WEBVTT 1 00:00:00.040 --> 00:00:02.480 Okay, let's unpack this. Have you ever picked up a 2 00:00:02.480 --> 00:00:05.599 tool that seems straightforward at first glance, like a simple 3 00:00:05.679 --> 00:00:09.000 multi tool, only to discover it can well build an 4 00:00:09.119 --> 00:00:10.759 entire house or maybe even a city. 5 00:00:10.880 --> 00:00:11.279 Uh huh. 6 00:00:11.480 --> 00:00:13.640 Well, today we're taking a deep dive into end map, 7 00:00:14.039 --> 00:00:17.600 a tool in cybersecurity that's far more powerful than most realize. 8 00:00:18.079 --> 00:00:22.160 It's often misunderstood as just a basic port scanner, but 9 00:00:22.239 --> 00:00:27.199 it's truly a precision instrument for gaining profound insight into 10 00:00:27.239 --> 00:00:28.359 systems and networks. 11 00:00:28.519 --> 00:00:30.600 It's remarkable, isn't it. And map has been around since 12 00:00:30.719 --> 00:00:33.679 nineteen ninety seven. That's like even before Google was a 13 00:00:33.719 --> 00:00:34.280 household name. 14 00:00:34.399 --> 00:00:35.000 Wow. Yeah. 15 00:00:35.119 --> 00:00:40.320 Yet its continuous evolution, driven by constant updates and community contributions, 16 00:00:40.679 --> 00:00:42.920 keeps it incredibly relevant and capable. 17 00:00:43.280 --> 00:00:44.479 So what's our goal today? 18 00:00:44.640 --> 00:00:46.840 Our mission today is to cut through the noise and 19 00:00:46.880 --> 00:00:50.439 give you a real shortcut to understanding end map's core functions. 20 00:00:50.479 --> 00:00:54.600 It's absolutely crucial role in a cybersecurity career, and importantly, 21 00:00:54.759 --> 00:00:57.880 how it's ethically and legally applied in real world scenarios. 22 00:00:58.159 --> 00:01:01.719 And we've drawn some incredibly insights from a fantastic source 23 00:01:02.200 --> 00:01:06.599 ultimate penetration testing with enmap, which is hot off the 24 00:01:06.599 --> 00:01:08.640 presses from March twenty twenty four. 25 00:01:08.680 --> 00:01:09.200 Very current. 26 00:01:09.280 --> 00:01:12.200 Yeah, so this deep dive is custom tailored for you, 27 00:01:12.560 --> 00:01:15.359 whether you're just curious or maybe prepping for a critical 28 00:01:15.400 --> 00:01:19.840 meeting in the world of offensive security. We'll explore surprising facts, 29 00:01:20.120 --> 00:01:24.200 real world anecdotes, and give you those aha moments about 30 00:01:24.200 --> 00:01:28.879 a tool that genuinely elevates cybersecurity assessments. Let's start right 31 00:01:28.920 --> 00:01:32.480 where the magic happens. Many people hear enmap and immediately 32 00:01:32.519 --> 00:01:36.159 think port scanner the default thought, and while that's its 33 00:01:36.200 --> 00:01:39.400 fundamental core, saying endmap is just a port scanner is 34 00:01:39.480 --> 00:01:41.799 kind of like saying a master chef only knows how. 35 00:01:41.680 --> 00:01:45.120 To boil water, exactly, a huge oversimplification. Sure, you can 36 00:01:45.239 --> 00:01:47.560 use it for a simple scan, but in the right hands, 37 00:01:47.599 --> 00:01:51.079 it becomes this incredibly versatile instrument, and the foundation of 38 00:01:51.159 --> 00:01:53.840 Enmap's depth, what allows it to be that precision instrument 39 00:01:53.879 --> 00:01:57.040 you mentioned truly begins with a solid understanding of basic 40 00:01:57.120 --> 00:01:59.959 network elements, things like ports and protocol. 41 00:02:00.359 --> 00:02:01.120 The fundamentals. 42 00:02:01.239 --> 00:02:05.280 Absolutely, as you know any experience network pro knows, ports 43 00:02:05.319 --> 00:02:08.800 are virtual anchor points that services us to process network traffic. 44 00:02:09.120 --> 00:02:12.960 We're talking over sixty five thousand potential ports primarily using 45 00:02:13.000 --> 00:02:18.039 either TCP Transmission Control Protocol or UDP User Data gram Protocol, 46 00:02:18.479 --> 00:02:22.360 and the distinction, particularly PCP's essential three way handshake s 47 00:02:22.479 --> 00:02:24.960 y n s y m ack ack is crucial. 48 00:02:24.960 --> 00:02:25.439 Why is that? 49 00:02:25.680 --> 00:02:28.840 Well, if that handshake gets interrupted, maybe by a firewall, 50 00:02:29.000 --> 00:02:32.719 the connection just isn't established. Simple as that. Familiar TCP 51 00:02:32.879 --> 00:02:35.719 ports like eighty for HTTP and four forty three for 52 00:02:35.840 --> 00:02:38.599 HTTPS are classic examples everyone knows. 