In this lesson, I'll talk about Nmap. Nmap is an important tool for intelligence gathering. It'll give you a picture of what is running on your network. What systems are running, what software each of the ports are running on, what open ports there are. And it also can get a lot of other information that you may not have readily available to you if you have a large network. So Nmap is generally run via command line. However, there is a GUI version called Zenmap as well. So I'm just going to type in nmap, which is the command line side, 128.198.44.10. Now this going to be a regular scan, which it's going to scan the most commonly used ports, and scan those to determine whether or not those ports are up and running and what operating system it could be. The scan has taken about one minute to complete, looks like it has found that all 1000 ports on the system, which is my wired system, are filtered. Which means that they are not necessarily closed, but they are not accepting any traffic to those ports. So the host is up and running, and it will tell you how long it took to ping that address. If we did an intense scan, we might be able to find more information about the system. And we'll do that here on another IP address. So let's move over to Zenmap so we can easily see what's going on. So I'm going to scan this real quick, and instantly, because of the -v, which means verbose, I'm able to see what the scan is doing in real time. You may see down here at the bottom, while this is running, something that's called NSE. This is the Nmap Scripting Engine. The NSE is a very powerful tool that Nmap has to run scripts for all kinds of things. There are authentication tests, there's broadcast scripts, there's brute force scripts, discovery tools like DNS lookups, among other things. Fuzzing, fuzzing is a big one as well looking at what kind of traffic we can send to the system to try to get it to crash. There's also exploit scripts out there as well that we can use directly from Nmap to perhaps exploit a system. And we don't need a large attack sweep. So the intense scan has just completed, and let's look at some of the results. So we already saw that there are open ports here, but let's dig into these. Okay, so, looks like there are 23 ports that are open and 977 ports that are closed. Now because of the intense scan, it also shows us exactly what is running, what software is running on each of the open ports. So it looks like here, port 21 has FTP open. And that is running vsftpd 2.3.4. Now I can use a lot of this information and compromise the system if I have found a vulnerable version of the software. Because of some other scripts, like the script that looks at what is running on port 25 here, which is email, SMTP, it gives me some more information that tells me the possible name of the system. And this one happens to be metasploitable, which we'll exploit here later on in another lesson. Some of the other software that's running on it, Apache httpd 2.2.8, which is a vulnerable version, rpcbind is also vulnerable as well on this system. MySQL is open, and you never want that to be open. Looks like 2121 proftpd is also available. But using Nmap gives us a large amount of information that we can use to compromise anything that we find. And Zenmap allows us to see this information in a nice GUI. If I click on Host Details, I get some more information that's usually not available inside of the main output. However, I can also switch over to Topology and look at where this is connected. Because this is a virtual machine, it's directly connected. However, if I look at my Hosts Viewer, I can look at services that are running and it'll show me easily all these services that are open. So if it's able to extract information by running a script, it will. Nmap has a lot more capabilities, and I will put links to most of this information in one of your readings. But I use Nmap on a regular basis, and it helps me while I'm trying to figure out what systems are on the network. We run a very large network here at the university. It's a Class B network, which means that we have 65,000 hosts or capability to have over 65,000 publicly available hosts on our network. Scanning even just a little bit of those takes some time. So Nmap helps identify what could be opened very quickly. I've used Nmap before when there was been some major network vulnerabilities, it has been able to tell me vulnerable versions of Java, for example, through Nmap when I didn't want to use other software, such as Nessus.
