Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Okay, so let's dive into this whole world of network security.
It's a jungle out there, right? But like understanding how
hackers think, that's got to be our first line of defense.
Speaker 2 (00:09):
Right, Yeah, definitely. It's like you got to learn the
language they use, the vulnerabilities, the exploits, all that, exactly.
Speaker 1 (00:15):
And the cool thing is we've got this powerful tool
we can use: Nmap. It's free and everything.
Speaker 2 (00:20):
Yeah, Nmap. Everyone uses it. I mean the pros obviously,
but let's be real, the not so ethical hackers too.
It's that good.
Speaker 1 (00:27):
It's like the Swiss Army knife of network security. But
before we start hacking everything in sight, we need like
a safe place to practice, right? Don't want to accidentally
unleash chaos on our own systems.
Speaker 2 (00:37):
Oh absolutely, can't have any friendly fire incidents in the
digital world. That's where virtual machines come in. VMs. Think
of it as a computer within.
Speaker 1 (00:45):
Your computer. A computer within my computer. Okay, so
it's like a totally separate.
Speaker 2 (00:48):
Environment, exactly isolated. You can test things out, experiment and
there's zero risk to your main system.
Speaker 1 (00:55):
So I can like go wild in there and try all
sorts of crazy stuff and it won't mess up my
actual computer? Exactly.
Speaker 2 (01:01):
You break it, just delete it, start over, no harm done.
Speaker 1 (01:04):
That is reassuring. Okay, so VMs, got it. And what
about the operating system? Is there a particular one that's
best for, you know, ethical hacking?
Speaker 2 (01:12):
Good question. Linux is really popular in the security world,
especially Kali Linux. It comes preloaded with a ton of
security tools.
Speaker 1 (01:21):
Nmap included, like a whole arsenal ready to go. Exactly. Okay,
I'm ready to dive in. But Nmap, it's got
a bit of a reputation for being, well, a little complex.
Where do we even start?
Speaker 2 (01:33):
Think of it like planning a heist, but you know
the ethical kind.
Speaker 1 (01:37):
Okay, love a good heist analogy.
Speaker 2 (01:39):
Right, So penetration testers, these are the good guys who
hack into systems to find weaknesses. Right. They follow a
structured approach. It's not just random chaos.
Speaker 1 (01:47):
There's a method to the madness. So what's the plan?
Speaker 2 (01:49):
Five key phases: reconnaissance, scanning, gaining access, maintaining access, and
then covering your tracks. Sounds intense. It can be, but
today we'll be focused on those first two: reconnaissance and scanning.
Speaker 1 (02:02):
Reconnaissance. That sounds like we're going undercover, gathering intel.
Speaker 2 (02:05):
Exactly. Before you even think about attacking, you've got to
understand your target, right? That's reconnaissance. We gather as much
information as possible about the network, the systems, even the
people involved.
Speaker 1 (02:16):
So knowledge is power. But how do we actually gather
that information in the digital world? It's not like we
can just peek through windows.
Speaker 2 (02:25):
Well not exactly. There are two main approaches, active and
passive reconnaissance. Active reconnaissance that's when you directly interact with
the target.
Speaker 1 (02:34):
Okay, so like knocking on their digital door pretty much. Yeah.
Speaker 2 (02:38):
Passive reconnaissance is more about using what's already out there,
publicly available information, open source intelligence or OSINT.
Speaker 1 (02:47):
OSINT, got it. So like googling someone? It can.
Speaker 2 (02:50):
Be that simple. Think about what you could find out
about a company just from their website social media. You'd
be surprised, that's true.
Speaker 1 (02:57):
You can find out a lot just by like digging
around online.
Speaker 2 (03:00):
Exactly, and that's just scratching the surface. There are tons
of other open sources out there, public records, industry databases,
you name it.
Speaker 1 (03:07):
Wow, so much information out there. Okay, so we've done
our reconnaissance, we've gathered our intel. Time to start scanning
with Nmap, right? You got it.
Speaker 2 (03:17):
Scanning is where we start to probe the target system
a bit more actively. We're looking for those open doors,
those vulnerabilities that we can exploit ethically.
Speaker 1 (03:26):
Of course. Open doors, like open ports. You mentioned those earlier.
Speaker 2 (03:30):
Exactly. Think of a computer system like a house, right?
Each port is like a door. Some are locked, some
are open. Nmap helps us find those open doors,
the ones that might allow us to get inside.
Speaker 1 (03:40):
Okay, that makes sense. So how do we actually use Nmap?
It seems pretty complex, like a lot of technical commands
and stuff.
Speaker 2 (03:45):
It can be, but we'll start with the basics. And
to use Nmap effectively, we need to get comfortable with
the Linux terminal. Think of it like the command center
for your computer. It lets you interact with the operating
system directly. The Linux terminal.