53 00:02:38.680 --> 00:02:41.520 So how does this foundational knowledge translate when we actually 54 00:02:41.520 --> 00:02:44.479 put endmap to work. Our source material uses the public 55 00:02:44.520 --> 00:02:47.680 scan m dot nmap dot org target to illustrate this really. 56 00:02:47.479 --> 00:02:48.919 Well, yeah, that's a great test bed. 57 00:02:49.000 --> 00:02:52.319 A simple default scan just ENMP scan me dot nmap 58 00:02:52.360 --> 00:02:55.520 dot org immediately reveals a wealth of information. You'll see 59 00:02:55.520 --> 00:02:57.639 not just open ports like twenty two, nine nine, twenty 60 00:02:57.719 --> 00:03:01.319 nine and uh three one three three classic hacker port right, 61 00:03:01.319 --> 00:03:03.280 but also filtered ones like twenty five, eighty and five 62 00:03:03.319 --> 00:03:05.479 four to thirty one at the top one thousand common boards. 63 00:03:05.560 --> 00:03:08.319 End map scans by default, and the output it even 64 00:03:08.319 --> 00:03:13.919 classifies six distinct port states open, closed, filtered, unfiltered, open 65 00:03:13.960 --> 00:03:15.000 filtered and. 66 00:03:14.919 --> 00:03:17.159 Closed filtered and filtered usually means. 67 00:03:16.960 --> 00:03:20.360 Filtered often hints at a firewalls, presence blocking or dropping 68 00:03:20.439 --> 00:03:24.560 the probes. Okay, now here's where nmp's true power begins 69 00:03:24.560 --> 00:03:28.479 to reveal itself. By adding what are called flags or options, 70 00:03:28.719 --> 00:03:31.680 you dramatically expand its capabilities flags. 71 00:03:31.360 --> 00:03:33.360 Right like command line switches exactly. 72 00:03:33.479 --> 00:03:35.479 Consider the atch a flag. You can think of it 73 00:03:35.520 --> 00:03:38.000 as a for all, it tells nmap to go dupe 74 00:03:38.280 --> 00:03:40.520 on scan m dot nmap dot org. For instance, it 75 00:03:40.520 --> 00:03:44.000 can uncover the operating system like Ubuntu Linux and precise 76 00:03:44.120 --> 00:03:47.159 service versions such as open SSAH six point six point 77 00:03:47.159 --> 00:03:49.919 one and a patchy two point four point seven. You 78 00:03:50.000 --> 00:03:52.639 might even notice Port eighty shift from filtered to open 79 00:03:52.680 --> 00:03:54.159 as nmap gathers more info. 80 00:03:54.439 --> 00:03:57.039 Ah, so it gets smarter as it goes sort of yeah. 81 00:03:57.319 --> 00:04:00.960 Or for surgical precision, nash svvp T twenty two targets 82 00:04:01.000 --> 00:04:04.240 just port twenty two for service versioning while providing verbose 83 00:04:04.280 --> 00:04:06.199 output telling you exactly what it's doing. 84 00:04:06.319 --> 00:04:06.759 Got it? 85 00:04:06.800 --> 00:04:11.960 And for immediate vulnerability insights the script vulners dot NSS flag. 86 00:04:12.719 --> 00:04:15.919 This one's amazing. It can pull a list of known 87 00:04:16.000 --> 00:04:20.800 vulnerabilities for a specific version like OpenSSH six point six 88 00:04:20.839 --> 00:04:24.360 point one P one directly from the vulners dot org database, 89 00:04:24.680 --> 00:04:26.560 complete with CBS scores. 90 00:04:26.800 --> 00:04:30.199 Wow. So it goes from scanner to vulnerability assessment tool 91 00:04:30.279 --> 00:04:30.680 just like that. 92 00:04:30.759 --> 00:04:32.360 Precisely it transforms. 93 00:04:32.399 --> 00:04:34.759 That's a lot of options, right, But the core insight 94 00:04:34.839 --> 00:04:38.079 here isn't just knowing these flags individually, but understanding how 95 00:04:38.079 --> 00:04:42.519 their strategic combination transforms en map exactly. It's about the synergy. 96 00:04:42.839 --> 00:04:45.959 It moves from just a scanner into this sophisticated diagnostic tool, 97 00:04:46.240 --> 00:04:49.560 letting you tailor your reconnaissance for almost any scenario. And 98 00:04:49.600 --> 00:04:51.399 the good news is you don't have to memorize every 99 00:04:51.399 --> 00:04:54.160 single flag. End map itself has built in help with 100 00:04:54.199 --> 00:04:56.879 the aashlag always useful or the man map command in Linux, 101 00:04:56.959 --> 00:04:59.240 and of course the full documentation is always online at 102 00:04:59.279 --> 00:05:00.000 ndmap dot org. 103 00:05:00.199 --> 00:05:01.680 Yep, the website's indispensable. 