Posted on

Learn Ethical Hacking Episode #25: Footprinting with Nmap (Part 2)


If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!

Below is a list of the courses included in the bundle:

The Complete Ethical Hacking Course for 2018!
Certified Ethical Hacker Boot Camp for 2018!
The Complete Ethical Hacker Course: Beginner to Advanced!
Build an Advanced Keylogger for Ethical Hacking!

Hello everybody and welcome to this tutorial. Today, I will do some actual scanning, and for that I have picked a domain outside of my local area network. You can find this on the nmap official site, Feel free to this site as they have given the public permission, but do not abuse the privilege. A few scans per days is sufficient to learn how to use nmap.

So, I need to take this domain. You cannot use control + C or control + V in the terminal because control + C is the universal interrupt command, and control + V will simply not work. You will need to use a mouse and manually do it. In any case, we need to trim this down, we don’t need any of these things, we just want the main name to remain. I’m going to go ahead and type in nmap, space, and there we go. We’re going to scan this domain. However, if I just press ENTER like this, it’s going to conduct some scanning, it will do the job I assure you, but it will not give us any output whatsoever. This will be continuously empty until the scan is complete. For a short scan such as this, zero output in the terminal is fine, but if you’re conducting a scan that can last up to a day, it’s worrying to see that there is nothing here. You can’t be sure whether it’s working, if it is bugged, or what not, and that’s why it’s always better to pass the V option for verbose output. I have a personal preference to pass the VV option for extra verbose output. So, the system tells me pretty much everything that it is doing, and how it is functioning, and I can see it as it progresses, and I can see that some ports are open prior to the completion of the scan. I’ll just go ahead and begin the scan, and you can see immediately, before it finished the scan, it has told me that ports 22 and 80 are open. Now, by default, nmap will scan for 1,000 ports. You can tell it to scan for more ports. You can even tell it to scan for the maximum range of ports which is 65,535. Rarely anyone does this as it is time-consuming. Usually, you have an idea what sort of services you wish to target, and then you scan for the ports on which those services are likely to run. For example, port 22 would be SSH (secure shell), and port 25 is SMTP (simple mail transfer protocol). If you don’t know what that is it’s an email server. 80 would be HTTP (hypertext transfer protocol), and you have nping-echo on port 9929. The state of these ports is rather clear. So, it’s open, open, open, and you can also get a state to closed. It says here not shown, 996 ports closed. When it says filtered, well, usually there’s a firewall setting which is dropping the packets. It may not be closing the board perhaps, but it’s definitely doing something to the packets that are coming through that port. It’s perhaps blocking them from a certain IP, or something of a kind, there can be a lot of options here. In any case, the general meaning of this filtered flag here is that nmap can not determine whether the port is open or closed. Usually, you want to stay away from those ports, or you can do some extra research and find out how you can access them. They may require a particular app, or a particular protocol, to be accessed, and that’s why nmap cannot scan it properly. That can be a bit problematic. Stick to the open ports and see what you can do with the them. Now, nmap also has an option to create a graphical output. Basically, you can dump your results here into a file, you can store it, and sort it as well. You then gain the ability to extract separate bits and pieces of information. For example, if you simply want the IP addresses of hosts that are up, or you want the IP addresses of hosts that have port 22 open or filtered, or that are running a certain service like SSH, or SMTP, or HTTP, etc. However, I won’t be doing that for I believe I have used their system enough, and for this example I require a range of IP addresses to give you a meaningful result.

