Posted on 1 Comment

Learn Ethical Hacking Episode #24: Footprinting with Nmap (Part 1)

 

If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!

https://josephdelgadillo.com/ethical-hacking/

Below is a list of the courses included in the bundle:

The Complete Ethical Hacking Course for 2018!
http://bit.ly/2leW0j4
Certified Ethical Hacker Boot Camp for 2018!
http://bit.ly/2yKbler
The Complete Ethical Hacker Course: Beginner to Advanced!
http://bit.ly/2i3kirq
Build an Advanced Keylogger for Ethical Hacking!
http://bit.ly/2yMl3gI

Hello everybody and welcome to this tutorial. Today, I will start a chapter on footprinting. So, I have explained what the act of footprinting is before, but now we will actually go ahead and conduct a few scans to see how it all works, and introduce you to the tools that we will be using.

First off, we need to find ourselves a target to scan. I could scan myself, but that would not be realistic because I already know what the results are going to be. Plus, it would not be a long range scan over the internet, I would be scanning within my own local area network. So, the speed of the scan would not be realistic as it would be a lot faster than when you conduct the scan over the net. So, what I did was I went online, and you can do the same, and on the official nmap website they have a section devoted to actually allowing people to scan them to test their tool out. Here is the written permission that you can actually scan this website. You can scan it to test out the nmap tool, a few scans a day here is fine, but do not scan it a hundred times a day, or use this to test your SSH brute force password cracking tools, etc. So, that’s definitely something you don’t want to do, but you can run a few scans on this site per day and according to them that’s perfectly fine. You are not breaking any laws. I’m just emphasizing one more time that you do have a written permission right here on the site, which is fantastic because it gives us an opportunity to actually simulate real time circumstances to see how nmap behaves.

Now nmap is an essential tool for pretty much any pentester out there. Many people will say that it’s pointless to port scan, it doesn’t do you much good, and so on and so forth. Well, perhaps in terms of exploiting the services running on the port themselves it doesn’t do you that much good, but just by seeing which ports are open and which ports are closed you can, to a fairly good extent, determine which operating system, or which platform, is being used on the other side, and then you can find weaknesses of that platform. Of course, there are some other ways of doing this, I will show them to you, but let me show you how nmap works. Nmap is known to trigger quite a few alarms, quite a lot of firewall red flags, and you want to make sure that your nmap scans are as discreet as possible. Now there are tools to actually figure this out, but I will show you here how to do it using the Linux terminal. There is also something called zenmap. Zenmap is a graphical user interface of nmap, but we will not be using that. Instead, I want to teach you how to use it via terminal. So, nmap is the one most commonly used, and it is always used in the terminal text format. People rarely use the actual graphical user interface. In the previous chapter, we have also discussed how to stay anonymous, so at the end of the chapter I will be combining these things: scanning, footprinting, and anonymizing your scans. In any case, without further ado, let’s type in nmap –help, press ENTER, and there we go. There are a lot of options here, I mean a metric ton of options, way more options than we actually need for a basic scan. However, eventually, over time, you will come to understand that all of these options are available for a reason, there is a particular use case for each of them. So, what you need to do is scroll down to the bottom, and here you have examples of how nmap runs. So, 99% of the time you will type in nmap -v for verbose output. For this sort of activity, we will want as much information as possible. We can use -A to enable OS detection, version detection, script scanning, and traceroute. I don’t think we’re going to need that immediately. There is the -O function which is just for OS detection. Anyway, you can pass either scanme.nmap.org, which is basically the domain name and it will get resolved to an IP address, or you can actually pass it an IP address. If you’re wondering what this is, this is a mask. It would be very difficult to explain in great detail what this is, but for the time being know that this is actually an IP address range. It goes from a certain IP address, to a certain IP address, but you do not actually need to use this format. Not that many people actually use this particular format with the mask. They just tend to specify very specific ranges because they don’t have the permissions to scan the entire subnet. Instead, they have to create lists, and then skip certain IP addresses, and then continue again from a certain point. So, they do need to create lists, and that can be a problem.