104 00:05:01.839 --> 00:05:05.040 The power, as the book really highlights, comes from combining 105 00:05:05.040 --> 00:05:10.000 these flags strategically, moving beyond individual features to truly amplified capabilities. 106 00:05:11.600 --> 00:05:14.639 So if n map sounds this powerful, you might be wondering, Okay, 107 00:05:14.639 --> 00:05:17.879 how does it really fit into a cybersecurity career? The 108 00:05:17.879 --> 00:05:21.959 field is, well, it's incredibly vast. Oh yeah, huge from 109 00:05:22.000 --> 00:05:26.800 deep cryptography to proactive thread hunting. Many aspiring professionals try 110 00:05:26.800 --> 00:05:29.639 to be open to anything you know, focusing on roles 111 00:05:29.680 --> 00:05:32.800 like SoC analysts, GRC, and pen testing all at once. 112 00:05:33.000 --> 00:05:36.319 The scattergun approach right, but that often leads to knowledge 113 00:05:36.319 --> 00:05:38.720 that's as they say, a mile wide and an inch 114 00:05:38.759 --> 00:05:41.680 deep very common. What's far more effective is gaining a 115 00:05:41.720 --> 00:05:46.319 solid baseline than truly deep diving into a particular area specialize, 116 00:05:46.360 --> 00:05:46.920 which leads. 117 00:05:46.800 --> 00:05:49.959 To an important question, where exactly does end map fit 118 00:05:50.000 --> 00:05:53.439 into that specialized deep dive. It's a foundational tool. It 119 00:05:53.480 --> 00:05:56.920 shows up on baseline SERTs like CompTIA Security Plus and 120 00:05:57.000 --> 00:06:00.439 more specialized ones like penthest plus and Certified Epic Hacker 121 00:06:00.519 --> 00:06:04.720 CEH for hands on exams like EJPC or OSCP. You'll 122 00:06:04.759 --> 00:06:07.439 absolutely rely on it for critical reconnaissance, so. 123 00:06:07.360 --> 00:06:09.959 It's unavoidable for offensive security roles pretty much. 124 00:06:10.160 --> 00:06:14.040 NMAP is most applicable to network penetration tests, purple teaming, 125 00:06:14.160 --> 00:06:17.040 and red teaming. Instead of a generic answer like oh, 126 00:06:17.160 --> 00:06:20.680 i'd scan ports and analyzed services, with NMAP, you'll learn 127 00:06:20.759 --> 00:06:23.759 to confidently articulate a much more nuanced. 128 00:06:23.160 --> 00:06:25.560 Approach like what give us an example. 129 00:06:25.399 --> 00:06:28.759 Like saying i'd begin mapping the attack surface by enumerting 130 00:06:28.800 --> 00:06:32.120 ports and services with a custom end map scan designed 131 00:06:32.160 --> 00:06:36.519 to minimize network noise, maybe using packet fragmentation and reduce speed, 132 00:06:37.000 --> 00:06:40.600 scanning only the local subnet first and definitely avoiding the 133 00:06:40.639 --> 00:06:44.240 gateway initially. I'd then output that to an XML file 134 00:06:44.279 --> 00:06:46.560 for import into Legion for a graphical view. 135 00:06:47.000 --> 00:06:50.000 Okay, that sounds like someone who knows what they're doing exactly. 136 00:06:50.120 --> 00:06:53.079 That immediately signals a much higher degree of knowledge to 137 00:06:53.079 --> 00:06:53.759 anyone listening. 138 00:06:53.839 --> 00:06:57.560 That's a powerful example of real world application. How do 139 00:06:57.639 --> 00:07:02.759 you in a real engagement and balance that minimize network 140 00:07:02.759 --> 00:07:07.600 noise approach with the client's desire for comprehensive coverage. Are 141 00:07:07.600 --> 00:07:09.120 the trade offs you often have to explain? 142 00:07:09.399 --> 00:07:13.040 Oh, definitely, it's all about communication. Really. You balance it 143 00:07:13.079 --> 00:07:16.639 by setting clear expectations upfront in the rules of engagement, 144 00:07:16.759 --> 00:07:19.480 the row y right the contract, and through regular check 145 00:07:19.519 --> 00:07:22.720 ins during the test. You explain that a stealthier scan 146 00:07:23.040 --> 00:07:25.680 might not find every single open port on day one, 147 00:07:25.839 --> 00:07:28.759 but it greatly reduces the risk of detection by the 148 00:07:28.800 --> 00:07:32.199 blue team and allows for a more prolonged, potentially more 149 00:07:32.199 --> 00:07:33.680 effective engagement. 150 00:07:33.959 --> 00:07:36.519 So it's a time versus stealth calculation. 