What I’m going to do now is scan my local subnet. If you don’t know what yours is, well, it’s most likely configured as mine is. If it’s not, just type in…let’s just clear the screen first. Type in ifconfig and you will get a result here for eth0, or for whatever interface you are using. Just take a look at this IP address that has been assigned to this interface. So, the lowest and the maximum value of the final octet here, or the first octet here, will be the range of your local subnet. So from 0 to 255. Let me just show you what that looks like in case you did not understand here. Type in nmap, and then for a graphical output we need -oG, – and then we need to give it a range of IP addresses. So, – 255. So, it’s going to scan for all of the IP addresses that have this, and that go from 0 to 255. Now keep in mind that I can customize the range anyway I want. For example, here where it says 1, I can type in – 67. So, it’s going to use these, it’s going to use this octet, and this octet in combination, and it’s going to scan for all possibilities, although that might take a lot of time because that’s a lot of IP addresses. Anyway, I’m not done just yet. What I need to do is actually cause a redirect. So, before I cause a redirect I’m just going give request double verbosity mode. Why am I redirecting my standard output? Well, I don’t want all of the information to be printed out in the terminal window where eventually it will be lost, pretty much as soon as I close the terminal, or as soon as enough commands are passed that the cache needs to be rewritten for the terminal. Furthermore, if it’s written out in standard output and on the terminal itself, I can’t do anything else with it. I cannot manipulate it, it’s not a file that I can take, rather instead it’s just standard output. What I want to do is cause a redirect with a greater than sign into a file. So, I’m just going to go ahead and type in /home/, and I’m going to name this file SCAN, excellent! So, all of the results that nmap gathers will be stored into this file here, and this is the path to the file. Even though I have passed a good amount of hosts here, I’ve given it 255 hosts, because I’m in LAN it’s going to go faster. When you’re doing this over the Internet, a very good idea is to pass a port, or at least a port range. Don’t let it scan all 1,000 ports. Or, even worse, do not specify that it should scan a full port range. Regardless of what sort of internet connection you have, it will take a good amount of time to finish. Furthermore, you’re bound to trigger some red flags, so you should define a port here in order to save yourself a lot of time, and I mean generally you will know which service you want to attack, you will have some sort of an idea there. I’m going to go ahead and pass port 22, that is the port that I wish to scan for, press ENTER, and let’s see if this is successful. There we go, it is functioning. It finished rather fast. Even though I passed double verbosity mode, everything here is being redirected here, so I won’t see anything in the terminal window. If this scan takes longer when you’re doing it over the internet, and it will take longer if you’re doing it over the internet, don’t think immediately that something has failed. So, let’s just do this, ls, now look what I’m doing here. I’m going to do a very similar thing with our scan file, and I’m going to type in grep SCAN, press enter, there we go. I have passed the ls command to list pretty much everything within the home directory, and then I have piped the output of ls to grep, basically pipe means just pass it. I’ve passed the output to grep, and what grep does is basically pull whatever you specify here. It pulls it from the output. I’ve told it to pull whatever is in there, that has the name scan, or that has the string scan within it. So, I could have had a name like AAA, scan, BBB, it would still pull it without any problems. This is one of the ways in which we can make sure that the file is located within a certain folder, especially in situations where you have hundreds of files in a single folder, and you don’t want to go through them manually. Just use grep if you know the name, or if you know a partial name, in order to figure out what is where. So, let’s go ahead and clear the screen, and let me just show you what is located within our scan file. So, less scan, press Enter, and there we go. We have pretty much all the hosts within my LAN network, within my local subnet. They are all down of course because I don’t have 255 computers or devices within my home network, rather instead you see what it has found. It has found the router IP, the router that I’m using for this test, and it says port 22/filtered/TCP/SSH. That one has an open port of 22, it’s status is up, and I also have on 100 status is up, 22 is closed, on 102 is up, it’s filtered, and so on and so forth.