Speaker 1 (03:58):
Okay, I have to admit that's always seemed a
bit intimidating, all those cryptic commands.
Speaker 2 (04:03):
I get it. It can feel like a foreign language
at first, but trust me, it's more user friendly than
it looks. It's like learning any new language. Once you
get past that initial learning curve, it opens up a
whole world of possibilities.
Speaker 1 (04:16):
Okay, you've convinced me. Let's talk about those commands. What
are some of the basics?
Speaker 2 (04:21):
Well, for starters, navigating files and directories in the terminal,
it's pretty similar to browsing through folders on your computer.
You've got commands like pwd, which tells you your current
location, like a digital.
Speaker 1 (04:33):
Compass, a digital compass, I like that.
Speaker 2 (04:35):
Then there's cd for changing directories, like clicking on a
folder to open it. ls lists all the files and
folders in your current directory, and mkdir lets you create
new directories, just like creating new folders on your computer.
Speaker 1 (04:49):
Okay, so pwd, cd, ls, mkdir. Those seem manageable. Exactly.
Speaker 2 (04:54):
Those are your bread and butter commands, and once you've
got those down you can start exploring some of the
more advanced ones.
Speaker 1 (05:00):
So with these basic commands, we can start navigating the
terminal and get ready to unleash Nmap. Precisely.
Speaker 2 (05:06):
And once we've got Nmap up and running, we
can really start digging into the nitty gritty of network security.
All right, so we're feeling good with the Linux terminal.
Time to fire up Nmap and see what this
thing can do.
Speaker 1 (05:16):
Let's do it. Unleash the scanning power. I'm ready.
Speaker 2 (05:18):
Remember that small business scenario we talked about. Let's say
during reconnaissance we found out their website is hosted on
a server, IP address 192.168.1.100. I got it.
So a basic Nmap scan is easy. Just type nmap
followed by that IP address.
Speaker 1 (05:35):
So just like that, we're scanning their system.
Speaker 2 (05:37):
Well, hold on a sec. That basic scan is kind
of like shining a giant spotlight on ourselves. Any decent
network admin is going to see that coming a mile away, right?
Speaker 1 (05:45):
Got to be stealthy about it? Exactly.
Speaker 2 (05:48):
We want to be more like ninjas slipping in unnoticed.
Speaker 1 (05:50):
Love it. So how do we do that? How do
we become Nmap ninjas?
Speaker 2 (05:53):
Nmap's got a bunch of different scan types. The
-sS flag, for example, that's a SYN scan, much harder
to detect.
Speaker 1 (06:00):
Okay, SYN scan sounds stealthy, but how does it actually work?
Speaker 2 (06:04):
Imagine this: a normal TCP connection. It's like knocking on
a door and waiting for someone to say come in
before you enter.
Speaker 1 (06:11):
Right, standard procedure.
Speaker 2 (06:13):
A SYN scan is more like gently testing the doorknob to see
if it's unlocked. You're not making a big scene, just
quietly checking things out.
Speaker 1 (06:21):
Very sneaky. I like it. So that helps us find
those open ports. But what about finding out more about
what's behind those doors? You know, the actual services running?
Speaker 2 (06:30):
Excellent point. That's where version detection comes in. We can
add the -sV flag to our Nmap command.
Speaker 1 (06:36):
-sV, got it. And that tells us.
Speaker 2 (06:39):
It tells us not just what service is running, but
often the exact version, and that, my friend, is gold.
Speaker 1 (06:44):
Okay, I'm sensing this is important. Why is the version
number so.
Speaker 2 (06:48):
Crucial? Because outdated software, more often than not, it's got vulnerabilities,
weaknesses that hackers can exploit.
Speaker 1 (06:55):
So it's like knowing someone's door's unlocked and that they
haven't updated their security system in years.
Speaker 2 (06:59):
Big red flag, exactly, a hacker's dream. Let's say our
scan shows they're running an older version of Apache web server,
for instance. What do we do?
Speaker 1 (07:07):
Time to hit the internet. Google "Apache version number exploit."
You got it.
Speaker 2 (07:13):
Websites like Exploit Database, CVE Details, they're gold mines for
this kind of stuff, like catalogs for security flaws.
Speaker 1 (07:21):
So we find a potential exploit. What then? Do we
unleash it on their system just to prove a point?
Speaker 2 (07:29):
Well, hold your horses there. Remember we're the good guys,
the ethical hackers. We're not in the business of actually
causing harm. We just want to find the weaknesses so
they can be.
Speaker 1 (07:38):
Fixed, right of course, ethical hacking. So how do we
learn from these exploits without actually exploiting them?