151 00:07:36.160 --> 00:07:38.279 Often, Yeah, it's a conversation you have with the client 152 00:07:38.319 --> 00:07:42.600 based on their goals. So having covered the indispensable technical 153 00:07:42.639 --> 00:07:44.720 aspects of end MAP and its role in a career, 154 00:07:45.360 --> 00:07:48.639 a crucial layer we absolutely must add now is the 155 00:07:48.800 --> 00:07:51.519 ethical and legal framework that governs its use. 156 00:07:51.680 --> 00:07:56.120 That's a critical point. MAP performs active reconnaissance. It's establishing 157 00:07:56.120 --> 00:07:58.720 direct connections with targets, right, It's knocking on the door, 158 00:07:59.040 --> 00:08:02.120 which means you must have explicit permission from the system owner, 159 00:08:02.480 --> 00:08:03.920 no exceptions none. 160 00:08:04.319 --> 00:08:07.639 Compare this to passive reconnaissance like using shodand on io, 161 00:08:07.720 --> 00:08:11.839 which queries archived publicly available information without any direct connection 162 00:08:11.879 --> 00:08:13.160 to the target system itself. 163 00:08:13.600 --> 00:08:16.199 Ah okay, so showed in is like looking at public records, 164 00:08:16.560 --> 00:08:18.120 en MAP is like trying the doorknob. 165 00:08:18.240 --> 00:08:22.079 That's a decent analogy. Yeah, this distinction is absolutely crucial 166 00:08:22.160 --> 00:08:25.319 for legal and professional use. Ethically, on a broader scale, 167 00:08:25.399 --> 00:08:28.839 this means you also carry a profound ethical responsibility as 168 00:08:28.879 --> 00:08:31.560 a penetration tester. One of the cardinal rules is to 169 00:08:31.600 --> 00:08:37.240 avoid impacting the CIA triad, confidentiality, integrity, and crucially here 170 00:08:37.679 --> 00:08:39.440 availability ACA triad. 171 00:08:39.519 --> 00:08:41.399 Right. Yeah, the core tenets. 172 00:08:41.320 --> 00:08:44.759 Well, n MAP itself rarely causes major service disruption on 173 00:08:44.799 --> 00:08:49.559 its own. Aggressive scanning using unsafe arguments or maybe untested scripts, 174 00:08:49.720 --> 00:08:52.840 especially when aimed at fragile legacy systems, oh boy, can 175 00:08:53.000 --> 00:08:57.159 very realistically impact the availability of systems. Taking down production 176 00:08:57.240 --> 00:08:59.240 systems is not only a very bad day for you, 177 00:08:59.480 --> 00:09:01.840 but it can have serious consequences. 178 00:09:01.159 --> 00:09:03.879 For your client career, limiting potentially potentially. 179 00:09:03.960 --> 00:09:07.399 Yes, So, understanding precisely what your scans are doing and 180 00:09:07.440 --> 00:09:09.639 how they're doing it is ter amount. You need to 181 00:09:09.639 --> 00:09:11.480 know your tool to truly. 182 00:09:11.240 --> 00:09:15.320 Unlock end maps capabilities. In security assessments, it's crucial we 183 00:09:15.360 --> 00:09:19.720 clarify the distinct roles of say, automated vulnerability scans versus 184 00:09:19.759 --> 00:09:23.519 a nuanced penetration test. These terms get mixed up all 185 00:09:23.559 --> 00:09:27.519 the time, constantly. Yeah. The vulnerability scanner, like NESSUS or 186 00:09:27.559 --> 00:09:32.840 OpenVAS is primarily a tool for enumerting systems, identifying CPE 187 00:09:33.159 --> 00:09:34.279 Common Platform. 188 00:09:34.039 --> 00:09:38.360 Enumeration standardized names for software and hardware right. 189 00:09:38.159 --> 00:09:42.159 And then automating the search for cvees, common vulnerabilities and exposures. 190 00:09:42.360 --> 00:09:46.080 They're fantastic for recurring checks, but they are inherently prone 191 00:09:46.080 --> 00:09:48.600 to false positives and false negatives. 192 00:09:48.639 --> 00:09:51.679 What makes this particularly compelling is that many commercial and 193 00:09:51.759 --> 00:09:55.679 even open source vulnerability scanners actually leverage end map under 194 00:09:55.679 --> 00:09:58.600 the hood to gather that initial CPE information. 195 00:09:58.759 --> 00:10:01.399 Oh interesting, So endmap is often part of the engine. 196 00:10:01.120 --> 00:10:04.240 Often yeah for our purposes though. Penetration test is a 197 00:10:04.320 --> 00:10:08.360 highly involved, intricate process, using both automated and manual techniques, 198 00:10:08.679 --> 00:10:10.159 often from a black box. 199 00:10:09.919 --> 00:10:12.440 Perspective, meaning you start with zero knowledge. 