1
00:00:00,950 --> 00:00:04,860
Information gathering is one of the most important steps
2
00:00:04,860 --> 00:00:07,970
when it comes to hacking or penetration testing.
3
00:00:07,970 --> 00:00:11,530
If you think of it, you can't really gain access to a system
4
00:00:11,530 --> 00:00:14,810
if you don't have enough information about it.
5
00:00:14,810 --> 00:00:17,990
So, for example, let's say you're connected to a network
6
00:00:17,990 --> 00:00:21,070
and one of the devices connected to this network
7
00:00:21,070 --> 00:00:22,690
is your target.
8
00:00:22,690 --> 00:00:25,260
Now for you to hack into that target,
9
00:00:25,260 --> 00:00:28,310
first you need to discover all of the connected clients
10
00:00:28,310 --> 00:00:31,910
to this network, get their MAC address, their IP address,
11
00:00:31,910 --> 00:00:35,620
and then from there try to maybe gather more information
12
00:00:35,620 --> 00:00:39,683
or run some attacks in order to gain access to your target.
13
00:00:40,680 --> 00:00:42,650
Now, there are a number of programs
14
00:00:42,650 --> 00:00:44,330
that will do this for you.
15
00:00:44,330 --> 00:00:47,050
Examples are NetDiscover and Nmap,
16
00:00:47,050 --> 00:00:49,260
which do this job really, really well.
17
00:00:49,260 --> 00:00:52,220
So in this lecture, we'll start with the simpler one,
18
00:00:52,220 --> 00:00:56,780
which is NetDiscover, and see how to use it to quickly map
19
00:00:56,780 --> 00:00:59,110
the network we're connected to.
20
00:00:59,110 --> 00:01:00,620
And in the next lecture,
21
00:01:00,620 --> 00:01:02,780
I'm gonna show you how to use Nmap
22
00:01:02,780 --> 00:01:05,920
to gather detailed information about all
23
00:01:05,920 --> 00:01:09,053
of the clients connected to the same network.
24
00:01:10,420 --> 00:01:15,420
So, I have my Kali terminal in here, and if I do ifconfig,
25
00:01:15,530 --> 00:01:20,050
you'll see I have eth0, it has an IP address.
26
00:01:20,050 --> 00:01:23,850
And like I said, this is the virtual interface created
27
00:01:23,850 --> 00:01:27,170
by VirtualBox when we set the Kali machine
28
00:01:27,170 --> 00:01:28,783
to use a NAT network.
29
00:01:29,870 --> 00:01:34,150
Now, I also said that this NAT network behaves exactly like
30
00:01:34,150 --> 00:01:35,730
an Ethernet network.
31
00:01:35,730 --> 00:01:38,650
And as far as the Kali machine is concerned,
32
00:01:38,650 --> 00:01:42,680
it thinks that it is connected to a real wired network.
33
00:01:42,680 --> 00:01:44,010
And as you can see in here,
34
00:01:44,010 --> 00:01:46,133
it's telling me "Wired Connected".
35
00:01:47,480 --> 00:01:51,420
Now, I have my virtual Windows machine right here.
36
00:01:51,420 --> 00:01:54,910
It is configured to use the same NAT network
37
00:01:54,910 --> 00:01:56,970
as the Kali machine.
38
00:01:56,970 --> 00:02:00,120
Remember, we're still in the network hacking section,
39
00:02:00,120 --> 00:02:04,650
so both you and the target machine need to be connected
40
00:02:04,650 --> 00:02:06,400
to the same network.
41
00:02:06,400 --> 00:02:09,430
So as far as these two computers are concerned,
42
00:02:09,430 --> 00:02:13,130
they think that they are connected to the same network.
43
00:02:13,130 --> 00:02:16,090
So what I wanna do right now is use NetDiscover
44
00:02:16,090 --> 00:02:19,960
and see how we can use it to discover all devices connected
45
00:02:19,960 --> 00:02:21,173
to the same network.
46
00:02:22,330 --> 00:02:24,040
Now the method that I'm gonna show you
47
00:02:24,040 --> 00:02:25,860
will work exactly the same,
48
00:02:25,860 --> 00:02:28,180
whether you're using it against a virtual network,
49
00:02:28,180 --> 00:02:31,100
like I'm doing right now, or against a real network,
50
00:02:31,100 --> 00:02:34,603
and even if your target is a Wi-Fi or a wireless network.
51
00:02:35,690 --> 00:02:38,130
So all you have to do is type the name of the program,
52
00:02:38,130 --> 00:02:41,350
which is netdiscover, and then type -r
53
00:02:41,350 --> 00:02:45,333
to specify an IP range to search for.
54
00:02:46,170 --> 00:02:49,680
This needs to be a range that can be accessed by you.
