Warning / disclaimer
This post does not promote or encourage any illegal activities. All content provided in this post is meant for educational purposes only.
Footprinting tutorial
And plus, on top of that, I'm not scanning long range over the internet, or something of a kind; I would be scanning within my own local network. So the speed of the scan would not be realistic, as it would be a lot faster than, say, when you conduct the scan over the net against some distant and remote server. So what I did was I went online, and you can do the same, and I found on the official nmap website that they have a section devoted to actually allowing people to scan them (scanme.nmap.org) to test their tool out. Now here is the, I am selecting the permission, there is a written permission here that you can actually scan this website, and they basically say, I mean you can scan it to test it out, a few scans a day here is fine, but do not scan a hundred times a day, or use this to test your SSH brute-force password-cracking tools, etc.
So that's definitely something you don't want to do, but you can run a few scans on this site per day, and according to them that's perfectly fine. You are not breaking any laws, or anything of a kind; I'm just emphasizing one more time that you do have a written permission right here on the site. Which is fantastic, because it gives us an opportunity to actually simulate real-world circumstances and see how nmap behaves. Now nmap is an inescapable tool of pretty much any pen tester out there. Many people say today that it's pointless to port scan, that it doesn't do you much good, and so on, and so forth. Well, perhaps in terms of exploiting the services running on the ports themselves it doesn't do you that much good, but just by seeing which ports are open and which ports are closed you can, to a fairly good extent, determine what operating system, or what platform, is being used on the other side, and then you can look for weaknesses of that same platform. Of course there are some other ways of doing this, I will show them to you, like banner grabbing, or something of a kind, but let's just see how nmap really works. Now nmap is known to trigger quite a lot of alarms, quite a lot of firewall and IDS red flags so to say, and you want to make sure that your nmap scans are as quiet as possible. Now there are tools to actually figure this out, but I will show you here how to actually do it via the terminal. There is also something called zenmap. Now zenmap is basically a graphical user interface for nmap, but we will not be using that. Rather, instead, I want to teach you how to use the terminal version. So nmap is the one most commonly used, and it is almost always used in the terminal text format; rarely does anybody use the actual graphical user interface. In the previous chapter, we also discussed how to stay anonymous. So, at the end of this chapter I will be combining these things: scanning, footprinting, the act of scanning, and anonymizing your scans.
However, you might think about that before you get to the final tutorial of this chapter and perhaps try to do it yourselves. It doesn't matter if you fail, or something of a kind, it truly doesn't. What is important is that you give it a shot. And you try it once, ok, failure. Fine, no problem. Try it twice, thrice; the fourth time you're bound to have some sort of results, and as long as you keep improving yourself it's fine. In any case, without further ado, let's just type in nmap --help, oops, I mistyped that of course, nmap --help, press ENTER, and there we go. There are a lot of options here, I mean a ton of options, way more options than we actually need for some sort of basic things.
However, eventually, over time, you will come to understand that all of these options are not here for nothing; they are here because they were needed at some point in time, and they are pretty much all still used. So, what you need to do is scroll down to the bottom, and here you have examples of how nmap runs. So you type in nmap -v, and almost always, 99% of the time, you want this: it is verbose output. Basically you're telling your system to give you more information in regards to what it is doing. -A, I'm not sure where this function is, ok here it is, -A: enable OS detection, version detection, script scanning, and traceroute. I don't think we're gonna need that immediately. There is -O, the function which is just for OS detection. Anyway, and then you can pass either this one, scanme.nmap.org, which is basically the domain name, which will get resolved to an IP address, or you can actually pass it an IP address. And if you're wondering what this is, the /16 or /8 suffix after the address in the examples, this is a netmask in CIDR notation. It would be very difficult to explain in great detail what this is, but for the time being, know that this actually describes an IP address range.
So it goes from a certain IP address to a certain IP address, because this goes way into networking and binary numbers, and so on, and so forth, but you do not actually need to use this format. Not that many people actually use this particular format with the mask. They just tend to specify very specific ranges, because they don't have the permission to scan the entire subnet. Rather, instead, they have to create lists, and then skip certain IP addresses, and then continue again from a certain point. So they do need to create lists, and that can be a problem. Now up here at the top you have another very important option that's gonna come in handy. You have -iL, input from list of hosts/networks (a file name). So you can actually create a list, in a file, a list of IP addresses, and then you can scan those particular IP addresses. You also have the ability to do this, look at what's written here: 10.0.0-255.1-255. So just take a look at this segment, it's 10.0, and then this segment here, this octet here, is 0-255, and then the last octet is 1-255. If you're wondering why I'm calling these things octets, it's because each one of them has 8 bits, and it is represented in binary form. So it can be 8 zeros or, I don't know, 8 ones, or a combination of ones and zeros. But it has 8 bits, so 8 positions. That's why they are called octets. This is a very common form that people tend to use, and this is what you will find yourselves using. Either this, this will be the method in which you will specify the IP addresses, or you will be passing files. So these files, usually people either make them themselves, or they can find these IP addresses on the internet. So in addition to this site, nmap.org, you also have this one here, major IP blocks. Let me just see if I've typed that in correctly. And this is a... yep, there it is. Okay, so, this is a fantastic website.
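The three target notations just discussed (a CIDR mask such as /29, nmap's per-octet ranges such as 10.0.0-255.1-255, and a file of hosts for -iL) are easy to get wrong when you have to leave out the addresses you do not have permission to scan. The script below is an added example, not code from the tutorial: it expands the notations the same way nmap does, removes a constructed "no permission" list, and writes a one-host-per-line file for nmap -iL. The target specs and the excluded addresses are made-up sample input; everything else is the Python standard library.

```python
import ipaddress
import re
from pathlib import Path

# Constructed sample input (not from the original tutorial): target specs in
# the three forms the tutorial mentions, plus addresses we are NOT permitted
# to scan and therefore must leave out of the list we hand to nmap -iL.
TARGET_SPECS = [
    "192.168.56.0/29",   # CIDR mask: 192.168.56.0 .. 192.168.56.7 (8 addresses)
    "10.0.0-1.1-3",      # nmap per-octet ranges: 2 x 3 = 6 addresses
    "172.16.10.5",       # a single host
]
NO_PERMISSION = ["192.168.56.1", "10.0.1.2"]


def expand_octet_ranges(spec):
    """Expand nmap's per-octet range syntax, e.g. 10.0.0-255.1-255.

    Each of the four octets is either a number or lo-hi; the result is the
    Cartesian product of the four ranges, which is how nmap reads it.
    """
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    choices = []
    for octet in octets:
        m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", octet)
        if not m:
            raise ValueError(f"bad octet {octet!r} in {spec!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range in {spec!r}")
        choices.append(range(lo, hi + 1))
    for a in choices[0]:
        for b in choices[1]:
            for c in choices[2]:
                for d in choices[3]:
                    yield f"{a}.{b}.{c}.{d}"


def expand_target(spec):
    """Return every address a spec covers (CIDR or octet-range form)."""
    if "/" in spec:
        # strict=False ignores the host bits, so 10.0.0.5/24 means the whole
        # /24, as it does for nmap. Iterating the network yields the network
        # and broadcast addresses too, which nmap also puts on its target list.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    return list(expand_octet_ranges(spec))


def build_target_list(specs, excludes):
    """Expand all specs, drop excluded hosts, return a sorted, de-duplicated list."""
    excluded = set(excludes)
    targets = {addr for spec in specs for addr in expand_target(spec)}
    return sorted(targets - excluded, key=ipaddress.ip_address)


def write_il_file(path, targets):
    """Write one target per line, the format nmap -iL reads; returns the count."""
    Path(path).write_text("\n".join(targets) + "\n")
    return len(targets)


if __name__ == "__main__":
    targets = build_target_list(TARGET_SPECS, NO_PERMISSION)
    n = write_il_file("targets.txt", targets)
    print(f"wrote {n} targets; now run e.g.: nmap -v -sn -iL targets.txt")
```

Before sending a single packet, `nmap -sL -n -iL targets.txt` (list scan, no DNS) prints exactly which hosts nmap would touch, which is the check you want when the permission covers only part of a range. nmap can also do the subtraction itself with `--exclude host1,host2` or `--excludefile file`; building the list yourself just makes the set of targets reviewable before the scan.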
The entire range of pretty much all the IP addresses is listed here, and it also says who owns what. It doesn't say for every one of them who owns which one, but for example you can search and find, and it's gonna give you the appropriate IP addresses for that particular country, and it's gonna give you the owner of those IP addresses. Usually it's just telecoms, but you also have other people who own them as well. So I'll just give it a shot. Search, I don't know, let's just type in Germany or, I don't know, France... whatever. Okay, this is not the first search, but that's not a problem. Actually, you can find it down here, and I'm not gonna type it in here. I could Ctrl+F France, there we go. Down here, just saving myself a bit of time there. And there we go. So, you have a range, this is a given range here, it's from 2.0.0.0 to 2.15.255.255. This is a massive range.
This is a humongous range. Look at how many, this is how many IP addresses you can have in total, how many of them you can generate within this range. It's quite a lot. It's France Telecom. I don't know, for some reason they need it. So you can sort them out by the owner, and you can see that a lot of them are actually not listed here. Wow! France has a lot of IP addresses assigned to it. They're not free, they cost money. Let's just go ahead and see down below. Where is it? Where is it? OK, so you see all of these IP addresses, and this is a pretty massive range, so this is a telecom in France. Look at how many IP addresses, IP address ranges, they have. So that's quite a lot, and this site, as I said previously, we can use to figure out which IP address range you wish to scan, but you usually do not have the permission to scan the entire range. You can scan certain IP addresses within that range for which you have a permission. But it is also a very nice site to determine where an IP address is from, or something like that. However, always remember: once you get an IP address, the search engines on the net are your best friends. This is one of the major components of footprinting. You can do the following... you can type in whois, and then type in an IP address. I don't know, I'm just gonna type in this random IP address. So if you don't want to see it here you can have a look at it here. whois 82.120.0.0. I don't know, somebody's gonna tell me who this guy is, or whom this is. There we go. So, I've typed in whois and I've picked the first website out that I could find, and here I have all the information in regards to that particular IP address. I have a country. I have the username of the admin, I suppose. I have the status, remarks, source, I even have a, yep, there we go, there's actually an address, a physical address, for the IP address, which is ridiculous. (The same data comes from the regional registries, and there is also a whois command-line tool that queries them directly.) Yeah, so, as I said, search engines are your best, and I mean absolutely best, friends.
If you want to find pretty much anything on the net, or something like that, in regards to an IP address, to do any sort of research. So those are the two tools that I have showed you. Actually, three of them, well one tool and two websites that you can... one tool, one website, and one search method which you can use in order to determine where an IP address is from, or who is using it, and even to determine its physical location. Although, its physical location can be assigned to a telecom, and that telecom can assign it to a city, and to a specific region in the city, or something of a kind. And then you can find it on Google Maps, on Google Earth, or something of a kind, but usually those things are not that precise. What is precise, however, is that the IP address belongs to a telecom, or something of a kind, and they keep rotating them between the cities. So, if you have, let's say, a hundred thousand IP addresses that you scanned, and if you wish to sort them out by city, you will get like seventy to ninety percent accuracy depending on how you do it. It can be problematic because you're gonna miss out on some things, but if you don't need 100% accuracy you can get your sorting done pretty well. There are databases which you can update, I will show you these things, they're called GeoIP lookups. But before we do that, you also have something called nslookup. And I'm just gonna use this generic name here, scanme.nmap.org. Let's paste it, and there we go. I have basically said I want to look up the records for scanme.nmap.org, and, okay, this is my DNS server, which is basically my router. You see it says port 53. You know immediately that it's DNS, because DNS runs on port 53. And then we have the results. So, this is the domain name and you get the IP address down below. So this is also one of the ways in which we can get the IP address of a site from its domain.
Because once you know the domain, you don't actually know the IP address until you look it up, or something like that, but there's a far simpler method; you don't need to use nslookup for this. Oh, by the way, nslookup also works in reverse. So type in nslookup, and you can type in the IP address, so just go ahead and press Enter. Okay, so, this has run through a process of some sort. Down below these are authoritative answers from the name servers. Basically, what that means is that there are DNS servers and they are giving you responses, and telling you to whom the domain belongs, and so on, and so forth. But, look, ignore this part, and for the time being we can also ignore this part until we get into spoofing the DNS, and changing it, and so on, and so forth. What I want to show you here is that you can actually get a domain name by typing in nslookup, and then the IP address, and here where it says non-authoritative answer you get the IP address, and then you get the name, which is the domain name. However, you might notice that there was a problem here, that this IP address does not match this one. Well, guess what? It actually does. Try looking at it in reverse. So it's 74, 74 here, 207, and 207 here, 244, and 244 here, and 221 here, and 221 here. So when you do an nslookup, and when you pass in an IP address, it's gonna do a reverse lookup of the DNS PTR records. It's gonna query the DNS servers and the DNS servers are gonna give it a response, but in the reverse zone this is basically how things are written. You write the IP address in reverse and then you put this in-addr.arpa on the end, but this part really is not that interesting to us. This is more interesting to server admins who configure the DNS servers, or something of a kind. In any case, for the time being, don't worry, we will get to DNS, DNS servers, in the later stages of this tutorial once we are done with these things.
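To make the reversed-octet name concrete, here is an added example (not code from the tutorial) that builds the in-addr.arpa name a reverse lookup actually queries, checks it against the standard library, and optionally asks the system resolver for the PTR record the way nslookup does. It uses 74.207.244.221, the address in the tutorial's nslookup output, and 2001:db8::1, a documentation address chosen here to show that IPv6 uses ip6.arpa with one label per hex nibble; the live lookup in the main block needs network access and is not required for the rest.

```python
import ipaddress
import socket


def ptr_name(ip):
    """Build the name that a reverse lookup queries for a given address.

    IPv4: the octets reversed under in-addr.arpa, e.g.
          74.207.244.221 -> 221.244.207.74.in-addr.arpa
    IPv6: every hex nibble of the fully expanded address, reversed, under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")   # 32 hex digits, zero padded
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(ip):
    """Cross-check against the standard library's own reverse_pointer property."""
    return ptr_name(ip) == ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup(ip):
    """Ask the system resolver for the PTR record (what `nslookup <ip>` does).

    Returns the host name, or None when there is no PTR record or the lookup
    fails. A missing PTR is normal for a great many addresses, so callers
    should treat None as "unknown", not as an error.
    """
    try:
        host, _aliases, _addrs = socket.gethostbyaddr(str(ip))
        return host
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    # 74.207.244.221 is the address shown in the tutorial's nslookup output;
    # 2001:db8::1 is a constructed IPv6 documentation address.
    for ip in ("74.207.244.221", "2001:db8::1"):
        print(f"{ip:>16}  PTR name: {ptr_name(ip)}  (stdlib agrees: {matches_stdlib(ip)})")
    print("live PTR for 74.207.244.221:", reverse_lookup("74.207.244.221"))
```

The name ptr_name() returns is exactly what you would see if you ran `nslookup -type=PTR 221.244.207.74.in-addr.arpa` or `dig -x 74.207.244.221` by hand; nslookup builds it for you when you pass a bare address. One caveat for footprinting: the PTR record is written by whoever controls the reverse zone (usually the address owner, not the site), so it can be missing, stale, or point at a generic name, and it does not have to match the forward A record at all.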
In any case, what is important for you here is that we've typed in an IP address, you've used the tool called nslookup, and you have gotten a domain name in return. And now you can start doing some other things as well, but we will be dealing primarily with nmap. Nmap is a tool for scanning networks and retrieving information from them. But what I've shown you now is some basic information retrieval, and some basic external resources that you can use.
In any case, I'll see you in the second part, or part 2, or the second tutorial of this nmap introduction, and there we're gonna actually conduct some scans and see how it all works. Thank you for watching, and I hope to see you next time.