200 00:10:12.080 --> 00:10:15.279 Pretty much no prior knowledge of the client's organization beyond 201 00:10:15.320 --> 00:10:18.720 the scope defined in the Rules of Engagement the ROWE. 202 00:10:18.759 --> 00:10:22.240 The ultimate goal is to simulate a sophisticated malicious actor 203 00:10:22.720 --> 00:10:26.919 actively trying to avoid detection and achieve specific objectives. 204 00:10:27.200 --> 00:10:30.720 To achieve this kind of deep simulation, pent testers follow 205 00:10:30.879 --> 00:10:32.840 industry recognized frameworks, don't they. 206 00:10:32.960 --> 00:10:36.519 Yes, absolutely, We'll be mapping end map techniques to both 207 00:10:36.759 --> 00:10:41.720 the IMEI r RK framework, specifically the reconnaissance tactic and 208 00:10:41.799 --> 00:10:47.039 active scanning techniques like IP blocks, vulnerability scanning, and wordless stanning, 209 00:10:47.440 --> 00:10:50.919 and also the Lockheed Martin cyber kill chain, which illustrates 210 00:10:50.919 --> 00:10:54.000 the logical progression of an advanced persistent threat and apt 211 00:10:54.639 --> 00:10:57.480 from reconnaissance all the way to actions on objectives. 212 00:10:57.519 --> 00:10:59.600 Got IT frameworks provide structure. 213 00:10:59.320 --> 00:11:02.320 Exactly, and this naturally leads us to the more advanced 214 00:11:02.320 --> 00:11:06.039 forms of security assessments red teaming and purple teaming. 215 00:11:06.279 --> 00:11:07.279 Okay, break those down. 216 00:11:07.440 --> 00:11:10.440 Red teaming is essentially an advanced pentist where restrictions are 217 00:11:10.480 --> 00:11:14.360 significantly reduced and the Blue team the defenders, are actively 218 00:11:14.360 --> 00:11:18.360 trying to detect, block, and contain the Red team the attackers, 219 00:11:18.440 --> 00:11:21.159 so it's a live fire exercise pretty much. The goal 220 00:11:21.240 --> 00:11:25.360 here isn't just finding vulnerabilities, but assessing the holistic maturity 221 00:11:25.399 --> 00:11:29.200 of the client's security program, from user awareness training right 222 00:11:29.279 --> 00:11:31.200 through to incident response. 223 00:11:30.879 --> 00:11:32.440 Capabilities and purple teaming. 224 00:11:32.639 --> 00:11:36.600 Purple teaming, in contrast, involves close collaboration between red and 225 00:11:36.639 --> 00:11:39.759 blue teams, often in real time. The goal is to 226 00:11:39.840 --> 00:11:42.639 identify precisely what the blue team can. 227 00:11:42.519 --> 00:11:45.679 Detect h working together to improve detection exactly. 228 00:11:45.879 --> 00:11:48.919 N MAP is immensely helpful here because its versatility allows 229 00:11:48.919 --> 00:11:53.360 for crafting numerous scenarios and generating indicators of compromise IOCs 230 00:11:53.639 --> 00:11:56.399 to test detection thresholds. For example, you could start with 231 00:11:56.440 --> 00:12:02.240 an obvious noisy scan right and progressively add obfuscation techniques 232 00:12:02.279 --> 00:12:05.159 until detection is bypassed. This allows the blue team to 233 00:12:05.200 --> 00:12:08.960 adjust their IDs, their eder or firewall settings. Accordingly, it's 234 00:12:09.000 --> 00:12:10.320 a calibration exercise. 235 00:12:10.720 --> 00:12:14.679 Given that NMAP is an active scanner and fundamentally requires permission, 236 00:12:15.440 --> 00:12:18.399 Where do you safely practice these powerful techniques? You can't 237 00:12:18.440 --> 00:12:19.000 just scan. 238 00:12:18.879 --> 00:12:22.360 Google definitely not the answer, as the book clearly highlights, 239 00:12:22.840 --> 00:12:26.440 is a lab environment. It's absolutely essential for true hands 240 00:12:26.480 --> 00:12:28.759 on experience and learning. You need a safe. 241 00:12:28.639 --> 00:12:31.759 Sandbox, makes sense, how do you set one up well? 242 00:12:31.799 --> 00:12:34.559 A robust lab environment can be set up for surprisingly 243 00:12:34.639 --> 00:12:38.200 little to no cost. We highly recommend nd MAP installed 244 00:12:38.240 --> 00:12:40.360 on both Windows and Collie. 245 00:12:39.960 --> 00:12:42.320 Linux Collie the Pen Testing District YEP. 246 00:12:42.600 --> 00:12:46.080 Using virtual box or VMware to host your virtual machines. 247 00:12:46.360 --> 00:12:49.639 You'll also want additional tools like zenmap, the graphical front 248 00:12:49.720 --> 00:12:53.039 end for endmap, and Legion, which often come pre installed 249 00:12:53.039 --> 00:12:54.559 on modern Collie versions. 