55
00:02:49,680 --> 00:02:54,020
So right now you can see that my IP is 10.0.2.16
56
00:02:54,020 --> 00:02:57,980
and I can only access IPs on the same subnet.
57
00:02:57,980 --> 00:03:02,860
So IPs on the same subnet start at 10.0.2.0,
58
00:03:02,860 --> 00:03:06,730
and they would end at 10.0.2.254
59
00:03:06,730 --> 00:03:11,253
because 254 is the last IP that a client can have.
60
00:03:12,380 --> 00:03:17,380
So, my range is gonna be 10.0.2.1
61
00:03:17,400 --> 00:03:20,800
and I wanna search for clients that might have an IP
62
00:03:20,800 --> 00:03:25,010
of 10.0.2.1, 10.0.2.2, 10.0.2.3,
63
00:03:25,010 --> 00:03:28,803
all the way up to 10.0.2.254.
64
00:03:29,700 --> 00:03:32,780
So instead of manually typing all of these IPs,
65
00:03:32,780 --> 00:03:35,920
I can just type /24
66
00:03:35,920 --> 00:03:38,500
and NetDiscover will automatically know
67
00:03:38,500 --> 00:03:41,570
that I'm trying to search for all of the IPs
68
00:03:41,570 --> 00:03:46,457
that start at 10.0.2.1 and end at 10.0.2.254.
69
00:03:47,400 --> 00:03:51,290
So this is a way of specifying an IP range
70
00:03:51,290 --> 00:03:53,360
for the whole subnet.
71
00:03:53,360 --> 00:03:57,540
So if I hit enter now, you'll see that NetDiscover
72
00:03:57,540 --> 00:04:01,440
will show me all the IPs of the devices connected
73
00:04:01,440 --> 00:04:03,070
to the same network.
74
00:04:03,070 --> 00:04:05,610
And note that the first three parts of the IPs
75
00:04:05,610 --> 00:04:08,703
are always the same because they are on the same subnet.
76
00:04:09,710 --> 00:04:12,950
And I also have the MAC addresses of these clients
77
00:04:12,950 --> 00:04:15,340
and NetDiscover is also attempting
78
00:04:15,340 --> 00:04:17,763
to guess the device vendor.
79
00:04:18,620 --> 00:04:21,870
Now, if I press q, this will quit the program.
80
00:04:21,870 --> 00:04:25,640
And right now, we have a list of all the connected clients
81
00:04:25,640 --> 00:04:26,963
to the same network.
82
00:04:28,020 --> 00:04:30,770
Now, like I said, you can also use this method
83
00:04:30,770 --> 00:04:35,240
to discover clients connected to the same Wi-Fi network.
84
00:04:35,240 --> 00:04:38,643
The only thing is, right now, if I do ifconfig,
85
00:04:39,640 --> 00:04:41,770
you can see that my Kali machine
86
00:04:41,770 --> 00:04:44,120
does not have a wireless adapter,
87
00:04:44,120 --> 00:04:46,863
it's not connected to a Wi-Fi network.
88
00:04:47,970 --> 00:04:49,520
And like I said before,
89
00:04:49,520 --> 00:04:52,600
you cannot access the built-in wireless card
90
00:04:52,600 --> 00:04:55,140
from a virtual machine.
91
00:04:55,140 --> 00:04:57,410
Therefore, if you want to do this
92
00:04:57,410 --> 00:05:00,420
or run any of the wireless attacks that we're gonna see
93
00:05:00,420 --> 00:05:03,510
in the future against a real computer
94
00:05:03,510 --> 00:05:05,470
and a real wireless network,
95
00:05:05,470 --> 00:05:08,463
you're gonna need to use a wireless adapter.
96
00:05:09,720 --> 00:05:12,210
Now, I'm gonna include links in the description
97
00:05:12,210 --> 00:05:14,240
that will help you pick a good adapter
98
00:05:14,240 --> 00:05:16,480
that works with Kali Linux.
99
00:05:16,480 --> 00:05:18,650
But right now I actually have one,
100
00:05:18,650 --> 00:05:19,890
and I'm just gonna connect it
101
00:05:19,890 --> 00:05:21,940
and use it just to prove to you,
102
00:05:21,940 --> 00:05:24,980
if things work on the virtual machines connected
103
00:05:24,980 --> 00:05:26,930
to the virtual network,
104
00:05:26,930 --> 00:05:30,630
they will work exactly the same against a real network
105
00:05:30,630 --> 00:05:32,630
with real machines.
106
00:05:32,630 --> 00:05:34,813
So, I'm gonna connect my adapter now.
107
00:05:35,980 --> 00:05:40,900
And if I do ifconfig, it's still not showing up,
108
00:05:40,900 --> 00:05:45,900
so I'm gonna connect it from Devices, USB,
109
00:05:46,010 --> 00:05:48,093
and click on the adapter name,
110
00:05:49,240 --> 00:05:52,150
and let's see if it shows up now.
