any DNS leaks. Let me explain to you what DNS leaks are. Even though somebody cannot get your particular IP address, they can get the IP address of the DNS server that you are using. What DNS servers do is resolve domains to IP addresses, and vice-versa. So, for example, if you typed in youtube.com, your local ISP’s DNS server will resolve that into some sort of an IP address that YouTube has, and it will make a request. You do not want that happening because your local DNS server will be discovered, and that information can be used in order to figure out your personal IP address, and then your physical location is pretty much compromised. You definitely need proxy DNS here. It might slow you down a bit, but without it you won’t be anonymous. It is just a matter of time before somebody finds you. If you go down below we have some other options here, but we’re not really interested in them at the moment. What we have here are formats for entering proxies, and I’m going to leave it at that. We will cover the rest in the follow-up tutorial.
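The proxychains.conf layout described in this part and in the two parts above (one chain mode uncommented, proxy_dns enabled, the tor entry on 127.0.0.1:9050, and `type host port [user pass]` lines in the proxy list), as an added Python example that is not code from the course or from the proxychains project. It parses a constructed excerpt of the file, reports entries proxychains could not use (for instance a port typed outside 1-65535, the kind of typo that makes a working proxy look dead), flags the mistakes discussed in these tutorials (no chain mode or more than one enabled, proxy_dns commented out, non-socks5 proxies, credentials in plain text), and models which hops a connection would traverse under dynamic, strict and random chain given a constructed set of reachable proxies. The addresses are documentation ranges, the sample file and the reachable set are constructed, and the rule "a missing chain_len means use every live hop" is an assumption of this model, not verified proxychains behaviour.

```python
"""Parse and sanity-check a proxychains.conf file.

Added example for this tutorial, not code from the course or the proxychains
project. SAMPLE_CONF is a constructed excerpt; its proxy addresses are
documentation ranges (RFC 5737), not real servers.
"""
import ipaddress
import random

SAMPLE_CONF = """\
dynamic_chain
#strict_chain
#random_chain
#chain_len = 2
proxy_dns
tcp_read_time_out 15000
[ProxyList]
socks5  127.0.0.1     9050                  # tor's local SOCKS listener
socks5  198.51.100.7  1080
socks5  203.0.113.42  33169
http    192.0.2.9     8080
socks5  198.51.100.9  1080  alice  s3cret   # paid proxy: credentials in plain text
socks4  198.51.100.8  99999                 # typo: port outside 1-65535
"""

VALID_TYPES = {"http", "socks4", "socks5"}
CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain")


def parse_conf(text):
    """Return (options, proxies, problems): global options, the usable
    (type, ip, port, user, password) entries, and findings about bad ones."""
    options, proxies, problems = {}, [], []
    in_list = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
            continue
        if not in_list:                                # "chain_len = 2" or "proxy_dns"
            tokens = line.replace("=", " ").split()
            value = tokens[1] if len(tokens) > 1 else None
            options[tokens[0]] = int(value) if value and value.isdigit() else (value or True)
            continue
        parts = line.split()                           # type host port [user pass]
        if len(parts) not in (3, 5) or parts[0] not in VALID_TYPES:
            problems.append(f"line {lineno}: expected 'type host port [user pass]' with a known type")
            continue
        ptype, host, port = parts[:3]
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"line {lineno}: {host!r} is not an IP address")
            continue
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"line {lineno}: port {port!r} is not in 1-65535")
            continue
        user, password = (parts[3], parts[4]) if len(parts) == 5 else (None, None)
        proxies.append((ptype, host, int(port), user, password))
    return options, proxies, problems


def audit(options, proxies):
    """Flag the configuration mistakes the tutorial warns about."""
    findings = []
    modes = [m for m in CHAIN_MODES if options.get(m)]
    if len(modes) != 1:
        findings.append(f"exactly one chain mode should be uncommented, found {modes}")
    if not options.get("proxy_dns"):
        findings.append("proxy_dns is not enabled: name lookups bypass the chain (DNS leak)")
    for ptype, host, port, user, _ in proxies:
        if ptype != "socks5":
            findings.append(f"{host}:{port} is {ptype}, not socks5 (no UDP/IPv6, or HTTP only)")
        if user is not None:
            findings.append(f"{host}:{port} stores credentials in plain text; restrict file permissions")
    return findings


def effective_chain(options, proxies, reachable, rng=random):
    """Hops a connection would traverse, given the set of reachable (type, ip, port),
    following the config file's description of the three modes. Assumption for
    this model only: a missing chain_len means 'use every live hop'."""
    hops = [(t, h, p) for t, h, p, _, _ in proxies]
    live = [hop for hop in hops if hop in reachable]
    if options.get("strict_chain"):                    # all hops, in order, or nothing
        return hops if len(live) == len(hops) else None
    if options.get("random_chain"):                    # chain_len live hops, random order
        n = options.get("chain_len", len(live))
        return rng.sample(live, min(n, len(live))) if live else None
    return live or None                                # dynamic_chain: live hops, in order
```

Running `parse_conf(SAMPLE_CONF)` followed by `audit(...)` on a freshly edited file is a quick way to catch exactly the two errors the tutorials describe: a mistyped port that silently makes a proxy unusable, and a forgotten proxy_dns line that leaks resolver queries outside the chain. `effective_chain` with a set of hops you have confirmed reachable shows why dynamic chain keeps working when half of a free list is dead while strict chain returns nothing at all.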
But, just a key note before you go onto the next tutorial, have a look at these. You don’t need to go on the internet and read anything about it, just have a look at the format here, how they are written. This is an example of proxychains and how you can write them down. So you have a type of proxy, you have an IP address, figure out what this number is, what this name is, and what this word here is. I will of course explain all of this in the next tutorial, but just try to figure it out on your own. It’s pretty simple. In any case, I bid you farewell, and I’ll see you in the next tutorial.