250 00:12:54.600 --> 00:12:55.799 And what do you scan in the lab? 251 00:12:55.960 --> 00:12:59.200 For targets? You can use intentionally vulnerable virtual machine images. 252 00:12:59.440 --> 00:13:01.519 Vulne hub is a great resource for this, things like 253 00:13:01.559 --> 00:13:04.480 the planets Earth and Mercury. Or you could even set 254 00:13:04.519 --> 00:13:07.360 up a Windows Server twenty twenty two VM and install 255 00:13:07.399 --> 00:13:11.559 applications like Jenkins and open source Automation Server commonly seen 256 00:13:11.600 --> 00:13:12.759 in enterprise pentists. 257 00:13:12.840 --> 00:13:17.639 Okay, so download enmap virtual box, Collie some vulnerable vms exactly. 258 00:13:18.000 --> 00:13:20.519 You can figure Collie in virtual box, give it enough 259 00:13:20.559 --> 00:13:24.080 memory at least four GB recommended, and create a GNAT 260 00:13:24.080 --> 00:13:27.159 network maybe call it NMAP lab, so your vms can 261 00:13:27.200 --> 00:13:28.960 talk to each other but are isolated from. 262 00:13:28.879 --> 00:13:30.840 Your main network, right, isolation is key. 263 00:13:31.000 --> 00:13:33.200 Then you can use a simple end map scan like 264 00:13:33.480 --> 00:13:36.200 nmap natat five ten point zero point two point zero 265 00:13:36.200 --> 00:13:39.360 two four to discover the IP addresses of your vulnerable 266 00:13:39.440 --> 00:13:41.120 vms on that lab subnet. 267 00:13:41.240 --> 00:13:43.399 And you can take it further. Oh yeah, to. 268 00:13:43.480 --> 00:13:45.720 Truly take your lab to the next level. You can 269 00:13:45.759 --> 00:13:49.039 even install open source security products like Wazoo. It's a 270 00:13:49.080 --> 00:13:51.600 free SIME and XDR solutions. 271 00:13:51.279 --> 00:13:54.080 SIME and XDR security monitoring tools. 272 00:13:53.840 --> 00:13:57.919 Right security, incident and event management, and extended detection and response. 273 00:13:58.360 --> 00:14:01.320 This lets you visualize engage the level of obfuscation during 274 00:14:01.320 --> 00:14:05.000 your advanced scanning tech seeks. You're effectively learning Blue team 275 00:14:05.120 --> 00:14:07.039 and Purple team skills at the same time. 276 00:14:07.200 --> 00:14:09.000 Wow, so you can see your own scans from the 277 00:14:09.039 --> 00:14:10.759 defender's perspective precisely. 278 00:14:11.120 --> 00:14:14.480 The source truly emphasizes that while seeing demonstrations is helpful, 279 00:14:14.519 --> 00:14:18.639 the most valuable learning comes from doing, making mistakes, troubleshooting, 280 00:14:18.960 --> 00:14:21.600 forcing yourself to dig deeper in your own lab environment. 281 00:14:21.799 --> 00:14:22.759 That trial and error. 282 00:14:22.960 --> 00:14:27.960 Absolutely, that hands on practice, as the author experienced firsthand, 283 00:14:28.080 --> 00:14:31.240 solidifies your understanding far more efficiently than just reading about it. 284 00:14:31.480 --> 00:14:35.120 Understanding an organization's attack surface is absolutely core to security. 285 00:14:35.600 --> 00:14:37.879 This defines it as the set of points on the 286 00:14:37.919 --> 00:14:40.960 boundary of a system where an attacker can try to enter, 287 00:14:41.120 --> 00:14:43.720 cause an effect on, or extract data basically all the 288 00:14:43.720 --> 00:14:46.879 ways in Yeah, think of your own home, not just 289 00:14:46.960 --> 00:14:49.960 doors and windows, but maybe a remote garage door opener 290 00:14:50.000 --> 00:14:52.519 in your car, or that baby monitor you just bought 291 00:14:52.600 --> 00:14:54.240 that might have a hidden security flaw. 292 00:14:54.360 --> 00:14:56.159 Uh oh personal story. 293 00:14:55.960 --> 00:14:58.559 Yeah, it was a real aha moment for me when 294 00:14:58.600 --> 00:15:01.600 I realized my own new baby uditor had an ancient 295 00:15:01.679 --> 00:15:07.519 telnet port wide open, an unauthenticated, unencrypted protocol from the seventies. 296 00:15:07.559 --> 00:15:09.759 Wow on a new device. 297 00:15:09.559 --> 00:15:12.039 On new device. It just goes to show how easily 298 00:15:12.080 --> 00:15:14.799 these overlooked points can become a critical attack surface even 299 00:15:14.799 --> 00:15:15.679 in our own homes. 