111
00:05:52,150 --> 00:05:55,923
Perfect, as you can see, I have an adapter now called wlan0.
112
00:05:57,380 --> 00:05:58,860
And what I'm gonna do is,
113
00:05:58,860 --> 00:06:03,180
I need to connect this adapter to a Wi-Fi network first
114
00:06:03,180 --> 00:06:06,280
before I can discover all the connected clients
115
00:06:06,280 --> 00:06:07,313
to this network.
116
00:06:08,300 --> 00:06:11,070
So I'm gonna go to my network manager,
117
00:06:11,070 --> 00:06:13,040
I'm gonna click in here
118
00:06:13,040 --> 00:06:16,175
and you wanna click on Select Network.
119
00:06:16,175 --> 00:06:18,360
And as you can see, automatically now,
120
00:06:18,360 --> 00:06:20,620
it's actually connected to a network.
121
00:06:20,620 --> 00:06:23,150
But in your case, you'd wanna select a network
122
00:06:23,150 --> 00:06:24,580
and click on Connect,
123
00:06:24,580 --> 00:06:27,290
and then it will ask you for the password.
124
00:06:27,290 --> 00:06:29,030
So now I'm actually connected
125
00:06:29,030 --> 00:06:32,410
and you'll see if I do ifconfig again.
126
00:06:32,410 --> 00:06:36,143
Right now, wlan0 has an IP address.
127
00:06:37,390 --> 00:06:40,010
So this means that it is connected to a network
128
00:06:40,010 --> 00:06:42,963
and this means that we can use it now with NetDiscover.
129
00:06:44,600 --> 00:06:47,060
So again, I'm gonna use the exact same command
130
00:06:47,060 --> 00:06:50,240
that I used before just to show you and prove to you
131
00:06:50,240 --> 00:06:52,520
that if this works against virtual machines,
132
00:06:52,520 --> 00:06:54,383
it will work against real machines.
133
00:06:55,350 --> 00:06:58,160
And the only difference is going to be the IP.
134
00:06:58,160 --> 00:07:00,170
So I'm gonna remove this IP.
135
00:07:00,170 --> 00:07:05,170
And as you can see right now, my IP is 192.168.1.8.
136
00:07:06,320 --> 00:07:08,600
So therefore, the range that I'm gonna look
137
00:07:08,600 --> 00:07:12,997
for is gonna start at 192.168.1.1,
138
00:07:14,820 --> 00:07:17,240
and I'm gonna leave the /24 here
139
00:07:17,240 --> 00:07:21,190
because this will tell NetDiscover that I want to start
140
00:07:21,190 --> 00:07:25,913
at 192.168.1.1 and finish at 192.168.254.
141
00:07:28,500 --> 00:07:30,423
So if I hit enter now.
142
00:07:32,370 --> 00:07:34,960
Now, this did not work and I know why.
143
00:07:34,960 --> 00:07:36,710
In order for this to work,
144
00:07:36,710 --> 00:07:39,593
you actually have to disable the NAT network.
145
00:07:40,520 --> 00:07:44,500
So to disable the NAT network, we're gonna go on Devices,
146
00:07:44,500 --> 00:07:46,300
we're gonna go on Network,
147
00:07:46,300 --> 00:07:49,673
and we're gonna uncheck Connect Network Adapter.
148
00:07:51,010 --> 00:07:53,010
So now once done with this,
149
00:07:53,010 --> 00:07:56,053
if we just run the exact same command again.
150
00:07:58,000 --> 00:08:02,460
As you can see, it's discovering all the connected clients,
151
00:08:02,460 --> 00:08:05,530
all their IP addresses, all their MAC addresses,
152
00:08:05,530 --> 00:08:07,780
and it's guessing the manufacturer,
153
00:08:07,780 --> 00:08:09,480
and you can see it's also discovering
154
00:08:09,480 --> 00:08:11,630
some Apple devices here.
155
00:08:11,630 --> 00:08:12,860
So as you can see,
156
00:08:12,860 --> 00:08:16,543
it's working perfectly using the exact same command.
157
00:08:17,510 --> 00:08:20,330
Now, I only did this just to show you
158
00:08:20,330 --> 00:08:23,010
that if things work against virtual machines
159
00:08:23,010 --> 00:08:24,840
and I guess virtual networks,
160
00:08:24,840 --> 00:08:27,490
then they will work against real machines
161
00:08:27,490 --> 00:08:30,570
because these virtual machines and virtual networks
162
00:08:30,570 --> 00:08:33,140
are modeled on real machines.
163
00:08:33,140 --> 00:08:35,500
And as far as the machines are concerned,
164
00:08:35,500 --> 00:08:38,140
they actually think they are real computers
165
00:08:38,140 --> 00:08:39,243
and real machines.