CompTIA Security+ SY0-601 – 4.1 Tool to assess organizational security. Part 3
In this video I’m going to be showing you how to use a really famous, powerful utility called tcpdump. Now tcpdump is basically a packet capture utility for the Linux command line. You’re not always going to be fortunate enough to be in front of a graphical interface so you can use Wireshark. Basically, if you’re SSHed into a computer there is no graphical interface, and you’re going to need a command like tcpdump in order to help you troubleshoot problems and even see traffic coming in and out of a workstation. So let’s go back to our command prompt, and basically we’re just going to run the command itself to see what’s happening. Now, you’re about to see a whole lot of traffic, because I’m actually using Remote Desktop; this is not actually a full thing.
It’s actually being Remote Desktopped to a computer that’s running off of the same interface as the Kali virtual machine is. So we’re going to see it dumping a whole lot of traffic here. You just run the command and it basically starts to pick up all traffic on all the interfaces. But you can see right now, this is computer one, .180, and I’m coming from .190 to .180. So it’s actually picking that up there. So it’s all port 3389. You see a lot of that because that’s the actual Remote Desktop port. So I’ll do Control-Z to stop that. So you can see it’s already capturing packets, but it’s too much data. I’ll show you guys a few different things here we can use if we want to capture specific packets, maybe even some specific hosts. So the first thing here I’ll show is, let’s say you want to capture maybe just web traffic.
tcpdump, we’ll say, let’s do the interface eth0 and we’ll do on port 80. So now I’m only listening on that interface, eth0. I’m only listening on port 80. So I’m going to go here. So I have a website that’s on 192.168.1.88. This is my Windows 10 box. And see, every time I refresh that, you can see a lot of traffic is happening here, because it’s basically only taking traffic from here now. And it can show you what it’s doing: it’s grabbing the data. I’m using the file’s information here, and it’s basically grabbing data from that particular website that I have there. Now the other thing here that we can do is going to be a variety of other things that we can look at, so let’s stop that. Let’s say tcpdump. You can even specify a particular host that you may want to just grab data from, so you don’t want to see all the data.
You can see just the traffic from that host. So we could say 192.168.1.88, I think was the IP address, and now it’s only going to listen to that particular IP address. So you notice I’m going here. Even if I go here, it doesn’t do anything, right? No packets capturing. But if I go to that IP address now, I start capturing. You can see a whole bunch of the TCP handshake is happening there behind me. So this is basically tcpdump, and it’s a really good command to know. I’m just scratching the surface here. I’m barely teaching you anything here. I just need you to know what this command is for your exam. But now you see what it is. Go have some fun with it. There are tons of switches, tons of tutorials on it. It’s one of the most used Linux commands.
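An added example, not from the video and not part of tcpdump itself, to show what the `host` and `port` filters from the video actually do and how to get past the "too much data" problem: the script below parses a handful of constructed tcpdump text lines (the hosts, ports and byte counts are made up for this example), emulates the direction-less `host X` / `port N` filter primitives, and summarises which destination ports and which conversations carry the traffic. Feed it real `tcpdump -n` output line by line and the same functions apply.

```python
import re
from collections import Counter

# Constructed sample of tcpdump text output, in the shape the tool prints for
# IPv4 TCP and UDP packets. Hosts and ports are made up for this example.
SAMPLE_LINES = [
    "12:00:01.000001 IP 192.168.1.190.54321 > 192.168.1.180.3389: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000200 IP 192.168.1.180.3389 > 192.168.1.190.54321: Flags [S.], seq 0, ack 2, win 65535, length 0",
    "12:00:01.000400 IP 192.168.1.190.54321 > 192.168.1.180.3389: Flags [P.], seq 1:101, ack 1, win 512, length 100",
    "12:00:02.000000 IP 192.168.1.180.49152 > 192.168.1.88.80: Flags [S], seq 5, win 64240, length 0",
    "12:00:02.000300 IP 192.168.1.88.80 > 192.168.1.180.49152: Flags [S.], seq 0, ack 6, win 65535, length 0",
    "12:00:02.000600 IP 192.168.1.180.49152 > 192.168.1.88.80: Flags [P.], seq 1:81, ack 1, win 512, length 80",
    "12:00:03.000000 IP 192.168.1.180.5353 > 192.168.1.1.53: 4660+ A? example.com. (29)",
    "12:00:03.000500 IP 192.168.1.1.53 > 192.168.1.180.5353: 4660 1/0/0 A 93.184.216.34 (45)",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# TCP lines end in "length N"; DNS-over-UDP lines end in "(N)".
LEN_RE = re.compile(r"length (\d+)$|\((\d+)\)$")


def parse_line(line):
    """Turn one tcpdump text line into a dict, or None if it is not an IPv4 packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    lm = LEN_RE.search(rest)
    payload = int(lm.group(1) or lm.group(2)) if lm else 0
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        # Heuristic: tcpdump prints "Flags [...]" for TCP; anything else here is UDP.
        "proto": "tcp" if rest.startswith("Flags") else "udp",
        "payload": payload,
    }


def matches(pkt, host=None, port=None):
    """Emulate the BPF primitives 'host X' and 'port N' from the video: both
    are direction-less, so they match either endpoint of the packet."""
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def filter_capture(lines, host=None, port=None):
    """Parse and keep only the packets a 'tcpdump host X port N' filter would show."""
    pkts = (parse_line(line) for line in lines)
    return [p for p in pkts if p is not None and matches(p, host, port)]


def summarize(pkts):
    """Answer the 'too much data' problem: which destination ports and which
    conversations carry the packets and payload bytes."""
    by_dport = Counter()
    by_conv = Counter()
    for p in pkts:
        by_dport[p["dport"]] += 1
        # Normalise direction so both halves of a flow count as one conversation.
        conv = tuple(sorted([p["src"], p["dst"]]))
        by_conv[conv] += p["payload"]
    return by_dport, by_conv


if __name__ == "__main__":
    everything = filter_capture(SAMPLE_LINES)
    dports, convs = summarize(everything)
    print("packets per destination port:", dports.most_common(3))
    print("payload bytes per conversation:", convs.most_common(3))
    print("only port 80:", len(filter_capture(SAMPLE_LINES, port=80)))
    print("only host 192.168.1.88:", len(filter_capture(SAMPLE_LINES, host="192.168.1.88")))
```

The filter functions mirror the two forms run in the video (`tcpdump -i eth0 port 80` and `tcpdump host 192.168.1.88`); combining `host` and `port` in one call is the same as writing `host X and port N` on the tcpdump command line.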
In this video I’m going to be explaining to you Netcat. Now, Netcat is a command that is basically the Swiss Army knife of doing many things. First of all, it is available on Linux, and you can get it to install on Windows. It’s basically a quick port scanner. It’s a command I use very frequently if I want to just check if a port’s open without having to go through the whole Nmap thing. I’ll just run this command. It’s very quick, very easy to run, and it’ll tell me if a port is open. Or you could even do a whole range of ports if needed. And you can even send files through it. And you can even do a simple chat server if needed. So let’s take a look at how to do it. And it’s a pretty simple command to run, not complex at all.
And you can get this on Windows. Now you could type nc, or you could actually type out the word netcat. I’m to the point that I just type nc. Okay? So what I want to do is I want to tell it to look for open ports. That’s the -z. I want to say verbose, so I actually want to see the output itself as it’s doing it. We’re going to do tia.edu, and I’m going to actually just put a port in there that I want to check first. If I want to check for port 80: is that open? Yes, it is. So it’s telling me port 80. Now we saw this in Nmap when I ran it. Is port 53 open? Let’s see if it allows me to do that. Yes, it is. But what if… so I can even go in here. We know 21 is open. Oops, that one is not right. The connection was refused. That was quick.
I was actually going to type 21 in there. And this one here should be open. So it’s really quick if you want to do a range of ports. And this here could take a couple of minutes to scan. So I’m not going to watch it scan. But you can actually go in there and put, like, from 1 to 100. So you could do this. It’s a great little command to help you do this, but there are other things that it does. Don’t forget, you can set up simple chat servers with this thing. And you can also do things like setting up file transfers to send files across the network. Don’t forget, this is available for both Windows and Linux, but it comes preinstalled here on Kali Linux. Just use the nc command to get it started.
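An added example, not from the video and not Netcat’s own code, showing what `nc -zv host port` does under the hood and why the video got "Connection refused" so quickly: a plain TCP connect with no data sent. Open ports complete the handshake, closed ports answer with a reset (that is the refusal), and ports behind a firewall that drops the SYN just time out, which is why a range scan against a filtered host crawls. The listener and the "closed" port below are constructed fixtures on 127.0.0.1 so the script runs offline; the point of the script is checking the exposure of a host you administer, for instance after a firewall change.

```python
import socket


def check_port(host, port, timeout=2.0):
    """Do what `nc -zv host port` does: complete a TCP connect, then close it
    without sending any data. Returns one of:
      "open"     - the handshake completed, something is listening
      "closed"   - the host answered with RST (nc prints "Connection refused")
      "filtered" - nothing came back before the timeout, typical of a firewall
                   that silently drops the SYN
      "error"    - anything else (no route, name resolution failure, ...)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"


def check_range(host, first, last, timeout=0.5):
    """The 1-to-100 style range from the video; keep the timeout short, because
    on a host that drops packets every filtered port costs a full timeout."""
    return {p: check_port(host, p, timeout) for p in range(first, last + 1)}


def start_local_listener():
    """Constructed fixture standing in for a real service: a listening socket on
    127.0.0.1. Port 0 asks the OS for a free port. The kernel completes the
    handshake into the backlog, so connects succeed even though we never accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Find a port nothing is listening on: bind, note the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, listening = start_local_listener()
    print("listener on", listening, "->", check_port("127.0.0.1", listening))   # open
    closed = free_closed_port()
    print("nothing on", closed, "->", check_port("127.0.0.1", closed))          # closed
    srv.close()
```

The three-way result (open, closed, filtered) is the same distinction Nmap reports in its STATE column; Netcat only prints the open and refused cases, so a port that simply times out is the "filtered" case you have to infer from the delay.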
In this video, we’re going to be taking a look at a really powerful security framework in Linux called Sn1per. Now Sn1per is a paid service. It is a paid application, but you can get a community edition that’s basically free. Now this thing does require a little bit of an installation procedure, and it does take very long to install it. So the link to install it into Linux, I’m going to put it in the description; follow the tutorial in it and you’ll be able to install it. Now this thing does take a long time to run. And basically what it is, is a giant scanner. And what this thing does is that it’s going to scan a particular host. And what it does is that it combines many frameworks, from Metasploit to Nmap to many other different frameworks, to the OSINT framework, CVE. It’s going to be loaded.
It’s going to tell you a lot of information about this particular host. Do not run this software against hosts that you’re not authorized to. So I’m going to go ahead now and I’m going to run it. So you can just type in sniper. And basically here it is. It’s fully installed and it’s really simple to run. You just type -t for the target. We’ll type the computer that I have on my network here, and this is that Windows 7 machine that I have now. It will take an incredible amount of time to run, so I ran it before I started the video and I just wanted to show you guys the output of it. So here it is, here’s the output and it’s finally done. And just a couple of quick things: this is going to go on and on for quite a while with all the data that it found. And then I’ll show you the folder where it outputted it too.
So this machine here is running on a Windows 7 box, and it’s going to tell us some information about what it found. So it’s telling us right here it connected. This is coming from the Nmap port 21. It was a FileZilla. So that’s pretty good. I actually realized it was a FileZilla FTP. Here’s the MAC address of the machine. It was an Oracle; it even knew it was a VirtualBox. So it knows it’s some kind of Windows 7, or it could even be a Server 2008. It goes in to tell you more things about it, and then notice how it’s running Metasploit and it’s going to try to exploit it using a variety of different CVE attacks against it. Notice how it’s running this for a backdoor exploit.
And then it does a few other things that are going to be way beyond the scope of our class to go into. But you guys can have a lot of fun doing this. So when it’s done, just scroll all the way down, because there’s a lot of information here. When it’s done, it’s going to output a file, a folder with a whole bunch of different directories in it. So here’s the folder, and you just have to follow the link here, and basically you go in here and it tells you what it found on this IP address. So it can tell you, well, this domain is all sorted. So it only found one domain in there. The target, of course, was just that one machine that I targeted. And then it goes in to tell you what Nmap found: what live hosts it found, the MAC addresses that are associated with those hosts, and that the node was a VirtualBox.
The great thing is that it’s categorizing it for you and it’s telling you, hey, what exactly was out there? So here’s the Nmap output, so you don’t have to look at all this crazy garbage behind me here. It puts it nicely in a folder here for you. OS fingerprint: and it knows, that’s good, it knows it’s running on Windows 7, which it is running on a Windows 7 box. Ports: okay, there’s one open, that one there, and that’s an old one. Here we go. Here are the ports that are open: 135. So it is a Windows box; it is running 21 and so on that it does have open. So that’s just Nmap. Now we do have vulnerabilities that it could have found. It ran a Nessus and it found, okay, nothing there.
Let’s see what else. When we have vulnerability reports, it found one critical vulnerability, P1 critical: default credentials were used. We have Nmap that it found, and the administrator account was blank. We should have some valid account; it is disabled though. So you can see that it really goes out and it categorizes a lot of information for you. This is an excellent command for any pen tester’s toolkit. Of course it’s an excellent thing for a hacker’s toolkit too. Anything that’s good for a pen tester is also good for a hacker. But hey, that’s not us. We are ethical hackers here. We are pen testers. So it’s all good, go and have some fun with this. But once again, do not try this command on hosts that you do not own.
In this video we’re going to be taking a look at a pretty useful command when you want to do a port scan against a host by hiding yourself. So scanless is basically a utility in Linux that allows you to hide who you are. So basically it does a port scan by using other domains, and it does have a list in it. Let’s take a look. So let’s say scanless, and if you want a list of what type of scanners you can use, we can do that. We can do scanless -l and we’ll see that these are the scanners it can use. So basically when we scan people, it’s going to use one of these domains as the scanner. So it’s going to look like it’s coming from hackertarget.com or spiderip.com. So it’s pretty simple. Here we go. We’re going to do scanless. We’re going to do the target, which is going to be tia.edu, who we’re scanning.
And basically that’s it. You know what, we’ll just use a random scanner. Any one of those from the list there, we’re okay with. So you can actually put in the scanner name. You can do a dash and select which one of those you want. We’re just going to press Enter. So it decided to use hackertarget, and then it went ahead and scanned the ports for us. And we do notice a web server. We scanned this with Nmap earlier. This is a pretty cool utility that basically hides who you are when you’re doing the scan. And so if you’re doing a pen test for an organization and you don’t want them to know, or maybe it’s more of a secretive test and you don’t want anyone to figure out that it’s being scanned and who’s doing it, use this command to hide your identity when doing a port scan.
In this video, I’m going to be going over a really powerful utility that helps you to understand the target that you’re trying to scan, and that is Nmap. Now, the network mapper: basically there are two ways to do it. You could use the command line and you could use the graphical interface. We’ll take a look at the graphical interface; it just makes it easier because it’s a very well-written graphical interface. And this is a software that’s called Zenmap. So you can actually download Zenmap, and somewhere here, now my browser here should open up Zenmap. You could just download this and it’s going to include all of the graphical interface that you need on it, and it just makes it a whole lot easier. So we’ll do a quick scan. Once again, in this video, I’m going to be scanning my own web servers. You should not be doing this if you don’t have permission for the host that you’re scanning.
Now this is going to take a couple of seconds to open and then we’re going to run a pretty good scan against tia.edu. tia.edu is actually hosted on a web server on a web hoster called HostGator that we host this on. And by the way, I’m not giving anyone in this video permission to scan our websites. I’m just scanning my own site. So I don’t expect to see traffic on my website from you guys. Keep that in mind, please. Again, I am not giving anyone permission to scan our website. You have to get your own. Okay, so we’re going to be scanning this website. So it already resolved the host names; it already starts to tell me what port numbers are open. So the main objective of this particular scan is not just to tell you the ports that are open, but it’s also going to be telling you what services are running.
So it’s going to tell us things like what FTP is running, what DNS is running. It’s also going to tell us things such as guessing the operating system, which is very useful. Now you could use Nmap in a command line, and you notice there is a command here. So it’s nmap -T4 -A -v. And this is basically going to do a full intense scan. This does take a few minutes to run; still, run it. Okay, so it’s basically completed there. And let’s take a look at the output that we have on it. So the first thing it did was that it discovered the ports. So we’re running on a SQL port. Now this is a shared web host, and so there’s many other sites on this web hoster. Port 443, port 53. So we got a web server, we got DNS, we have FTP, we have a web server, 22 I think is SSH, we have port 110, POP3, I think 993 and 995, those are going to be secure POP and IMAP.
So you got quite a lot of ports open here. But if I go down, notice how it’s telling me on port 21 I have that FTP server, and it’s telling me the type of FTP that it’s running. I also have an SSH server. It’s telling me the SSH that it’s running as I keep on going down. It even tells me that I’m running some kind of Red Hat Enterprise Linux 6. That’s what’s running the DNS server. It runs on Apache web server. So it keeps on going. It tells me a lot of information about what we’re running on this and all the other services and different types of services that it’s running. This gives you a lot of information. Now that we have this type of information, we can then attempt to go and attack this web server because we know what services are running. We can find vulnerabilities by looking at the CVE.
If you guys remember from CVE earlier in the course we talked about, you can find vulnerabilities in CVE based on the different versions of these services that we are running in here. The good thing is that it even tries to guess the operating system. It told us that we already started running some kind of Red Hat Linux. It tells us the OS details: Linux 4.4, which is probably going to be the kernel of it. Okay, so this is a very good scan. You do have a variety of different options that are located here. I just did the best one, which is the intense scan. You guys can check this out. Please, again, do not scan things that you don’t have permission to. But if you do have permission, go right ahead and scan away.
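An added example, not from the video and not part of Nmap or Zenmap, that turns the kind of output the video scrolls through into something a defender can act on. The nmap "normal" output embedded below is constructed for a hypothetical host (example.test, with made-up services and version strings; it is not the result of the scan shown in the video). The script pulls out the PORT/STATE/SERVICE/VERSION table and the OS guess, separates the services where `-sV` recovered a precise dotted version (the ones you can actually check against CVE entries, as the video describes) from the ones that only gave a product name, and compares the open ports against the allow-list documented for the host so anything undocumented stands out.

```python
import re

# Constructed nmap "normal" output for a hypothetical host, example.test.
# The services and version strings are made up for this example; they are not
# the results of the scan shown in the video.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for example.test (203.0.113.10)
Host is up (0.012s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE  VERSION
21/tcp   open   ftp      Pure-FTPd
22/tcp   open   ssh      OpenSSH 7.4 (protocol 2.0)
53/tcp   open   domain   ISC BIND 9.11.4
80/tcp   open   http     Apache httpd 2.4.6
110/tcp  open   pop3     Dovecot pop3d
443/tcp  open   ssl/http Apache httpd 2.4.6
993/tcp  open   ssl/imap Dovecot imapd
995/tcp  closed pop3s
OS details: Linux 4.4
Service Info: OS: Linux
"""

# One row of the port table: "80/tcp   open   http     Apache httpd 2.4.6"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)
OS_RE = re.compile(r"^OS details: (?P<os>.+)$")
# A dotted release number is what makes a version string matchable against CVEs.
DOTTED_VERSION_RE = re.compile(r"\d+\.\d+")


def parse_nmap(text):
    """Pull the port table and the OS guess out of nmap's human-readable output."""
    report = {"ports": [], "os": None}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            report["ports"].append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip() or None,
            })
            continue
        m = OS_RE.match(line)
        if m:
            report["os"] = m.group("os")
    return report


def open_services(report):
    return [p for p in report["ports"] if p["state"] == "open"]


def versioned_services(report):
    """Open services where -sV got a dotted version number: these are the ones
    whose exact release can be checked against CVE entries for a patch decision.
    A bare product name (e.g. 'Pure-FTPd') is not precise enough for that."""
    return [p for p in open_services(report)
            if p["version"] and DOTTED_VERSION_RE.search(p["version"])]


def unexpected_open_ports(report, expected):
    """Defender's view: which open ports are not on the documented allow-list
    for this host? Anything listed here is either undocumented or should be closed."""
    return sorted(p["port"] for p in open_services(report) if p["port"] not in expected)


if __name__ == "__main__":
    rep = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print("OS guess:", rep["os"])
    for p in versioned_services(rep):
        print(f"{p['port']}/{p['proto']} {p['service']}: {p['version']}")
    print("not on allow-list:", unexpected_open_ports(rep, {22, 80, 443}))
```

On a shared host like the one in the video most of the open ports belong to the hoster’s mail and DNS services rather than to your site, so the allow-list is whatever the hosting contract says should be exposed; the parser works the same on output saved with `nmap -oN`.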