300 00:15:15.519 --> 00:15:18.720 And organizations face this on a much much grander scale, 301 00:15:18.840 --> 00:15:22.519 especially complex or rapidly growing ones. For a pen tester, 302 00:15:23.000 --> 00:15:26.559 truly grasping the attack surface is critical before you decide 303 00:15:26.559 --> 00:15:30.360 how to attack. For defenders, it's essential to know every 304 00:15:30.440 --> 00:15:33.840 possible attack point to properly deploy security. 305 00:15:33.360 --> 00:15:35.559 Controls external versus internal. 306 00:15:35.679 --> 00:15:40.519 Yeah. In external testing you're mapping from outside the network websites, VPNs, 307 00:15:40.759 --> 00:15:44.399 things exposed to the Internet. In internal testing, you're looking 308 00:15:44.440 --> 00:15:47.559 for what's reachable once you've already gained some initial access 309 00:15:47.559 --> 00:15:48.399 inside the network. 310 00:15:48.440 --> 00:15:50.159 And how does that process usually start? 311 00:15:50.679 --> 00:15:54.679 It often starts with passive reconnaissance using tools like OASAMASS 312 00:15:54.879 --> 00:15:58.679 or checking certificate transparency logs via CRT dot SHA. For 313 00:15:58.759 --> 00:16:03.360 subdomain enumeration, you gather potential targets, consolidate them, and then 314 00:16:03.399 --> 00:16:05.720 you move to en map for the active mapping part. 315 00:16:05.879 --> 00:16:08.320 Okay, now let's get into the n MAP flags that 316 00:16:08.399 --> 00:16:11.440 specifically help you map an attack surface. We've touched on some, 317 00:16:11.600 --> 00:16:13.879 but let's list the key ones for basic analysis, the 318 00:16:13.879 --> 00:16:16.799 ones you'll use like day in and day out sound good. First, 319 00:16:17.360 --> 00:16:19.039 sv service Version Detection. 320 00:16:18.879 --> 00:16:21.840 CRUCIAL tells you what is running and which version. Not 321 00:16:21.919 --> 00:16:23.679 just that poor eighty is open, but is it a 322 00:16:23.720 --> 00:16:26.559 patchy two point four point seven or Genix one point 323 00:16:26.600 --> 00:16:26.919 one eight? 324 00:16:27.080 --> 00:16:30.320 That version number is key next A the all in 325 00:16:30.399 --> 00:16:31.200 one scan. 326 00:16:31.200 --> 00:16:34.840 Yeah OS detection service version ing. It's slower, but very 327 00:16:34.879 --> 00:16:36.960 comprehensive for that initial reconnaissance phase. 328 00:16:37.039 --> 00:16:38.559 Nice T for timing right T. 329 00:16:38.639 --> 00:16:42.639 Zero is paranoid slowest T five's insane. Fastest default is 330 00:16:42.679 --> 00:16:45.879 T three. You absolutely need to adjust this for balancing 331 00:16:45.919 --> 00:16:49.080 speed and stealth. AERE adds more detail to the output, 332 00:16:49.279 --> 00:16:52.480 essential for troubleshooting and just understanding what end map is 333 00:16:52.480 --> 00:16:56.559 actually doing under the hood. ASOX for XML output non negotiable, 334 00:16:56.720 --> 00:17:00.679 really essential for importing into other analysis tools like zenmap 335 00:17:00.759 --> 00:17:04.519 or Legion. Always always save your scan results. 336 00:17:04.599 --> 00:17:06.960 Nice to specify ports yeah, nice. 337 00:17:06.720 --> 00:17:08.920 P eighty or arrange nice P eighty to OFF four 338 00:17:08.880 --> 00:17:11.039 to forty three or a list nas P eighty thy 339 00:17:11.119 --> 00:17:13.559 four hundred and forty three. NAS is useful for a 340 00:17:13.640 --> 00:17:15.599 quick scan of the top one hundred ports or all 341 00:17:15.640 --> 00:17:18.319 norts if you really need to check everything all sixty five, 342 00:17:18.680 --> 00:17:21.240 five hundred and thirty five and have a lot of time. 343 00:17:21.400 --> 00:17:22.960 ACU for UDP scanning. 344 00:17:23.119 --> 00:17:26.039 Often overlooked, but critical services like DNSS and m P 345 00:17:26.200 --> 00:17:28.640 and VPN protocols run on UDP. You'll miss things if 346 00:17:28.640 --> 00:17:32.119 you only scan TCP. Very handy filter shows only open ports, 347 00:17:32.119 --> 00:17:34.200 cuts through the noise of closed or filtered ports, lets 348 00:17:34.240 --> 00:17:35.519 you focus on potential. 349 00:17:35.240 --> 00:17:38.119 Entry point, and finally, reason this one's great for troubleshooting. 350 00:17:38.480 --> 00:17:42.200 Reveals why NMAP reported a port status in g sinec 351 00:17:42.319 --> 00:17:46.519 reset super helpful for understanding filtered ports and firewall behavior. 352 00:17:46.599 --> 00:17:48.559 Okay, so those are the building blocks. 