Speaker 2 (07:45):
By understanding how they work, we can get into the
minds of the attackers, see how they think. Plus, a
lot of these exploits they have what's called proof of
concept code available publicly. Proof of concept code basically a
demonstration of how the exploit works. We can take that code,
examine it in a safe environment, of course, and see
exactly how it targets the vulnerability.
Speaker 1 (08:04):
So it's like studying your opponent's playbook exactly.
Speaker 2 (08:07):
You learn their moves, their strategies, and that helps you
build up your own defenses.
Speaker 1 (08:12):
Makes sense. So we can analyze this code, understand the exploit,
and figure out how to protect.
Speaker 2 (08:17):
Against it, precisely. And there are tools that can actually
help us manage and even automate these kinds of tests.
Have you heard of Metasploit?
Speaker 1 (08:25):
Metasploit, Yeah, it's kind of legendary in the security world.
Speaker 2 (08:28):
Right it is. Metasploit is a framework for developing and
executing exploits. But like any powerful tool, it can be
used for good or for let's say less than good purposes.
Speaker 1 (08:39):
Right, double-edged sword. Exactly.
Speaker 2 (08:41):
Our goal is always ethical hacking, using these tools to
make systems more secure, not less.
Speaker 1 (08:47):
Absolutely so, how does metasploit actually work? What's the gist?
Speaker 2 (08:51):
Think of an exploit as like a key that can
unlock a system and give you access. Metasploit, it's like
this massive keychain holding tons of different keys, all neatly organized.
Speaker 1 (09:01):
Okay, I like that analogy. So we've got our keychain
full of exploits. What do we do with it?
Speaker 2 (09:05):
Well, first, you need to know what door you're trying
to unlock, what system, what vulnerability. Remember that Apache server
we were.
Speaker 1 (09:11):
Talking about, yep, the one with the outdated software.
Speaker 2 (09:13):
Right. So we'd search Metasploit's database for exploits specifically designed
for that Apache version.
Speaker 1 (09:19):
Okay, we find the right key for the right door.
Speaker 2 (09:22):
Then what? Here's where things get interesting. We need to
tell Metasploit what to do once it gets inside, and
that's where payloads come in.
Speaker 1 (09:30):
Payloads, like a little gift we leave behind?
Speaker 2 (09:33):
You could say that, a calling card, but in our case
the calling card might be something harmless, a simple message
or a command, just to prove we were there.
Speaker 1 (09:43):
So we're not trying to actually disrupt their system, just
showing them that we could have if we wanted to.
Speaker 2 (09:48):
Exactly. It's about raising awareness, not causing.
Speaker 1 (09:51):
Chaos, right, responsible disclosure and all that. So Metasploit lets
us simulate a real attack, but in a controlled way,
like a training ground for ethical hacking.
Speaker 2 (10:01):
Exactly, a flight simulator for hackers. And the best part
is Nmap and Metasploit, they can actually work together.
Speaker 1 (10:07):
Oh tell me more about this dynamic duo.
Speaker 2 (10:09):
So Nmap, it does the initial recon, scans the system,
identifies potential vulnerabilities. Then we can take that intel, feed
it right into Metasploit.
Speaker 1 (10:17):
And Metasploit takes it from there, helps us choose the
right exploit to test those vulnerabilities.
Speaker 2 (10:22):
You got it. It's like a one-two punch.
Nmap finds the weak spots, Metasploit helps us see how
those weak spots could be exploited in a real world attack.
Speaker 1 (10:32):
Wow, that's impressive, and this is all stuff that people
can learn to do themselves.
Speaker 2 (10:36):
Absolutely. Yeah, with the right resources and a little bit
of practice, anyone can do this.
Speaker 1 (10:40):
That's amazing. So what's next in the world of Nmap?
Where do we go from here?
Speaker 2 (10:46):
Well, Nmap has this other trick up its sleeve. It's
called the Nmap Scripting Engine, or NSE for short, and this
is where things get really interesting.
Speaker 1 (10:55):
All right, back for more Nmap goodness. Last time
we were getting really into it with Metasploit, and you mentioned NSE,
the scripting engine. That's Nmap's secret weapon.
Speaker 2 (11:03):
Right. You could say that it's like the difference between
having a pre made toolbox and having a workshop where
you can build your own custom tools. That's NSE.
Speaker 1 (11:12):
Love it, building our own tools. But before we start
writing code, break it down for me. What can we
actually do with NSE?
Speaker 2 (11:20):
So NSE scripts they can do all sorts of cool stuff,
but first it helps to understand the different types. They
each have their own little job.
Speaker 1 (11:27):
Okay, different types of scripts, makes sense. What, give me
some examples?
Speaker 2 (11:30):
All right. So some scripts, they're called prerule scripts,
and those guys, they run even before Nmap starts
its main scan. Before.
