Greetings, I'm Professor K, and in this video presentation we're going to have an introduction to Nmap. Nmap is short for Network Mapper, and it is a network scanning and host detection tool that is very useful during several steps of penetration testing. Nmap is not limited to merely gathering information and enumeration, but it is also a powerful utility that can be used as a vulnerability detector or a security scanner. Nmap is a multi-purpose tool, and it can be run on many different operating systems, including Windows, Linux, BSD, and Mac. Nmap is available for both the command line interface and the graphical user interface. The graphical user interface is known as Zenmap. For this lab, I'll be using my installation of Kali Linux and another install of Metasploitable 2. For this lab, I have both of my machines configured with their networking set to host-only adapter. If you need to update your installation of Kali, just pull down the choices that you have for adapter and change it over to bridged adapter.
And then you'll be able to update. Once you're done updating, go back in and switch it back to host-only adapter. The reason I like using the host-only adapter is that it isolates my installation of Kali and the target machine into their own networking environment. It does not intrude on my host networking environment or my home network. Using the ifconfig command, I have checked the networking address for both of these machines, the Kali and my target, and I see that they're both using the 192.168.56 network. The last thing I need to do before we get started with the lab is confirm that I do have network connectivity between my Kali machine and my target. To do this,
I'm going to do a ping from my Kali machine over to the target. My target IP address is 192.168.56.101. I'm going to go ahead and just hit Enter, and I see that I am getting positive returns. To break the sequence, I will do a Ctrl-C. To clear the terminal in Kali, I just use the clear command; on a Windows machine, it would just be cls. Nmap is as complicated as you want to make it. It can do basic scanning, and it can do sophisticated scanning using a number of different switches, scripts, and its engine, which we will see in a future lab. In this first example, I'm going to scan a single host, which will be my target.
And this is just a basic scan. That's all it is. I'm not using any switches. I'm using the nmap command, followed by the IP address of the target. And if I hit Enter, you'll see that it comes back and it gives me all the information about what ports and services are currently running at this address.
Nmap was able to determine that the target machine is a virtual machine running on Oracle VirtualBox using a virtual NIC. I can use my up arrow to come to the clear command, and I'm back to my prompt. To scan an entire subnet, I can type in nmap followed by the IP address I want it to start with in that subnet, and then I can give it a /24, which is CIDR, and that stands for the subnet mask that we want to use.
So we can identify what portion of the network the host IP addresses will be located in. Now, I could also type this out as the subnet mask, like so, and that's the same thing. And what we're saying here is the last octet is the only octet that you have to worry about. The /24 tells Nmap that the first three octets are already taken and are full, and there's no need to look there. We're telling Nmap that the only octet that you're going to worry about is the last octet, and that is where the host IPs will be located. So I can go back again, and I can just slap in the /24.
And this just tells Nmap that I want you to scan the entire network, but only look in the last octet for anything to do with host IP addresses. And if you look at the results that you returned with your Nmap scan on this network, you'll see that it tells you it scanned 256 IP addresses, it found four hosts, and it completed the scan in the following number of seconds. It said it scanned all 1000 ports on 192.168.56.102, but those are closed. Now, that's because Nmap is not capable of scanning its own host machine. So whatever you're running Nmap on, it won't be able to scan that machine. So it came up and it found a scan for .56.1.
In this next example, we can see how we can scan multiple targets. So I want to scan just two targets with this particular command, and those two targets are identified by their IP addresses. So I'm going to scan 192.168.56.1, and I'm going to scan 192.168.56.8, and hit Enter. In just a moment, it's going to come back with the results. Now, it did not find the .56.8 address; it found one host, and that would have been the 192.168.56.1.
In this example, I'm going to have Nmap scan a specific range of IP addresses starting at .1 all the way up to .100. To do this, I've just typed in the starting IP address of 192.168.56.1, I'm going to put in a dash, and then I'm going to type in the ending IP address, and now Nmap will scan all the IP addresses from .1 all the way to .100. It comes back and it gives me the results, and it didn't find a whole lot here. But we didn't expect that, because there's actually only two really live machines on this network, this Kali machine and my target machine. But if there had been machines using the range of 192.168.56.1 consecutively through to .100, those results would have been present.
Nmap comes with many different switches that can be used to obtain a number of different results. In this first example of using a switch, we're going to use the -sL switch (small letter s, capital L) to generate a list of all the IP addresses to be scanned. So I've typed in nmap, give it a space, give it a dash, now you add in the switch, give it a space, and type in the IP address or the range of IP addresses that you want to scan. In this case, we're back to scanning the entire subnet of .56.1 all the way up to .256. So I'm going to go ahead and just hit Enter. Let's see what happens here.
And now you see that we have generated that list of all the IP addresses that we want in an Nmap scan. We can also exclude IP addresses that we don't want Nmap to scan. In this example, I've told it that I want you to scan my entire subnet, but I don't want you to scan .1. Go ahead and hit Enter. Since we do not have a DNS server on this network, we can ignore the "failed to resolve" message. When it talks about resolving, it is talking about resolving an IP address to a hostname or a hostname to an IP address.
And that's what you use DNS for. So we can ignore this error message. And you'll see that it's scanned all the way up to .101, and these are the results that we have from the scan. Down here at the bottom, we see that it scanned 255 IP addresses, and if you'll remember, it normally comes back and tells you that it scanned 256, but in this case, since we told it to skip that first IP address, it was only going to be able to return results for 255.
Everyone who does pentesting or hacking has their own set of favorite techniques for using Nmap. Everyone has a different set of switches that they like to use. They like to get a certain amount of information, and they want the information displayed in such a way, and so everybody develops their own favorite Nmap commands and scanning techniques. In this first scanning technique, we're going to use a very popular scanning technique called the SYN scan. Now, the SYN scan is very popular because it doesn't generate any log files on the receiving target. Now, the reason that is, is because the handshake that is normally established between this machine and the target machine is not completed.
Since that's the case, then there will be no logged attempts generated on the target machine, which allows us to remain stealthy or anonymous. So I'm gonna go ahead and hit Enter, and it comes back letting us know that the command completed, and this is what it found. There will be times when you will not be able to use the SYN scan because you don't have root privileges. If that's the case, then you're going to have to use the following command. This is called the TCP Connect scan, and for this we're going to use the -sT switch (dash, small letter s, capital T).
Now, this is going to complete the connection, so this will generate log files. But it is one of those things that you're going to have to figure out if you're going to use it or not. And if you don't have root privileges on the machine, then of course you're going to have to move up to another command; in this case it is the TCP Connect command. Now, it should be noted that this is only going to scan for TCP ports.
We'll use another command later on to scan for UDP ports as well. So I'm gonna go ahead and hit Enter, and you see that it comes back with some really nice results. But this didn't complete the connection, so we did generate a log file. The following command is going to scan for UDP ports only.
So in our previous scan, you saw how we scan for TCP ports. Now we're going to scan for UDP ports. So I'm gonna go ahead and hit Enter. If you want to know what the status of an Nmap scan is, because it's taking a long time, all you have to do is hit Enter, and it'll come back up and tell you the following. It will tell you the stats: how many machines have been scanned, how long it's taken, and how much longer it's going to take.
Sometimes a normal TCP SYN scan is not the best solution because of the firewall. Also, IDS and IPS filtering can block the SYN packets from reaching their destination, the target. A FIN scan sends the packet with only a FIN flag, so it is not required to complete the TCP handshake. And if that's the case, then no log will be generated. But if they do configure the IDS or the IPS to either warn or block because of a FIN flag, then this won't work either.
So we're going to go ahead and hit Enter here, and it comes back, and the command completed successfully. But then again, I don't have a firewall, and again, I don't have an IDS/IPS in place. In this next command, we see that we can configure Nmap to perform a simple ping test. Now, this is not going to return any results about ports or services.
But it will tell us whether or not the machine is up and available on the network. So we're going to use this -sP command (dash, small letter s, capital P) to have Nmap ping the target. I'm gonna go ahead and hit Enter, and it comes back and it says host is up; the MAC address, it returns that, and it tells us that it is an Oracle VirtualBox using a virtual NIC. This next command uses a combination of a SYN scan and a version scan to determine what version of software is currently running on the target machine. So we're going to first conduct a SYN scan, and we're going to find the ports, and then the V is going to be able to tell us what version of software is running on those particular ports.
So I'm gonna go ahead and hit Enter. When the results come back, you see we have the port, the state of the port, the service that is running on the port, and the version of the software. So this is very useful for finding vulnerabilities on the target machine, because once we find that these ports are open running a certain service, we can then determine if that particular version of that software is vulnerable or not. Another very useful Nmap switch is -O (dash, capital O). This is going to come back and give us all the information that Nmap can find about the current version of the operating system that is running on the target.
Let's go ahead and hit Enter. So down here at the bottom, you'll see that the OS detection was performed, and it tells us that the OS is running Linux kernel, and in OS details, it is running Linux version 2.6.9 through 2.6.33. Now, that's information that you need to know about if you're going to try to attack this machine and go after the operating system. So OS fingerprinting is a very popular technique, and it can be used to discover routers, workstations, and the like. It also tells you the operating system that is running on the machine, and it gives you other OS details.
It also gives you the network distance; in this case, it tells us that it is just one hop away. If the target is filtering out connections using a firewall, an IDS, or an IPS, we can use the following -Pn command to ensure that we do not ping to find the remote operating system. The -Pn tells Nmap not to ping the remote computer, since sometimes firewalls will block the request. So I'm going to go ahead and just hit Enter and see what happens here. Now, there will be times that Nmap will not be able to determine what operating system is running on the target for a number of reasons, probably too much information or not enough details. There's a lot of different reasons why you'll get that message, "too many fingerprints match this host" to get the specifics on OS details.
If Nmap cannot detect the remote OS accurately, you have the option of using Nmap's guess feature. This will come up with as much information as it possibly can, and it will make its best effort to guess what the operating system actually is on the remote target. I'm gonna go ahead and hit Enter. Here in the results, we see that it found something to do with a Windows operating system, but it can't really determine what the operating system is. So it's going to come back with its best possible guess.
And that's all you can hope for if it doesn't have all the information that it needs. This video and lab provided a good overview, or an introduction, to Nmap. Now, there's a lot more to it. If you were to go to the internet and download the Nmap User Guide, you would have to go out and purchase about a four-inch three-ring binder, and that might not be big enough. That's how powerful this utility is. That's going to conclude this short video presentation on your introduction to Nmap.
Now, if you have any questions or concerns about any of the material that was covered in the lab or in this video, please do not hesitate to reach out and contact your instructor, and I'll see you in my next video.
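As an added example (not part of Professor K's video or lab, and not Nmap's own code), the Python routine below expands the target specifications used in the lab the way the -sL list scan would show them: a /24 CIDR, the same subnet written as a dotted mask, a last-octet range, several explicit hosts, and an excluded host. It uses only the standard library; the 192.168.56.x addresses are constructed sample values taken from the lab's host-only network, and the function names are this example's own. Running it reproduces the counts the lab reports: 256 addresses for the /24, 255 once one host is excluded, and 100 for the .1-.100 range.

```python
"""Expand Nmap-style target specifications into a concrete host list (added example).

Constructed sample input: the 192.168.56.0/24 host-only network from the lab.
"""
import ipaddress
import itertools


def _expand_octet_ranges(spec):
    """Expand a dotted spec where any octet may be a range, e.g. 192.168.56.1-100."""
    octets = []
    for part in spec.split("."):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range in {spec!r}")
        octets.append(range(lo, hi + 1))
    # Cartesian product of the per-octet ranges, in ascending address order
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def expand_target(spec):
    """Expand one target token: CIDR (/24), dotted netmask, octet range, or single host."""
    if "/" in spec:
        # Like Nmap, treat 192.168.56.1/24 as the whole enclosing /24 (strict=False).
        # ip_network also accepts a dotted netmask such as /255.255.255.0.
        net = ipaddress.ip_network(spec, strict=False)
        # The list includes the .0 and .255 addresses, which is why a /24 is 256 hosts
        return [str(addr) for addr in net]
    if "-" in spec:
        return _expand_octet_ranges(spec)
    return [str(ipaddress.ip_address(spec))]


def expand_targets(specs, exclude=()):
    """Expand several target tokens (several nmap arguments) minus excluded hosts.

    Duplicates are dropped and first-seen order is preserved, so the result
    matches what a list scan would enumerate.
    """
    excluded = {addr for e in exclude for addr in expand_target(e)}
    seen, result = set(), []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result


if __name__ == "__main__":
    # Each line mirrors one target specification demonstrated in the lab
    print(len(expand_targets(["192.168.56.0/24"])), "addresses in the /24")
    print(len(expand_targets(["192.168.56.1/255.255.255.0"])), "addresses via dotted mask")
    print(len(expand_targets(["192.168.56.1-100"])), "addresses in the .1-.100 range")
    print(expand_targets(["192.168.56.1", "192.168.56.8"]), "explicit hosts")
    print(len(expand_targets(["192.168.56.0/24"], exclude=["192.168.56.1"])),
          "addresses with .1 excluded")
```

The exclusion is applied after expansion so that an excluded token can itself be a range or a subnet, which is also how a practitioner would keep management hosts or fragile devices out of an authorised scan's scope before running it.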