353 00:17:48.240 --> 00:17:51.079 Exactly, and combining these flags is truly where the power 354 00:17:51.119 --> 00:17:54.400 comes alive. An initial scan might look something like and 355 00:17:54.480 --> 00:17:58.359 mapbattgc to open B twenty one million, twenty two million, 356 00:17:58.440 --> 00:18:00.839 twenty five million, eighty billion, one one hundred and ten billion, 357 00:18:00.839 --> 00:18:03.440 one hundred and seventy nine billion, one hundred seventy nine million, 358 00:18:03.480 --> 00:18:06.000 four hundred forty three million, eight hundred and forty three 359 00:18:06.200 --> 00:18:08.559 at GBA eight hundred and four hundred and forty three 360 00:18:08.880 --> 00:18:13.079 deshil targets dot t xtox results one dot xml break 361 00:18:13.079 --> 00:18:15.680 that down. Okay, so al targets dot tixt to read 362 00:18:15.720 --> 00:18:18.559 target ips from a file and desh ox results one 363 00:18:18.599 --> 00:18:20.079 dot xml to save the output. 364 00:18:20.160 --> 00:18:22.640 Makes sense and when you find vulnerabilities right. 365 00:18:22.640 --> 00:18:26.480 When identifying vulnerabilities, remember context is key. A high severity 366 00:18:26.519 --> 00:18:31.519 CVE with no known public exploit and no SISEKEV observations. 367 00:18:31.039 --> 00:18:35.799 keV known exploited vulnerabilities Exactly that CVE might be less 368 00:18:35.880 --> 00:18:38.960 valuable in a timebound PENTICS than a moderate severity one 369 00:18:38.960 --> 00:18:41.720 with readily available proof of concept exploits. 370 00:18:41.279 --> 00:18:44.839 That you can actually use, so focus on demonstrable impact precisely. 371 00:18:45.240 --> 00:18:47.759 The critical insight here is that the true value for 372 00:18:47.799 --> 00:18:51.799 a pentester lies in assessing the real world exploitable impact 373 00:18:51.920 --> 00:18:56.480 of a vulnerability within that specific client context, not just 374 00:18:56.640 --> 00:18:59.480 its theoretical CVSS score. The book has a case study 375 00:18:59.519 --> 00:19:02.240 on this, right yeah compelling one about a small financial 376 00:19:02.279 --> 00:19:06.880 services business. They used simple, regularly scheduled endmap scans to 377 00:19:06.920 --> 00:19:11.000 continuously monitor their attack surface. They gained crucial insight without 378 00:19:11.039 --> 00:19:14.119 a huge budget, proving end maps immense value even for 379 00:19:14.200 --> 00:19:15.359 smaller organizations. 380 00:19:15.480 --> 00:19:19.039 Once you've mapped that attack surface, turning raw information into 381 00:19:19.119 --> 00:19:23.720 actionable intelligence, the next step is identifying legitimate vulnerabilities that 382 00:19:23.759 --> 00:19:25.519 can actually be exploited. 383 00:19:25.119 --> 00:19:26.279 Right the refinement stage. 384 00:19:26.400 --> 00:19:31.920 Think of it like a military intelligence cycle, planning, collection, processing, analysis, 385 00:19:31.960 --> 00:19:33.839 and dissemination a good analogy. 386 00:19:34.200 --> 00:19:38.079 This refinement often starts with common Platform Enumeration or CPE, 387 00:19:38.559 --> 00:19:42.319 that standardized way of encoding it product names maintained by NIST. 388 00:19:42.440 --> 00:19:44.200 How does endmap find CPEs. 389 00:19:44.599 --> 00:19:48.319 Endmap tries to identify them by analyzing things like ICMP 390 00:19:48.480 --> 00:19:53.359 time to live values, TCP initial sequence number sampling, service banners, 391 00:19:53.400 --> 00:19:56.759 and headers. Then it queries its internal databases. 392 00:19:56.799 --> 00:19:58.119 But you mentioned it a caveat. 393 00:19:58.279 --> 00:20:00.920 Yeah, a crucial one. MP is isn't always one hundred 394 00:20:00.920 --> 00:20:04.720 percent accurate on specific versions or patch levels. Always try 395 00:20:04.720 --> 00:20:07.440 to verify with another tool or a manual check if possible. 396 00:20:07.519 --> 00:20:11.839 Okay. Once CPE is established, you look for cvees, correct. 397 00:20:11.759 --> 00:20:16.640 Common vulnerabilities and exposures those common identifiers for specific security weaknesses. 398 00:20:16.920 --> 00:20:21.079 And while the Common Vulnerability scoring system CVSS scores vulnerabilities 399 00:20:21.079 --> 00:20:23.799 from zero to ten, it lacks that crucial context we. 400 00:20:23.799 --> 00:20:25.680 Talked about, right, the impact context. 401 00:20:25.759 --> 00:20:29.640