Speaker 1 (11:38):
The scan even starts. Interesting, what would you need that for?
Speaker 2 (11:42):
Think of it like this. You're investigating a company, right?
A prerule script could be like discreetly checking for
any public directories they might have left open before you
even approach their main servers.
Speaker 1 (11:54):
Ah, So gathering some intel on the down low before
the real action begins.
Speaker 2 (12:00):
Exactly. Then you've got your host and service scripts. Those
kick in once Nmap has some basic info about the target.
Speaker 1 (12:07):
So the host scripts are all about the device itself,
and the service scripts are focused on specific services running
on that device.
Speaker 2 (12:14):
You've got it. Specialization is key, right? And then we've
got postrule scripts. Think of these as the cleanup crew.
Speaker 1 (12:20):
They come in after the scan is done exactly.
Speaker 2 (12:23):
They analyze the results, look for patterns, summarize findings, maybe
even trigger other actions based on what Nmap found.
Speaker 1 (12:30):
Wow, so they're like the analyst putting all the pieces together.
This is powerful stuff. But we've got to talk about the
elephant in the room. Yeah. How hard is it to
actually write these scripts?
Speaker 2 (12:39):
Honestly, not as hard as you might think. Nmap uses Lua,
which is known for being pretty beginner friendly as far
as scripting languages go.
Speaker 1 (12:47):
Okay, that's good to know.
Speaker 2 (12:48):
Plus, Nmap's documentation is seriously top notch. Tons of example scripts,
clear explanations, all that good stuff.
Speaker 1 (12:56):
All right, so it's manageable. But let's get specific. What
are like the core things someone needs to know to
write an NSE script?
Speaker 2 (13:03):
It's like this. Imagine you're giving instructions to a really,
really capable assistant, but one who takes everything you say
very literally. That's Nmap.
Speaker 1 (13:13):
Okay, I can see that.
Speaker 2 (13:14):
So first things first, you describe what your script does.
You know, a title, a little blurb, just so anyone looking
at your code understands what's up.
Speaker 1 (13:22):
Like a little introduction, setting the stage.
Speaker 2 (13:24):
Yep. Then come the rules. These tell Nmap when to
actually run your script, like is it a script specifically
for web servers or for devices running a certain operating system?
Speaker 1 (13:37):
We're basically setting the conditions for when our script springs
into action. Exactly.
Speaker 2 (13:42):
And then the heart of it all, the code itself.
This is where you get to use Nmap's.
Speaker 1 (13:46):
API. API sounds techy.
Speaker 2 (13:49):
Fancy word, but all it really means is Nmap's toolkit.
It's what lets your script actually do stuff: send network requests,
read the responses, play around with data, all that jazz.
Speaker 1 (14:00):
Basically teaching Nmap new tricks, combining its existing skills in
new and creative ways. Nailed it.
Speaker 2 (14:06):
Let's say, for example, you want to check if a
web server is running a very specific version of
Apache, one that's known to be vulnerable.
Speaker 1 (14:12):
Sounds like a pretty common real world scenario.
Speaker 2 (14:15):
Oh for sure. So your NSE script, first it would
need to figure out if it's even looking at a
web server. Usually those are running on port 80 or
443. Okay, makes sense. And then it
sends a request to that server, kind of like what
your web browser does when you load a web page.
Speaker 1 (14:29):
Right, but instead of showing us a web page, our
script is looking for clues. Exactly.
Speaker 2 (14:34):
See, web servers often spill the beans about what software
they're running right there in the response header. Our little
script can grab that header, check it out, and bam,
if it finds that vulnerable Apache version we're after, we've
got ourselves a red flag.
Speaker 1 (14:47):
Wow. That's incredible. And people can actually learn to do
this themselves?
Speaker 2 (14:50):
That's the beauty of Nmap and NSE. It's not just
about using a tool, it's about becoming an active participant
in this whole world of cybersecurity. You learn tools, you
build your own, you share your knowledge, and the whole
community benefits.
Speaker 1 (15:04):
I love that. So we've gone from feeling a bit
lost in the Linux terminal to navigating it like pros,
from basic Nmap scans to understanding exploits, and now
just dipping our toes into the world of NSE scripting.
Speaker 2 (15:17):
And remember this is just scratching the surface. The more
you learn about cybersecurity, the more you realize there is
to learn.
Speaker 1 (15:23):
It's a journey, not a destination.
Speaker 2 (15:25):
Exactly. So to everyone listening, never lose that curiosity, keep experimenting,
keep learning. Who knows, maybe you'll be the one teaching
us the latest Nmap trick someday.
Speaker 1 (15:35):
Absolutely. Keep those Nmap skills sharp, everyone. Thanks for
joining us on the deep dive.