So, let me go ahead and do a very similar thing here because I want to leave it on the screen, so I can explain it to you. The less command is very nice but when you exit it disappears. Cat, however, prints everything within a file to standard output, and it stays here for the duration of the terminal. The reason why I did this will become apparent quite soon. So, what you want to do now is type in cat SCAN as before, and now we want to pipe the output of SCAN to grep in order to pull something out of here, the useful information. Let’s say that I want to pull all the hosts that are up. I want to pull all live hosts, I want to see their IP addresses, and when I type in grep what is the universal markation for all the hosts that are up? Well, you have a flag here, status and then flag up. Let’s go ahead and type in up, press Enter, excellent! I will give you a bit of clarity, there we go. You have these flags which are up, so I have all the hosts here that are currently up and running,
that are alive on the network, but this is not what I want. If I wanted to pass these IP addresses to another program, I wouldn’t be able to pass this whole line because it wouldn’t make any sense. Especially, if the other program is only requesting the IP address of the host. You perform one nmap scan to see which hosts are alive, and then once you figure out which hosts are alive you can do a more detailed scan on those particular hosts. This would save a lot of time. So, we have these hosts here, but we want to pull these IP addresses. I’m afraid I just can’t do that with grep. Perhaps I could, but it would be too complicated and it really wouldn’t be practical. That is why Linux has something that is called awk. Awk is used for formatting text and pulling out certain parts of a file that you have deemed that you need. Now you could make an entire separate tutorial on awk. I would strongly advise that you familiarize yourselves with awk by referencing the man pages. However, for the time being, and for the purposes of this tutorial, we will be using some basic awk commands which pretty much everybody uses, and which are a necessary part of pen-testing. So, cat can print everything to standard output, grep Up. So, grep all of the lines that contain the word up. And then what I want to do here is eliminate this part, leave this part in, and eliminate this part. How shall I do that? Well, the first thing that we need to do is specify a field delimiter. Basically, if you say that the colon here is a field delimiter, this will be one field, this will be another field, and this will be yet another field. So, you will have three fields in total. However, that doesn’t really work for us. If we say that the colon is a delimiter, this entire section that I’ve highlighted will be considered a field, and we will have parentheses, and the status, the parts that we don’t really want. What you can use as a field delimiter here is a space. So space here, this is one field, this is going to be another, and this again is going to be a field delimiter because there’s a space, and this will be a third one, and then you have another space, and the fourth, and so on and so forth. In order to specify a field delimiter to be space, well simply leave an empty space in between the quotation marks. Generally, you would put quotation marks and you would specify a field delimiter in between them. If you wanted a colon this is how you would do it, but we don’t want a colon. We want a space, and that’s it. Open single quotation marks, open curly brackets, type in print $, and then you need to type in the number of the field that you would like to print out. So, we would like to print out the second field, 2, close curly brackets, close quotation marks, press ENTER, and there we go. We have all the IP addresses listed of the host that are up without anything else. Now, what you can do with this is pass it to another file, it’s called SCAN2, press ENTER, and then you can type in nmap – iL scan2, then you can perform a full nmap scan for just four hosts. This might take a bit. No, I don’t want to view it like that. Let me request double verbose, excellent! So, now you can do a full scan for just four hosts instead of doing it for all 255 hosts. Just figure out which hosts are alive, and you don’t need to do that with port 22, just do a ping sweep, and that’s going to be it. You will be able to figure out which hosts are alive, perform detailed analysis of this particular host, and you can see I’m already receiving information here. My home router is filled with holes, but it doesn’t matter at this moment. I am just using it for the demonstration of this tutorial. I’m going to switch it as soon as I’m done with the tutorial. I have 443 on 102, so I probably have some SSL going on there. Port 80 here, port 23. We will soon see what all these services mean. However, you can experience these flags here, and usually you will experience delays because you know there are some packets that are being dropped, some that are being refused by the servers on the other side. You can also have time limiters, and so on and so forth. So, here you can see the scans and what they have revealed thus far. They will tell me everything that I want to know in regard to my local area network. It even gives out the MAC addresses which I’m going to cover up, and you won’t be able to see them, but, in any case, you see how much information you get, and how much time you can save. I am going to end this tutorial here and we will move on to the next one. I hope that you’ve enjoyed this one, and I’ll see you next time.

The remainder of the tutorial videos can be found in this YouTube playlist:


You can also enroll in the course and download the videos for offline viewing:

Subscribe on YouTube –

Follow on Steemit –