Now up here, at the top, you have another very important option that’s going to come in handy, you have – iL, input file name. So you can actually create a list, in a file, a list of IP addresses, and then you can scan those particular IP addresses. They will also have an ability to do this, look at what’s written here. So just take a look at this segment and its 10.0, and then this segment here, this octet here is 0-255, and then the last octet is 1-255. If you’re wondering why I’m calling these things octets, it’s because each one of these has 8 bits, and it is represented in binary. So it can have 8 zeros, or 8 ones, or a combination of ones and zeros, but it has 8 bits, so 8 positions. That’s why they are referred to as octets. This is a very common form that people tend to use, and this is what you will find yourselves using. Either this, this will be a method in which you will specify the IP addresses, or you will be passing files. People will either create these files themselves, or they can find these IP addresses on the internet. So in addition to this site, https://nmap.org/, you also have this one here, https://www.nirsoft.net/countryip/. This is a fantastic website. The entire range of pretty much every IP address block is listed here, and it also lists who owns what. You can search and find and it’s going to give you the appropriate IP addresses for that particular country, and it’s going to give you the owner of those IP addresses. Usually it’s just telecoms, but you also have other people who own them as well. So I’ll just give it a shot. Let’s just type in Germany, or I don’t know, France. Okay, this is not the first search, but that’s not a problem. Actually, you can find it down here, and I’m not going type it in here. I could control + F France, there we go. Down here, just saving myself a bit of time there, and there we go. So, you have a range, this is a given range here, it’s from 2.0.0.0 to 215.255.255. This is a massive range. This is a humongous range. Look at how many IP addresses you can have in total, how many of them you can generate within this range. It’s quite a lot. This is owned by French Telecom. I don’t know why they need this many IP addresses. So, as I said, you can sort them out by the owner, and you can see that many of them are not listed here. Wow! France has a lot of IP addresses assigned to it. They’re not free, they cost money. Let’s just go ahead and see down below. Where is it? Where is it? OK, so you see all of these IP addresses, and this is a pretty massive range, so this is a telecom in France. Look at how many IP addresses, IP address ranges they have. So, that’s quite a lot, and this site, as I said previously, we can use to figure out which IP address range we wish to scan. Again, you usually do not have the permission to scan the entire range. You can scan certain IP addresses within that range for which you have a permission. This is a very nice site to determine where the IP address is from, or something like that. However, always remember, once you get an IP address your search engine is your best friend. This is one of the major components of footprinting. You can type in whois, and then type in an IP address, I don’t know I’m just going to type in this random IP address. So, if you don’t want to search for it here, you can have a look at it here. Whois 82.120.0.0? I don’t know if this search will be successful. There we go. So, I’ve typed in whois and I’ve picked the first website out that I could find, and here I have all the information in regards to that particular IP address. I have a country, I have the username of the admin, I suppose, I have the status, remarks, source, and I even have an address, a physical address, of the IP address, which is ridiculous. Yeah, as I said, search engines are your absolute best friends. If you want to find pretty much anything on the net in regards to an IP address, or to do any sort of research, make sure you utilize your favorite search engine.

So, those are the two tools that I wanted to introduce you to. Well, one tool, one website, and one search method which you can use in order to determine where an IP address is from, or whois using it, and even to determine its physical location. Although, it’s physical location can be assigned to a telecom, and that telecom can assign it to a city, and to a specific region in the city. Then you can find it on google maps, or on google earth, but usually those things are not that precise. What is precise, however, is that the IP address belongs to a telecom, and they keep rotating them in between cities. So, if you have let’s say a hundred thousand IP addresses that you have scanned, and if you wish to sort them out by the city, you will get 70-90% accuracy. This can be problematic because you’re going to miss out on some things. You also have something called nslookup. I’m going to use scanme.nmap.org. I have said I want to look up files on scanme.nmap.org, and this is my DNS server, which is basically my router. You see it says port 53. You know immediately that it’s a DNS because all DNS traffic runs on port 53. Then we have the results. So, this is the domain name, and you get the IP address down below. This is also one of the ways in which we can get the IP address off of the site with a domain. Once you know the domain you don’t actually know the IP address until you look it up, but there’s a far simpler method. You don’t need to use nmap. Oh, by the way, nslookup also works in reverse. So, type in nslookup, and you can type in the IP address, go ahead and press Enter. Down below are authoritative answers from the name servers. Basically, that means there are DNS servers and they are giving you responses, and telling you to whom the domain belongs to, and so on and so forth. What I want to show you here is that you can actually get a domain name by typing in nslookup, and then the IP address, and here where it says non authoritative answer you get the IP address, and then you get the name, which is the domain name. However, you might notice that there was a problem here, that this IP address does not match this one. Well, guess what? It actually does. Try looking at it in reverse. It’s 74, 74 here, 207, and 207 here, 244, and 244 here, and 221 here, and 221 here. When you do an nslookup, and when you pass in an IP address, it’s going to do a reverse lookup in the DNS MX records. It’s going to query the DNS servers, and the DNS servers are going to give it a response, but in the MX records this is basically how things are written. You write an IP address in reverse, and then you put this in, -addr.arpa, but this part really is not that interesting to us. This is more interesting to server admins who configure the DNS servers. We will get to DNS servers in the later stages of this course. What is important for you here is we’ve typed in an IP address, you’ve used the tool called nslookup, and you have gotten a domain name in return. Now you can start doing some other things as well, but we will be dealing primarily with nmap. Nmap is a tool used to scan networks and to retrieve information from them. What I’ve showed you in this video is some basic information, retrieval, and some basic external resources that you can use. In any case, I’ll see you in the second part of this nmap introduction, and there we’re going to actually conduct some scans and see how it all works. Thank you for watching and I hope to see you next time.

The remainder of the tutorial videos can be found in this YouTube playlist:

 

You can also enroll in the course and download the videos for offline viewing:

https://jtdigital.teachable.com/p/hacking-free/

Subscribe on YouTube – https://www.youtube.com/c/JosephDelgadillo?sub_confirmation=1

Follow on Steemit – https://steemit.com/@jo3potato

1 thought on “Learn Ethical Hacking Episode #24: Footprinting with Nmap (Part 1)

  1. Very nice post. I just stumbled upon your
    blog and wished to say that I’ve really enjoyed surfing around your blog posts.
    In any case I will be subscribing to your rss feed and I hope you write again very soon!

Comments are closed.