If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Today, I will show you some more stuff you can do with nmap. But, more importantly than that, I will show you a tool which you can use to assign a physical location, namely a city, to an IP address. It’s relatively precise, but the downside of it is that you can only make 1,000 queries per day. I mean, 1,000 queries per day is still fairly reasonable, however if you’re doing some form of mass scanning it won’t really help you much. You will need to go online and download additional libraries for that. But, 1,000 is a very good number, and let me just show you how it actually works.
So, here I have a command. This is the command that I used previously on scanme.nmap.org to pull information about an IP address. It’s curl ipinfo.io/ followed by the IP address. It’s a plain curl command, so you can just copy/paste it: curl is the command, and the URL with the IP address is the argument that you pass to it. Once you press ENTER it queries the server, and there you go. You have an IP, and you get a host name as well. You get a city, it’s Vermont, its region is California, a country, U.S. You even get some coordinates here, organization, postal code, and so on and so forth. So, you get some really useful information in regard to an IP address. But, as I said, the downside is that you can make only 1,000 queries per day. You’re not doing anything illegal here, you are simply querying a database somewhere in the world to give you specific information on an IP address. You could have done this by simply searching for whois on the net, however I wish to teach you how to do these things in the terminal so that you will be less dependent on the browser. Anyway, let me just go ahead and clear this.
What I would like to cover today with you are some external resources which you can use in combination with nmap. Nmap has a wide variety of scripts that work with it, and with them you will be able to use nmap to scan for particular vulnerabilities on servers elsewhere in the world. Go ahead and open up your browser. Okay, so I have this website, scanme.nmap.org, open here, and on the website there is a link to nmap.org, and then some links here. Look, here we have a list of categories of the sort of scripts I can run with nmap in order to scan for particular vulnerabilities. There are 490 scripts. For example, here are scripts I can use for DoS (denial of service) attacks. Anyway, let’s go and click on one of the links. I’m going to go ahead and click on vuln, the general category, and now I have all these scripts here. So, if you’re wondering how you can bypass firewall rules, well, simply use a script. It says, firewall-bypass: detects vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip. Let’s open it up in a new tab. Once you click on it you’ll get the exact syntax on how to use it, under example usage. Where the example shows a target, just type in the IP address, and that’s it. Literally, that is the only thing that you need to change here. Copy/paste this command, and then just change the last part into the IP address that you wish to scan. I’m not going to go through all of them, as I said there are 490 different scripts. We will be using a few of them in the later tutorials where we will get into demonstrations, once we actually start attacking particular services and start exploiting their vulnerabilities. There are many resources here which you can utilize, and I strongly advise you to go to this website and check it out. This is the most important part of this website for you, the availability of these scripts.
So, take a look at what they do, and you can save yourself a ton of time by conducting a scan for certain types of exploits. If I click on exploit, it gives me all sorts of exploit scripts. For example, if I’m attacking a very secure File Transfer Protocol, it explains in great detail what the script does, and if you click on it it’s going to give you the exact syntax which you need to use. Literally, the exact syntax which you need to use. Right next to it you just type in the IP address of whatever host you want, and that’s it. There are no changes, there is nothing else that you need to do, you just copy/paste this, and change the target here.
Anyway, I’m just going to go ahead and scroll up, and I have yet another website that I wish to show you. It’s called exploit-db. So, just type in exploit-db, and the first site that pops up should be Exploit Database by Offensive Security. This is one of the largest databases out there in regard to vulnerabilities. You can find them all in one place here. There are some very nice wireless tricks that you can use here, reverse shells, privilege escalation, pretty much everything. We will be using this site fairly extensively in the follow-up tutorials, but I just wanted to mention it here so that you can explore it a little bit. Feel free to go through the website. For example, take a look at the router that you are using. Identify the router you are using, take a look at what sort of router was provided to you by your ISP, and then go ahead and click on search in the upper right corner. I’m going to click on it and search for the vulnerabilities of home routers. See what you can do with it. You can search by port, there is a free text search, description, order, platform, look at how many platforms are down there. If you don’t know what platform it is just try a free text search. Type in the name of your router in the text search and it’s bound to give you some vulnerabilities, because most home routers have more vulnerabilities than they should. So, that is the task that I leave you with. I want you to open up this website, Exploit Database, find a vulnerability in your home router, and once you’ve done that there will be a description of how to use it. Try using it, try exploiting it. If it fails, not a problem. We will get into greater detail regarding routers later on in the course. If you have any questions, feel free to post them in the question section.
Before I leave, once more, over here you have scripts that you can use with nmap to detect particular vulnerabilities. Just click on it, you will get the exact syntax. All you need to do is change the IP address. The website is exploit-db, use this website extensively, it is very good. There are a lot of vulnerabilities on it, pretty much all of them are located there. The site is open, free, anybody can access it, no registration required. With that, I bid you farewell.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
Hello everybody and welcome to this tutorial. Today, I will do some actual scanning, and for that I have picked a domain outside of my local area network. You can find this on the nmap official site, scanme.nmap.org. Feel free to scan this site as they have given the public permission, but do not abuse the privilege. A few scans per day is sufficient to learn how to use nmap.
So, I need to take this domain. You cannot use control + C or control + V in the terminal because control + C is the universal interrupt command, and control + V will simply not work. You will need to use a mouse and manually do it. In any case, we need to trim this down, we don’t need any of these things, we just want the main name to remain. I’m going to go ahead and type in nmap, space, and there we go. We’re going to scan this domain. However, if I just press ENTER like this, it’s going to conduct some scanning, it will do the job I assure you, but it will not give us any output whatsoever. This will be continuously empty until the scan is complete. For a short scan such as this, zero output in the terminal is fine, but if you’re conducting a scan that can last up to a day, it’s worrying to see that there is nothing here. You can’t be sure whether it’s working, if it is bugged, or what not, and that’s why it’s always better to pass the -v option for verbose output. I have a personal preference to pass the -vv option for extra verbose output. So, the system tells me pretty much everything that it is doing, and how it is functioning, and I can see it as it progresses, and I can see that some ports are open prior to the completion of the scan. I’ll just go ahead and begin the scan, and you can see immediately, before it finished the scan, it has told me that ports 22 and 80 are open. Now, by default, nmap will scan 1,000 ports. You can tell it to scan more ports. You can even tell it to scan the maximum range of ports, which is 65,535. Rarely anyone does this as it is time-consuming. Usually, you have an idea what sort of services you wish to target, and then you scan for the ports on which those services are likely to run. For example, port 22 would be SSH (secure shell), and port 25 is SMTP (simple mail transfer protocol). If you don’t know what that is, it’s an email server.
80 would be HTTP (hypertext transfer protocol), and you have nping-echo on port 9929. The state of these ports is rather clear. So, it’s open, open, open, and you can also get a state of closed. It says here not shown, 996 ports closed. When it says filtered, well, usually there’s a firewall setting which is dropping the packets. It may not be closing the port, but it’s definitely doing something to the packets that are coming through that port. It’s perhaps blocking them from a certain IP, or something of the kind, there can be a lot of options here. In any case, the general meaning of this filtered flag is that nmap cannot determine whether the port is open or closed. Usually, you want to stay away from those ports, or you can do some extra research and find out how you can access them. They may require a particular app, or a particular protocol, to be accessed, and that’s why nmap cannot scan them properly. That can be a bit problematic. Stick to the open ports and see what you can do with them. Now, nmap also has an option to create a graphical output. Basically, you can dump your results into a file, you can store it, and sort it as well. You then gain the ability to extract separate bits and pieces of information. For example, if you simply want the IP addresses of hosts that are up, or you want the IP addresses of hosts that have port 22 open or filtered, or that are running a certain service like SSH, or SMTP, or HTTP, etc. However, I won’t be doing that for scanme.nmap.org. I believe I have used their system enough, and for this example I require a range of IP addresses to give you a meaningful result.
What I’m going to do now is scan my local subnet. If you don’t know what yours is, well, it’s most likely configured as mine is. If it’s not, just type in…let’s just clear the screen first. Type in ifconfig and you will get a result here for eth0, or for whatever interface you are using. Just take a look at the IP address that has been assigned to this interface. So, the lowest and the highest value of the final octet here will give you the range of your local subnet. So from 0 to 255. Let me just show you what that looks like in case you did not understand. Type in nmap, and then for a graphical output we need -oG, and then we need to give it a range of IP addresses. So, 192.168.1.0-255. So, it’s going to scan all of the IP addresses that start with this, and that go from 0 to 255. Now keep in mind that I can customize the range any way I want. For example, here where it says 1, I can type in 1-67. So, it’s going to use this octet and this octet in combination, and it’s going to scan all possibilities, although that might take a lot of time because that’s a lot of IP addresses. Anyway, I’m not done just yet. What I need to do is actually cause a redirect. So, before I cause a redirect I’m just going to request double verbosity mode (-vv). Why am I redirecting my standard output? Well, I don’t want all of the information to be printed out in the terminal window where eventually it will be lost, pretty much as soon as I close the terminal, or as soon as enough commands are passed that the scrollback of the terminal is overwritten. Furthermore, if it’s written out to standard output on the terminal itself, I can’t do anything else with it. I cannot manipulate it, it’s not a file that I can take, it’s just standard output. What I want to do is cause a redirect with a greater than sign into a file.
So, I’m just going to go ahead and type in /home/, and I’m going to name this file SCAN, excellent! So, all of the results that nmap gathers will be stored into this file, and this is the path to the file. Even though I have passed a good number of hosts here, I’ve given it 255 hosts, because I’m on the LAN it’s going to go faster. When you’re doing this over the Internet, a very good idea is to pass a port, or at least a port range. Don’t let it scan all 1,000 ports. Or, even worse, do not specify that it should scan the full port range. Regardless of what sort of internet connection you have, it will take a good amount of time to finish. Furthermore, you’re bound to trigger some red flags, so you should define a port here in order to save yourself a lot of time, and generally you will know which service you want to attack, you will have some sort of an idea there. I’m going to go ahead and pass port 22, that is the port that I wish to scan for, press ENTER, and let’s see if this is successful. There we go, it is functioning. It finished rather fast. Even though I passed double verbosity mode, everything is being redirected into the file, so I won’t see anything in the terminal window. If this scan takes longer when you’re doing it over the internet, and it will take longer if you’re doing it over the internet, don’t think immediately that something has failed. So, let’s just do this, ls, now look what I’m doing here. I’m going to do a very similar thing with our scan file: I pipe ls into grep SCAN, press Enter, there we go. I have passed the ls command to list pretty much everything within the home directory, and then I have piped the output of ls to grep, basically pipe means just pass it along. I’ve passed the output to grep, and what grep does is basically pull whatever you specify here. It pulls it from the output. I’ve told it to pull whatever is in there that has the name scan, or that has the string scan within it.
So, I could have had a name like AAA, scan, BBB, and it would still pull it without any problems. This is one of the ways in which we can make sure that a file is located within a certain folder, especially in situations where you have hundreds of files in a single folder, and you don’t want to go through them manually. Just use grep if you know the name, or if you know a partial name, in order to figure out what is where. So, let’s go ahead and clear the screen, and let me just show you what is located within our scan file. So, less SCAN, press Enter, and there we go. We have pretty much all the hosts within my LAN, within my local subnet. They are all down of course because I don’t have 255 computers or devices within my home network, but you can see what it has found. It has found the router IP, the router that I’m using for this test, and it says port 22/filtered/TCP/SSH. That one has port 22 filtered and its status is up, and I also have 100 whose status is up and 22 is closed, 102 is up and 22 is filtered, and so on and so forth.
So, let me go ahead and do a very similar thing here because I want to leave it on the screen, so I can explain it to you. The less command is very nice but when you exit it disappears. Cat, however, prints everything within a file to standard output, and it stays here for the duration of the terminal session. The reason why I did this will become apparent quite soon. So, what you want to do now is type in cat SCAN as before, and now we want to pipe the output of SCAN to grep in order to pull something out of here, the useful information. Let’s say that I want to pull all the hosts that are up. I want to pull all live hosts, I want to see their IP addresses, and when I type in grep, what is the universal marker for all the hosts that are up? Well, you have a flag here, Status and then the flag Up. Let’s go ahead and type in Up, press Enter, excellent! I will give you a bit of clarity, there we go. You have these flags which are Up, so I have all the hosts here that are currently up and running,
that are alive on the network, but this is not what I want. If I wanted to pass these IP addresses to another program, I wouldn’t be able to pass this whole line because it wouldn’t make any sense, especially if the other program is only requesting the IP address of the host. You perform one nmap scan to see which hosts are alive, and then once you figure out which hosts are alive you can do a more detailed scan on those particular hosts. This saves a lot of time. So, we have these hosts here, but we want to pull out only these IP addresses. I’m afraid I just can’t do that with grep. Perhaps I could, but it would be too complicated and it really wouldn’t be practical. That is why Linux has something that is called awk. Awk is used for formatting text and pulling out the parts of a file that you need. You could make an entire separate tutorial on awk. I would strongly advise that you familiarize yourselves with awk by referencing the man pages. However, for the time being, and for the purposes of this tutorial, we will be using some basic awk commands which pretty much everybody uses, and which are a necessary part of pen-testing. So, cat prints everything to standard output, then grep Up. So, grep all of the lines that contain the word Up. And then what I want to do here is eliminate this part, leave this part in, and eliminate this part. How shall I do that? Well, the first thing that we need to do is specify a field delimiter. Basically, if you say that the colon here is a field delimiter, this will be one field, this will be another field, and this will be yet another field. So, you will have three fields in total. However, that doesn’t really work for us. If we say that the colon is a delimiter, this entire section that I’ve highlighted will be considered a field, and we will have the parentheses and the status, the parts that we don’t really want. What you can use as a field delimiter here is a space.
So with a space as the delimiter, this is one field, this is going to be another, and this again is going to be a field delimiter because there’s a space, and this will be a third one, and then you have another space, and the fourth, and so on and so forth. In order to specify the field delimiter to be a space, simply leave an empty space in between the quotation marks. Generally, you would put quotation marks and you would specify a field delimiter in between them. If you wanted a colon this is how you would do it, but we don’t want a colon. We want a space, and that’s it. Open single quotation marks, open curly brackets, type in print $, and then you need to type in the number of the field that you would like to print out. So, we would like to print out the second field, 2, close curly brackets, close quotation marks, press ENTER, and there we go. We have all the IP addresses of the hosts that are up listed without anything else. Now, what you can do with this is redirect it to another file, call it SCAN2, press ENTER, and then you can type in nmap -iL SCAN2, and then you can perform a full nmap scan for just four hosts. This might take a bit. No, I don’t want to view it like that. Let me request double verbose, excellent! So, now you can do a full scan for just four hosts instead of doing it for all 255 hosts. Just figure out which hosts are alive, and you don’t need to do that with port 22, just do a ping sweep, and that’s going to be it. You will be able to figure out which hosts are alive, perform detailed analysis of those particular hosts, and you can see I’m already receiving information here. My home router is filled with holes, but it doesn’t matter at this moment. I am just using it for the demonstration of this tutorial. I’m going to switch it as soon as I’m done with the tutorial. I have 443 on 102, so I probably have some SSL going on there. Port 80 here, port 23. We will soon see what all these services mean.
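The grep and awk steps above, as an added example that is not from the course: a POSIX shell script that works on a constructed file in nmap’s -oG format (the format the SCAN file above is written in), pulls the addresses of hosts reported Up, selects hosts by port state, and writes the live hosts to a list that nmap -iL can read. The sample scan data, file names and function names are my own.

```shell
#!/bin/sh
# Constructed sample in nmap's -oG format (not a real scan result). Real -oG
# output separates fields with tabs; awk's default whitespace splitting,
# which is what -F' ' also gives you, handles tabs and spaces alike.
SCAN_FILE="$(mktemp)"
cat > "$SCAN_FILE" <<'EOF'
# Nmap scan (constructed sample) as: nmap -vv -oG SCAN -p 22 192.168.1.0-255
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.1 ()    Ports: 22/filtered/tcp//ssh///
Host: 192.168.1.2 ()    Status: Down
Host: 192.168.1.100 ()  Status: Up
Host: 192.168.1.100 ()  Ports: 22/closed/tcp//ssh///
Host: 192.168.1.102 ()  Status: Up
Host: 192.168.1.102 ()  Ports: 22/filtered/tcp//ssh///
Host: 192.168.1.105 ()  Status: Up
Host: 192.168.1.105 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
# Nmap done (constructed sample) -- 256 IP addresses (4 hosts up) scanned
EOF

# Addresses of every host nmap reported as alive. Such lines read
# "Host: <ip> () Status: Up", so the address is the second field, exactly
# what the tutorial's awk '{print $2}' extracts after grep Up.
live_hosts() {
    grep 'Status: Up' "$1" | awk '{print $2}' | sort -u
}

# Addresses whose Ports field lists <port> in <state> (open|closed|filtered).
# A port entry is always preceded by "Ports: " or ", ", so 22 cannot match 122.
hosts_with_port() {
    # $1 = scan file, $2 = port number, $3 = state
    grep -E "(Ports: |, )$2/$3/tcp" "$1" | awk '{print $2}' | sort -u
}

# Write the live hosts, one per line, to a target list for: nmap -vv -iL <list>
# Returns (prints) the number of hosts written.
write_target_list() {
    live_hosts "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

LIST_FILE="$(mktemp)"
write_target_list "$SCAN_FILE" "$LIST_FILE" >/dev/null
```

The resulting list holds only addresses, so it can be handed to the second, detailed scan without the Status text getting in the way.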
However, you may see these flags here, and usually you will experience delays because there are some packets that are being dropped, and some that are being refused by the servers on the other side. You can also have rate limiters, and so on and so forth. So, here you can see the scans and what they have revealed thus far. They will tell me everything that I want to know in regard to my local area network. It even gives out the MAC addresses, which I’m going to cover up so you won’t be able to see them, but, in any case, you see how much information you get, and how much time you can save. I am going to end this tutorial here and we will move on to the next one. I hope that you’ve enjoyed this one, and I’ll see you next time.
Hello everybody and welcome to this tutorial. Today, I will start a chapter on footprinting. So, I have explained what the act of footprinting is before, but now we will actually go ahead and conduct a few scans to see how it all works, and introduce you to the tools that we will be using.
First off, we need to find ourselves a target to scan. I could scan myself, but that would not be realistic because I already know what the results are going to be. Plus, it would not be a long range scan over the internet, I would be scanning within my own local area network. So, the speed of the scan would not be realistic as it would be a lot faster than when you conduct the scan over the net. So, what I did was I went online, and you can do the same, and on the official nmap website they have a section devoted to actually allowing people to scan them to test the tool out. Here is the written permission that you can actually scan this website. You can scan it to test out the nmap tool, a few scans a day is fine, but do not scan it a hundred times a day, or use it to test your SSH brute force password cracking tools, etc. So, that’s definitely something you don’t want to do, but you can run a few scans on this site per day and according to them that’s perfectly fine. You are not breaking any laws. I’m just emphasizing one more time that you do have written permission right here on the site, which is fantastic because it gives us an opportunity to simulate real-world circumstances and see how nmap behaves.
Now nmap is an essential tool for pretty much any pentester out there. Many people will say that it’s pointless to port scan, it doesn’t do you much good, and so on and so forth. Well, perhaps in terms of exploiting the services running on the ports themselves it doesn’t do you that much good, but just by seeing which ports are open and which ports are closed you can, to a fairly good extent, determine which operating system, or which platform, is being used on the other side, and then you can find weaknesses of that platform. Of course, there are some other ways of doing this, I will show them to you, but let me show you how nmap works. Nmap is known to trigger quite a few alarms, quite a lot of firewall red flags, and you want to make sure that your nmap scans are as discreet as possible. Now there are tools to actually figure this out, but I will show you here how to do it using the Linux terminal. There is also something called Zenmap. Zenmap is a graphical user interface for nmap, but we will not be using that. Instead, I want to teach you how to use it via the terminal. So, nmap is the one most commonly used, and it is almost always used in the terminal text format. People rarely use the graphical user interface. In the previous chapter, we also discussed how to stay anonymous, so at the end of this chapter I will be combining these things: scanning, footprinting, and anonymizing your scans. In any case, without further ado, let’s type in nmap --help, press ENTER, and there we go. There are a lot of options here, I mean a metric ton of options, way more options than we actually need for a basic scan. However, eventually, over time, you will come to understand that all of these options are available for a reason, there is a particular use case for each of them. So, what you need to do is scroll down to the bottom, and here you have examples of how nmap runs. So, 99% of the time you will type in nmap -v for verbose output.
For this sort of activity, we will want as much information as possible. We can use -A to enable OS detection, version detection, script scanning, and traceroute. I don’t think we’re going to need that immediately. There is the -O option, which is just for OS detection. Anyway, you can pass either scanme.nmap.org, which is basically the domain name and it will get resolved to an IP address, or you can actually pass it an IP address. If you’re wondering what this is, this is a mask. It would be very difficult to explain in great detail what this is, but for the time being know that this is actually an IP address range. It goes from a certain IP address to a certain IP address, but you do not actually need to use this format. Not that many people actually use this particular format with the mask. They tend to specify very specific ranges because they don’t have the permission to scan the entire subnet. Instead, they have to create lists, skip certain IP addresses, and then continue again from a certain point. So, they do need to create lists, and that can be a problem.
Now up here, at the top, you have another very important option that’s going to come in handy, you have -iL, input file name. So you can actually create a list of IP addresses in a file, and then you can scan those particular IP addresses. You also have the ability to do this, look at what’s written here. So just take a look at this segment, it’s 10.0, and then this segment here, this octet here is 0-255, and then the last octet is 1-255. If you’re wondering why I’m calling these things octets, it’s because each one of these has 8 bits, and it is represented in binary. So it can have 8 zeros, or 8 ones, or a combination of ones and zeros, but it has 8 bits, so 8 positions. That’s why they are referred to as octets. This is a very common form that people tend to use, and this is what you will find yourselves using. Either this will be the method in which you specify the IP addresses, or you will be passing files. People will either create these files themselves, or they can find these IP addresses on the internet. So in addition to this site, https://nmap.org/, you also have this one here, https://www.nirsoft.net/countryip/. This is a fantastic website. The entire range of pretty much every IP address block is listed here, and it also lists who owns what. You can search for a country and it’s going to give you the appropriate IP addresses for that particular country, and it’s going to give you the owner of those IP addresses. Usually it’s just telecoms, but you also have other people who own them as well. So I’ll just give it a shot. Let’s just type in Germany, or I don’t know, France. Okay, this is not the first search result, but that’s not a problem. Actually, you can find it down here, and I’m not going to type it in here. I could control + F France, there we go. Down here, just saving myself a bit of time there, and there we go. So, you have a range, this is a given range here, it’s from 2.0.0.0 to 215.255.255. This is a massive range.
This is a humongous range. Look at how many IP addresses you can have in total, how many of them you can generate within this range. It’s quite a lot. This is owned by French Telecom. I don’t know why they need this many IP addresses. So, as I said, you can sort them by owner, and you can see that many of them are not listed here. Wow! France has a lot of IP addresses assigned to it. They’re not free, they cost money. Let’s just go ahead and see down below. Where is it? Where is it? OK, so you see all of these IP addresses, and this is a pretty massive range, so this is a telecom in France. Look at how many IP addresses, IP address ranges they have. So, that’s quite a lot, and this site, as I said previously, can be used to figure out which IP address range we wish to scan. Again, you usually do not have permission to scan the entire range. You can scan certain IP addresses within that range for which you have permission. This is a very nice site to determine where an IP address is from, or something like that. However, always remember, once you get an IP address your search engine is your best friend. This is one of the major components of footprinting. You can type in whois, and then type in an IP address, I don’t know, I’m just going to type in this random IP address. So, if you don’t want to search for it here, you can have a look at it here. Whois 82.120.0.0? I don’t know if this search will be successful. There we go. So, I’ve typed in whois and I’ve picked the first website that I could find, and here I have all the information in regard to that particular IP address. I have a country, I have the username of the admin, I suppose, I have the status, remarks, source, and I even have an address, a physical address, for the IP address, which is ridiculous. Yeah, as I said, search engines are your absolute best friends.
If you want to find pretty much anything on the net in regards to an IP address, or to do any sort of research, make sure you utilize your favorite search engine.
So, those are the two tools that I wanted to introduce you to. Well, one tool, one website, and one search method which you can use in order to determine where an IP address is from, or who is using it, and even to determine its physical location. Although, its physical location can be assigned to a telecom, and that telecom can assign it to a city, and to a specific region in the city. Then you can find it on Google Maps, or on Google Earth, but usually those things are not that precise. What is precise, however, is that the IP address belongs to a telecom, and they keep rotating them between cities. So, if you have let’s say a hundred thousand IP addresses that you have scanned, and if you wish to sort them out by city, you will get 70-90% accuracy. This can be problematic because you’re going to miss out on some things. You also have something called nslookup. I’m going to use scanme.nmap.org. I have said I want to look up scanme.nmap.org, and this is my DNS server, which is basically my router. You see it says port 53. You know immediately that it’s DNS because all DNS traffic runs on port 53. Then we have the results. So, this is the domain name, and you get the IP address down below. This is also one of the ways in which we can get the IP address of a site from its domain. Once you know the domain you don’t actually know the IP address until you look it up, but there’s a far simpler method. You don’t need to use nmap. Oh, by the way, nslookup also works in reverse. So, type in nslookup, and you can type in the IP address, go ahead and press Enter. Down below are authoritative answers from the name servers. Basically, that means there are DNS servers and they are giving you responses, and telling you to whom the domain belongs, and so on and so forth.
What I want to show you here is that you can actually get a domain name by typing in nslookup, and then the IP address, and here where it says non-authoritative answer you get the IP address, and then you get the name, which is the domain name. However, you might notice that there was a problem here, that this IP address does not match this one. Well, guess what? It actually does. Try looking at it in reverse. It’s 74, 74 here, 207, and 207 here, 244, and 244 here, and 221 here, and 221 here. When you do an nslookup, and when you pass in an IP address, it’s going to do a reverse lookup in the DNS MX records. It’s going to query the DNS servers, and the DNS servers are going to give it a response, but in the MX records this is basically how things are written. You write an IP address in reverse, and then you append in-addr.arpa, but this part really is not that interesting to us. This is more interesting to server admins who configure the DNS servers. We will get to DNS servers in the later stages of this course. What is important for you here is that you’ve typed in an IP address, you’ve used the tool called nslookup, and you have gotten a domain name in return. Now you can start doing some other things as well, but we will be dealing primarily with nmap. Nmap is a tool used to scan networks and to retrieve information from them. What I’ve shown you in this video is some basic information retrieval and some basic external resources that you can use. In any case, I’ll see you in the second part of this nmap introduction, and there we’re going to actually conduct some scans and see how it all works. Thank you for watching and I hope to see you next time.
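As an added example, not from the tutorial, here is a Python sketch of what nslookup does with an IP address: it builds the reversed in-addr.arpa name (or the nibble-reversed ip6.arpa name for IPv6) that the PTR query is sent for, and adds the check a defender wants before trusting the answer: confirming the returned name resolves forward to the same address, since whoever controls the reverse zone can put any name there. The resolver mappings (FAKE_PTR, FAKE_FORWARD) are constructed so it runs offline; system_ptr and system_forward use the real resolver.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional


def reverse_name(ip: str) -> str:
    """Build the name that a reverse (PTR) query is sent for.

    IPv4: octets reversed under in-addr.arpa,
          74.207.244.221 -> 221.244.207.74.in-addr.arpa
    IPv6: all 32 hex nibbles reversed under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk input
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # zero-padded, 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def system_ptr(ip: str) -> Optional[str]:
    """Reverse lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> list:
    """Forward-resolve a name to all of its addresses (needs network access)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def forward_confirmed(
    ip: str,
    ptr: Callable[[str], Optional[str]] = system_ptr,
    forward: Callable[[str], Iterable[str]] = system_forward,
) -> Optional[str]:
    """Return the PTR name only if it resolves forward to ip again.

    Whoever controls the reverse zone can put any name in it, so a PTR
    result is only trustworthy once the forward lookup agrees (FCrDNS).
    """
    name = ptr(ip)
    if name is None:
        return None
    return name if ip in set(forward(name)) else None


# Constructed resolver data so the example runs offline; not real DNS answers.
FAKE_PTR = {"74.207.244.221": "scanme.nmap.org", "192.0.2.50": "mail.example.com"}
FAKE_FORWARD = {"scanme.nmap.org": ["74.207.244.221"], "mail.example.com": ["203.0.113.9"]}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> list:
    return FAKE_FORWARD.get(name, [])


if __name__ == "__main__":
    for ip in ("74.207.244.221", "192.0.2.50", "2001:db8::1"):
        print(ip, "->", reverse_name(ip), "| confirmed:", forward_confirmed(ip, fake_ptr, fake_forward))
```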
Together we’re going to take a journey through Linux and give you the knowledge you need to be a power user, but first we must ask the question, what is Linux? Well, confusingly, it depends on who you ask. In order to get an idea of what Linux is we’ve gotta go back in time. In the early 1980s Richard Stallman, then working in the AI lab at MIT, started the GNU project with the goal of creating an entirely free and open Unix-like operating system. This all started when the lab got a new printer, but the license restricted his ability to modify the code. He had hacked earlier printers to electronically send messages to users who printed items when the printing was complete, as well as notifying other users when the printer was free to use. By the early 1990s there was almost enough GNU software to create an entire operating system, however their kernel, the GNU Hurd, was not yet complete. Meanwhile, in the early 1990s Linus Torvalds set out on a hobby project to develop a Unix-like kernel known as Linux, and used GNU software such as GNU’s C compiler to do it. While a kernel on its own was useless, he ended up including GNU software with the kernel tree to release an operating system. Later, Richard Stallman’s Free Software Foundation sponsored the group Debian to release a GNU/Linux distribution that was completely open for people to use and contribute to. Debian over the years grew from a small group of Free Software Foundation hackers to the enormous community that it is today. Due to its popularity, Debian has become the base of countless Linux distributions. Because of how open the software is, anybody can read the source code, modify it, and then redistribute it. Because of this, this is what we have now, and it’s kind of a mess. There are so many Linux distributions that a common problem for beginners is which Linux distribution they should use.
While there are a few distros out there that actually include their own software, one of the biggest problems in Linux is how many distros there are and the fact that a lot of them are the same distribution with new wallpapers and icons, and everything else is the same. Ubuntu was started in the early 2000s and is owned and distributed by Canonical. The base of Ubuntu is Debian, and Ubuntu has become so popular that it has in turn been forked countless times. Forking is a process in which an operating system is used as the base of a new distribution. Ubuntu includes its own desktop environment called Unity, and has recently started distributing phones running a version of Ubuntu. Canonical also contributes bug fixes and other contributions upstream, meaning that they send these changes back to Debian to include in future releases. While Debian releases new versions sporadically, Ubuntu’s aim was to capture the stability of Debian but release new versions more frequently. As such, Canonical releases two distributions a year, one in April and one in October. The naming convention of Ubuntu is year & month. So, the version we’ll be working with was released in October of 2015 and it’s called Ubuntu 15.10. Every two years in April, a long-term support version is released, called LTS, which is officially supported for five years, while releases in between LTS versions are supported for only 9 months. The next LTS release will be in April of 2016. So, to download Ubuntu we’re going to go to Ubuntu.com, and when the page loads we’re going to see in the top navigation that there’s an option that says desktop. Just click on that, this is the version of Ubuntu we’re gonna be working with, and then when you get on the overview page, just click download Ubuntu, the big orange button in the main area. And on this page it’s gonna give us a few versions, so it’s gonna prompt us to download the last LTS release, which was released in April 2014.
If you’re gonna be running Ubuntu on a server it makes sense to use long-term support versions because you only need to install a new version like every five years. You can install more frequently because there’s a new LTS version every two years, but with a non-LTS version there’s only official support and bug fixes for nine months. So, we’re gonna go with one of the nine-month cycles here and download the latest stable release, which is Ubuntu 15.10; this was released maybe 10-15 days ago. We’re gonna download 64 bit because that’s the processor type we’re running. You can either click the download button to download it directly in the browser, or you can click alternative downloads & torrents to view what other types of files you can download. Now, if you’re running on a really super fast internet connection it doesn’t really make a difference. The in-browser download is probably going to download just as quickly as a torrent, however if you don’t have an incredible internet connection, a torrent download is going to make a lot of sense. It’s going to download a lot quicker than it would in the browser. Now, I’ve already got my version downloaded, it took about 10-15 minutes, because I have a really bad connection at the moment. Next thing we’re gonna do, we’re not going to install it directly onto our hard drives yet. That’s an awful big commitment to make when you’re not really familiar with the system. So, what we’re gonna do is go to VirtualBox.org, and this is a piece of software that allows us to create virtualized machines; virtual machines are a virtual computer, if you want to call it that. This allows us to create different virtual machines, set them up differently, as well as start different operating systems on one. So, when you get to VirtualBox.org there’s a gigantic button here that you cannot miss. Click on that and it’s gonna take you to the download page for VirtualBox. Now, it offers different packages depending on different operating systems.
This is going to be for the host machine, and to put that in clearer terms, the computer that I’m in right now, that we can see is running Windows 10, that is the host. So, I need to download VirtualBox 5 for Windows hosts, this link right here, click that and it’s gonna start the download. Now, I’ve already got mine downloaded. We’re going to need these in the next few videos, so thanks for watching!
So, now you don’t only have to scan devices on your local network, you can also scan external IP addresses or host names. So, I’m going to scan my server here by typing “nmap pointybracket.net”, that is, nmap and then the host name of my server. It’s gonna take a moment, and I’ve got a lot of open ports just because I have so many different things running. There’s a lot of things that run on it, and some things that I just set up that I’ve never really used and haven’t bothered to shut down, and so what we get here is my host, and we can see that I’ve got FTP, SSH, SMTP, we’ve got the standard domain and HTTP, pop3, there’s a bunch of stuff here and I’m not going to go into what all those are, but we can see that these are all the services the server has. You can also use a file, so let me clear this. Let’s open up gedit. So, we’re going to create a file of hosts that we want to regularly scan, and this can save time when we scan them if you’ve got, you know, a few hosts that you regularly check on. So, I’m going to put “pointybracket.net”, “192.168.0.1” and “192.168.0.100”, and I’m gonna save this as “networks.txt”. So, what we can do there is we can type “nmap -iL ~/networks.txt”, so it’s a lowercase “i” and a capital “L” and then the location of that file, so it was “networks.txt” in my home directory. This is going to scan each of the hosts that is in that networks file. It returns them in the order that they were scanned in, so that’s pretty neat. I want to go over a few more things with you guys regarding this command; it does get pretty big, there’s so much that you can do with this, and so I really urge you guys to go and explore this if networking is one of your interests, if you want to really, you know, follow that.
One of the things I want to show you guys is how we can turn on OS and version detection during the scan, and so what we’re going to do is type “nmap -A 192.168.0-100”, and this is going to scan... oh, I had a little typo in the IP address there, so I had to just fix that. So this should tell me the operating system versions that are running on the devices on my network, and you can also find this information about other hosts. Aside from this, just while this is running, you can scan a network and find out which servers and devices are up and running by using the flag “-sP”. You can display the reason that a port is in a particular state by adding the flag “--reason”. You can choose to only show open ports, which appears to be the default functionality here; it doesn’t show the closed ports. You can actually also show all of the host interfaces for a machine by typing “--iflist” in the list of arguments for this command, and I mean again it’s really big, so go ahead and look this up. If you wanna type in google.com “nmap commands” there’s a bunch of different ones that you guys should play around with; this was more of an introduction to the most common or basic functionalities of this program. I’m going to cancel this here and I’m just going to restart. This will go a bit faster, I’m just going to target my own IP address here so we can get this done and you guys can see the example output that this is gonna give when adding the “-A” flag in here. So, here you can see a lot of information about this machine. Let’s go to the top here. We’ve got the port, the state, and the service, as well as the version of the service. So, I have Apache 2.4.12 installed and that’s also the same one here. If we go down we get more information about the host itself, so we have OS UNIX, we’ve got the computer name, the domain name if anything is configured, the fully qualified domain name, and just a lot more information.
So, that is the nmap command, and it would be useful if you’re trying to just scan your network. One of the examples that comes off the top of my head of when I would use this command is if I noticed that the internet’s, you know, running a bit slow. Let’s say I’ve got 10 people in my house and half of them may or may not be using the internet and I wanna see how many people are online; this is what I would do in that instance. Or, you know, if you want to check how many machines offer a certain service, or what the IP address is that you need to use to access a certain service on another machine, this would help you figure that out. So, thank you guys for watching this video, I will see you guys again soon.
Hey guys, welcome back. This is the last video in the networking module. I just want to give you guys the tools you need to further your knowledge of networking in general, and how networking tasks would be performed on Linux. So, there is one more tool that I want to introduce you guys to called “nmap”. So, nmap is an abbreviation for the term network mapper, and it’s an open source tool that can tell you what devices are on the network, what IP addresses are in use, and what services each machine is offering. So, let’s go ahead, we need to install the tool, so let’s run “sudo apt-get install nmap”, and it’s going to download about 3 megabytes of data and it’s going to expand to 18 megabytes. Alright, now that this is installed, the way we’re going to use this is by simply typing “nmap” and then we can do a bunch of things after this. So, the first thing we’re gonna cover is how to scan a specific IP address, so I wanna get the IP address that I have, so I’m gonna run “ifconfig”. So, “nmap 192.168.0.100”, and we can see what ports are open, well, we can see what ports are available, their state, and then also the service that they provide by name. So, I have Apache installed on this machine, you guys should have it installed on yours as well if you went through the Apache videos, and so you should see the same thing here. And so the port is 80, the state is open because we’ve got Apache running right now, it automatically runs when you start up the machine, and the service that the port provides is http. So, if I were also running an SSH server on this machine you would see another entry in this list for port 22, it would say state open, and service SSH or something to that effect. Now, if we want more information we can run “nmap -v” then the IP address again, so “192.168.0.100”. “-v” means verbose, and what verbose mode does in most applications is, aside from the regular output, it also gives you more direction on what’s happening in the application or provides more information than you would normally get, so in this instance we see that it’s doing a bunch of scans. It scans the IP address for 1,000 ports and it finds all these ports that are open, and then also finds a bunch of closed ports, listed here, and it gives us the same output as before. So, that’s neat. I only have one device on my network actually, except for my router. Now, my router I believe is 192.168.0.1. So, that is the IP address for my router, so what we can do is scan multiple IP addresses at a time in multiple ways. So, the first way that we’re gonna do is by specifying each IP address. So, let’s go ahead and run “nmap 192.168.0.” and then we’re going to add the last values in here separated by a comma. So, first I’m going to scan my machine as well as the router, and if I had a network address of 192.168.0.10 I could also do that, but I don’t, so I’m not going to. Now, what we see here would be my router. We can see this is the IP address for it and this is what services it offers on which ports, and then we get my machine right here that provides the same output as it did before, but this is how it would output multiple machines’ scan results. Now, you can also scan a range of IP addresses.
So, let’s go ahead and run the nmap command again, 192.168.0.1-100; this is gonna go from 1 all the way to 100 and it’s gonna scan all IP addresses within that range, so if I had a bunch of machines on my network, which I actually do, I have my phone on that network as well, and that’s it actually, so I’ve got my router, my computer, and my phone. My phone is not coming up, so I’m not doing anything on my computer right at the moment, I’m just checking what IP address I have on my phone here, if I can find out how. Ok, so the IP address on my phone is .101, so what I’m gonna do is run the previous command and just have it scan from 1-101. We should see three machines come up, I don’t think my phone has any services or open ports that it would list, but let’s have a look here. And when you scan multiple IP addresses, the more you scan, the longer it takes. Okay, so there’s nothing available from my phone coming up. Now, you can also scan, so when we talked about IP addresses we discovered that you can use anything from 0 to 255. So, if I were to want to scan all IP addresses that begin with 192.168.0, I could then put this in here, right, but rather than doing that we can actually use a wildcard here. And, I’m actually gonna cancel this because it’s gonna take a while.
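The target forms shown across these two videos (a hostname, a comma list of last octets, a 1-100 range, a wildcard, and a -iL host file) follow one pattern: each dotted field is a list of values or ranges and the scan covers every combination of them. This added example, not part of the tutorial or of nmap itself, expands such specs into the concrete hosts a scan would touch, generalised to ranges or lists in any octet; NETWORKS_TXT is a constructed stand-in for the networks.txt from the video, and stripping '#' comments is this script's own convention.

```python
import itertools
import re
from typing import List

# One value or range inside an octet field, e.g. "7" or "1-100".
OCTET_PART = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")
# A whole field may only contain digits, commas, ranges and the wildcard.
OCTET_FIELD = re.compile(r"^[\d,*-]+$")


def expand_octet(spec: str) -> List[int]:
    """Expand one dotted field: '100', '1-100', '1,100,10' or '*' (0-255)."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(256))
            continue
        m = OCTET_PART.match(part)
        if not m:
            raise ValueError(f"bad octet field: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(spec: str) -> List[str]:
    """Expand one target spec into concrete hosts.

    Anything that is not four octet fields (e.g. pointybracket.net) is
    returned untouched as a hostname; otherwise every combination of the
    expanded fields is produced, as for 192.168.0.1-100 or 192.168.0.*.
    """
    fields = spec.split(".")
    if len(fields) != 4 or not all(OCTET_FIELD.match(f) for f in fields):
        return [spec]
    octets = [expand_octet(f) for f in fields]
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def expand_target_file(text: str) -> List[str]:
    """Expand a whole -iL style list (whitespace-separated targets).

    Treating '#' as a comment marker is this script's own convention.
    """
    hosts: List[str] = []
    for line in text.splitlines():
        for spec in line.split("#", 1)[0].split():
            hosts.extend(expand_target(spec))
    return hosts


# Constructed stand-in for the networks.txt file written in the tutorial.
NETWORKS_TXT = """\
pointybracket.net
192.168.0.1      # router
192.168.0.100    # this machine
"""

if __name__ == "__main__":
    for spec in ("192.168.0.1,100", "192.168.0.1-100", "192.168.0.*"):
        hosts = expand_target(spec)
        print(f"{spec}: {len(hosts)} hosts, first {hosts[0]}, last {hosts[-1]}")
    print(expand_target_file(NETWORKS_TXT))
```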